Data Backup & Recovery SOP Template for SaaS Teams
Free data backup and disaster recovery SOP template for SaaS. Covers RDS snapshots, RPO/RTO targets, backup verification, and SOC 2 evidence.
Purpose
Define the backup schedules, verification procedures, and disaster recovery steps for all production data in your SaaS application. This SOP ensures your team can restore service within defined RPO and RTO targets after any data loss event — from accidental deletion to full infrastructure failure. It also produces the backup evidence your SOC 2 auditor requires.
Scope
Covers all production databases (relational and NoSQL), object storage, application configuration, and secrets. Applies to AWS, GCP, or Azure-hosted environments. Does not cover development or staging environments, which are considered disposable and can be rebuilt from infrastructure-as-code templates.
Prerequisites
- Production database instances identified and documented (e.g., RDS PostgreSQL, DynamoDB, Cloud SQL)
- Cloud provider backup services configured (AWS Backup, RDS automated snapshots, GCS versioning)
- RPO and RTO targets agreed upon by engineering and business leadership
- Disaster recovery runbook drafted with step-by-step restore procedures
- Monitoring and alerting configured for backup job failures (PagerDuty, Opsgenie, or CloudWatch Alarms)
- Separate backup storage account or cross-region bucket for off-site copies
Roles & Responsibilities
Infrastructure / SRE Lead
- Configure and maintain automated backup schedules across all production data stores
- Monitor backup job health and respond to failures within 1 hour
- Lead quarterly disaster recovery drills
- Maintain the disaster recovery runbook
Engineering Manager
- Approve RPO and RTO targets based on business impact analysis
- Ensure new data stores added by the team are included in the backup schedule
- Participate in disaster recovery drill reviews
Compliance / Security Lead
- Verify backup evidence is collected and archived for SOC 2 audits
- Confirm backup encryption meets SOC 2 and GDPR requirements
- Review disaster recovery drill results and flag gaps
Procedure
Create a complete inventory of every production data store your application depends on. Include relational databases, NoSQL stores, object storage buckets, Redis/Elasticache instances, message queues, and any third-party SaaS tools where your data lives (e.g., Stripe, Intercom). For each, document: data type, estimated size, acceptable data loss (RPO), and acceptable downtime (RTO).
- aList all RDS, Aurora, or Cloud SQL instances with database engine and size
- bList all DynamoDB tables, MongoDB Atlas clusters, or equivalent NoSQL stores
- cList all S3/GCS buckets containing production data (uploads, exports, logs)
- dList all Redis/Elasticache instances and whether they hold persistent data
- eIdentify any third-party SaaS tools that store data you can't rebuild from your own systems
Completion Checklist
Key Performance Indicators
Backup success rate (daily jobs completed without failure)
99.9% or higher
Recovery Point Objective (RPO) — maximum data loss
1 hour or less for primary database
Recovery Time Objective (RTO) — time to full restore
4 hours or less
Monthly restore test completion rate
12 of 12 months per year
Quarterly DR drill completion rate
4 of 4 quarters per year
Backup alert response time
Under 1 hour
Why This Matters for SaaS
Every SaaS company will eventually face a data loss event — whether it's a developer accidentally dropping a production table, a ransomware attack encrypting your database, or a cloud provider outage taking down an entire region. The difference between a 10-minute recovery and a week-long crisis is whether your backups are tested, monitored, and documented. SOC 2 auditors specifically examine backup policies, retention schedules, and evidence of regular restore testing. Companies without documented backup SOPs fail this control and face audit findings that can delay enterprise deals.
Common Mistakes
- ×Configuring backups but never testing a restore — 37% of backup restores fail on first attempt due to configuration drift, permission changes, or corrupted snapshots
- ×Keeping all backups in the same region as production, which provides zero protection against a regional outage
- ×Relying on RDS automated snapshots without realizing they're deleted if the database instance is deleted
- ×Not monitoring backup job failures, leading to days or weeks of missing backups discovered only during an incident
- ×Setting RPO/RTO targets without measuring actual restore time — your real RTO is whatever you measured during your last drill, not what you wrote in a document
SaaS-Specific Notes
SOC 2 Trust Service Criteria require SaaS companies to demonstrate they have backup procedures, test restores regularly, and can recover within defined targets. Your auditor will ask for backup configuration evidence, restore test logs, and DR drill reports. GDPR adds a requirement that backups of EU personal data must be encrypted and that you can fully delete a user's data from backups upon request (the 'right to erasure'). Plan your backup encryption and retention policies with both SOC 2 and GDPR in mind from the start.
Frequently Asked Questions
Learn More About Data Backup & Recovery
For a deeper look at building onboarding documentation, see our complete guide.