Recoverability and RPO
Why a completed backup is not yet a proven restore, and what RPO means here.
Walwarden leads with an uncomfortable truth: a completed backup is not the same as a proven restore. This page explains the distinction and what the RPO figure on the dashboard does and does not promise.
Backup-complete ≠ proven-recoverable
When a backup reaches completed, walwarden has:
- run pg_dump against your source database,
- streamed the bytes to your S3 bucket,
- computed a SHA256 checksum and written an Ed25519-signed manifest,
- appended every step to the audit chain.
That proves an artifact exists, is signed, and has an intact audit chain. It does not prove that the artifact will restore cleanly into a working database. Dump/restore version skew, extension mismatches, or target-side privilege gaps can all surface only at restore time.
The only thing that proves recoverability is a restore. That is why we call it a restore drill: you restore a backup to a target you control and confirm the tables and row counts are there. Treat a backup you have never restored from as unproven.
What RPO means here
RPO (Recovery Point Objective) is the amount of data you could lose, measured as the age of your most recent recoverable backup. On the dashboard, the RPO figure is derived from the time since the last completed backup and rendered as an elapsed loss window: 12m 00s while it is under an hour, rolling over to 8h 36m and then 1d 4h as it ages. A loss window of 12m 00s means the most recent backup completed twelve minutes ago — so a failure now would lose at most the writes since then. The figure reads green while it sits inside the interval walwarden derives from your backup schedule and turns amber once it drifts past that interval. For a card-by-card walkthrough of the dashboard, see Read your recovery posture.
RPO here is a property of scheduled logical backups. It is a backup-recency figure, not a continuous-protection guarantee. Walwarden does not stream every write in real time; it backs up on the schedule you set. Choose a schedule whose interval matches the data loss you can tolerate.
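The loss-window arithmetic described above, as an added example (not walwarden's own code). It goes one step beyond the dashboard figure by also reporting the age of the newest backup that has passed a restore drill. The record fields `status`, `completed_at` and `drill_passed`, the zero-padding of minutes, and the `None` result when no backup qualifies are assumptions.

```python
from datetime import datetime, timedelta, timezone

def format_loss_window(age):
    """Render an elapsed loss window: '12m 00s', then '8h 36m', then '1d 4h'."""
    total = int(age.total_seconds())
    if total < 0:
        raise ValueError("backup timestamp is in the future")
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    if days:
        return f"{days}d {hours}h"
    if hours:
        return f"{hours}h {minutes:02d}m"  # padding of minutes is an assumption
    return f"{minutes}m {seconds:02d}s"

def newest(backups, proven_only=False):
    """Completion time of the newest completed (optionally drill-proven) backup."""
    times = [b["completed_at"] for b in backups
             if b["status"] == "completed"
             and (b["drill_passed"] or not proven_only)]
    return max(times, default=None)

def posture(backups, interval, now):
    """RPO from the last completed backup, plus the restore-proven window."""
    last = newest(backups)
    proven = newest(backups, proven_only=True)
    if last is None:  # nothing completed yet: no figure to show (assumption)
        return {"rpo": None, "colour": None, "proven": None}
    age = now - last
    return {
        "rpo": format_loss_window(age),
        # green inside the schedule-derived interval, amber once past it
        "colour": "green" if age <= interval else "amber",
        "proven": format_loss_window(now - proven) if proven else None,
    }

# Constructed sample records, not real walwarden output.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"status": "completed", "completed_at": NOW - timedelta(hours=8, minutes=36),
     "drill_passed": True},
    {"status": "completed", "completed_at": NOW - timedelta(minutes=12),
     "drill_passed": False},
    {"status": "failed", "completed_at": NOW - timedelta(minutes=5),
     "drill_passed": False},
]

if __name__ == "__main__":
    print(posture(SAMPLE, timedelta(hours=1), NOW))
```

On the sample, the dashboard-style figure is twelve minutes and green, while the newest backup actually proven by a restore is more than eight hours old.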
The honest boundary
For the full list of what the product does and does not do today, see What is not shipped and the honest capability claims reference.