
How to write an RFP for disaster recovery as a service

Requirements, questions, and evaluation criteria specific to disaster recovery as a service procurement


Disaster Recovery as a Service (DRaaS) procurement demands a rigorous RFP process due to the high stakes involved. Unlike typical software, DRaaS is invoked only when all other systems fail, making thorough evaluation and validation paramount to ensure business continuity during critical incidents.

What makes disaster recovery as a service RFPs different

DRaaS RFPs are uniquely complex due to the intricate technical dependencies and potential for catastrophic data loss. The RFP must address not only data replication and storage but also orchestrated failover, failback procedures, and comprehensive testing methodologies.

Furthermore, compliance requirements like HIPAA or SOC 2 add another layer of scrutiny, as the vendor's recovery site effectively becomes an extension of your own infrastructure during a disaster.

Unlike many software categories, DRaaS procurement is less about features and more about proven reliability and recoverability. The focus shifts from user interfaces and feature sets to stringent SLAs, RTO/RPO guarantees, and the vendor's ability to seamlessly integrate with diverse IT environments, including legacy systems and cloud-native applications. Comprehensive testing scenarios are crucial to validate the solution's effectiveness and identify potential vulnerabilities before a real disaster strikes.

Finally, financial considerations extend beyond the monthly license fee. The RFP needs to uncover hidden costs like data egress fees, burst compute charges, and professional services for implementation and ongoing support. A thorough TCO analysis is essential to avoid budget surprises and ensure long-term cost-effectiveness.

  • Clearly define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical applications.
  • Validate the vendor's ability to orchestrate failover and failback procedures without data loss.
  • Assess the vendor's security posture and compliance certifications (e.g., HIPAA, SOC 2) to meet regulatory requirements.
  • Evaluate the total cost of ownership, including licensing, implementation, testing, and potential egress fees.

RFP vs RFI vs RFQ

Here's when to use each document type when procuring disaster recovery as a service software.

RFI

Request for Information

Use early in your search to understand what vendors offer and narrow your list. Gather general capabilities, company background, and high-level pricing ranges.

RFP

Request for Proposal

Use when you know your requirements and want detailed vendor solutions and pricing. This is your main evaluation document for shortlisted vendors.

RFQ

Request for Quote

Use when requirements are fixed and you just need final pricing. Often used after RFP when you're ready to negotiate with finalists.

For DRaaS, an RFI helps gather broad information about available solutions and vendor capabilities, while an RFP is essential for a detailed evaluation of technical specifications, service level agreements, and cost structures. An RFQ is less suitable due to the complexity and customization required for DRaaS deployments.

Technical requirements checklist

Use this checklist when defining your RFP scope.

Replication & Recovery

  • Continuous Data Protection (CDP) with near-zero RPO
  • Automated failover and failback orchestration
  • Support for heterogeneous environments (VMware, Hyper-V, physical servers, cloud)
  • Non-disruptive testing capabilities
  • Immutable and air-gapped backups

Security & Compliance

  • Encryption at rest and in transit
  • Multi-factor authentication for access control
  • Compliance certifications (HIPAA, SOC 2, GDPR)
  • Ransomware detection and prevention capabilities
  • Vulnerability scanning and patching

Infrastructure & Architecture

  • Geographically diverse data centers
  • Redundant network connectivity
  • Scalable compute and storage resources
  • Support for hybrid cloud environments
  • Detailed infrastructure diagrams

Management & Reporting

  • Centralized management console
  • Real-time monitoring and alerting
  • Automated reporting on RTO/RPO performance
  • Role-based access control
  • Audit logging and reporting

Service Level Agreements (SLAs)

  • Guaranteed uptime for recovery environments
  • Maximum RTO and RPO targets
  • Penalties for SLA breaches
  • Support response times
  • Data recovery guarantees
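As an added illustration (not part of the original guide), the script below takes constructed failover-test records and checks each application's achieved RTO and RPO against per-tier SLA targets, producing the breach list that the "Automated reporting on RTO/RPO performance" requirement and the SLA penalty clauses would rely on. The tier names, targets and sample records are all assumptions made up for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# SLA targets per application tier (constructed values, not any vendor's). RTO is the maximum
# time from declaration to verified restored service; RPO the maximum age of the newest replica.
SLA_TARGETS = {
    "tier1": {"rto": timedelta(hours=1), "rpo": timedelta(minutes=15)},
    "tier2": {"rto": timedelta(hours=4), "rpo": timedelta(hours=1)},
}

# One test record: declaration time, newest consistent replica at that time, verified-restored time.
FailoverTest = namedtuple("FailoverTest", "app tier declared_at last_replica_at restored_at")

def parse_test_log(lines):
    """Parse 'app,tier,declared_at,last_replica_at,restored_at' records with ISO 8601 timestamps."""
    tests = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        app, tier, declared, replica, restored = (f.strip() for f in line.split(","))
        tests.append(FailoverTest(app, tier, *map(datetime.fromisoformat, (declared, replica, restored))))
    return tests

def achieved_metrics(test):
    """(RTO, RPO) for one test; data written after the last replica is lost, hence the RPO gap."""
    return test.restored_at - test.declared_at, test.declared_at - test.last_replica_at

def find_breaches(tests, targets=SLA_TARGETS):
    """Return (app, metric, achieved, target) for each RTO/RPO result that exceeds its tier's SLA."""
    breaches = []
    for t in tests:
        rto, rpo = achieved_metrics(t)
        sla = targets[t.tier]
        if rto > sla["rto"]:
            breaches.append((t.app, "RTO", rto, sla["rto"]))
        if rpo > sla["rpo"]:
            breaches.append((t.app, "RPO", rpo, sla["rpo"]))
    return breaches

# Constructed sample records; in practice these come from the vendor's test evidence.
SAMPLE_LOG = """
# app,tier,declared_at,last_replica_at,restored_at
erp,tier1,2024-03-10T02:00:00,2024-03-10T01:52:00,2024-03-10T02:41:00
crm,tier1,2024-03-10T02:00:00,2024-03-10T01:30:00,2024-03-10T02:20:00
wiki,tier2,2024-03-10T02:00:00,2024-03-10T01:10:00,2024-03-10T06:30:00
""".splitlines()

if __name__ == "__main__":
    for app, metric, achieved, target in find_breaches(parse_test_log(SAMPLE_LOG)):
        print(f"{app}: {metric} breach, achieved {achieved} vs SLA {target}")
```

Running it on the sample flags the CRM replica as too old for a tier-1 RPO and the wiki restore as 30 minutes over the tier-2 RTO, while the ERP test passes both.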

Questions to include in your RFP

Architecture & Deployment

  • Describe your DRaaS architecture, including data center locations, redundancy measures, and security controls.
    To ensure geographic diversity and resilience against regional outages.
  • What deployment models do you support (e.g., managed, assisted, self-service) and what are the responsibilities for each?
    To align with your IT team's capabilities and resource availability.
  • How do you ensure data isolation and security in a multi-tenant environment?
    To protect sensitive data from unauthorized access or breaches.
  • Explain your approach to application dependency mapping and orchestration during failover.
    To guarantee applications boot in the correct sequence and function properly.

Replication & Recovery

  • Describe your data replication technology, including RPO capabilities and support for continuous data protection (CDP).
    To minimize data loss in the event of a disaster.
  • What are your supported RTOs for different application tiers and how do you guarantee these RTOs?
    To ensure timely recovery of critical business functions.
  • Explain your failover and failback procedures, including automated orchestration and testing methodologies.
    To validate the effectiveness of the DRaaS solution and minimize downtime.
  • How do you ensure data integrity and consistency during replication and recovery?
    To prevent data corruption or loss during the disaster recovery process.

Security & Compliance

  • What security certifications and compliance standards do you adhere to (e.g., HIPAA, SOC 2, GDPR)?
    To meet regulatory requirements and protect sensitive data.
  • Describe your security measures for data at rest and in transit, including encryption and access controls.
    To prevent unauthorized access and data breaches.
  • How do you protect against ransomware attacks and ensure the integrity of backups?
    To maintain business continuity in the face of cyber threats.
  • Explain your vulnerability management and patching process for the DRaaS environment.
    To mitigate security risks and maintain a secure DRaaS environment.

Testing & Validation

  • Describe your non-disruptive testing capabilities and how you ensure testing doesn't impact production systems.
    To validate the DRaaS solution without disrupting normal operations.
  • What types of disaster recovery drills do you support and how often should they be performed?
    To identify potential weaknesses and improve the DRaaS plan.
  • What reporting and documentation do you provide after a disaster recovery test?
    To demonstrate compliance and track progress.
  • Can you provide sample test reports and customer references who have successfully executed failover and failback scenarios?
    To verify the vendor's experience and capabilities.

Pricing & Licensing

  • Provide a detailed breakdown of your pricing model, including licensing fees, implementation costs, and ongoing support charges.
    To understand the total cost of ownership (TCO) and avoid hidden fees.
  • What are your data egress fees and how are they calculated?
    To budget for potential costs associated with failback operations.
  • Do you offer volume discounts or long-term contract options?
    To potentially reduce costs and secure favorable terms.
  • What are the costs associated with scaling up or down the DRaaS environment?
    To ensure flexibility and cost-effectiveness as your needs evolve.

Support & Service

  • Describe your support organization, including response times, escalation procedures, and service level agreements (SLAs).
    To ensure timely assistance during a disaster.
  • What training and documentation do you provide to help our IT team manage the DRaaS environment?
    To empower your team and reduce reliance on the vendor.
  • Do you offer managed services for DRaaS, including ongoing monitoring, testing, and incident response?
    To offload responsibilities and improve overall resilience.
  • What is your customer satisfaction rating and can you provide references from similar organizations?
    To assess the vendor's reputation and service quality.

Compliance and security requirements

Depending on your industry, you may need to require proof of these certifications and standards.

HIPAA

Required if handling protected health information (PHI). If applicable, request a Business Associate Agreement (BAA) and documentation of HIPAA compliance measures.

SOC 2 Type II

Required for demonstrating security, availability, processing integrity, confidentiality, and privacy controls. If applicable, request a SOC 2 Type II report from an independent auditor.

GDPR

Required if processing personal data of EU citizens. If applicable, request information on GDPR compliance measures, including data residency and data subject rights.

PCI-DSS

Required if handling payment card data. If applicable, request a current PCI-DSS Attestation of Compliance (AOC) and documentation of PCI-DSS controls.

ISO 27001

Required for demonstrating a comprehensive information security management system. If applicable, request an ISO 27001 certificate and documentation of the ISMS.

Evaluation criteria

Here is the suggested weighting for disaster recovery as a service RFPs.

  • Recovery Time Objective (RTO): 20%. Ability to meet defined RTOs for critical applications. Increase if downtime has significant financial impact.
  • Recovery Point Objective (RPO): 15%. Ability to minimize data loss based on defined RPO requirements. Increase if data loss is unacceptable.
  • Security & Compliance: 15%. Adherence to relevant security standards and compliance regulations. Increase for highly regulated industries.
  • Testing & Validation: 15%. Robustness of testing methodologies and validation procedures. Increase if previous DR solutions failed testing.
  • Total Cost of Ownership (TCO): 15%. Overall cost, including licensing, implementation, and ongoing support. Increase if budget is a primary constraint.
  • Vendor Reputation & Experience: 10%. Vendor's track record, customer references, and industry recognition. Increase if the vendor is new to the market.
  • Scalability & Flexibility: 10%. Ability to scale the DRaaS environment to meet changing business needs. Increase if rapid growth is expected.

Adjust these weights to match your own priorities; the guidance after each criterion indicates when to raise it.

Red flags to watch

  • Lack of guaranteed RTO/RPO

    Indicates a lack of confidence in their ability to meet recovery objectives.

  • Vague or hidden data egress fees

    Can lead to unexpected and substantial costs during failback.

  • Inability to perform non-disruptive testing

    Prevents thorough validation of the DRaaS solution without impacting production.

  • Limited support for heterogeneous environments

    May result in gaps in coverage for critical applications or systems.

  • Weak security controls or compliance certifications

    Increases the risk of data breaches and regulatory violations.

Key metrics to request

Ask vendors to provide benchmarks from similar customers.

Average RTO achieved during testing

Provides a realistic expectation of recovery times.

Number of successful failover/failback tests

Demonstrates the reliability of the DRaaS solution.

Customer satisfaction rating

Indicates the vendor's commitment to service quality.

Time to implement the DRaaS solution

Helps plan for the implementation process and minimize disruption.

Data compression and deduplication ratios

Affects storage costs and network bandwidth requirements.