SaaS Backup and Recovery (CPS 230 & Essential Eight): Why Uptime Isn’t Enough
- David Long

- Sep 19, 2025

Introduction
Ask ten IT leaders about SaaS data protection, and most will talk about uptime. Microsoft 365, Google Workspace, Salesforce, Dynamics 365: they all guarantee the lights will stay on. But uptime isn’t the same as recoverability. If a ransomware attack encrypts SharePoint, if an admin identity is compromised in Entra ID, or if a staff member accidentally wipes a Gmail folder, uptime offers no comfort.
In Australia, this gap isn’t just technical. It’s regulatory. APRA’s CPS 230 and the Essential Eight require proof that organisations can recover data quickly, independently, and immutably. That means evidence - not assumptions.
This guide explains why independent SaaS backup matters, how Keepit’s approach is different, and what recovery-first looks like in practice. We’ll share scenarios to test, compliance checklists to use with auditors, and a comparison framework to evaluate your vendors.
SaaS Backup and Recovery and Why Uptime ≠ Recoverability

SaaS platforms are built for availability, not recovery.
Microsoft promises 99.9% uptime. Salesforce boasts global redundancy. Google guarantees Gmail continuity. These commitments keep services online, but they don’t bring lost data back.
When an identity is phished, a file is deleted, or ransomware hits your tenant, the provider won’t restore what’s gone. And the reality is harsher than most assume:
- Roughly half of organisations hit by SaaS data attacks fail to fully recover what was lost.
- Only 14% of IT leaders feel confident they could restore critical SaaS data quickly after an incident.
- Most rely on native recycle bins and retention policies - tools built for convenience, not compliance or resilience.
Availability keeps the lights on. Recoverability keeps the business alive. That’s the gap independent SaaS backup closes.
What Keepit Does Differently
Keepit isn’t another checkbox in a vendor marketplace. It’s purpose-built, independent, and architected for one thing: sovereign, immutable SaaS recovery.
- Immutable by design → Every backup is sealed with blockchain verification. Tamper-proof, undeletable, and always verifiable.
- Sovereign and vendor-neutral → Data lives outside Microsoft, Google, and Salesforce clouds, ensuring separation from their outages and control.
- Instant visibility → Search millions of objects in seconds. Find what’s lost, and bring it back without delay.
- Universal recovery → Whether it’s a single file, a compromised mailbox, or an entire tenant, Keepit restores at speed and scale.
- Straightforward economics → Storage is included. No creeping costs per gigabyte, no hidden recovery fees.
This isn’t just backup, it’s independence. Keepit sits outside the SaaS provider’s shared failure domain, ensuring that when the vendor stumbles, your backups remain intact, accessible, and certified.
Recovery Scenarios You Should Demand
The difference between a marketing claim and real resilience is simple: test it. Run these scenarios in a live demo or proof of concept and watch what happens:
- Identity breach → Delete an Entra ID admin group. How fast can you bring it back? With Keepit, entire identities and groups are restored in minutes - without waiting on the vendor.
- Accidental deletion → Wipe a Gmail inbox or a OneDrive folder. Can your platform find and return it instantly? Keepit’s search engine cuts through millions of objects in seconds, so users aren’t left idle.
- Ransomware blast radius → Simulate mass file encryption or deletion. Does your backup spot it? Keepit flags anomalies as they happen, while immutable storage ensures attackers can’t overwrite history.
If your current provider stalls, limits restores, or buries you in support tickets, you don’t have recovery - you have hope. And hope is not a strategy.
SaaS Backup and Recovery (CPS 230 & Essential Eight): Compliance & Audit Readiness

For regulated industries, backup isn’t just an IT control, it’s a board-level obligation. APRA’s CPS 230 raises the bar: financial institutions (and any organisation they touch) must prove operational resilience. That means being able to demonstrate, with evidence:
- Independence → Backups cannot live inside the same SaaS provider’s domain of failure.
- Immutability → Data must be tamper-proof, with verifiable audit trails.
- Sovereignty → Information must stay in approved jurisdictions - for Australia, that means AU-based storage.
- Testing → Regulators expect proof of recovery drills, not just policies on paper.
Essential Eight reinforces the same expectations: isolated backups, long-term retention, and recovery that works under pressure.
What Auditors Actually Ask
When APRA or internal auditors test resilience, they don’t want vague assurances; they ask for hard evidence, such as:
- “Show us a record that your backup environment is physically separate from your SaaS production tenant.”
- “Demonstrate that your backup logs cannot be altered by administrators or attackers.”
- “Where is your backup data physically located, and under what jurisdiction?”
- “Provide evidence of your last recovery test - when was it run, how long did it take, and what was recovered?”
How Keepit Answers
- Blockchain-verified immutability → Audit trails that cannot be rewritten.
- AU-based storage options → Clear sovereignty and jurisdictional compliance.
- Independent architecture → Backups sit outside Microsoft, Google, and Salesforce, eliminating shared-failure risk.
- Self-service recovery testing → Run and document tests at any time, producing regulator-ready evidence.
Compliance doesn’t wait for downtime. With Keepit, you’re not scrambling for screenshots when the audit letter arrives - you’re already audit-ready.
Keepit vs. Alternatives: A 7-Point Comparison
| Feature | Keepit | Typical Competitor |
| --- | --- | --- |
| Immutability | Blockchain-verified, undeletable | Relies on cloud provider features - often reversible |
| Recovery speed | Seconds - instant search & restore | Hours to days, depending on vendor SLAs |
| Sovereignty | AU data centres, vendor-neutral | Locked into shared hyperscaler infrastructure |
| Identity restore | Full Entra ID rollback (groups, roles, identities) | Limited or none |
| Cost model | All storage included - no surprise bills | Hidden per-GB and per-restore charges |
| Audit evidence | Tamper-proof blockchain logs, exportable | Manual reports, prone to gaps |
| Coverage | Microsoft 365, Entra ID, Salesforce, Google Workspace, Dynamics 365 and more | Varies, often M365-only |
The difference is stark: Keepit is built recovery-first - sovereign, immutable, and audit-ready. Competitors tick a “backup” checkbox but leave gaps in speed, coverage, and compliance.
How to Validate a Vendor (4 Simple Tests)

