Is Microsoft 365 Really Backing Up Your Data?

Most South African businesses assume OneDrive and SharePoint protect their files. They don't. Here's what you need to know — and what to do about it.

Published: March 2026 | 8 min read

The Misconception That Puts Your Business at Risk

If you use Microsoft 365, there's a good chance you believe your files are safely backed up through OneDrive or SharePoint. You're not alone — it's one of the most common assumptions we encounter. But it's wrong, and the consequences can be severe.

OneDrive and SharePoint are synchronisation tools, not backup solutions. They mirror files between your devices and the cloud. If you delete a file on your laptop, it disappears from the cloud too. If ransomware encrypts your files locally, those encrypted versions sync straight up to OneDrive.

Syncing is not backing up. And that distinction could cost your business everything.

The 93-Day Cliff

Microsoft 365 retains deleted files for a maximum of 93 days. After that, your data is gone — permanently and unrecoverably. There is no safety net, no archive, no way to get it back.

Microsoft's own Files Restore feature only covers a 30-day window, and metadata backups are limited to just 14 days. If you discover data loss after these windows close, you're out of options.

True backup means you can restore from any point in time — not just within a narrow, fixed window.

From Microsoft's Own Service Agreement (Section 12):

"WE DO NOT GUARANTEE THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE OR THAT CONTENT LOSS WON'T OCCUR."

The Shared Responsibility Model

Microsoft operates under what's called the Shared Responsibility Model. In simple terms: Microsoft is responsible for keeping the infrastructure running (servers, uptime, physical security). But you are responsible for your own data — including backups, recovery, and protection against accidental deletion or cyberattack.

Most businesses don't realise this until it's too late. Microsoft provides the platform, but the data on it is your responsibility.

What This Means Under POPIA

South Africa's Protection of Personal Information Act (POPIA) places clear obligations on businesses that handle personal data:

  • Section 19: Requires "appropriate, reasonable technical and organisational measures" to protect personal information against loss, damage, and unauthorised access.
  • Section 72: Personal data must remain in South Africa unless adequate protection exists abroad. This makes local data storage a critical compliance factor.

Relying solely on Microsoft 365's native tools — which often store data internationally and offer limited recovery — may not satisfy these requirements. Non-compliance can result in significant fines and reputational harm.

How Does Microsoft 365 Compare to a True Backup?

The table below highlights the critical differences between relying on Microsoft 365's built-in features and using a dedicated, POPIA-compliant backup solution.

| Feature | Microsoft 365 Native | StormDotCom Backup |
| --- | --- | --- |
| Data Location | Often international | South Africa (local data centre) |
| Recovery Window | Limited (93 days max) | Unlimited / Custom (7+ years) |
| Ransomware Defence | Syncs encrypted files | Air-gapped / Immutable copies |
| Legal Compliance | Shared responsibility | POPIA-compliant data sovereignty |
| Restoration Speed | Manual and tedious | Instant point-in-time restore |

POPIA-Ready Backup Audit Checklist

Use this checklist to assess your organisation's backup readiness. If you can't tick every box, your business may be exposed.

Frequently Asked Questions

Does Microsoft 365 guarantee data recovery after accidental deletion?

No. Microsoft only retains deleted items within a short window (up to 93 days). After that, data is permanently unrecoverable. Independent, periodic backup is essential.

Is backup to local data centres required by POPIA?

Section 72 of POPIA strongly supports data localisation unless strict protection exists abroad. Storing backups locally in South Africa significantly reduces your compliance risk.

How often should we test recovery?

At least quarterly. Each test should be documented with audit trails and reports to demonstrate compliance readiness.

Key Takeaways

  • OneDrive and SharePoint are sync tools, not backups
  • Deleted files vanish permanently after 93 days
  • Microsoft does not guarantee against content loss
  • POPIA requires independent, local data protection
  • True backup offers unlimited point-in-time recovery

Glossary

  • Air-gapped backup: Isolated from the primary system, preventing ransomware from reaching it.
  • Immutable backup: Cannot be modified, encrypted, or deleted for a set period.
  • Data sovereignty: Data is subject to the laws of the country where it is stored.
  • Shared Responsibility Model: Microsoft manages infrastructure; you manage your data.

Not Sure If Your Data Is Protected?

Book a free, no-obligation backup readiness review. We'll assess your Microsoft 365 environment and show you exactly where the gaps are.
