Software as a service has become a way of life for many organizations, but it has not always been clear whether customer data is being fully protected from accidental deletion, incorrect modifications or similar scenarios. In some cases, backups can help recover from such errors, depending on their frequency.
However, backups only help if they account for the service's data retention policies. Retention policies define the length of time that data is retained before it is permanently deleted from the system.
SaaS retention policies can vary significantly between vendors and even between products from the same vendor. These differences point to the importance of understanding the policies whenever signing on for cloud-based services. Once data has been removed from a vendor's system, it is gone forever, unless there's a backup waiting in the wings.
Below are four popular vendors that provide SaaS options and what their data retention policies contain.
Dropbox provides a collaborative environment for storing, syncing and sharing files. The service saves deleted files and previous file versions for a set number of days, depending on the level of service. For personal plans -- Basic, Plus and Family -- Dropbox retains the files and their versions for 30 days. For Dropbox Professional and Business, that number is 180 days. Dropbox Business customers can opt for the Extended Version History add-on or the Data Governance add-on, which gets them 10 years of version history, and Dropbox Plus customers can use the Extended Version History add-on to get one year of version history.
Users can also permanently delete files they own, in which case the service immediately purges the files from the Dropbox servers. In addition, Dropbox Business team administrators can permanently delete any team files, no matter who on the team owns them. They can also limit the ability of team members to permanently delete files. Once files have been permanently deleted, they cannot be recovered.
However, the Data Governance add-on enables Business team administrators to create data retention and disposition policies to help meet compliance and regulatory requirements, as well as other business needs.
Google offers many SaaS products, and understanding the company's various retention policies can be a daunting task, especially when compared to SaaS vendors such as Dropbox. According to Google, the company retains "the data we collect for different periods of time depending on what it is, how we use it and how you configure your settings." Users can delete the data they create or upload whenever they like, or they can set it up to be deleted automatically after a set period of time. When a user deletes data, Google launches a process that completely removes the data from its storage systems. This can take up to two months, although data can linger in the backup systems for up to six months.
SaaS retention policies vary significantly from one Google service to the next, and they can change over time. For example, Google Drive used to retain files that were moved to the trash until the user specifically deleted them or the account was closed. In October 2020, Google updated its retention policy so that files moved to the trash are automatically deleted after 30 days.
This is similar to how Gmail has long dealt with email messages. After 30 days in the trash, they're automatically deleted. The retention policy is much different for Google Cloud Filestore, a fully managed file storage service. If an administrator deletes a Filestore instance, all data on that instance is deleted and cannot be recovered unless there is a backup in place. Google offers no 30-day grace period for Filestore data, as it does for Google Drive and Gmail.
Microsoft offers a wide range of SaaS products, whose retention policies can vary significantly and can be confusing to track. Even within a service, there can be different policies. For example, Microsoft 365 defines two types of deletion scenarios: active and passive. Active deletion is when a user or administrator deletes data, and passive deletion occurs when the tenant subscription ends.
Microsoft retains customer content for 30 days after an active deletion and 180 days after a passive deletion. Plus, when a paid subscription is terminated, Microsoft retains customer data in a limited-function account for 90 days to enable the subscriber to extract the data.
But this is not the entire story. Microsoft 365 customers can also request expedited subscription deprovisioning, in which case data is deleted three days after an administrator enters a Microsoft-provided lockout code. Additionally, customers can apply retention policies to specific Microsoft 365 services, such as Exchange Online, SharePoint Online, Microsoft Teams, OneDrive for Business and others. In this way, an organization can retain content forever or permanently delete content after a specific period of time.
Microsoft 365 is only one of many Microsoft cloud offerings, each with its own SaaS retention policies. For example, Azure Application Insights retains raw data points for up to 730 days, but customers can set the retention time to shorter durations.
Compared to Google and Microsoft, a product like Slack -- an online communication and collaboration platform -- is much easier to understand when it comes to its SaaS retention policies. Slack retains all messages and files for the lifetime of a customer's workspace unless the data is deleted directly by an end user or the data expires as a result of an applied retention policy. Slack removes all deleted and expired customer data from its production servers every night. The data is then permanently deleted from the Slack backup systems within 14 days. Once data has been fully deleted, it cannot be recovered, even if requested by law enforcement or a government agency.
Customers can configure retention policies that specify when to delete data. The retention settings apply to all messages and files, including those that have been pinned or saved. When applying retention policies to their data, customers can retain their data, along with tracking message edits and deletions, or they can retain the data without tracking edits and deletions. They can also specify that their data be automatically deleted after a specified number of days. In addition, administrators can grant team members the ability to override retention settings for individual conversations. Regardless of the settings, however, all message and file deletions are permanent.