SaaS Backup Standards

This page defines DTC's standards for backing up SaaS platforms (Microsoft 365, Google Workspace, etc.). SaaS backup is separate from endpoint/server backup but follows the same retention philosophy defined in the Backup & Data Protection Standards.


Retention

SaaS backups follow the same default retention standard as endpoint backups: daily versions, 14 days local / 30 days cloud. Extended retention (weekly, monthly, yearly) is per-client request only.

Exception: If the SaaS backup provider does not charge extra for extended retention or unlimited data storage, configure unlimited retention. Many SaaS backup vendors (Backupify, Spanning, Datto SaaS Protection, etc.) include unlimited retention and storage in their per-user licensing with no additional cost. If that's the case, take it. There's no reason to artificially limit retention when the vendor isn't charging for it.

The rule is simple: match DTC's standard retention policy, or go unlimited if it's free. Don't pay extra for extended retention unless a client specifically requests and is billed for it.


Scope — What Gets Backed Up

Users

Every user account must be backed up. This includes all licensed users, shared mailboxes, and group mailboxes. The only exclusion is service accounts: accounts used for application integrations, automated processes, or system-level functions that don't contain user-generated data.

To be clear on what is and isn't a service account:

  • Shared mailboxes — Backed up. These contain business communications and are not service accounts.
  • Group mailboxes / distribution groups with mailboxes — Backed up. Same reasoning.
  • Room/resource mailboxes — Backed up if the provider supports it at no extra cost. Low priority but no reason to exclude.
  • Service accounts (e.g., an account used for SMTP relay, API integrations, automated notifications) — Excluded. These don't contain recoverable user data.

When in doubt, back it up. The cost of backing up one extra mailbox is negligible compared to the cost of discovering you needed it and didn't have it.

Shared Drives & SharePoint Sites

All shared drives and SharePoint sites must be backed up. No exceptions. This includes:

  • SharePoint team sites — Every site, including those created automatically by Teams channels
  • SharePoint communication sites — Company intranets, portals, published content
  • OneDrive for Business — Covered under user backup (every user's OneDrive is backed up with their account)
  • Google Shared Drives (for Google Workspace clients) — All shared drives, not just individual user drives

Shared drives and SharePoint sites often contain the most critical collaborative data in the organization: project files, templates, policies, client deliverables. Losing a SharePoint site with no backup is an unrecoverable event for most dental offices.


Configuration Checklist

When deploying or auditing a SaaS backup solution:

  • Every licensed user is included in the backup scope
  • Shared mailboxes are included (not excluded as "service accounts")
  • Group mailboxes are included
  • All SharePoint sites are included
  • All shared drives (SharePoint/Google) are included
  • Service accounts are excluded
  • Retention is set to DTC standard (daily versions, 14 days local / 30 days cloud) or unlimited if no extra cost
  • Backup frequency matches vendor capability (most run 1-3x daily automatically)
  • Backup success/failure alerts are configured and routed to DTC monitoring
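
One way to run the scope and retention items of this checklist as a repeatable audit, shown as an added example that is not DTC's or any backup vendor's tooling. The record fields, type labels and sample inventory are constructed assumptions; frequency and alert routing are not covered.

```python
# Added example: audit a SaaS backup scope against the checklist above.
# Field names ("type", "backed_up") and type labels are assumptions,
# not any vendor's export format.
MUST_BACK_UP = {"licensed_user", "shared_mailbox", "group_mailbox",
                "sharepoint_site", "shared_drive"}
OPTIONAL = {"room_mailbox"}         # backed up only if no extra cost
MUST_EXCLUDE = {"service_account"}  # no recoverable user data

def audit_scope(inventory):
    """Return (action, name, type) for every item that violates the standard."""
    findings = []
    for item in inventory:
        kind, name, backed_up = item["type"], item["name"], item["backed_up"]
        if kind in MUST_BACK_UP and not backed_up:
            findings.append(("MISSING", name, kind))
        elif kind in MUST_EXCLUDE and backed_up:
            findings.append(("REMOVE", name, kind))
        elif kind not in MUST_BACK_UP | OPTIONAL | MUST_EXCLUDE and not backed_up:
            # "When in doubt, back it up": unknown types go to a human.
            findings.append(("REVIEW", name, kind))
    return findings

def retention_ok(policy, extended_is_free, client_billed_extended=False):
    """Check retention: unlimited if free, otherwise daily 14 local / 30 cloud."""
    if extended_is_free:
        return bool(policy.get("unlimited", False))
    if client_billed_extended:
        return True  # per-client request; terms are set with that client
    return (not policy.get("unlimited", False)
            and policy.get("local_days") == 14
            and policy.get("cloud_days") == 30)

# Constructed sample inventory (not real tenant data).
SAMPLE = [
    {"name": "jane@example.com", "type": "licensed_user", "backed_up": True},
    {"name": "frontdesk@example.com", "type": "shared_mailbox", "backed_up": False},
    {"name": "smtp-relay@example.com", "type": "service_account", "backed_up": True},
    {"name": "Operatory 1", "type": "room_mailbox", "backed_up": False},
    {"name": "Teams - Hygiene", "type": "sharepoint_site", "backed_up": False},
    {"name": "Policies", "type": "shared_drive", "backed_up": True},
]

if __name__ == "__main__":
    for action, name, kind in audit_scope(SAMPLE):
        print(f"{action:8} {kind:16} {name}")
    print("retention ok:", retention_ok({"unlimited": True}, extended_is_free=True))
```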