What Is RPO (Recovery Point Objective)?
RPO — Recovery Point Objective — defines the maximum acceptable amount of data loss measured in time: if a disaster occurs right now, how far back in time can you afford to restore your data? A 4-hour RPO means your business can tolerate losing up to 4 hours of transactions or changes. A 15-minute RPO means you can lose no more than 15 minutes of data. RPO directly determines backup frequency and the infrastructure investment required to protect your data adequately.
How RPO relates to backup frequency
| RPO Target | Required Backup Frequency | Technology Required |
|---|---|---|
| 24 hours | Daily backup | Cloud backup, NAS with daily job |
| 4-8 hours | Multiple daily backups | Cloud backup with multiple daily restore points |
| 1 hour | Hourly snapshots | Datto SIRIS, Veeam with local appliance, Azure Backup |
| 15 minutes | Continuous replication | Journaled backup appliances (Datto SIRIS), Zerto, Azure Site Recovery |
| Near-zero | Synchronous replication | Enterprise storage replication, active-active clusters |
RPO for different types of data
Not all data in a business has the same RPO. Set RPO separately for each system:
- Financial transactions / accounting — RPO often 15-60 minutes; losing a day of transactions is typically unacceptable
- Email — RPO 1-4 hours for most businesses; Microsoft 365 Exchange Online has built-in redundancy that effectively provides very low RPO for email
- CRM and client records — RPO 1-4 hours; losing client interaction data is a significant operational problem
- File servers / document storage — RPO 4-24 hours for most businesses; SharePoint Online provides built-in version history
- Development environments — RPO may be near-zero if using continuous integration/continuous deployment with code repositories
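An added example (not part of the original page): a Python check that compares restore-point timestamps against per-system RPO targets. The system names, target values and timestamps are constructed for illustration; exposure is measured as the longest gap between consecutive restore points or the age of the newest one, whichever is larger.

```python
from datetime import datetime, timedelta

# Hypothetical per-system targets, picked from the ranges listed above.
RPO_TARGETS = {
    "accounting": timedelta(minutes=60),
    "crm": timedelta(hours=4),
    "fileserver": timedelta(hours=24),
}

# Constructed restore-point history (not real backup logs).
NOW = datetime(2024, 5, 1, 12, 0)
HISTORY = {
    "accounting": [NOW - timedelta(minutes=m) for m in (170, 110, 50)],
    "crm": [NOW - timedelta(hours=h) for h in (13, 9, 3)],  # one job skipped
    "fileserver": [],                                       # never backed up
}

def worst_exposure(restore_points, now):
    """Largest window of data that could have been lost.

    Looks at every gap between consecutive restore points plus the age of
    the newest one, so a skipped job shows up even if the latest run is fresh.
    """
    pts = sorted(restore_points)
    if not pts:
        return None
    gaps = [later - earlier for earlier, later in zip(pts, pts[1:])]
    gaps.append(now - pts[-1])
    return max(gaps)

def audit(history, targets, now):
    """Return {system: (status, exposure)} for every system with a target."""
    findings = {}
    for system, target in targets.items():
        exposure = worst_exposure(history.get(system, []), now)
        if exposure is None:
            findings[system] = ("NO_BACKUPS", None)
        elif exposure > target:
            findings[system] = ("RPO_MISSED", exposure)
        else:
            findings[system] = ("OK", exposure)
    return findings

if __name__ == "__main__":
    for system, (status, exposure) in audit(HISTORY, RPO_TARGETS, NOW).items():
        print(f"{system:12} {status:11} worst exposure: {exposure}")
```

The CRM entry passes a "latest backup is recent" check (3 hours old) but still misses its 4-hour target because of the 6-hour gap left by the skipped job.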
RPO and PIPEDA / PHIPA compliance
Canadian privacy law doesn't explicitly define RPO targets, but it has implications for data protection:
- PHIPA: patient records must be retained and accessible; prolonged data unavailability raises compliance concerns; healthcare organizations should target low RPOs for EHR systems
- PIPEDA: requires "appropriate safeguards" for personal information; inadequate backup frequency leading to significant personal data loss in an incident may be seen as inadequate safeguards
- OSFI B-13: financial institutions must define and test RPO for all critical systems; typical OSFI expectations for critical systems are sub-4-hour RPO
Cloud services and RPO in Canada
Microsoft 365 (Exchange Online, SharePoint Online, OneDrive) provides built-in redundancy that effectively gives very low RPO for cloud-stored data: Microsoft replicates data across multiple data centres in the same geographic region, including the Canadian Toronto and Quebec City data centres. However, Microsoft's replication does not protect against accidental deletion, ransomware encryption of synced files, or configuration errors; these require a separate backup solution such as Veeam Backup for Microsoft 365 or Datto SaaS Protection.
Related glossary terms
- RTO — Recovery Time Objective
- BDR — Backup and Disaster Recovery
- Ransomware
- Microsoft 365
- Microsoft Azure
How Outsource IT Canada can help
- Managed IT Services — 24/7 monitoring and flat-rate IT support for Canadian businesses
- Cybersecurity Services — EDR, MDR, dark web monitoring, and incident response
- PIPEDA Compliance — privacy impact assessments and breach notification procedures
- Get a free assessment — call (416) 623-9677