Backups & Restore

How Backups Work

Every service gets automated backups. The exact mechanism depends on the engine:

Engine	Backup type	PITR
PostgreSQL	pgBackRest + WAL archiving	Yes — any second
MySQL	mysqldump + binlog archiving	Yes — any second
MongoDB	mongodump + oplog archiving	Yes — any second
Valkey	RDB snapshots + AOF	Daily snapshots
Kafka	Topic data snapshots	No
OpenSearch	Snapshot API	Snapshot-level
SQL Server	pgBackRest (via PostgreSQL) + WAL	Yes — any second

Automated backups run daily. WAL/binlog/oplog archiving runs continuously for engines that support PITR.

List Backups

curl -u admin:password \
  https://api.foundrydb.com/managed-services/{id}/backups

{
  "backups": [
    {
      "id": "bkp_abc123",
      "backup_type": "automated",
      "status": "completed",
      "size_bytes": 1073741824,
      "created_at": "2026-03-15T02:00:00Z"
    }
  ]
}

Manual Backup

Trigger a backup on demand:

curl -u admin:password -X POST \
  https://api.foundrydb.com/managed-services/{id}/backups \
  -H "Content-Type: application/json" \
  -d '{"backup_type": "manual"}'

Useful before a risky schema migration or data load.

Restore

Restoring always creates a new service — it never overwrites the source. Your existing service keeps running.

Restore to a specific time (PITR)

For engines that support it (PostgreSQL, MySQL, MongoDB, SQL Server):

curl -u admin:password -X POST \
  https://api.foundrydb.com/managed-services/{id}/backups/restore \
  -H "Content-Type: application/json" \
  -d '{
    "restore_point": "2026-03-15T14:30:00Z",
    "target_service_name": "my-db-restored",
    "plan_name": "tier-2",
    "zone": "se-sto1"
  }'

Restore from a specific backup

curl -u admin:password -X POST \
  https://api.foundrydb.com/managed-services/{id}/backups/{backup_id}/restore \
  -H "Content-Type: application/json" \
  -d '{
    "target_service_name": "my-db-restored",
    "plan_name": "tier-2",
    "zone": "se-sto1"
  }'

Monitor restore progress

curl -u admin:password \
  https://api.foundrydb.com/managed-services/{restored_service_id}

Watch status transition from pending → provisioning → running. Restore typically completes in 5–30 minutes depending on database size.

Delete a Backup

Manual backups can be deleted. Automated backups are managed by the retention policy.

curl -u admin:password -X DELETE \
  https://api.foundrydb.com/managed-services/{id}/backups/{backup_id}

Backup Retention

Backup type	Retention
Automated daily	7 days
Manual	Until deleted
WAL / binlog / oplog (PITR window)	7 days

Backup Encryption

All backups are encrypted by default. No configuration is required.

How it works:

• Each backup is encrypted with AES-256-GCM before it leaves the database server
• Every backup receives a unique encryption key, so compromising one key does not affect other backups
• Encryption keys are managed automatically by the platform, including periodic rotation (every 90 days)
• Backups are encrypted on the server before upload to object storage, so data is never transmitted or stored in plaintext
• Object storage adds a second layer of server-side encryption (AES-256) for defense in depth

What's encrypted:

Component	Encryption
Full backups (all engines)	AES-256-GCM with per-backup key
WAL archives (PostgreSQL, SQL Server)	AES-256-CBC via pgBackRest
Binlog archives (MySQL)	AES-256-GCM with per-backup key
Oplog archives (MongoDB)	AES-256-GCM with per-backup key
RDB snapshots (Valkey)	AES-256-GCM with per-backup key

Backup encryption status is visible in the dashboard and via the API:

curl -u admin:password \
  https://api.foundrydb.com/managed-services/{id}/backups/{backup_id} \
  | jq '{encrypted: .encryption_enabled, algorithm: .encryption_algorithm}'
# {"encrypted": true, "algorithm": "AES-256-GCM"}

Disaster Recovery Checklist

1. Test restores regularly — restore to a new service and verify your data
2. Verify PITR window — confirm WAL archiving is active in your metrics
3. Document your RTO/RPO — know the restore time for your service size
4. Keep manual backups before major changes (schema migrations, bulk deletes)