Understanding the 3-2-1 rule for cloud backups

The 3-2-1 backup rule is called a rule for a reason, but this long-standing backup best practice couldn’t foresee the modern business reality where 60% of business data lives in the cloud.

The 3-2-1 rule for SaaS backups, which we’ve outlined below, updates the long-established 3-2-1 framework for the modern business reality.

Organizations rely on SaaS platforms like Jira, Confluence, monday.com, GitHub, Azure DevOps, Notion, HubSpot, Shopify, and so on. And it’s the organization’s responsibility to protect all the critical data these platforms hold. Following the 3-2-1 rule for SaaS backups is the best way to protect critical data and ensure that it can be recovered in case of disaster.

The 3-2-1 rule for cloud backups

A bulletproof backup strategy to protect your SaaS data.

Three copies of your data stored in…

Two different places in the cloud…

One of which is not your SaaS provider

SaaS backup, easy as 3-2-1

The Shared Responsibility Model details where the SaaS platform’s responsibility for data ends and where the user’s responsibility begins. Understanding the user role in cloud data resilience is key to understanding why backing up your SaaS data—applying the 3-2-1 rule for cloud backups—is an imperative for any modern business.

An image outlining the Shared Responsibility Model for SaaS data. A line scale runs across the top with the left third saying "platform's responsibility" and the right two-thirds saying "your responsibility." Below that, another line scale that runs from "unlikely" (left) to "very likely" (right).
In the left third on the "unlikely" to "very likely" scale:
- System-wide update or failure
and between "platform's responsibility" and "your responsibility," is "data breach."
In the right two-thirds, under "your responsibility" it reads:
- Malicious data deletion
- Third-party app errors
- Data migration errors
- Poor data imports 
- Human error

Three copies of your data

Keeping three copies of your data is about redundancy. The good kind. Production data—the data teams interact with every day across the various SaaS platforms an organization relies on—counts as one copy. A backup of that data is the second; a copy of the backup, or a completely separate backup, is the third.

The idea is that if production data is compromised, whether by accident or in an attack, the organization has a backup. If a backup is compromised in the same or even a different event, there is safe data to restore from. It bears mentioning that when a backup is stored in the same place as production data, the likelihood of a data event taking down production data and the primary backup increases greatly. Which brings us to the second part of the 3-2-1 rule for SaaS backup:

Two different places in the cloud

Keeping backups in two distinct locations in the cloud mitigates risk. If an issue in one cloud location impacts production data, having a copy in another location ensures that the same issue doesn’t leave the organization without a backup to restore from.

Where a solid backup strategy used to mean copying on-premises data and warehousing physical media off-site, today it means backing up cloud data and storing backups in distinct locations in the cloud. This could mean keeping backups with two different cloud providers, but it can also be simplified without compromising the 3-2-1 rule for cloud backups by using one cloud platform for backups and keeping copies in two distinct data regions within that platform. Whatever the case, keeping your production data and all your backup data in the same place is a recipe for disaster. Which brings us to the one in 3-2-1:

One of which isn’t your SaaS provider

Backing up your SaaS data with your SaaS provider is like backing up your hard drive to your hard drive. In other words, if your backup strategy has a single point of failure, you might be doing backups but you don’t have a backup strategy.

Keeping SaaS data backups independent of your SaaS provider ensures you always have a way to recover your data. The same accident, attack, or other event that impacts production data in a SaaS platform won’t also take down your backup.
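The three parts of the rule described above can be checked mechanically against an inventory of where each copy lives. The following is an added example, not code from this page or any vendor: the `Copy` record, the `check_321` function and the provider and region names are constructed for illustration, and it assumes the stricter reading that the backups themselves must occupy two distinct places, where two data regions of one provider count as distinct.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    role: str      # "production" or "backup"
    provider: str  # who holds the copy (hypothetical names below)
    region: str    # data region within that provider


def check_321(copies):
    """Return a list of 3-2-1 violations; an empty list means the inventory passes."""
    production = [c for c in copies if c.role == "production"]
    backups = [c for c in copies if c.role == "backup"]
    if len(production) != 1:
        return ["inventory must contain exactly one production copy"]
    saas = production[0].provider.lower()
    problems = []

    # 3: production counts as one copy, so two backups are needed.
    total = len(production) + len(backups)
    if total < 3:
        problems.append(f"3: only {total} copies, need 3")

    # 2: backups must sit in two distinct places; two regions of one provider qualify.
    places = {(c.provider.lower(), c.region.lower()) for c in backups}
    if len(places) < 2:
        problems.append(f"2: backups occupy {len(places)} distinct place(s), need 2")

    # 1: at least one backup must be held by someone other than the SaaS provider.
    if not any(c.provider.lower() != saas for c in backups):
        problems.append("1: every backup is held by the SaaS provider")
    return problems


# Constructed sample inventories.
PROD = Copy("production", "example-saas", "us")
COMPLIANT = [PROD, Copy("backup", "cloud-a", "eu-1"), Copy("backup", "cloud-a", "us-1")]
SAME_PLACE = [PROD, Copy("backup", "cloud-a", "eu-1"), Copy("backup", "cloud-a", "eu-1")]
PROVIDER_ONLY = [PROD, Copy("backup", "example-saas", "us"), Copy("backup", "example-saas", "eu")]
TWO_COPIES = [PROD, Copy("backup", "cloud-a", "eu-1")]

if __name__ == "__main__":
    for name in ("COMPLIANT", "SAME_PLACE", "PROVIDER_ONLY", "TWO_COPIES"):
        print(name, check_321(globals()[name]) or "passes")
```

The `PROVIDER_ONLY` inventory has three copies in two regions and still fails, which is the single point of failure the last part of the rule is meant to catch.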

Audit-ready compliance

The 3-2-1 rule for SaaS backups is not just a best practice, it’s a de facto requirement of many standard and industry-specific compliance frameworks.

SOC 2/3, ISO 27001, HIPAA, DORA, and other compliance frameworks require that cloud data be backed up, stored securely, and recoverable in case of a data loss event. Following the 3-2-1 rule for cloud backups actively supports an organization’s compliance goals.

15% of businesses already prioritized SaaS backup in 2024 [1]

75% of businesses are expected to prioritize SaaS backup by 2028 [1]

The average cost of downtime to a business can reach $9,000 per minute [2]

Cloud data resilience requires a backup plan

While SaaS platforms offer organizations flexibility and scalability, they also introduce unique vulnerabilities. Building data resilience in the modern cloud environment means understanding these risks and implementing a strategy to mitigate them, i.e. the 3-2-1 rule for SaaS backups.

Human error

83% of organizations experienced data loss due to human error such as accidental deletion or misconfiguration. Human error remains the most common cause of SaaS data loss.

Malicious deletion

87% of IT professionals reported experiencing SaaS data loss in 2024, and malicious deletion—including insider threats—was a leading cause.

SaaS misconfiguration

Bad actors target the most popular SaaS apps first, and the Cloud Security Alliance highlights ill-configured SaaS apps as a common source of data breaches and SaaS data loss.

Ransomware and malware

68% of all identified cyberattacks in 2022 were ransomware attacks. These attacks typically encrypt or delete SaaS data. A reliable backup strategy robs ransomware attacks of their power.

Credential theft

SaaS breaches surged 300% in 2024. In the Snowflake breach, for instance, over 100 organizations—including some in the Fortune 50—saw their SaaS data compromised.

Assuming cloud = backed up

79% of IT professionals mistakenly believe that SaaS applications back up and can restore user data. This dangerous misconception leaves organizations vulnerable to data loss.

“[Data loss] is an inevitability, and we needed to maintain business continuity and assure ourselves that our data was available in all scenarios. We realized most SaaS vendors couldn’t answer the question, ‘what happens if this or that occurs?’ They made a lot of promises, but we wanted to own our data. We wanted to own our future.”

You need a backup plan

If your organization works in SaaS applications, you need a backup plan in line with the 3-2-1 rule for cloud backup. This can be simplified by seeking a backup platform that supports all the DevOps, IT & security, e-commerce, and other SaaS applications your organization relies on.

While backing up SaaS data is important, testing to ensure you can easily restore from a backup—whether a full roll-back or a granular recovery of compromised production data—is crucial. 

Adopting the 3-2-1 rule for SaaS backups is key to mitigating risk and building data resilience in the cloud. A bulletproof backup plan is a pillar of any cloud disaster recovery (DR) strategy and helps organizations set clear and achievable recovery time objectives (RTO).

And while recovering from a SaaS data disaster probably isn’t anyone’s definition of fun, preparing for the eventuality can be if you think about what board games can teach us about disaster recovery.
