Any IT administrator who uses software-as-a-service (SaaS) such as Microsoft 365 or Google Workspace for business data likely also knows about the shared responsibility model.

The shared responsibility model means that both Google Workspace and Microsoft 365 protect against service interruptions due to hardware or software failure, natural disasters, or power outages. However, your business is responsible for protecting the data against accidental deletion, ransomware/malware attacks, or even attacks by malicious insiders.

As such, before (sometimes during, or after) the migration process to Google Workspace or Microsoft 365, IT administrators seek to reinforce their data and begin to vet third-party backup companies.

While assessing the various options for data backup and recovery for your business, consider these six key factors that will help you select a vendor that best fits your business.

1. Location

One of the first questions to ponder is where the third-party stores your data: Is it in a public or private cloud?

The answer to this question will have a direct impact on:

  • Cost
  • Reliability
  • Speed of backups and restores

Opting for a backup company that utilizes a public cloud, like Amazon Web Services (AWS), can seem attractive at first because of its cost-effectiveness and flexibility. However, depending on how much data your company needs to store, a public cloud can also mean that the cost of storage space affects customer price points.

As your business evolves and stores more data, moving to a private cloud can substantially reduce costs and help you better serve customers.

2. Functionality

At a basic level, when working with a vendor, talk about the user interface and dashboard. Is their portal something easy to use or are you struggling to figure out basic functions? The more intuitive the portal, the more you’ll get out of it.

It’s also important to get into the meat of the technology. Within the portal, do you have manual control to back up your data as you choose? What are the predetermined options for backing up your data:

  • Frequency: How often is your data backed up? For example, does the backup occur once per day or at another regular interval throughout the day? Is there an extra charge to back your data up more than once a day?
  • Automated: Will the technology automatically back your data up, or will you have to manually back data up each day?
  • Backup time: What times do backups occur? This could be a specific time of the day (e.g. 5:00 pm) or at some guaranteed window of time each day (e.g. between 4:00 pm and 6:00 pm).
  • Data retention: How long will your data remain in the vendor's system, and can you adjust the time period? Will the data be cleared automatically after a set period of time, or will it require manual deletion?

The more control you have over your data (with the least amount of effort) the more protected you’ll feel.

3. Access to Backups

When it comes time to recover your data, it’s crucial to understand how seamless the process will be.

This matters especially if your business experiences an outage or a disaster that renders your data inaccessible, as when Microsoft was down for 5 hours back in September of this year.

Your backup solution should make it easy, fast, and efficient to recover your data without draining your human or financial resources. When considering a third-party vendor, ask:

  • Can I easily find the data I need? The vendor's search feature will be an important tool whenever you need to retrieve data. Ask if you can search by user, application type, metadata, or full text.
  • Can I use my retrieved data as needed? Ask if you’ll have the capability to edit, copy, or adjust data as needed.
  • How is backed-up data restored to its original location? Some vendors offer "restore in-place," meaning that the backup copy will automatically get placed in its original location. If this is the case, make sure you can differentiate the backup from other copies with the same file name. Other vendors may require you to export and then manually re-import the file to the original location.
  • Will the vendor's application be available when I need it? You should always read and understand the Service Level Agreement (SLA) of your SaaS vendor before entering into a partnership. The SLA outlines everything you should expect from your vendor and acts as a legal document. Most importantly, your vendor should have an uptime guarantee within their SLA, which guarantees the percentage of time an application is accessible.

4. Durability

If you’re trusting a third-party company with your data, you’ll want to observe their company’s backup and recovery plan to understand what procedures they have in place to ensure your data won’t get lost, damaged, or corrupted over time.

Durability is a specified number. Look for a vendor that guarantees at least 99.99% but reliably offers more. Your business likely has its own acceptable durability threshold, and the vendor’s durability threshold should be equal to or better than your own.

You can also ask the third-party company about details on their redundancy, distribution, and availability levels and whether or not they have built-in corruption detection.

5. Security and Encryption

Your vendor must have clearly documented security policies. This will typically include at least the following:

  • Methods for securing hardware
  • Frequency of security updates and audits
  • Policy for notification of breaches
  • User password strength requirements

SOC 2 reports are a great tool for understanding your vendor's security capabilities. These audits assess five fundamental principles:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

You can also inquire about the vendor's policy for third-party penetration testing. Reputable vendors regularly conduct these exercises and share the general results with customers.

Finally, ask how your vendor manages encryption keys. For example, a vendor may use a single key for all customers, which is the least secure management method. It is much better if the vendor offers a unique key for each customer, user, or data object.
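The difference in exposure between these key-management models, as an added Python example that is not from the original article or from any vendor. It assumes hierarchical derivation with HKDF-SHA256 (RFC 5869) as one way to obtain per-customer and per-object keys; the master key, customer names and object IDs are constructed for illustration.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, info: bytes, salt: bytes = b"", length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# Constructed demo value; a real master key is random and kept in an HSM/KMS.
DEMO_MASTER = bytes(range(32))

# Constructed backup inventory: (customer, object id).
BACKUPS = [
    ("acme", "mail/0001"),
    ("acme", "drive/0002"),
    ("globex", "mail/0001"),
    ("initech", "drive/0009"),
]

def customer_key(master: bytes, customer: str) -> bytes:
    return hkdf_sha256(master, b"customer:" + customer.encode())

def object_key(cust_key: bytes, object_id: str) -> bytes:
    return hkdf_sha256(cust_key, b"object:" + object_id.encode())

def key_for(scheme: str, master: bytes, customer: str, object_id: str) -> bytes:
    """Key that protects one backup under the given (assumed) scheme."""
    if scheme == "shared":            # one key for all customers
        return master
    cust = customer_key(master, customer)
    if scheme == "per-customer":      # one key per customer
        return cust
    return object_key(cust, object_id)  # "per-object": one key per data object

def exposed_by_leak(scheme: str, master: bytes, customer: str, object_id: str):
    """Backups readable by someone who obtains the key protecting one backup."""
    leaked = key_for(scheme, master, customer, object_id)
    return [(c, o) for c, o in BACKUPS if key_for(scheme, master, c, o) == leaked]

if __name__ == "__main__":
    for scheme in ("shared", "per-customer", "per-object"):
        hit = exposed_by_leak(scheme, DEMO_MASTER, "acme", "mail/0001")
        print(f"{scheme:13} leak exposes {len(hit)}/{len(BACKUPS)} backups: {hit}")
```

When asking a vendor about key management, the question this models is how many customers' backups a single leaked key would expose.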

6. Compliance

Depending on your industry, you may need a vendor that adheres to specific standards such as HIPAA, PCI-DSS, SOC 2 and GDPR.

To ensure compliance over your data, your third-party vendor should give you control over how long you choose to retain your data, make it easy to delete data from the system, and provide point-in-time backups.

Additionally, your backup vendor should offer flexibility in physical storage location to accommodate compliance requirements like data residency and governmental or corporate regulations.