Skip to content

Business Continuity & Emergency Access

What to do if Tim is unavailable

Classification: INTERNAL — No secrets in this document

All credentials are stored separately in 1Password under the UCCA Shared vault. This document can be safely emailed, committed to git, and shared with trusted parties. The companion credential register is in 1Password only. Never email or commit credentials.

Section 1 — Who to Contact

If Tim is incapacitated, contact these people in this order:

Person Role What They Can Help With
Alex Technical collaborator Engine code, development questions, technical decisions
Jimmy Business partner Business decisions, financial matters, strategic direction
Cloudflare Support Infrastructure provider If websites go down, DNS issues, security incidents
Google Workspace Admin Email provider Account recovery (requires recovery codes from 1Password)

Critical

Alex can help with engine code but does not currently have independent access to infrastructure. He will need the credentials from 1Password to take over operations.

Australian Entity

Field Value
Name United Central Colleges of Australia Pty Ltd
Trading as RTOpacks
Jurisdiction Australia
Purpose Australian VET compliance product (rtopacks.com.au)

US Entity

Field Value
Name United Community Colleges of America Inc
DBA UCCA Inc
Jurisdiction Delaware, United States
Delaware File No 7824354
Purpose Platform company, US operations, future expansion
Franchise tax Due annually by March 1. Paid at corp.delaware.gov. ~$225/year. Late penalty is $200+.
EIN 🔒 1Password: UCCA Shared › Delaware › EIN

Section 3 — The Crown Jewel: admin@ucca.online

This single account controls access to almost every service UCCA uses.

If you can access this email account, you can recover access to everything else. If you cannot access this email account, recovery becomes extremely difficult.

Account Details

Field Value
Email admin@ucca.online
Provider Google Workspace (Education tier)
Password 🔒 1Password: UCCA Shared › Google Workspace › admin@ucca.online
MFA method 🔒 1Password: UCCA Shared › Google Workspace › MFA details
Recovery codes 🔒 1Password: UCCA Shared › Google Workspace › Recovery codes

Services that authenticate through this email

Losing this loses everything:

  • Cloudflare → all websites, DNS, databases, workers, storage
  • GitHub → all source code
  • Slack → incident.io → status page
  • Twilio → phone system
  • Google Workspace itself → all email, documents, calendar
  • Cloudflare Access OTP emails → ops, docs, knowledge sites

Section 4 — All Accounts and Services

Complete list of every service UCCA uses. All credentials are in 1Password.

Cloudflare (Infrastructure)

Field Value
What it does Hosts ALL websites, databases, file storage, DNS, SSL certificates. This is the entire production infrastructure.
URL dash.cloudflare.com
Login admin@ucca.online (Google OAuth)
Terraform token 🔒 1Password: UCCA Shared › Cloudflare › Terraform API token
Resources managed 120+ (DNS records, Workers, D1 databases, R2 storage, Pages sites, security rules)
Domains managed ucca.online, rtopacks.com.au
Monthly cost Free tier

If Cloudflare goes down or account is locked, all websites and APIs stop immediately.

GitHub (Source Code)

Field Value
What it does Stores all source code for the entire platform.
URL github.com/uccaonline
Account type Personal account (not an organisation — migrate to org before adding collaborators)
Login admin@ucca.online
Password 🔒 1Password: UCCA Shared › GitHub › uccaonline
2FA Enabled
2FA recovery codes 🔒 1Password: UCCA Shared › GitHub › Recovery codes
Git authentication gh CLI OAuth token stored in macOS Keychain on the Mac Mini

Repositories:

Repo Contents
ucca-engine (private) Core processing engine
ucca-surfaces (private) Ops console, workers, marketing site
ucca-infra (private) Terraform infrastructure declarations, backup scripts
ucca-docs (private) Knowledge site, documentation, CLAUDE.md
ucca-site (public) Marketing website

Google Workspace

Field Value
What it does Email, documents, calendar, Google Drive (including automated backups).
URL admin.google.com
Login admin@ucca.online
Plan Education tier (free)
Backup location Google Drive › UCCA Backups/ folder receives automated daily D1 database exports

Google Workspace controls domain email. If compromised, attacker can intercept password resets for every other service.

