SaaS data backup
The platform's resilience protects against the vendor's failures, never yours. The real retention windows, and what recoverable actually requires.
of ransomware attacks went after the backups (Sophos, 2024)
of victims restored encrypted data from backups, a six-year low (Sophos, 2025)
A sync client propagates encrypted files into the cloud copy as faithfully as it ever synced the real ones.
what it is
Every major SaaS platform runs a shared-responsibility model: the vendor keeps the service available and durable against their infrastructure failing; the customer is responsible for their own data, including recovering it from deletion, corruption, or compromise on the customer's side.
The windows are shorter than most teams assume. In Google Workspace, a deleted Drive file sits in trash for 30 days, after which admins have roughly 25 more days to restore it. In Microsoft 365, mailbox items past the Deleted Items folder land in Recoverable Items with a default of 14 days (extendable to 30), and SharePoint and OneDrive recycle bins run 93 days. After the window: gone, and support cannot bring it back. All of it amounts to a grace period rather than a backup.
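The staged windows above can be turned into a deadline check. This is an added example, not part of the original page: it models each platform's windows as back-to-back stages and reports which native restore path, if any, is still open on the day a deletion is discovered. The platform keys, function names and sample dates are constructed; the day counts are the ones quoted above (the 25-day admin period is approximate) and should be replaced with figures from the vendor's own documentation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Day counts as quoted on this page; stages run back to back, the first one
# starting on the date the item entered it. Keys are hypothetical labels.
WINDOWS = {
    "drive": [("user trash", 30), ("admin restore (approx.)", 25)],
    "m365_recoverable_items": [("Recoverable Items", 14)],  # extendable to 30
    "sharepoint_onedrive": [("recycle bin", 93)],
}

@dataclass
class Verdict:
    stage: Optional[str]   # native path still able to restore, None once gone
    final_deadline: date   # last day any native restore is possible
    days_left: int         # negative after the final deadline

def evaluate(platform, entered, discovered, windows=WINDOWS):
    """Return which native restore stage, if any, is open on `discovered`."""
    end, live = entered, None
    for name, days in windows[platform]:
        end += timedelta(days=days)
        if live is None and discovered <= end:
            live = name
    return Verdict(live, end, (end - discovered).days)

# Constructed sample events: (label, platform, entered window, discovered).
EVENTS = [
    ("deck deleted, noticed next week", "drive", date(2025, 1, 6), date(2025, 1, 13)),
    ("leaver's files, noticed at week six", "drive", date(2025, 1, 6), date(2025, 2, 20)),
    ("folder emptied, found in month three", "drive", date(2025, 1, 6), date(2025, 3, 20)),
    ("mail purged, noticed after three weeks", "m365_recoverable_items",
     date(2025, 1, 6), date(2025, 1, 27)),
    ("site library deleted", "sharepoint_onedrive", date(2025, 1, 6), date(2025, 3, 20)),
]

def report(events, windows=WINDOWS):
    """One row per event: label, open stage or loss marker, deadline, days left."""
    rows = []
    for label, platform, entered, discovered in events:
        v = evaluate(platform, entered, discovered, windows)
        rows.append((label, v.stage or "GONE: independent backup only",
                     v.final_deadline.isoformat(), v.days_left))
    return rows

if __name__ == "__main__":
    for row in report(EVENTS):
        print(row)
```

Passing a modified copy of `WINDOWS` as the `windows` argument shows the effect of a tenant setting, such as the Recoverable Items window extended to 30 days.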
why it accumulates
The gap persists because the platforms feel safe. Files sync, versions exist, nothing ever seems lost, so backup drops off the list that on-prem servers kept it on. Meanwhile the business moves entirely into SaaS: the CRM, the finance system, the documents, the code. The data that would once have been on a backed-up file server now lives in twenty platforms, each with its own retention quirks and most with no backup at all.
In Backupify's 2025 survey of more than 3,000 IT professionals, 87% reported losing SaaS data in the previous year, with accidental deletion the leading cause. The figure is vendor-commissioned, and it is consistent with what the retention windows above predict.
what it costs you
The ordinary cost is permanent loss from ordinary causes: a leaver's account deleted along with the only copy of their files, a folder emptied in error and discovered in month three, a sync client faithfully propagating ransomware-encrypted files into the cloud copy.
The strategic cost shows up in extortion. Ransomware resilience assumes recovery, and only 54% of victims restored encrypted data from backups in 2025, a six-year low (Sophos). A company whose business data lives in SaaS with no independent copy has quietly opted out of the recovery half of that defense. Attackers who reach an admin account can also reach the retention settings.
Compliance closes the loop: NIS2's security measures name backup management explicitly, and an auditor's "show me a tested restore" has no good answer when the strategy is "Google keeps it."
what works
The backup decision starts smaller than it looks. The list that matters contains the systems whose loss stops invoicing, delivery, or sales, which usually means five to ten platforms rather than the full three-hundred-app estate. Each of those gets checked against its real retention numbers, taken from the vendor's own documentation rather than a reseller's reassurance, with attention to which window is the user-facing trash and which is the true end of the line, since the admin-restore period in Workspace and the Recoverable Items window in Microsoft 365 both expire quietly and without warning.
For that short list, independent SaaS-to-SaaS backup is the control that holds, and one specific property does most of the work: at least one copy sits outside the platform's own admin reach. A backup the platform admin can delete shares its fate with the data, because an attacker who compromises the admin account can reach data, retention settings, and backup in the same session. This is also the property extortion tests, since recovering from ransomware without paying assumes a clean copy the attacker could never touch.
A backup that has never restored anything remains a hope with a logo, which is why the working practice is a quarterly timed restore of one file, one mailbox, one record. The timing matters as much as the success: a restore that technically works but takes a week answers an auditor's question and still fails the business. The last connection point is offboarding, where a leaver's data gets exported or transferred before the account deletion, as a checklist item rather than a memory exercise, because account deletion is precisely the ordinary event that turns a retention window into a permanent loss.