Does Ory take periodic backups of the identities in a project? Or is that something we'd have to handle ourselves?

Self-hosted or Ory Network?

Ory network

There is a DR practice and backups taken. These are not accessible unless there is a DR recovery process executed.

ok, in the event a project is deleted, or the identities deleted, there is a way to contact Ory to get those back within some period of time? Just asking in general in case we need to perform our own DR.

You can open a support ticket to look into this if the event happens. Let me check with the team to see some of the retention on the data so you can understand the time period you have.

in the end, just trying to determine if we need to create a task to export the identities periodically and save it somewhere 🙂 If Ory keeps a reasonable backup, it may not be necessary.

We do keep 90 backups, but it is not trivial for us to restore single workspaces or projects and would take time and effort unless part of a larger recovery process. If you need rollback access to your data, you may be best in keeping a copy of the data on your side.

ok good to know, thanks for the response

Hello @crooked-jelly-294 what is the concern here? One of your devs accidentally deleting the whole project/all identities within the project?

No, I'm just thinking about the DR strategy in general. Thankfully there are no issues like that at the moment. Not really concerned.

I would not recommend to keep a copy of credentials on your side - Ory goes to great lengths to ensure that data is secure, and of course it would be an additional attack vector - it's basically all we think about all day. By doubling the places where credentials are stored, you double the attack surface and if your backup database is not secured properly it can result also in catastrophic leaks. Please let me know if that makes sense - it always does depend on the threat model of course, but generally I would not recommend to duplicate this data unless you can ensure you can keep it as secured as Ory does.

yep, makes sense. We could consider an export of identities without the creds in that case. Then we'd at least have a record of the email addresses and the identity IDs to restore things from.

Yes that makes sense! Feel free to open support tickets also for this kind of questions - then you might get a more timely answer, but here is good too ofc - and in this case I think its a valuable discussion also for other users.