The Shared Responsibility Model and SaaS, explained

SaaS apps (like most cloud-powered tech) use the Shared Responsibility Model, meaning users share the responsibility for data protection.

TL;DR

In the cloud, data security is a shared responsibility – and users are always responsible for user-generated data

01

SaaS applications can’t restore individual user data

While they do “save” your data, it’s jumbled up with all of the data from all users, and not in a format that can be easily restored.

02

SaaS application terms of service take no responsibility for user data

Providers are aware of their limitations, and their terms of service reflect the fact that they cannot take responsibility for user-generated data.

03

SaaS data is vulnerable to error and malicious attacks

The best method of ensuring the availability and security of your business-critical SaaS data is a third-party, platform-independent backup.

Stats

The cloud is full of essential business data that often isn’t backed up

Every type of industry, from health care to construction, development, and even government, has begun to embrace the cloud. Their tech stacks, and the volume of data they create, continue to grow at an accelerated pace.

232 billion

Expected worth of the SaaS industry by 2024.

45%

Of security breaches happen in the cloud.

90%

Of data leaks are due to human error.

Data limitations of cloud computing

There’s a commonly held belief that if something is “in the cloud” it will always be there. But here’s the eye-opening truth: storing data in the cloud doesn’t mean it will always be there.

Not too long ago, vital business data was stored on-premise, in a giant maze of never-ending server rooms. This onsite infrastructure ran everything a company’s network needed.

Before the shift to cloud, in-house experts were typically responsible for building and maintaining backup procedures and in-house backup storage. But in the cloud, data backups have largely been left behind, likely because of the mistaken belief that “the cloud is always backed up.” Organizations with strong on-prem backup and recovery plans have neglected to bring this level of planning to cloud data backups, although both can save a business.

Infrastructure, platform, and software as a service: What’s the difference?

As the internet matured and the flow of information got faster, companies began to outsource even more of their IT and software needs. This evolution has led to different options for businesses. These options include Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).

In IaaS, the company providing the cloud manages all the physical infrastructure. Customers (or users) then have access to this network, which essentially acts as an extension of their own data center infrastructure. IaaS brings many benefits, such as potentially making workloads (a workload is an application or a service deployed on the cloud) faster, easier, more flexible, and more cost-efficient. Think of Amazon Web Services, Microsoft Azure, Google Cloud, and others. More often than not, IaaS is being used by companies that build their own software.

PaaS essentially involves having third-party companies manage the IT infrastructure while giving developers access to a framework where they can build customized apps. Many providers offer both PaaS and IaaS; however, some businesses, such as Heroku, Netlify, and Elastic Beanstalk, are PaaS only.

And finally, there’s SaaS, which is the type of online software most people are familiar with. At last count, there are over 145,00 SaaS companies worldwide today. Most SaaS applications run directly from a web browser without any downloads or installations required, although some require plugins. For decades, businesses ran their software on their own computers, hosted on their desktops or servers. Online software like GitHub or Jira essentially eliminated the need to install and run applications on individual computers.

Do you own your software, or rent it?

Think about this for a second. You don’t own the software, you rent it. This includes all the servers. And if businesses no longer own or control the servers which run their software, they also don’t have full control over their data. In other words, you have no physical copy of that data. So unless you have a copy, you can’t restore anything if it gets lost. And neither can the SaaS provider.

This brings us back to the Shared Responsibility Model.

It’s an aspect of cloud computing that’s rarely talked about, but one that can have a dramatic impact. Yet the shared responsibility model is a function of cloud computing itself. It outlines where a cloud provider’s duty of care ends and the customer’s begins. And regardless of whether you use infrastructure, platform, or software-as-a-service, the Shared Responsibility Model is part of the mix.

If we map the three service models out side by side, we can see where the provider’s responsibility ends and where the customer’s begins.

For IaaS and PaaS, customers have many more things they are on the hook for. SaaS leaves the customer with the fewest, but notice that data and user access/security remain the customer’s responsibility across all three.

So whether you have a giant on-premise server room worth millions of dollars or you’re paying $99 a month for an app, software customers are ALWAYS responsible for ensuring data is protected. This is the crux of the Shared Responsibility Model. You and the SaaS provider share the responsibility for protecting your data.

Why don’t SaaS tools protect your data?

It’s a common question. Why don’t Software-as-a-Service companies just save the data? There’s a distinction we need to make. They do “save” it – but they only save this data in a format that makes sense to them.

Every new piece of data or content you create is hosted on the servers of whichever SaaS tool you are using. This data gets lumped in with that of all the other users of said tool. You see customer information, reports, project plans, financial statements, or whatever else you use that specific SaaS tool for. On the other side of the mirror, the SaaS provider essentially sees ones and zeros.

Needle in a haystack

SaaS apps do ‘save’ your data – but not in a format you can easily restore

All your data is lumped together with that of all the other customers, regardless of whether the provider has one thousand or one million of them. It’s a never-ending sea of mixed-up computer code. And if you did lose data, finding and recovering it would be like looking for a needle in a field of haystacks.

This is why the major SaaS apps add stipulations and limitations around what they can restore in their terms and conditions:


Shopify Terms of Service

7. Limitation of Liability and Indemnification

“Shopify and its suppliers will not be liable for any direct, indirect, incidental, special, consequential or exemplary damages, including but not limited to, damages for loss of profits, goodwill, use, data or other intangible losses arising out of or relating to the use of or inability to use the Service or these Terms of Service (however arising, including negligence).”

BigCommerce Terms of Service

10.6 Backup Storage

“It is solely your duty and responsibility to backup separately your files and data that may reside on BigCommerce servers. To the fullest extent permitted by applicable law, under no circumstances will BigCommerce be liable to you, your users, or any third party for damages of any kind, under any legal theory, for loss of files and/or data on any BigCommerce server.”

GitHub Terms of Service

O. Limitation of Liability

“You understand and agree that we will not be liable to you or any third party for any loss of profits, use, goodwill, or data”

QuickBooks Online Terms of Service

6.1 Responsibility for Content and Use of the Services

“You are responsible for any lost or unrecoverable Content. You must provide all required and appropriate warnings, information and disclosures. Intuit is not responsible for any of your Content that you submit through the Services.”

Confluence Terms of Service

14. Limitations of Liability

“14.1. Damages Waiver. Except for Excluded Claims or Special Claims, to the maximum extent permitted by Law, neither party will have any liability arising out of or related to this Agreement for any loss of use, lost data, lost profits, interruption of business or any indirect, special, incidental, reliance or consequential damages of any kind, even if informed of their possibility in advance.”

Atlassian Terms of Service

14. Limitations of Liability

“14.1. Damages Waiver. Except for Excluded Claims or Special Claims, to the maximum extent permitted by Law, neither party will have any liability arising out of or related to this Agreement for any loss of use, lost data, lost profits, interruption of business or any indirect, special, incidental, reliance or consequential damages of any kind, even if informed of their possibility in advance.”

Jira Terms of Service

14. Limitations of Liability

“14.1. Damages Waiver. Except for Excluded Claims or Special Claims, to the maximum extent permitted by Law, neither party will have any liability arising out of or related to this Agreement for any loss of use, lost data, lost profits, interruption of business or any indirect, special, incidental, reliance or consequential damages of any kind, even if informed of their possibility in advance.”

Trello Terms of Service

14. Limitations of Liability

“14.1. Damages Waiver. Except for Excluded Claims or Special Claims, to the maximum extent permitted by Law, neither party will have any liability arising out of or related to this Agreement for any loss of use, lost data, lost profits, interruption of business or any indirect, special, incidental, reliance or consequential damages of any kind, even if informed of their possibility in advance.”

Bitbucket Terms of Service

14. Limitations of Liability

“14.1. Damages Waiver. Except for Excluded Claims or Special Claims, to the maximum extent permitted by Law, neither party will have any liability arising out of or related to this Agreement for any loss of use, lost data, lost profits, interruption of business or any indirect, special, incidental, reliance or consequential damages of any kind, even if informed of their possibility in advance.”

Klaviyo Terms of Service

7.4. Customer Responsibilities for Data and Security

“Customer and its Authorized Users shall have access to the Customer Data and shall be responsible for all changes to and/or deletions of Customer Data and the security of all passwords and other account information required in order to access and use the Services. Customer shall have the ability to retrieve or export Customer Data out of the Services using the self-service tools Klaviyo makes available to the Customer. Customer is encouraged to make its own back-ups of the Customer Data. Customer shall have the sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data and the means by which Customer acquired Customer Data, and for the adequate security, protection and backup of Customer’s Data.”

Mailchimp Terms of Service

22. Limitation of Liability

“To the maximum extent permitted by law, you acknowledge and agree that (i) you assume full responsibility for any loss that results from your use of the Service, including any downloads from the Mailchimp Site; (ii) we and our Team won’t be liable for any indirect, punitive, special, or consequential damages, including any loss of data, profits, revenues, business opportunities, goodwill, or anticipated savings under any circumstances, even if they’re based on negligence or we’ve been advised of the possibility of those damages.”

Azure DevOps Terms of Service

Limitation of Liability

“In no event shall Microsoft and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of software, documents, provision of or failure to provide services, or information available from the services.”

Miro Terms of Service

13. Limitations of Liability

“The disclaimer in this Section 13.1 (Consequential Damages Waiver) will not apply to the extent prohibited by Laws. Except for Excluded Claims, neither party (nor its suppliers) will have any liability arising out of or related to this Agreement for any loss of use, lost data, lost profits, failure of security mechanisms, revenues, goodwill, interruption of business or any indirect, special, incidental, reliance or consequential damages of any kind, even if informed of their possibility in advance.”

No matter what tool you use, Trello, QuickBooks Online, Zendesk, Salesforce, and so on, the Shared Responsibility Model is always present. The onus is on you, the user, to understand what data is at risk and how to protect it.

Protect the data and you protect the business

Today’s tech stack is an essential part of a modern workforce. It’s not uncommon to have dozens, even hundreds of different SaaS tools all working together in some capacity. It also doesn’t matter what team you are on. Sales, Development, Finance, Customer Success, or Marketing, it’s a safe bet that you are using online software every day. And with each passing week, you are becoming more reliant and dependent on the data in these tools.

Just take a step back to think about ALL the data and content you have stored in all these tools. Think of all the ways this data helps you run the business. You make decisions on resources, investments, and strategic roadmaps. You may use SaaS tools to house all your customer data and/or sales leads. In essence, your data IS the business. What are the chances all this vital information could disappear?

According to a major report by Oracle and the analyst firm ESG, 49% of organizations that participated in the study blamed confusion around the Shared Responsibility Model for data loss. A 2020 survey conducted by Rewind found that 40% of SaaS users have lost data. AppOmni found in 2023 that 79% of respondents had a SaaS cybersecurity incident within the previous year alone.

40% of SaaS users lost data in the cloud, according to a Rewind survey.

So essentially, whether or not you lose data comes down to the same odds as a coin flip.

The impact of this data loss varies depending on how reliant you are on these tools. Much of the data we store in SaaS is vital to our day-to-day. Since apps can’t restore this data (remember; it’s a field of haystacks), the onus is on you to put everything back. This can involve hours, days, or even weeks of manual work trying to put everything back. And that’s only if you have copies of the most recent data on hand. So again, depending on how reliant you are, it could be a minor nuisance or an earth-shattering emergency.

How data loss happens in SaaS

There are several ways this data can get lost or deleted. Some are major, like data breaches or servers going down. However, if you remember how the Shared Responsibility Model works, cloud providers are on the hook for those: they are events that affect ALL users. Individual users, on the other hand, face several risks of their own. Here’s a quick rundown:

Third-party app errors

All the applications we install are themselves SaaS tools. Remember the “terms of service” agreements? Go back and read them. Third-party integrations typically require “read and write” permissions, meaning they can also change, manipulate, or delete your data if they are misconfigured or contain a bug.

Human error

All these stats point to the same conclusion: no matter how much training we do or how many times we’ve done the same thing, mistakes happen. It’s simply human nature, especially in a fast-paced environment. It isn’t a matter of if, it’s when. And with more businesses embracing the cloud and SaaS, the opportunities for people to make mistakes will inevitably go up.

Malicious attacks

Ransomware, phishing attacks, and malware are increasingly being used to target smaller businesses without advanced security protocols, especially since the onset of the 2020 pandemic. SaaS users are one misstep away from having their data hijacked or wiped out.

Provider outages

While not a common occurrence, provider outages do happen. Platforms take every precaution, but nobody can guarantee 100% uptime forever.

How you can protect your SaaS data

The likelihood of each of these events varies, but the odds of SaaS users losing data are much higher than the odds of SaaS providers losing data. That brings us back full circle to why their terms of service limit their liability and why understanding the Shared Responsibility Model is critical to your business.

Integrate SaaS into your Disaster Recovery Plan

Since your apps likely contain business-critical info (why would you pay for them if you didn’t use them?), SaaS data protection should be integrated into your disaster recovery strategy.

It comes down to basic best practices for data security:

  • Ensure you have strict rigor around user access and permissions.
  • Determine your acceptable RTO and RPO for SaaS data.
  • Implement a backup strategy that satisfies the 3-2-1 method: three copies of your data, on two different media, with one copy stored off-site.
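To turn those three bullets into something you can actually check, here is an added example (my own code, not Rewind’s product and not code from the original page) that evaluates the copies of one SaaS dataset against the 3-2-1 rule and an RPO. It treats the SaaS platform itself as the primary location, so the provider’s own copy counts toward the three but the RPO is measured only against copies you could restore from yourself. The medium and location labels and the two sample inventories are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The SaaS platform itself is the primary location. Its copy of your data
# counts as a copy, but (as the terms quoted above make clear) it is not one
# you can rely on for restores, so the RPO is measured against copies held
# elsewhere. All location and medium labels below are hypothetical.
PRIMARY_LOCATION = "saas-platform"
RPO_24H = timedelta(hours=24)


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a SaaS dataset and where/when it lives."""
    medium: str         # storage medium type, e.g. "saas-native", "object-storage"
    location: str       # where it is held; PRIMARY_LOCATION for the provider's copy
    taken_at: datetime  # completion time of this copy (timezone-aware)


def evaluate_3_2_1(copies, now, rpo):
    """Check a dataset's copies against the 3-2-1 rule and an RPO.

    Returns the measured counts plus a list of human-readable failures;
    an empty failure list means the dataset is covered.
    """
    failures = []
    media = {c.medium for c in copies}
    off_primary = [c for c in copies if c.location != PRIMARY_LOCATION]

    if len(copies) < 3:
        failures.append(f"only {len(copies)} copies, need 3")
    if len(media) < 2:
        failures.append(f"data on {len(media)} storage medium type(s), need 2")
    if not off_primary:
        failures.append("no copy held outside the SaaS platform")
    else:
        # How much work would be lost is set by the freshest copy you can
        # actually restore from, not by the provider's own copy.
        age = now - max(c.taken_at for c in off_primary)
        if age > rpo:
            failures.append(f"freshest restorable copy is {age} old, RPO is {rpo}")

    return {
        "copies": len(copies),
        "media": len(media),
        "off_primary": len(off_primary),
        "failures": failures,
    }


def is_covered(copies, now, rpo):
    """True when the copies satisfy 3-2-1 and the RPO."""
    return not evaluate_3_2_1(copies, now, rpo)["failures"]


# Constructed sample inventories (not real systems).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# A store's data: the provider's copy, a third-party backup in an object-storage
# bucket taken two hours ago, and a daily export on an office disk.
STORE_COPIES = [
    BackupCopy("saas-native", PRIMARY_LOCATION, NOW),
    BackupCopy("object-storage", "cloud-bucket", NOW - timedelta(hours=2)),
    BackupCopy("local-disk", "office", NOW - timedelta(days=1)),
]

# A helpdesk tool: only the provider's copy plus a nine-day-old manual export.
HELPDESK_COPIES = [
    BackupCopy("saas-native", PRIMARY_LOCATION, NOW),
    BackupCopy("local-disk", "office", NOW - timedelta(days=9)),
]

if __name__ == "__main__":
    for name, copies in (("store", STORE_COPIES), ("helpdesk", HELPDESK_COPIES)):
        result = evaluate_3_2_1(copies, NOW, RPO_24H)
        status = "OK" if not result["failures"] else "NOT COVERED"
        print(f"{name}: {status}")
        for failure in result["failures"]:
            print(f"  - {failure}")
```

Running it reports the store as covered and the helpdesk tool as not covered for two reasons: only two copies exist, and the only copy outside the platform is nine days old against a 24-hour RPO. The RTO is not something this check can measure; that comes from timing an actual test restore of the off-platform copy.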

Understanding the Shared Responsibility Model means understanding what you can do to protect your SaaS data. If a meteorite strikes tomorrow, there’s not much you can do. However, more localized, and more likely, disasters can be mitigated.

A third-party backup and recovery service dramatically reduces your odds of losing vital data, as you can always restore your SaaS instance from a clean copy of the data. Plus, by decreasing your time to recovery, you can prevent a flood of support tickets (and save yourself from painstaking manual rebuilding).

You’ll spend more time focused on your work, rather than working on solving the stressful challenge of data loss.

Rewind offers automatic, set-it-and-forget-it data backup and restoration solutions. Our apps integrate directly with your SaaS platform, allowing you to restore individual items of data or your entire file set. Learn more about how Rewind protects data.