Backing up your Salesforce data is critical for security and business continuity. And even then, it’s not enough to have a backup solution in place and just forget about it. Designing your backup strategy, then communicating it to the team and wider business, is almost as important as choosing the right solution in the first place.
So how can you make sure there are no gaps in your data backup and recovery strategy? We’ve put together ten best practices you should follow to keep your orgs as secure and compliant as possible, whichever backup tools you’re using.
1. Have a data backup and recovery plan
You need to make sure that everyone involved in backing up and restoring your data knows what to do when faced with data loss. Once you have a backup and recovery plan in place, make sure it’s well documented and can be accessed by everyone in the team.
If you’re not sure where to start, watch our webinar on how you can design your own disaster recovery plan. You’ll be shown a 3-step backup and recovery process that will keep you and the rest of your team on the same page when it comes to detecting data loss and ensuring effective recovery.
2. Know who’s responsible for backups
Communicating who’s responsible for backing up your data to the wider business is a vital detail that’s often overlooked. As the Salesforce development team, you’ll often be the default point of contact if a data incident or loss is noticed. Having a team, instead of a single person, that takes ownership of backups avoids having a single point of failure.
You’ll need to work out how to empower a team to collaborate on recovery, without giving continuous access to sensitive data in your backups. For example, with Gearset you can quickly assign permissions to view, edit or fully restore from backups, based on the need of the moment.
3. Run frequent automated backups
Manually backing up your Salesforce orgs is time consuming and can lead to a slip in cadence and backup quality. Even if you think backing up once a month is at least something, can the business afford to lose a month’s worth of data? Setting up automated backups that run at least daily reduces the amount of time that passes between a backup and any incident — your recovery point objective (RPO).
For most businesses, an RPO of 24 hours is acceptable, but some critical objects may need additional protection, which is where something like Gearset’s high-frequency jobs come in. You should always be in a position to back up on demand as well, before a risky release or platform upgrade.
4. Don’t forget you need metadata backups too
Your metadata is just as important as your data, but is so often overlooked. Metadata is critical as it provides the structure for your org, so backing up metadata is essential. Without it, your data has nowhere to live. So if you lose the metadata that houses your data, you’re unable to restore anything at all. After a data loss incident, metadata should be restored first, so you can safely restore your data next.
Having separate backup and recovery processes for data and metadata is suboptimal. You want both kinds of backup to run in sync, so snapshots of the whole org are from the same moment in time. Not every backup solution backs up metadata, and some only back up a subset of metadata types. So make sure your tooling and process is capturing the metadata you need to restore your org’s configuration.
5. Keep your backups compliant
Compliance requirements are becoming increasingly strict and teams are finding they have to achieve compliance with more frameworks, so it can be hard to keep on top of exactly what’s expected of your data management strategy. And breaching data compliance regulations can cause serious consequences: not only can it lead to huge fines but the operational disruption and reputational damage can be irreversible.
Manual backup processes pose a big challenge for compliance. Having backups is often a compliance requirement, but you’ll also need to track which data has been backed up and who has access. A backup solution like Gearset will give you a full audit trail. You can also set a retention period for backup data, automatically removing data in line with your retention policy. With manual backup processes, it’s also difficult and time-consuming to comply when customers exercise a right to erasure. But many backup solutions provide functionality for purging specific records across all backups.
6. Store backup data securely off platform
With hard copy files, it’s obviously a mistake to keep backups in the same filing cabinet as the originals. This can feel less intuitive with data stored “in the cloud”. But data is still held physically in data centers. It’s just as much a mistake to store backups for digital files on the same servers, or access them via the same platforms. In the Salesforce context, there are native backup solutions, but relying on them goes against a fundamental best practice for backups and recovery.
7. Secure your backup data with encryption
Encrypting your backups is essential for the security of your data. Within Salesforce, your data is encrypted in transit and at rest. Exporting data and not using the same encryption standards for backups could ironically make your data less secure.
Where and how you store your backups really matters. All Gearset backups are stored with Amazon Web Services (AWS) and your data is encrypted in transit and at rest, to enterprise-grade standards.
8. Monitor your backup data
The sooner you spot an error, the quicker it can be resolved and business operations can continue. If a team isn’t actively monitoring for unexpected changes to their data, incidents can go unnoticed for long periods of time. However you’re backing up your data, monitoring for unusual changes is the best way to spot a data loss quickly.
You can set configurable smart alerts in Salesforce, to keep an eye on critical objects. The alert threshold is completely customizable, letting you choose how many records would be an unusual level of change in your org. Your backup dashboard also makes it obvious when there’s been a spike in removed data that looks a little suspicious and will need investigating.
9. Test your recovery process regularly
Once you have a backup strategy, make testing it a priority. Best practice would be testing your recovery plan every 3 months and when there’s a new hire or significant change in the team. When data loss happens, everyone involved should feel comfortable with the process. With each practice run, you’ll learn more about what works well — and what typically goes wrong. Document those learnings, adjust for the future, and optimize your disaster recovery plan if needed.
10. Prepare for different data loss scenarios
All data loss incidents are different. Sometimes there are large-scale losses that need to be recovered. At other times, you might just need to restore a single record from the Account object, or even a single field — restoring selectively to avoid corrupting other records in production. A dedicated Salesforce recovery solution will support different workflows for restoring data.
Implement best practices with a third-party backup solution
Implementing a robust backup and recovery strategy can be a challenge. But with a third-party backup solution, all these best practices have been taken into account, making it easy for teams like yours to protect your Salesforce orgs without compromising on security and compliance. According to the State of Salesforce DevOps Report 2024, users of third-party Salesforce-specialist backup solutions reported the most regular backups, the quickest data recovery times and the least data incidents.
No team can completely prevent data loss from affecting Salesforce. But with the right strategy and tools, you can minimize the impact. To find out more about how Gearset can help your secure Salesforce, get in touch to arrange a tailored demo of our comprehensive backup solution.
