Here’s a question most IT conversations skip: if your backup vendor disappeared tomorrow — acquired, bankrupt, or simply pricing you out — how long would it take to get your data back, and could you actually do it?
This isn’t a theoretical risk. Backup vendors get acquired and pricing changes. Support quality drops. Small vendors shut down. Cloud services pivot their product offering. And in every case, the business left holding the backup discovers, often too late, that their data is in a proprietary format or that the export process is painfully slow.
Backups are about recovery. A complete recovery strategy includes being able to recover from the vendor — not just from a failure.
Why vendor lock-in is a backup problem
When you store data in a backup solution, it’s typically compressed, deduplicated, and stored in the vendor’s proprietary format. This is fine when the vendor is operational and you’re restoring to similar hardware in a normal recovery scenario.
It becomes a problem when:
- The vendor changes pricing and you want to move to a cheaper alternative. How long does it take to export petabytes of data from their cloud platform? What does egress cost?
- The vendor gets acquired and the acquirer discontinues the product or forces migration to a different platform.
- The vendor has an outage or a breach affecting their backup infrastructure. If your backup storage is compromised, you need an alternative — and a proprietary format makes that harder.
- You change your IT provider and the new provider doesn’t support the same backup platform. Your historical backups may become inaccessible.
Three questions to ask your backup provider
1. Can I export my data in a standard, readable format?
Some vendors let you export to open formats (VMDK, VHD, bare-metal image) that can be opened by other tools. Others don’t. Find out before you need to.
2. How long does a full restore take — and have you tested it recently?
Restore time estimates from vendors are often best-case figures under ideal conditions. A real restore of a multi-terabyte dataset might take significantly longer, especially from cloud storage. If you haven’t run a full restore test in the last 12 months, you don’t actually know how long recovery takes.
3. Where is my data actually stored, and who controls it?
Many managed backup services store your data in their own cloud infrastructure. You’re not the tenant — they are. In a dispute or if the vendor becomes unavailable, accessing that data requires their cooperation. Some contracts specifically limit your right to bulk-export data. Read yours.
The 3-2-1 rule: still the right starting point
The 3-2-1 rule remains the standard for backup architecture: three copies of your data, on two different types of media, with one copy offsite. It’s not a complete strategy, but it provides the baseline redundancy that makes most catastrophic failures recoverable.
The reason it matters for vendor risk is the “two different types of media” part. If all three copies are in the same backup vendor’s platform (even across their different storage tiers), you have one vendor as a single point of failure. A true 3-2-1 implementation uses at least two distinct technologies or vendors — which gives you an exit path if one fails.
For Microsoft 365 data specifically: Microsoft’s own redundancy does not protect against accidental deletion, ransomware, or compliance holds beyond the standard retention periods. Separate Microsoft 365 backup is a distinct requirement, and the same portability questions apply.
What to do
Run a restore test this quarter. Not a file-level spot check — a full system restore of at least one critical workload. Document the time it took and compare it to your recovery time objective (RTO). If you don’t have an RTO, this is the moment to set one.
Document your exit procedure. Write down, step by step, what you would do if you had to move to a different backup vendor within 30 days. What would you export? How long would it take? What would it cost in egress fees? If you can’t answer this, you don’t have an exit strategy.
Review your contracts. Look for clauses covering data export rights, egress fees, and what happens to your data if you terminate the service. If the contract is unclear or unfavourable, raise it now rather than in a crisis.
Diversify where practical. For critical data, consider whether your backup strategy uses at least two independent paths. For Microsoft 365, a dedicated M365 backup solution separate from your device backup is a minimum.
A backup that you can restore from, but can’t move, isn’t a complete backup strategy — it’s a dependency. Building a genuine exit strategy is part of sound data governance, and it’s one of the things we look at in the Safe to Scale Scorecard.
If you’d like a review of your current backup and recovery posture, get in touch. It’s a straightforward assessment that most businesses find genuinely useful.