SaaS shared responsibility model: What vendors don't cover
Don't let your organization lose cloud data to misplaced trust and thin vendor protections. Learn what providers don't cover and how to build backups that pass audits.
Your reliance on SaaS can backfire if you don't recognize the burden of backup and recovery rests on you.
Backing up on-premises data is familiar to organizations of all sizes. But when it comes to Software-as-a-Service (SaaS) backup, the practices are neither uniform nor well understood. Does the SaaS provider back up user data? Who handles the recovery?
Cloud reliability isn't data protection
Microsoft and Salesforce, two titans in the enterprise SaaS space, make it plain in their legal terms: the provider owns platform availability, while the customer is responsible for data protection. Both vendors ship basic safeguards in their apps and have expanded the integrated backup capabilities on their platforms in recent years, but those features are optional add-ons or short-window conveniences. Ultimately, the customer remains solely responsible for their data.
The reliance on the cloud and its supposed reliability has led to the false assumption that vendors back up all data simply because it lives on their platforms. A 2024 Gatepoint Research survey found 58% of executives say they use Microsoft to back up their SaaS data. AppOmni's "State of SaaS Security 2025" report said that 75% of organizations experienced a SaaS security incident in the past 12 months. According to the "2025 State of SaaS Backup and Recovery" -- a vendor-commissioned global survey of more than 3,700 IT professionals -- 87% said they experienced SaaS data loss in 2024, with malicious deletion the most common cause.
The consequences of those misconceptions hit hard in 2025 when the ShinyHunters cyberattack targeted Salesforce customers and allegedly compromised 1 billion records across more than 30 organizations, including Adidas, Allianz Life and TransUnion. The attackers used social engineering over phone calls to trick employees of those companies into authorizing data extraction from the Salesforce CRM. Organizations without independent backups faced a choice: pay a ransom or accept permanent data loss. One caveat: a backup restores records that were deleted or tampered with; it does nothing about records that were exfiltrated, so backup is one control among several here, not a substitute for hardening connected-app authorization and monitoring bulk exports.
What shared responsibility really means
Understanding shared responsibility is a critical component of cloud operations.
Simply put, the shared responsibility model places service uptime and infrastructure security on the cloud or SaaS provider, but customers own data protection: backup, recovery testing, retention and compliance. The distance between that reality and what most organizations assume creates governance and compliance gaps that typically surface only during an incident.
Customer responsibility covers everything vendors exclude: protection against user error, ransomware and insider threats. Organizations must implement retention policies aligned with regulatory requirements -- GDPR's storage-limitation principle and erasure obligations, which apply to backup copies as well as to live data; HIPAA's six-year retention for security policies and procedures documentation; and SOX's seven-year retention for financial audit records -- while maintaining geographically separate backups and verified recovery procedures.
Where the provider ends and you begin
For many enterprises, Microsoft 365 is the de facto choice for cloud-based collaboration. Microsoft secures and manages this platform, while the customer is responsible for their data, including backups, recovery and long-term compliance.
Microsoft has native protections in specific products that serve as operational safeguards for scenarios such as user error, but they are not a substitute for independent backup and recovery. For example, Exchange Online retains deleted items for 14 days by default -- configurable per mailbox up to a maximum of 30 days -- and the SharePoint and OneDrive recycle bins retain deleted files for 93 days in total across the first- and second-stage bins.
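The Exchange Online deleted-item window is a per-mailbox setting, so the first practical step is to find out where a tenant actually stands rather than assume the 14-day default. The following script is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and the account used has Exchange administrator rights. It lists every mailbox whose RetainDeletedItemsFor is below the 30-day ceiling and, only when run with the assumed -Apply switch, raises those mailboxes and the mailbox plans (which new mailboxes inherit from) to 30 days.

```powershell
# Added example, not from the article. Requires the ExchangeOnlineManagement module
# and an Exchange administrator account. Without -Apply it only reports.
param(
    [switch]$Apply
)

Connect-ExchangeOnline -ShowBanner:$false

# Exchange Online caps deleted-item retention at 30 days; anything longer
# needs retention policies or holds, which are compliance tools, not backup.
$ceiling = [TimeSpan]::FromDays(30)

# Audit: RetainDeletedItemsFor comes back as a string ("14.00:00:00") from the
# REST-based cmdlets and as a time span object from older ones; parsing the
# string form handles both.
$short = Get-Mailbox -ResultSize Unlimited |
    Where-Object { [TimeSpan]::Parse($_.RetainDeletedItemsFor.ToString()) -lt $ceiling } |
    Select-Object DisplayName, UserPrincipalName, RetainDeletedItemsFor

$short | Format-Table -AutoSize
Write-Host ("{0} mailbox(es) below the 30-day ceiling" -f @($short).Count)

if ($Apply) {
    # Raise existing mailboxes to the ceiling
    foreach ($mbx in $short) {
        Set-Mailbox -Identity $mbx.UserPrincipalName -RetainDeletedItemsFor $ceiling
    }
    # Mailbox plans define the default for mailboxes created later, so fix
    # them too or the next new user drops back to 14 days.
    Get-MailboxPlan | ForEach-Object {
        Set-MailboxPlan -Identity $_.Identity -RetainDeletedItemsFor $ceiling
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without -Apply to get the report, and treat the output as evidence for the contract and retention review rather than as a fix: even at 30 days the window is short, it covers only items the user or an administrator deleted, and it is not an independent copy of the mailbox.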
For large-scale data loss, the Microsoft 365 Backup service provides point-in-time restoration for Exchange Online, OneDrive and SharePoint Online. It offers a one-year retention window. Microsoft advises its customers to use a mix of data protection products to meet recovery and compliance objectives.
Salesforce follows a similar shared responsibility model. The vendor manages platform availability, while its enterprise customers are responsible for their data. The company's $1.9 billion acquisition of Own in September 2024, now offered as Salesforce Backup & Recover, underscores the need for supplemental backup options for enterprises. This offering runs daily backups with granular restore capabilities and flags unusual data activity.
Salesforce documentation stresses the need for a combination of data protection options to meet recovery and compliance requirements.
How backup gaps turn into outages
Without independent backups, enterprises face four categories of risk:
- Regulatory exposure. Organizations that lack records for proper backup retention or the ability to restore backups reliably might not be able to prove compliance during audits.
- Operational disruption. Native SaaS vendor tools tend to offer short recovery windows. Once that window closes, the data is unrecoverable from the vendor, and the business processes that depend on it can stall.
- Financial impact. Cyber insurance increasingly requires immutable, tested backups as prerequisites for coverage and can reject claims from organizations with inadequate backup strategies.
- Strategic governance gaps. Backup failures reflect broader organizational failures. With most organizations wrongly assuming SaaS includes backup, the gap exists at the leadership level, not just IT operations. Gartner projects that by 2028, 75% of enterprises will prioritize SaaS backup as a critical requirement, up from 15% in 2024, as boards recognize data governance requires direct executive oversight.
Immediate steps to cut risk
Ignoring the SaaS backup blind spot in the shared responsibility model carries significant risk, but there are steps organizations can and should take. Consider the following steps to help limit risk and increase SaaS backup visibility:
- Audit contracts. Don't rely on marketing material; closely review the commercial licensing terms, which define the roles of the provider and the customer. Document what the vendors do not cover.
- Map retention to reality. Compare regulatory requirements, such as GDPR, SOX and HIPAA, with the vendor's default capabilities and adjust your technology stack to address any data protection gaps.
- Assign executive ownership. Establish cross-functional governance groups with clear accountability for backup strategy, testing, compliance and user awareness programs.
- Choose the right tool combination. Enterprise-grade options range from dedicated SaaS backup platforms to comprehensive data protection suites. Organizations should assess products based on recovery capabilities, compliance support and fit with existing workflows.
The critical point is that SaaS providers don't provide full backup and recovery for your data by default. Organizations need to take their share of shared responsibility and treat SaaS backup like on-premises backup -- as a priority.
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.