Datasheets and sales slides won’t keep you compliant. The only way to separate marketing from reality is to test it yourself. Run these four checks with any SaaS backup provider:
- Teams recovery → Delete a Teams chat and time the recovery. If it takes hours - or worse, support tickets - that’s downtime your business can’t afford.
- Audit logs → Export a backup log. Is it blockchain-verified and immutable, or just a CSV anyone could edit?
- Identity rollback → Simulate an Entra ID breach. Can groups, roles, and identities be restored quickly - or not at all?
- Data sovereignty → Ask exactly where backups are stored. Demand evidence. If the answer is “in the same hyperscaler region,” you’re still in the shared blast radius.
If a vendor fails here, it won’t just fail you in production - it will fail you in front of an auditor.
Case Studies: Real-World Proof

Prince Alfred College
Prince Alfred College needed more than uptime - they needed assurance that student and staff data in Microsoft 365 could be recovered independently of Microsoft.
With Keepit in place, the difference was immediate:
- Mailbox recovery that once took hours now happens in minutes.
- Immutable audit logs provide evidence for both internal governance and external auditors.
- Australian data residency ensures sovereignty and compliance with local requirements.
The result wasn’t just faster recovery. It was regulatory confidence - proof the school could meet its duty of care to students and satisfy compliance obligations.
Deakin University
Deakin University wanted more than a checkbox backup — they needed recovery that was fast, reliable, and audit-ready.
Before Keepit, restoring Microsoft 365 data could take weeks, requiring tapes, archives, and manual intervention. After deploying Keepit:
- Restores are completed in hours or even minutes, no matter how old the data.
- Legal and partner teams get evidence quickly for investigations and compliance.
- Lean IT operations benefit: restores no longer consume senior engineering time.
Keepit gave Deakin confidence that critical data is always available and recoverable when it matters most.
More Success Stories https://www.keepit.com/customers/
Keepit’s reach goes far beyond these two institutions:
- Global enterprises rely on Keepit to meet audit and compliance deadlines without manual reporting gaps.
- Government and education bodies choose Keepit for data sovereignty, keeping records inside approved jurisdictions.
- Mid-market organisations highlight Keepit’s no-surprise cost model, with storage included and no hidden restore fees.
From schools to enterprises, the story repeats: SaaS uptime isn’t enough. Independent recovery is what keeps organisations compliant, resilient, and in control.
FAQs
Does Microsoft back up Microsoft 365 data?
No. Microsoft guarantees platform availability, not recovery. Deleted or corrupted data is your responsibility.
Does Keepit protect other SaaS platforms beyond Microsoft 365?
Yes. Keepit also safeguards Google Workspace (Gmail, Drive, Docs), Salesforce (objects, metadata, workflows), and Dynamics 365 (ERP and CRM processes). All platforms are protected with the same sovereign, immutable architecture.
Is Keepit data stored in Australia?
Yes. Keepit offers Australian data centres, meeting sovereignty and compliance requirements.
How long can I retain data?
Retention is fully configurable - from days to years - at no extra cost.
Can Keepit restore identities in Entra ID?
Yes. Keepit supports full rollback of users, groups, and roles.
How is pricing structured?
Flat subscription with storage included. No hidden per-GB or restore fees.
Conclusion & Call to Action
Availability isn’t recovery. Regulators don’t accept assumptions, and auditors won’t accept screenshots. The difference between staying online and staying compliant is the ability to prove - with evidence - that you can recover what matters, when it matters.
Keepit delivers independent, sovereign, immutable SaaS backup - engineered for recovery-first resilience and audit-ready compliance with CPS 230 and the Essential Eight.