Twilio (Phone System)

Field Value
What it does Business phone system. Inbound calls, voicemail, voicemail-to-email delivery.
URL console.twilio.com
Login admin@ucca.online
Password 🔒 1Password: UCCA Shared › Twilio › Console login
Account SID ACa958efb6dca686283cb58976742341a2
Auth Token 🔒 1Password: UCCA Shared › Twilio › Auth token
Phone number +1 302 300 3336 (Delaware)
Monthly cost ~$1.25/month (prepaid balance)
Studio Flow UCCA – Inbound Calls (14-state IVR with voicemail)

Voicemails are emailed to admin@ucca.online via Gmail OAuth2 in Twilio Functions.

incident.io (Status Page & Incidents)

Field Value
What it does Public status page at status.ucca.online. Incident declaration and communication.
URL app.incident.io
Login Via Slack (ucca.slack.com) → Google OAuth via admin@ucca.online
Status page status.ucca.online
Monthly cost Free tier

Slack

Field Value
What it does Team communication. Authentication gateway for incident.io.
URL ucca.slack.com
Login admin@ucca.online (Google OAuth)

Delaware Division of Corporations

Field Value
What it does Legal home of UCCA Inc. Annual franchise tax filing.
URL corp.delaware.gov
File number 7824354
Entity name United Community Colleges of America Inc
Annual obligation Franchise tax due by March 1 each year. ~$225. $200+ penalty if late.
EIN 🔒 1Password: UCCA Shared › Delaware › EIN

Section 5 — What Is Running and Where

Everything runs on Cloudflare. There are no physical servers except Tim's Mac Mini (development and deployment).

Websites and Services

URL What It Is Access
ucca.online Marketing website Public
rtopacks.com.au Australian RTO compliance product Public
api.ucca.online API endpoint Public (static now, engine API later)
status.ucca.online Public status page (incident.io) Public
ops.ucca.online Operations console / dashboard Cloudflare Access (OTP via admin@ucca.online)
docs.ucca.online Technical documentation (MkDocs) Cloudflare Access
knowledge.ucca.online Knowledge base / architecture docs Cloudflare Access

Databases

  • ops-db (Cloudflare D1) — Platform telemetry: traffic analytics, health metrics
  • rtopacks-db (Cloudflare D1) — World data: 2,053 RTO records, enrichment data

Each world has its own isolated database. Backed up daily to Google Drive via automated script.

File Storage

  • Cloudflare R2 (S3-compatible) — document and asset storage (not yet in active use)

Backups

Field Value
Location Google Drive (admin@ucca.online) › UCCA Backups/
Schedule Daily at 3am AEST via launchd on Mac Mini
What's backed up ops-db (D1), rtopacks-db (D1), KV LEADS namespace
Retention 90 days (manual cleanup)
Scripts ucca-infra/scripts/backup/ (cf-backup.sh, cf-verify.sh, cf-restore.sh)

Infrastructure as Code

Terraform: 120+ Cloudflare resources declared in ucca-infra repo. If infrastructure is destroyed, it can be rebuilt from these declarations using terraform apply with the Cloudflare API token from 1Password.

Section 6 — The Mac Mini (Development Machine)

This machine contains all deployment capability and local credentials.

Field Value
Location Tim's home office
Login password 🔒 1Password: UCCA Shared › Mac Mini › Login
FileVault Enabled (disk encrypted at rest, same password decrypts at boot)
Biometric Tim's fingerprint (convenience only — password also works)

What Lives on This Machine

  • All source code (git clones of all repos)
  • macOS Keychain containing GitHub OAuth token
  • Terraform state files and API tokens
  • Cloudflare Wrangler configuration
  • rclone configuration for Google Drive backups
  • launchd job running daily backups at 3am
  • Claude Code (AI development assistant)

If the Mac Mini Is Lost or Destroyed

This is NOT a crisis

All code is on GitHub, all infrastructure is in Terraform, all data is backed up to Google Drive.

  1. Get a new Mac (or any machine with git, Node.js, Python, Terraform)
  2. Install gh CLI and run gh auth login with admin@ucca.online credentials from 1Password
  3. Clone all repos from github.com/uccaonline
  4. Install Terraform, configure with Cloudflare API token from 1Password
  5. Install rclone, configure Google Drive remote
  6. Install Wrangler (Cloudflare's deployment tool)
  7. Install launchd backup plist from ucca-infra/scripts/backup/
  8. Resume operations

A developer (Alex) would be needed to perform these steps.

Section 7 — Keeping the Lights On

The infrastructure runs on autopilot. Nothing requires daily attention. But some things require periodic action:

Recurring Obligations

What When What Happens If Missed
Delaware franchise tax By March 1 each year $200+ penalty. Company revoked if unpaid 3 years.
Domain: ucca.online Annual renewal All UCCA services break.
Domain: rtopacks.com.au Annual renewal RTOpacks product goes offline.
Google Workspace Check billing cycle Email stops. Cascading failure to all services.
Twilio balance Prepaid (~$0.23/mo) Phone stops when depleted.
Cloudflare Free tier No bill. If upgraded, payment required.

