A new survey finds that 37% rely on native SaaS backup, risking data loss; calls for immutable, segregated storage to boost resilience and sovereignty grow.
Keepit, the only vendor-independent cloud dedicated to SaaS data protection, announced the results of its survey “Overlooked and under-protected: How the SaaS data gap threatens resilience”. The survey of senior IT decision-makers revealed that 37% of respondents rely solely on native backup capabilities, leaving organizations at risk of data loss and disruptions. Immutable, physically segregated data storage is seen as paramount alongside growing concerns over data and digital sovereignty.
In the survey, sponsored by Keepit and conducted by Foundry for CIO MarketPulse in April and May 2025, more than 300 senior IT decision-makers in the US, Europe and Asia-Pacific[1] responded to questions related to the state of their businesses’ SaaS data protection. The responses highlighted the need for immutable, independent backup to secure business continuity and revealed possible gaps in protection.
Key findings:
- 37% of respondents rely solely on their SaaS applications’ native backup capabilities, leaving organizations at risk of data loss.
- 11% of respondents say it would take a month or more to recover data after a loss incident — or that they may not be able to fully recover at all.
- 61% of respondents highlight physically segregated storage as a key requirement for modern SaaS backup.
- 49% of respondents have experienced a major data loss event in the past year.
“It’s surprising — and concerning — that in 2025, 37% still rely solely on their SaaS application’s native backup,” says Niels van Ingen, Senior Vice President of Business Development and Strategy at Keepit. “First, most SaaS applications don’t have native backup. SaaS vendors follow a ‘shared responsibility’ model: they’re responsible for the systems and controls, while customers are responsible for their own data, accounts, and identities. Second, even when native backup is available, it’s tied to the SaaS application itself — so if you lose access to the vendor or your account, you lose access to your data. That’s why SaaS vendors themselves recommend using a third-party backup.”
Evolving requirements put pressure on how and where you store your data
SaaS resilience now requires infrastructure that’s purpose-built to withstand the current, increasingly complex threat environment. Growing concerns over data sovereignty and digital sovereignty is driving organizations to take a closer look at vendor architecture, dependence on global hyperscalers, the supply chain and use of sub-processors, and compliance requirements. Consequently, according to survey respondents, the top requirements for modern backup include:
- Physically segregated storage (62%) – Data stored separately from the SaaS provider’s environment to ensure true independence in case of platform or region-level failure.
- Immutable, encrypted storage (59%) – End-to-end encryption and immutability that prevents tampering or unauthorized deletion, with deletion controls built in at the architecture level, not simply reliant on user roles.
- Granular access and deletion controls – To meet requirements from GDPR and new regulations such as the Digital Operations Resilience Act (DORA), organizations must be able to apply retention, access, and deletion policies with precision.
“As the survey data makes clear, relying on native backup is no longer enough. Organizations need to ensure their data is protected independently, immutably, and in alignment with evolving sovereignty requirements. In today’s environment, control over your data location and architecture isn’t just an IT preference — it’s a business imperative,” says Niels van Ingen.
