Home Latest news from Computas Opus Shared responsibility for cloud backup – who is really responsible for what?

Shared responsibility for cloud backup – who is really responsible for what?

Cloud services make operations simpler, but data responsibility remains yours. Cloud services promise easier operations, freeing you from servers, patching, and infrastructure headaches. However, there’s one crucial responsibility you can’t escape: the ownership and protection of your own data.

Many organizations mistakenly assume that their SaaS provider also handles data backup and recovery. This isn’t the case. All major providers—from Atlassian to Salesforce—operate on a shared responsibility model, where backup and data protection are ultimately the customer’s responsibility.

What is shared responsibility?

The shared responsibility model is about who is responsible for what:

AreaSupplier’s responsibilityCustomer responsibility
Uptime and infrastructure
Platform-security
User data and content(your responsibility)
Access and rights(you configure users)
Backup and restore(often only short-term deletion)(must be handled separately)

How different SaaS providers handle this

Here’s a review of how six popular SaaS providers approach backup and liability:

Atlassian (Jira, Confluence, etc.)

  • In the Cloud Terms of Service section 6.3, Atlassian states:
  • “We recommend that you export your Data regularly and back it up to your own systems.”
  • “We do not guarantee that your Data will not be lost or corrupted and we disclaim any liability for such loss or corruption.”
  • Atlassian does not offer customer-managed backup or the ability to restore individual objects.
  • Data can be lost through user error, deletion, or integration failure.
  • For mission-critical Jira/Confluence environments, you should consider third-party backup (e.g. Rewind, HYCU, or your own API solutions).

HYCU – Data backup for SaaS Solutions

Google Workspace

  • In Google Workspace Terms section 4 (Customer Obligations): “Customer is responsible for any use of the Services under its account and for protecting its passwords.”
  • Documented limited recycle bin (30 days for Drive), no full backup.
  • Google recommends customers use third parties for data protection.

Microsoft 365 (Office, Outlook, OneDrive, Teams)

  • In the Microsoft Services Agreement and Trust Center: “You own your data. You are responsible for managing and backing up your content. ”Microsoft has limited retention policies (30–93 days).
  • Not suitable for backup – Microsoft recommends third-party solutions for long-term storage and recovery.

GitHub / GitLab

  • GitHub’s Terms of Service, Section D.6: “You are responsible for maintaining, protecting, and making backups of your Content.”
  • GitHub has no built-in backup solution.
  • Repositories can be deleted, and recovery is limited or impossible.
  • GitLab Community Edition requires manual or self-managed backups.
  • Even with GitLab Premium, you are responsible for your own backups.

Salesforce

  • Salesforce removed its own Data Recovery service in 2020, reintroducing it as an extremely expensive emergency service.
  • I Salesforce Trust FAQ: “We recommend that customers use a partner backup solution or build their own.” Salesforce does offer a Data Recovery Service – but it costs over $10,000 and takes weeks.
  • They explicitly recommend using a third-party backup solution.
  • They write: “Customers are responsible for backing up their own data.”

Miro

  • In Miro Terms of Service: “You are solely responsible for your data and its backup.”
  • Miro has limited “undo” and version history functionality.
  • User errors or deletions cannot always be reversed.
  • No dedicated backup/restore service for end users.
  • Enterprise customers must implement backup themselves via API or third party.

Risks of relying on the supplier alone

  • Accidental deletion (users closing Jira tasks, deleting Slack channels, removing customer data)
  • Attacks (ransomware, compromised API keys)
  • Integration misconfiguration
  • Lack of data access due to terminated subscriptions or account conflicts

What should you do as a technical manager?

  1. Identify which SaaS tools are used in the business.
  2. Read the vendor’s terms and conditions regarding data responsibility and backup.
  3. Establish an external backup solution for all critical services.
  4. Test restores regularly.
  5. Include the compliance and security team in the discussion.

Did you remember to backup Atlassian Cloud?

The cloud gives you flexibility, but not immunity

Every SaaS service follows a shared responsibility model. If you don’t have a clear backup and recovery strategy, you’re vulnerable – and the responsibility lies with you.

Feel free to contact us to learn more about backup and what backup solutions we have to support your backup process.

Want to know more?

Contact us for a non-binding conversation about
how we can help you.

Preben Huseby

Relatert innhold

HYCU – Sikkerhetskopiering av data

Beskytt din organisasjons viktigste data. Vår partner HYCU leverer databeskyttelse som en tjeneste (DPaaS). Plattformen deres tilbyr blant annet beskyttelse, gjenoppretting og samsvar-funksjoner for Jira, Confluence, Jira Service Management, BitBucket, Jira Work Management, Product Discovery og Trello.
Read more

Beskyttelse av tidsregistreringsdata med HYCU og Tempo Timesheets

Hos Computas er vi alltid på utkikk etter måter å hjelpe kundene våre med å forbedre bruken av viktige forretningverktøy. Derfor er vi glade for å dele HYCU sin nyeste oppdatering, som utvider den pålitelige Jira backup-løsningen til sømløst å inkludere Tempo Timesheets, den ledende tidsregistreringsappen i Atlassian-økosystemet.
Read more

NIS2-direktivet: Hvordan påvirkes Atlassian Cloud og hva må kunder foreta seg?

I en tid med økende cybertrusler er det viktigere enn noensinne å sikre at virksomheter er godt rustet til å møte disse utfordringene. NIS2 og DORA er to lovgivning initiativer fra EU som tar sikte på nettopp dette, og norske virksomheter må forholde seg til dem. Disse initiativene reflekterer EUs fokus på å styrke cybersikkerhet og sikre at kritiske tjenester og finansielle systemer kan motstå og komme seg etter cybertrusler og forstyrrelser. Fristen for implementering av NIS2-direktivet i Norge og EU er satt til 24. oktober 2024, noe som gir virksomheter begrenset tid til å sikre at de oppfyller de nye kravene.
Read more

How to build effective Rovo agents – a high-level guide

Rovo agents are AI “teammates” that live inside Atlassian Cloud. They help teams find information, learn from existing content and perform tasks. They follow the same permissions as your users, so answers and actions stay within what each person is allowed to see and change. For an organisation, this means fewer hand‑offs, less context switching, and faster outcomes across IT, HR, finance, product, and beyond.
Read more

Agile team: Hvordan bygge og lede team som faktisk leverer

You want agile teams, and it is easy to understand why. Because when you get it right, these teams are the engine behind faster innovation, higher engagement, and better results.

However, we often see organizations struggle to get their agile initiatives up to speed. You might start with standups and Jira, and your teams definitely feel busy. Despite this, deliveries remain fragmented, meetings eat up the day, and real learning never happens.
Read more

Hvordan utøve god ledelse i en agil verden?

What do you do when your organization asks you to let go of control – but still holds you responsible for results? Welcome to the new reality for many leaders and team leads in agile organizations.

You are asked to give your teams trust and autonomy. At the same time, you must “have control” and “deliver on strategy.” This often happens in organizations where top management still operates by hierarchical principles.
Read more

Discover more from Computas Opus

Subscribe now to keep reading and get access to the full archive.

Continue reading