Most UK businesses now rely on Software-as-a-Service applications for critical operations — from customer relationship management in Salesforce to marketing automation in HubSpot, and productivity tools in Microsoft 365. Yet a dangerous misconception persists: many organisations assume their SaaS provider is responsible for backing up their data. In reality, the shared responsibility model means your data protection is ultimately your problem.
The consequences of SaaS data loss are severe and often irreversible. Accidental deletions, malicious actions by disgruntled employees, synchronisation errors, and third-party app integrations gone wrong can all result in permanent data loss — and your SaaS provider’s native recovery options are typically limited in scope and time.
This guide explains why SaaS backup is essential, how to protect your most critical cloud applications, and what UK businesses need to consider when building a comprehensive SaaS data protection strategy.
The Shared Responsibility Model Explained
Every major SaaS provider operates under a shared responsibility model. This means the provider is responsible for the availability and security of the platform infrastructure, while you — the customer — are responsible for the data you put into it.
Salesforce, HubSpot, Microsoft, and Google all make this clear in their terms of service, though few customers read the fine print. In practical terms, this means:
- Platform uptime and availability
- Infrastructure security and patching
- Disaster recovery of the platform itself
- Physical data centre protection
- Network and application-level security
- Backing up your data within the platform
- Protecting against accidental or malicious deletion
- Managing user access and permissions
- Compliance with data protection regulations
- Recovery from data corruption or loss events
Salesforce’s Recycle Bin retains deleted records for only 15 days. HubSpot’s restore options are limited to 90 days for most object types. Microsoft 365 retention policies vary by service. After these windows close, your data is gone permanently unless you have an independent backup solution in place.
Why SaaS Providers Don’t Back Up Your Data
It’s important to understand that SaaS providers replicate your data for their own high-availability purposes — this is not the same as backup. Replication ensures the platform stays online if a server fails. But replication faithfully copies deletions and corruption too, which means if your data is damaged or deleted, the replicated copies are equally damaged or deleted.
SaaS providers don’t offer comprehensive backup services for several reasons: it would significantly increase their infrastructure costs, it creates complex liability issues around data retention and privacy regulations, and frankly, data protection is considered the customer’s responsibility under their terms of service.
Salesforce Backup Options
Salesforce is often the most critical SaaS application for sales-driven organisations, making its backup particularly important. Here are the available approaches:
Native Salesforce Tools
Salesforce offers a weekly data export feature that allows you to download your data as CSV files. This is better than nothing, but it’s manual, limited to weekly frequency, and restoring from CSV files is a complex and error-prone process. Salesforce also offers “Backup and Restore” as an add-on product, though it comes at significant additional cost.
Third-Party Backup Solutions
For most organisations, a dedicated third-party backup tool provides the best protection. These solutions offer automated daily backups, granular restore capabilities, and metadata backup that native tools often miss.
| Solution | Backup Frequency | Metadata Backup | Granular Restore | Typical Cost |
|---|---|---|---|---|
| OwnBackup (Own Company) | Daily | Yes | Record-level | £3–£8 per user/month |
| Spanning Backup | Daily | Yes | Record-level | £2–£5 per user/month |
| Grax | Configurable | Yes | Record-level | £4–£10 per user/month |
| Salesforce Backup and Restore | Daily | Limited | Object-level | £5–£12 per user/month |
| Weekly Data Export (Native) | Weekly | No | Manual CSV | Free (included) |
HubSpot Backup Strategies
HubSpot presents unique backup challenges because of its interconnected data model. Contacts, companies, deals, tickets, and marketing assets are all linked together, and preserving these relationships during backup and restore is critical.
HubSpot’s native export functionality allows you to export contacts, companies, deals, and tickets as CSV files. However, this doesn’t capture workflows, email templates, landing pages, forms, or the relationships between records. For comprehensive protection, you need a solution that backs up both structured data and marketing assets.
Schedule weekly exports of your core CRM data (contacts, companies, deals) as a baseline, and supplement this with a third-party backup tool that captures workflows, email templates, and relationship data. This two-pronged approach ensures you can recover from both minor data loss and major incidents.
Microsoft 365 Backup Considerations
Microsoft 365 is arguably the most widely deployed SaaS platform in UK businesses, covering email (Exchange Online), file storage (OneDrive and SharePoint), and collaboration (Teams). Microsoft’s native retention policies provide some protection, but they are not a substitute for proper backup.
Exchange Online retains deleted items for 14 days by default (extendable to 30 days). SharePoint and OneDrive have version history and a recycle bin with a 93-day retention period. However, these native tools have significant limitations for bulk recovery scenarios, and Microsoft explicitly recommends third-party backup in their service documentation.
Choosing a Third-Party Backup Tool
When evaluating SaaS backup solutions, UK businesses should consider several factors beyond just the feature list:
Data residency: Under UK GDPR and the Data Protection Act 2018, you need to know where your backup data is stored. Many providers offer EU or UK-based data centres, but you should verify this explicitly. Data stored outside the UK or an adequacy-assessed jurisdiction may create compliance issues.
