Who Is Responsible For Protecting Your SaaS Application Data?

Published on 23/02/2022

Subscribers to a SaaS application may not fully understand who is responsible for protecting its data, or why they should be more proactive when selecting a SaaS provider.

What could be better than working with a vendor who will manage all the processes for your business-critical applications?

That’s why SaaS relationships are so compelling for organisations. The idea of having someone else run your application, store your data, and manage and maintain the hardware and software is a dream come true for IT departments. There is one common misconception, though: who is responsible for protecting the data? Most organisations assume this falls to the SaaS provider, but in reality it is the responsibility of the SaaS user.

Ensuring that you have access to backed up data to meet whatever business continuity or compliance requirements you have is most certainly your responsibility. Sure, the SaaS providers have a process for protecting your data against a number of risks, but ultimately, it’s your obligation.

The SaaS user must be prepared to answer basic questions before partnering with a SaaS provider:

  • What’s the impact on the business if there is data loss?
  • Do you have any compliance requirements for your data — if so, what are they?
  • Does your provider support data backup options?

Did you know there are escrow solutions for SaaS applications?

One solution is the SES Licensee Continuity Plan (LCP). This market-leading service is a live and functioning disaster recovery solution that not only ensures the backup and accessibility of your data but also, when called upon, makes SES responsible for rapidly recreating the working service on your behalf. To ensure the protections are effective, SES will simulate the recovery on an annual basis, with the software user confirming its effectiveness. Following a confirmed release, the LCP will provide a period of service continuity, typically 6 months, giving you invaluable time to make alternative arrangements, whether that’s bringing the service in-house or transitioning to a replacement. This period of continuity is built into the coverage from the start and delivered by SES.

SES recommends focusing on the following areas with your provider:

  • Availability: What is the provider’s recovery point objective (RPO) and recovery time objective (RTO) for data loss due to hardware and software failures?
  • Security: How does the provider protect their application from external threats to the provider’s system versus threats to the individual subscriber account?
  • User Error: Does the provider support any features that prevent user error-related data loss, such as “recycle bins” or “versioning files”?
  • Data Archiving: How long does the provider store client data?
  • Exiting Strategy: Does the user have the ability to extract data from the provider’s system? And is the data provided in a format that is transferable?

There’s no denying the value a SaaS application can bring to an organisation. But SaaS providers are like snowflakes: each is different in some way. You cannot assume that one SaaS provider’s level of data protection is the same as every other provider’s, because SaaS environments are not designed the same way. The systems that make up one SaaS environment are completely different from those of the next, regardless of how similar the application functionality is. At the end of the day, you must enter into a SaaS relationship knowing that you have responsibilities too, and data protection is one of them.

If you are using SaaS applications within your business and haven’t taken the necessary steps to protect them, or would like to find out more about protecting them with SaaS Escrow, please get in touch to speak to one of our specialists. 

© SES Secure Limited and, 2022. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and, with appropriate and specific direction to the original content.
