How are folks backing up SaaS applications? Office365, Veeva, Netsuite, etc. Do you just trust SOC II reports and assume the SaaS vendor is backing up your data regionally across data centers? I don't trust it. I am trying to build a rock solid DR plan, however we are stuck on this point.thanks

Question

How are folks backing up SaaS applications?  Office365, Veeva, Netsuite, etc. Do you just trust SOC II reports and assume the SaaS vendor is backing up your data regionally across data centers? I don't trust it. I am trying to build a rock solid DR plan, however we are stuck on this point.thanks

Answer

In the case of highly critical SaaS & PaaS applications, we have extracts from database and back them up in case of catastrophic failure (or in the event we may need to restore and transfer the data -- e.g. to a different ERP system, etc.).    Don't backup Office365 e-mail, calendaring, etc as we have a contract, SLAs, guarantees, a Business Associates Agreement (BAA), SOC II, etc with Microsoft.  Similarly with Box.com.We do have backups performed explicitly of IaaS systems (VMs) in AWS and Azure and backed up across regions.

Answer

There something important to understand about SOC 2 reports, that most people do not realize. When you see PCI, ISO 27001 or similar logo on a vendors web site, that means that are complaint with that specific standard or regulation. But when you see a SOC 2 logo, all that means is that they have undergone a SOC 2 attestation. Their SOC 2 report could be filled with critical exceptions that you may have significant issues with. With SOC 2, the expectation is that you will read the report and make a decision.  Think of it like a report card. You want to see if the grades are good, or failing.