diff --git a/projects/business/memory/infrastructure.md b/projects/business/memory/infrastructure.md
index 1f4d0a9..75949ef 100644
--- a/projects/business/memory/infrastructure.md
+++ b/projects/business/memory/infrastructure.md
@@ -135,7 +135,7 @@ Config in `/home/openclaw/.ssh/config`:
 
 ## Backup Strategy (TO IMPLEMENT)
 
-### Current State: ❌ NO BACKUPS
+### Current State: ✅ OPERATIONAL (since 2026-02-19)
 
 ### Plan: Borg to Hetzner Storage Box
 
@@ -179,7 +179,7 @@ Target: `u149513-sub11@u149513-sub11.your-backup.de:23` (already set up, SSH key
 ## Future Improvements
 
 ### Priority: High
-- [ ] **Implement Borg backup** (see above) — ZERO backups currently
+- [x] **Implement Borg backup** — operational since 2026-02-19 (DB every 6h, full daily at 03:00 UTC)
 - [ ] **DNS: staging.docfast.dev** → 46.225.37.135 — needed for staging ingress TLS
 - [ ] **Persist HA spread constraints** — CoreDNS scale, CNPG operator replicas, pooler anti-affinity are runtime patches. Need infra-as-code (manifests in Git) to survive K3s upgrades/reinstalls
 - [ ] **Decommission old server** (167.235.156.214) — still running, no longer serves traffic. Stop Docker, delete VM, save €4.5/mo
diff --git a/skills/k3s-infra/SKILL.md b/skills/k3s-infra/SKILL.md
index d0a789f..0d03dca 100644
--- a/skills/k3s-infra/SKILL.md
+++ b/skills/k3s-infra/SKILL.md
@@ -151,21 +151,40 @@ kubectl exec -n postgres <primary-pod> -c postgres -- psql -U docfast -d <dbname
 - Hetzner FW: `coolify-fw` (ID 10553199)
 - Port 6443: 10.0.0.0/16 + 178.115.247.134/32 (CI runner)
 
-## Backup (TO IMPLEMENT)
+## Backup ✅ OPERATIONAL
 
-**Current: ❌ NO BACKUPS**
+**Borg → Hetzner Storage Box**
+- Target: `u149513-sub10@u149513-sub10.your-backup.de:23`
+- SSH key: `/root/.ssh/id_ed25519` (k3s-mgr-backup)
+- Passphrase: `/root/.borg-passphrase` (on k3s-mgr)
+- Key exports: `/root/.borg-key-cluster`, `/root/.borg-key-db`
+- Script: `/root/k3s-backup.sh`
+- Log: `/var/log/k3s-backup.log`
 
-**Plan: Borg → Hetzner Storage Box**
-- Target: `u149513-sub11@u149513-sub11.your-backup.de:23`
-- SSH key already configured on k3s-mgr (`/root/.ssh/id_ed25519`, fingerprint `docfast-backup`)
-- Per-machine subdir: `./docfast-1/` (existing), `./k3s-cluster/` and `./k3s-db/` (planned)
+**Repos:**
+| Repo | Contents | Size |
+|------|----------|------|
+| `./k3s-cluster` | K3s SQLite, manifests, token, all namespace YAML exports, CNPG specs | ~45 MB |
+| `./k3s-db` | pg_dump of all databases (docfast, docfast_staging, snapapi, snapapi_staging) + globals | ~30 KB |
 
-**What to back up:**
-1. **Cluster state:** etcd snapshots + `/var/lib/rancher/k3s/server/manifests/` → daily
-2. **Databases:** pg_dump all databases → every 6h
-3. **K8s manifests:** export all resources as YAML → daily
+**Schedule (cron on k3s-mgr):**
+- `0 */6 * * *` — DB backup (pg_dump) every 6 hours
+- `0 3 * * *` — Full backup (DB + cluster state + manifests) daily at 03:00 UTC
 
-**Recovery:** Fresh nodes → K3s install → restore etcd or re-apply manifests → restore DB → update DNS → ~15-30 min
+**Retention:** 7 daily, 4 weekly (auto-pruned)
+
+**Recovery:**
+1. Provision 3 fresh CAX11 nodes
+2. Install K3s, restore SQLite DB from Borg (`/var/lib/rancher/k3s/server/db/`)
+3. Or: fresh K3s + re-apply manifest YAMLs from Borg
+4. Restore databases: `psql -U postgres -d <dbname> < dump.sql`
+5. Update DNS to new LB IP
+6. Estimated recovery time: ~15-30 minutes
+
+**Verify backup:**
+```bash
+ssh k3s-mgr 'export BORG_RSH="ssh -p23"; export BORG_PASSPHRASE=$(cat /root/.borg-passphrase); borg list ssh://u149513-sub10@u149513-sub10.your-backup.de/./k3s-db'
+```
 
 ## Common Operations