SaaS Backup and Retention Requirements
Data Retention
- The SaaS system should retain, at a minimum, one month of full backups, and should then retain the last full set of backups for at least six months.
Data Backup
- The SaaS system should be backed up regularly. Backups must include metadata, customizations, report definitions, code, logs, access records, and any other pertinent information that may be required for legal and compliance reasons.
- The SaaS backup and restore process should meet a minimum recovery time objective (RTO) and recovery point objective (RPO) of 24 hours. A business unit may require a minimum RTO or RPO of less than 24 hours based on business need.
Data Storage
- At least one copy of the backup data must be stored in a separate facility that is not collocated with the primary SaaS system.
Test Backups
- Backups should be tested at least biannually to verify their reliability and integrity.
If the SaaS application’s backup and retention capabilities do not meet the requirements stated above, the System owner shall create additional backup and retention processes.