Backup frequency: Daily backups are the minimum standard for business-critical applications. Some solutions offer more frequent backups (every 4, 6, or 8 hours) for organisations with low RPO requirements.
Restore granularity: Can you restore individual records, or only entire datasets? Granular restore capability is essential for practical day-to-day recovery scenarios, where the most common need is recovering a handful of accidentally deleted or modified records.
Restore speed: How quickly can you recover data when you need it? Some solutions offer near-instant restore for small datasets but take hours or days for bulk recovery. Understand the restore performance characteristics before you commit.
Backup Frequency and Retention
Your backup frequency and retention policy should align with your organisation’s Recovery Point Objective (RPO) and any regulatory requirements. Here’s a practical framework:
UK GDPR Compliance Considerations
SaaS backup introduces specific GDPR considerations that UK businesses must address:
Right to erasure: When a data subject requests deletion of their personal data, you must ensure it is deleted from your backups as well as the live system. Some backup solutions offer selective deletion capabilities specifically for this purpose.
Data processing agreements: Your backup provider is a data processor under UK GDPR. You must have a Data Processing Agreement (DPA) in place that specifies how they handle your data, their security measures, and their obligations around breach notification.
Data residency: Backups stored outside the UK require appropriate safeguards under UK GDPR, such as Standard Contractual Clauses or an adequacy decision. Verify your backup provider’s data storage locations.
If your backup solution cannot selectively delete individual records from backups, you may face challenges complying with data subject erasure requests. Ensure your chosen solution supports granular deletion or has a clear process for handling these requests within the regulatory timeframe.
Cost of SaaS Data Loss
The financial impact of SaaS data loss extends far beyond the immediate recovery effort. Consider these cost factors:
Direct recovery costs: Engineering time to identify what was lost, attempt recovery through native tools, and rebuild data manually. For a significant Salesforce data loss, this alone can run into tens of thousands of pounds.
Business disruption: Sales teams without CRM data cannot work effectively. Marketing campaigns pause. Customer service suffers. The productivity impact compounds daily until data is restored.
Regulatory penalties: If personal data is permanently lost due to inadequate backup, this may constitute a breach under UK GDPR, potentially triggering notification requirements and fines from the ICO.
Customer trust: If data loss affects customer-facing services or forces you to contact customers about lost data, the reputational damage can have long-term revenue implications.
Automated vs Manual Exports
Many UK businesses still rely on manual data exports as their “backup strategy” for SaaS applications. While better than nothing, this approach has significant limitations:
- Free (no additional software cost)
- Relies on someone remembering to run the export
- CSV format — complex to restore relationships
- Doesn’t capture metadata, workflows, or configurations
- Restoring is a manual, error-prone process
- No alerting if exports fail or are missed
- Monthly per-user cost (£2–£10 typically)
- Runs automatically on schedule without human intervention
- Preserves data relationships and record hierarchies
- Captures metadata, configurations, and attachments
- One-click or automated restore capabilities
- Monitoring, alerting, and compliance reporting built in
Building Your SaaS Backup Strategy
Here’s a practical step-by-step approach for UK businesses looking to implement comprehensive SaaS backup:
Step 1: Audit your SaaS applications. Create a complete inventory of every SaaS application your organisation uses and classify each by criticality. Focus your initial backup efforts on tier-one applications (CRM, email, file storage).
Step 2: Understand native recovery options. Document what each provider offers natively — retention periods, export capabilities, and any built-in backup features. This helps you identify the gaps that third-party backup needs to fill.
Step 3: Define your RPO and RTO. For each critical application, determine how much data loss is acceptable (RPO) and how quickly you need to be able to restore (RTO). These requirements drive your solution selection.
Step 4: Select and implement backup solutions. Choose solutions that cover your critical applications, meet your RPO/RTO requirements, comply with UK data residency needs, and fit your budget.
Step 5: Test your restores regularly. A backup is only valuable if you can restore from it. Schedule quarterly restore tests for each critical application to verify your backup is working correctly and your team knows the recovery process.
Step 6: Document and review. Document your SaaS backup policies, assign ownership, and review the strategy annually or whenever you add new critical SaaS applications to your stack.
Conclusion
SaaS backup is not optional — it’s a fundamental component of any modern data protection strategy. The shared responsibility model means your SaaS providers are not backing up your data in a way that protects against accidental deletion, malicious actions, or data corruption. UK businesses that rely on Salesforce, HubSpot, Microsoft 365, and other critical SaaS platforms need independent backup solutions that provide automated, comprehensive, and compliant data protection.
The cost of implementing proper SaaS backup is a fraction of the cost of a data loss incident. Whether you start with your most critical application or implement a comprehensive multi-platform strategy from day one, the important thing is to start. Your data is too valuable — and too vulnerable — to leave unprotected.
Need Help Backing Up Your SaaS Applications?
Our cloud backup specialists can assess your SaaS data protection gaps and implement automated backup solutions that keep your business data safe. Whether you need Salesforce backup, Microsoft 365 protection, or a comprehensive multi-platform strategy, we’re here to help. Get in touch for a free consultation.
Contact Us Today
CloudSwitched
London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.