Salesforce backup and recovery best practices for a reliable recovery process

Holly White on



Backing up your Salesforce data and metadata is critical for security and business continuity, protecting your business against loss, corruption, or accidental deletion.

And even then, it’s not enough to have a backup solution in place and just forget about it. Designing effective backup policies and communicating them to the team and wider business is almost as important as choosing the right solution in the first place.

With around 70% of organizations experiencing some form of data loss annually, a solid backup strategy is essential for protecting your Salesforce investment.

So how can you make sure there are no gaps in your data backup and recovery strategy? We’ve put together 13 Salesforce backup best practices you should follow to keep your orgs as secure and compliant as possible, whichever backup tools you’re using.

1. Have a data backup and recovery plan

Your disaster recovery plan documents how you’ll restore data and operations after an incident. That plan needs to be clear and ready before anything goes wrong. When data loss strikes, you won’t have time to figure things out.

You need to make sure that everyone involved in the backup and restore process for your data knows what to do when faced with data loss. Once you have a backup and recovery plan in place, make sure it’s well documented and can be accessed by everyone in the team. This plan should clearly outline steps to restore data quickly and effectively.

Your plan needs to define backup frequency for different data types. Critical customer data might need hourly backups, while less sensitive metadata could work with daily snapshots. Salesforce’s native backup only runs once a day, so if you need tighter recovery points, it’s worth considering whether that’s enough for your setup, or whether an enterprise platform like Gearset is better suited. Whatever tool you use, make sure complex recovery steps are broken down into clear, repeatable actions that anyone on your team can follow during an incident.

If you’re not sure where to start, watch our webinar on how you can design your own disaster recovery plan. You’ll be shown a 3-step backup and recovery process that will keep you and the rest of your team on the same page when it comes to detecting data loss and ensuring effective recovery.

2. Know who’s responsible for backups

Communicating who’s responsible for your data backups to the wider business is a vital detail that’s often overlooked. As the Salesforce development team, you’ll often be the default point of contact if a data incident or loss is noticed. Clear ownership builds resilience at scale — avoid a single point of failure by making backups a shared responsibility across the team.

A Salesforce backup policy sets out what data to capture, how often to back it up, and how long to keep it. Getting it right starts with knowing both what to back up and who can access it. Make sure policy creators have the right permissions for every object in scope — miss this step, and you risk blind spots in your coverage.

You’ll need to work out how to empower a team to collaborate on recovery, without giving continuous access to sensitive data in your backups. For example, with Gearset you can quickly assign permissions to view, edit or fully restore from backups, based on the need of the moment.

3. Run frequent automated backups

Manually backing up your Salesforce orgs is time-consuming and can lead to a slip in cadence and backup quality. Monthly backups are a good starting point, but are they enough for rapid recovery? Losing a month’s worth of data could be costly for any business. Setting up automated daily backups reduces the gap between your last backup and an incident — your recovery point objective (RPO).

Daily backups cover most needs — but some data moves faster, carries more risk, or is subject to stricter requirements. Your RPO should guide how often you back things up. In finance, that often means several backups a day — especially for fast-changing, high-stakes data.

Critical data may need hourly coverage. Start with what’s most vital:

  • Customer transaction records that change throughout the day
  • Real-time inventory or pricing data
  • Support case records tied to customer experience

For most businesses, an RPO of 24 hours is acceptable, but some critical objects may need additional protection, which is where something like Gearset’s high-frequency jobs come in. You should always be in a position to back up on demand as well, before a risky release or platform upgrade.

Confident releases start with reliable backups. Pre-release snapshots let you deploy with confidence, and move fast without risk.

4. Follow the 3-2-1 backup rule

The 3-2-1 rule is a backup strategy built on one simple idea: redundancy. It’s been a staple in IT for years, and is recommended by Salesforce for data protection.

Keep three copies of your data — your live Salesforce org and two backups. Store those backups on two different types of storage, so one hardware issue doesn’t take out both. And make sure at least one copy lives off-site to cover you in a worst-case disaster.

Here’s why that matters: your Salesforce org counts as one copy, but if everything sits on Salesforce’s infrastructure, you’ve got a single point of failure.

Tools like Gearset solve that by handling off-site storage automatically — off Salesforce’s platform, with full support for both metadata and data restores. If one backup gets corrupted or fails, you’ve got another ready to deploy.

5. Don’t forget you need metadata backups too

Your metadata is just as important as your data, but is so often overlooked. Metadata is critical as it provides the structure for your org, so backing up metadata is essential. Without it, your data has nowhere to live. So if you lose the metadata that houses your data, you’re unable to restore anything at all. After a data loss incident, metadata should be restored first, so you can safely restore your data next.

Having separate backup and recovery processes for data and metadata isn’t ideal. You want both kinds of backup to run in sync, so snapshots of the whole org are from the same moment in time. Not every backup solution backs up metadata, and some only back up a few metadata types. So make sure your tooling and process are capturing the metadata you need. Full coverage, no blind spots — data and metadata should be captured together, so your restores are complete and aligned.

6. Keep your backups compliant

Compliance requirements are becoming increasingly strict and teams are finding they have to achieve compliance with more frameworks, so it can be hard to keep on top of exactly what’s expected of your data management strategy. And breaching data compliance regulations can cause serious consequences: not only can it lead to huge fines but the operational disruption and reputational damage can be irreversible.

Compliance isn’t one-size-fits-all. Frameworks like GDPR, HIPAA, CCPA, and SOX each have their own rules around data handling and retention, making compliance a moving target for many teams.

Automated backups address two core needs: consistency and controlled access. They run on schedule, so you’re not relying on someone to start a job. And because they reduce manual steps, you can enforce role-based access and auditing for backup data. That supports compliance by reducing human error and data exposure.

Manual backup processes pose a big challenge for compliance. Having backups is often a compliance requirement, but you’ll also need to track which data has been backed up and who has access. A Salesforce backup solution like Gearset will give you a full audit trail. You can also set a retention period for backup data, automatically removing data in line with your retention policy. With manual backup processes, it’s also difficult and time-consuming to comply when customers exercise a right to erasure. But many backup solutions provide functionality for purging specific records across all backups.

Compliance isn’t just about policies — it’s also about being able to evidence a clear audit history and forecast costs with confidence.

7. Store backup data securely off-platform

Off-platform backup storage means keeping copies outside Salesforce’s infrastructure. It’s straightforward — yet many teams still rely on same-platform storage. When an incident affects the platform or an account, that creates a single point of failure. Off-platform copies reduce that risk and align with the 3-2-1 rule.

With hard copy files, it’s obviously a mistake to keep backups in the same filing cabinet as the originals. This can feel less intuitive with data stored “in the cloud”. But data is still held physically in data centers. It’s just as much a mistake to store backups for digital files on the same servers, or access them via the same platforms. In the Salesforce context, there are native backup solutions, but relying on them goes against a fundamental best practice for backups and recovery.

When the pressure’s on, don’t be caught out by a native solution. Off-platform, always accessible storage ensures you can still recover during an outage.

8. Ensure proper access for backup processes

Integration users need read access to every object being backed up. This may seem basic, but missing permissions are a top reason backups quietly fail on specific objects. If your job runs at midnight and hits a permissions snag, you won’t know until it’s too late — and by then, the window’s closed.

Here’s what to check:

  • Make sure field-level security covers everything your backup touches
  • Double-check profile permissions on custom objects
  • Scan backup logs for permission errors that slip through

Don’t wait for an audit to flag gaps. Set up alerts now so you catch access issues the moment they happen. If your backup can’t reach the data, it’s not really a backup.
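One way to run the checks above before a backup job starts, as an added example that is not Gearset's code: it compares a backup scope with the read grants held by the integration user. The rows are constructed and shaped like Salesforce's ObjectPermissions and FieldPermissions records; the permission set names, the scope and the `access_gaps` helper are assumptions, and the scope is assumed to list only fields that are subject to field-level security.

```python
# Constructed rows shaped like Salesforce's ObjectPermissions and
# FieldPermissions records for the permission sets (including the one
# behind the profile) assigned to a hypothetical integration user.
OBJECT_PERMS = [
    {"ParentId": "ps_profile", "SobjectType": "Account", "PermissionsRead": True},
    {"ParentId": "ps_profile", "SobjectType": "Case", "PermissionsRead": True},
    {"ParentId": "ps_backup", "SobjectType": "Invoice__c", "PermissionsRead": True},
]
FIELD_PERMS = [
    {"ParentId": "ps_profile", "Field": "Account.AnnualRevenue", "PermissionsRead": True},
    {"ParentId": "ps_backup", "Field": "Invoice__c.Amount__c", "PermissionsRead": True},
]
# Hypothetical backup scope: object -> fields subject to field-level security.
SCOPE = {
    "Account": ["AnnualRevenue", "Rating"],
    "Case": [],
    "Invoice__c": ["Amount__c"],
    "Shipment__c": ["Carrier__c"],
}


def access_gaps(scope, object_perms, field_perms):
    """Return (unreadable objects, unreadable fields), both sorted."""
    # Access is additive: a read grant in any assigned permission set is enough.
    objs = {p["SobjectType"] for p in object_perms if p["PermissionsRead"]}
    flds = {p["Field"] for p in field_perms if p["PermissionsRead"]}
    missing_objs = sorted(o for o in scope if o not in objs)
    # Fields are only reported for readable objects; an unreadable object
    # already means none of its fields reach the backup.
    missing_flds = sorted(
        f"{o}.{f}"
        for o, fields in scope.items() if o in objs
        for f in fields if f"{o}.{f}" not in flds
    )
    return missing_objs, missing_flds


if __name__ == "__main__":
    objects, fields = access_gaps(SCOPE, OBJECT_PERMS, FIELD_PERMS)
    print("Objects the backup cannot read:", objects)
    print("Fields the backup cannot read:", fields)
```
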

9. Secure your backup data with encryption

Encrypting your backups is essential for robust data protection. Within Salesforce, your data is encrypted in transit and at rest. If you export data and fail to use the same encryption standards for backups, you could actually make your data less secure.

Enterprise-grade encryption keeps your data safe in transit and at rest. But there’s another layer to consider — data residency requirements determine where backup data can be geographically stored. If your org operates across borders, this is often a legal requirement.

Confirm your backup solution offers in-region storage and appropriate transfer safeguards for the places you operate. In the EU, that typically means EU/EEA storage or approved transfer mechanisms under GDPR. In US healthcare, use HIPAA-eligible services with a signed BAA. Financial services frequently face country-specific limits on where customer data can reside.

Where and how you store your backups really matters. All Gearset backups are stored with Amazon Web Services (AWS) and your data is encrypted in transit and at rest, to enterprise-grade standards.

10. Monitor your backup data

Backup monitoring tracks whether your Salesforce backups are running, finishing, and storing data correctly. It’s your early warning system for potential disasters.

The sooner you spot an error, the quicker it can be resolved and business operations can continue. If a team isn’t actively monitoring for unexpected changes to their data, incidents can go unnoticed for long periods of time. However you’re backing up your data, monitoring for unusual changes is the best way to spot a data loss quickly.

Keep an eye on backup success rates to make sure your data’s actually covered. Track how long jobs take, too — a backup that suddenly doubles in duration might indicate a problem. Set alerts for failures or odd data shifts so you’re not caught off guard.

To make sure your monitoring actually works, there are a few technical details you’ll want to get right:

  • Review backup logs regularly to identify and address errors. But don’t stop at the basics. Look at object-level backup status to spot gaps — that custom object added last week might not be protected yet. Keep tabs on API usage as well. If you hit a governor limit mid-run, your backup could quietly fail without warning.

  • Set configurable smart alerts in Gearset to keep an eye on critical objects. The alert threshold is completely customizable, letting you choose how many records would be an unusual level of change in your org. Your backup dashboard also makes it obvious when there’s been a spike in removed data that looks a little suspicious and will need investigating. Intuitive monitoring and recovery processes matter under pressure — the simpler the workflow, the faster you can respond.

Screenshot: Gearset comparison highlights changed, new, and deleted metadata
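The monitoring checks described in this section, together with the RPO check from section 3, as an added example that is not Gearset's code or API. The job history is constructed, and the field names, the `check_backups` helper and the thresholds are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed job history (oldest first). Field names are hypothetical,
# not the schema of Gearset or any other backup tool.
JOBS = [
    {"end": datetime(2024, 5, 1, 1, 40), "ok": True, "minutes": 40,
     "objects": {"Account", "Contact", "Case"}, "deleted": 12},
    {"end": datetime(2024, 5, 2, 1, 42), "ok": True, "minutes": 42,
     "objects": {"Account", "Contact", "Case"}, "deleted": 9},
    {"end": datetime(2024, 5, 3, 1, 38), "ok": True, "minutes": 38,
     "objects": {"Account", "Contact", "Case"}, "deleted": 15},
    {"end": datetime(2024, 5, 4, 2, 35), "ok": True, "minutes": 95,
     "objects": {"Account", "Contact", "Case"}, "deleted": 4200},
]
IN_SCOPE = {"Account", "Contact", "Case", "Invoice__c"}  # Invoice__c added recently


def check_backups(jobs, now, rpo, in_scope, delete_threshold):
    """Return alert strings for the newest job in `jobs` (oldest first)."""
    alerts = []
    latest = jobs[-1]
    good = [j for j in jobs if j["ok"]]
    if not latest["ok"]:
        alerts.append("latest job failed")
    # RPO: data changed since the newest successful backup is unprotected.
    if not good or now - good[-1]["end"] > rpo:
        alerts.append("RPO exceeded")
    if latest["ok"]:
        # Duration: compare with the median of earlier successful runs.
        earlier = [j["minutes"] for j in good[:-1]]
        if earlier and latest["minutes"] >= 2 * median(earlier):
            alerts.append("duration doubled")
        # Object-level coverage: in scope but absent from the snapshot.
        missing = sorted(in_scope - latest["objects"])
        if missing:
            alerts.append("not backed up: " + ", ".join(missing))
        # Unusual change: deleted-record count above the configured threshold.
        if latest["deleted"] > delete_threshold:
            alerts.append(f"deletion spike: {latest['deleted']} records")
    return alerts


if __name__ == "__main__":
    for alert in check_backups(JOBS, datetime(2024, 5, 4, 9, 0),
                               timedelta(hours=24), IN_SCOPE, 500):
        print("ALERT:", alert)
```
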

11. Test your recovery process regularly

Once you have a backup strategy, make testing it a priority. Best practice would be testing your recovery plan every 3 months and when there’s a new hire or significant change in the team. When data loss happens, everyone involved should feel comfortable with the process. With each practice run, you’ll learn more about what works well — and what typically goes wrong. Document those learnings, adjust for the future, and optimize your disaster recovery plan if needed. Regular testing ensures your team can efficiently restore systems, recover data, and validate data integrity — minimizing downtime, protecting against data corruption, and strengthening your overall data protection measures.

Regular testing builds resilience at scale, ensuring your processes stand up to audits and real-world incidents alike.

12. Prepare for different data loss scenarios

All data loss incidents are different. Sometimes there are large-scale losses that need to be recovered. At other times, you might just need to restore a single record from the Account object, or even a single field — restoring selectively to avoid corrupting other records in production. Granular restore allows recovery of specific records or fields without affecting other data. This precision matters when you’re dealing with interconnected Salesforce objects where a full restore could cause more problems than it solves.

A dedicated Salesforce recovery solution will support different workflows for restoring data. Whether it’s rolling back a field after a failed integration, restoring a parent object with its children, or recovering across multiple objects, you need restore options that adapt to different scenarios.

13. Get your orgs ready for an Agentic future

Agentforce agents perform tasks based on your Salesforce data — and out-of-date or inconsistent data can make them unpredictable and unhelpful. Archiving removes stale data to improve org performance, while backups keep you resilient as you test with Agentforce and other AI-driven tools.

Implement best practices with a third-party backup solution

Implementing a robust backup and recovery strategy can be a challenge. But with a third-party backup solution, all these best practices have been taken into account, making it easy for teams like yours to protect your Salesforce orgs without compromising on security and compliance. According to the State of Salesforce DevOps Report 2024, users of third-party Salesforce-specialist backup solutions reported the most regular backups, the quickest data recovery times and the fewest data incidents.

Key takeaways for your backup strategy:

  • Implement the 3-2-1 rule for redundancy
  • Automate daily backups at minimum
  • Include both data and metadata in your backups
  • Test recovery processes quarterly
  • Monitor backup health continuously

No team can completely prevent Salesforce data loss. But with the right strategy and tools, you can minimize the impact. To find out more about how Gearset can help you secure your Salesforce org, get in touch to arrange a tailored demo of our comprehensive backup solution.