What Runs Without Intervention

  • All websites and APIs
  • Status page
  • Daily backups (launchd, requires Mac Mini powered on)
  • Phone system (until Twilio balance depletes)
  • Email (until Google Workspace billing lapses)
  • DNS resolution

What Eventually Stops

  • Backups — if Mac Mini is powered off or lost
  • Twilio phone — when prepaid balance depletes (months away)
  • Google Workspace — if payment lapses
  • Domains — if not renewed
  • Delaware entity — if franchise tax unpaid for 3 years

Section 8 — What NOT to Do

These mistakes can make recovery harder or impossible

  • DO NOT delete any GitHub repositories
  • DO NOT delete any Cloudflare Workers, D1 databases, or R2 buckets
  • DO NOT run terraform destroy
  • DO NOT change the admin@ucca.online password without updating 1Password
  • DO NOT share 1Password credentials outside the shared vault
  • DO NOT modify code or configuration unless you are a developer who understands the system
  • DO NOT contact support services claiming to be Tim — use account recovery with 1Password credentials
  • DO NOT panic — everything important is in the cloud (GitHub, Cloudflare, Google Drive) and declared in code (Terraform)

Section 9 — Recovery Scenarios

Scenario A: Tim unavailable for days to weeks

Do nothing. Everything runs on autopilot. Monitor status.ucca.online. Check admin@ucca.online inbox periodically for urgent notifications using credentials from 1Password.

Scenario B: Tim unavailable for months

  • Pay Delaware franchise tax if due (March 1)
  • Ensure domain renewals are paid
  • Ensure Google Workspace billing continues
  • Top up Twilio balance if phone service needed
  • Contact Alex if technical decisions needed

Scenario C: Tim permanently unavailable

  • Access admin@ucca.online using 1Password credentials
  • Access Mac Mini using 1Password credentials (or set up new machine per Section 6)
  • Contact Alex to take over technical operations
  • Review all accounts in Section 4 and ensure billing continues
  • Engage a lawyer regarding the legal entities (Section 2)
  • Consider transferring GitHub account ownership to Alex or a new technical lead

Scenario D: Mac Mini lost or destroyed

NOT a crisis. All code on GitHub, infrastructure in Terraform, data backed up to Google Drive. See Section 6 for recovery steps.

Scenario E: admin@ucca.online compromised

  1. Immediately change password (new password → 1Password)
  2. Revoke all active sessions in Google security settings
  3. Check Cloudflare for unauthorised changes
  4. Check GitHub for unauthorised commits or collaborators
  5. Rotate Twilio auth token
  6. Review Slack workspace for unauthorised members
  7. Post incident on status.ucca.online if services affected
  8. Update all changed credentials in 1Password

Section 10 — Dependency Chain

admin@ucca.online (Google Workspace)

If this goes down, EVERYTHING is affected:

  • Cloudflare → all websites, DNS, databases, storage
  • GitHub → all source code
  • Slack → incident.io → status page
  • Twilio → phone system
  • OTP emails for Cloudflare Access → ops, docs, knowledge
  • Google Drive → database backups

Cloudflare

If down: ALL websites and APIs stop. DNS stops resolving. Databases inaccessible. Extremely rare.

GitHub

If down: Source code temporarily inaccessible. Local copies exist on Mac Mini. Running services unaffected.

Mac Mini

If down: Daily backups stop. New deployments impossible until replaced. Running services unaffected. Code safe on GitHub.

Section 11 — Financial Overview

Service Cost Payment Method
Cloudflare Free tier N/A
Google Workspace Education Free tier (verify) N/A
Twilio ~$1.25/month Prepaid balance
incident.io Free tier N/A
Slack Free tier N/A
GitHub Free (personal account) N/A
Domain: ucca.online Annual renewal 🔒 1Password: UCCA Shared › Domains › Registrar login
Domain: rtopacks.com.au Annual renewal 🔒 1Password: UCCA Shared › Domains › Registrar login
Delaware franchise tax ~$225/year corp.delaware.gov (manual payment)

Section 12 — Updating This Document

This document is part of the full cycle rule in CLAUDE.md. It is automatically updated by Claude Code when infrastructure changes.

The companion credential register in 1Password must be updated manually whenever:

  • A password changes
  • A new service or account is added
  • A service is removed or replaced
  • Recovery codes are regenerated
  • The Mac Mini is replaced
  • A new team member gets access

Version History

Version Date Change Author
1.0 2026-03-03 Initial creation (sealed envelope version with handwritten credentials) Tim Rignold
2.0 2026-03-03 Separated secrets to 1Password. Document now shareable and auto-updatable. Tim Rignold / Claude