E-commerce Backup and Recovery Checklist

List every system holding revenue-critical data: Shopify admin (products, orders, customers, themes, metafields), Amazon Seller Central flat files, Klaviyo lists and flows, Yotpo or Okendo reviews, Recharge subscriptions, Gorgias tickets, and the headless CMS or PIM if used. Many merchants assume Shopify backs up the store — it does not roll back theme or product changes for the merchant.

Common choices: Rewind, BackupMaster, or Talon for Shopify objects; native S3 lifecycle for raw exports; GitHub for theme code under version control. Confirm the tool covers metafields, automatic-collection rules, and discount codes — not just products and orders.

Schedule daily incrementals for high-velocity data (orders, customers, inventory) and weekly full snapshots for catalog and theme. Stagger jobs outside peak traffic windows so API rate limits don't throttle the live store.

Order and customer exports contain names, addresses, emails, and phone numbers — in-scope for GDPR, CCPA, and state privacy laws. Use AES-256 at rest and TLS 1.2+ in transit. Document the key custodian; lost keys make the backup useless.

Pull the backup tool's job log and verify yesterday's run finished with no errors. Silent failures from API token expiry are the most common cause of stale backups going unnoticed for weeks.

Triage the failure: re-authenticate the Shopify private app token, check storage quota, confirm webhook delivery. Re-run the job manually and verify the next scheduled run completes before closing.

Set recovery time and recovery point objectives by system. Storefront uptime typically demands RTO under 1 hour; order data RPO under 15 minutes; marketing data tolerates 24 hours. Tighter targets cost more — be honest about what the business can afford.

Name the incident commander, the Shopify-admin operator, the comms lead, and the 3PL/inventory contact. Include backup names for each — Q4 vacations and PTO during BFCM are a known failure mode.

Draft pre-approved Klaviyo, Postscript, and status-page templates for outage, payment failure, and data-incident scenarios. Keep them outside Shopify so they're reachable when the store is down.

Replicate backups to a region geographically separate from the primary (e.g., S3 cross-region replication us-east-1 to us-west-2). A single-region failure should not take both primary and backup down.

Calendar the next review on the leadership cadence. New apps, new sales channels (TikTok Shop, Faire), new 3PLs, and personnel changes all invalidate parts of the plan within a quarter.

Step-by-step from a clean dev store: restore theme from GitHub, re-import products via Matrixify or Rewind, replay orders, reconnect Klaviyo and Recharge. Capture exact CLI commands and app credentials needed — not generic prose.

Use a Shopify development store, not production. Time the restore end-to-end and compare against the documented RTO. Note any manual steps that should be scripted before the next drill.

Spot-check 20 random orders against source records: line items, totals, tax, shipping address, fulfillment status. Confirm product variants, inventory quantities, and metafields all hydrated. Missing metafields are the silent killer — they break PDPs without obvious symptoms.

Integrity gaps discovered in a drill are still gaps. File the incident with the spot-check evidence, identify root cause (missing object type in backup scope, API throttling, schema drift), and block the next quarterly cycle on a fix.

Place a real test order on the restored sandbox using a $0.01 product or a 100%-off discount. Confirm Shopify Payments / Stripe webhook fires, order confirmation email lands, and the 3PL sees the fulfillment request. Mobile checkout is the most common regression after a restore.

Document time-to-restore, gaps versus RTO/RPO, and any manual workarounds used. Feed findings into the next quarter's runbook updates.

Order and tax records typically retained 7 years for IRS and state sales-tax audits. Customer marketing data subject to GDPR and CCPA deletion on request. Subscription billing records 7 years. Document the window per class so archival rules can enforce them.

Move data older than 90 days to S3 Glacier, GCS Coldline, or equivalent. Lifecycle rules should run automatically — manual archival drifts within two quarters.

Pull one archived file per data class and confirm it opens and parses. Glacier retrieval can take hours — schedule the test before you need the data for an audit or a chargeback dispute.

Shopify's GDPR webhook surfaces erasure requests; Klaviyo and Yotpo have their own. Confirm deletion propagates to backups and archives — a backup that resurrects deleted PII is a privacy violation in most jurisdictions.

Restrict archive bucket access to a named IAM role, enforce MFA on assumption, and enable bucket-level access logging. Audit the access list each quarter; ex-employees with leftover access show up here.

Full end-to-end drill: pick a date, restore to sandbox, time it, document each manual step. The first drill is always slower than the runbook claims — schedule three hours, not one.

Pull job logs from Rewind / BackupMaster / S3 and confirm a successful run for every scheduled day. Gaps usually trace to API token rotation, app reinstalls, or storage quota — fix root cause, not just the missing day.

Walk the team through a Black Friday checkout outage at 9pm Eastern: who's on call, who posts the status update, who pauses Meta and Google ad spend, who notifies the 3PL. Surface the ambiguities while the stakes are theoretical.

Capture the result, the timing versus RTO, and any blocking gaps. A drill that passed with caveats is still a pass — but the caveats become next quarter's backlog.

A failed drill blocks the next quarter's cycle. Assign owners to each gap, set due dates, and re-run the failed scenario before the 30 days close. Don't paper over a fail with a tabletop redo.

For SOC 2, PCI SAQ, or merchant-bank requirements, an external review of backup and DR practices is often required annually. Even without a compliance driver, a fresh set of eyes catches assumptions internal teams stop seeing.