SaaS Agreements – SLA – Data Backup

When providing SaaS services you must specify in your SaaS agreement who is responsible for the backup/loss of customer data. The extent of your backup duties should be included in the service level agreement (SLA) and these will be dependent on a number of factors set out below.

Backup Process

You should set out details about the nature of the backups and the data media being used, for example:

  • will the backup be made to tape or disk or using some other media
  • how often will the backup media be changed/rotated/updated
  • how often will backups be made i.e. hourly/daily/monthly
  • will incremental backups be made


In view of customer concerns over data security it is essential that you provide details of where and how the backup media will be stored, for example:

  • will this be at a physically separate location
  • will a provider other than the hosting centre be used
  • what security is in place at the storage location
  • who has access to the facility
  • is emergency power available

Disaster Recovery

This should be considered as an add on extra, to cover the eventuality that the hosting centre (where the SaaS software and data backups are created)  becomes unusable.  The disaster recovery centre should be physically remote from your hosting centre to avoid a double hit! Other points to consider are:

  • carefully define what a “disaster” is
  • set out expected data recovery times
  • test your disaster recovery procedure at least once a year

Commercial Considerations

The exact nature and extent of any data backup (and related disaster recovery) services that you offer to SaaS customers will depend on:

  • how much has the customer pays for the SaaS solution, maintenance and support
  • whether or not service credits are offered for breaches of error fix times
  • whether the SaaS application is business critical i.e. online banking
  • what is standard in that particular business area


Ensure that errors or problems caused by something beyond your control are excluded from your obligations i.e. loss of data caused by the customer’s failure to use the specified browser, hardware, virus checking programmes etc.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: