Did you know that Microsoft 365 also needs to be backed up?
Where the risk actually sits
Many organisations rely on Microsoft 365 for email and file storage. It is stable, widely trusted, and always available, which makes it easy to assume that the data within it is fully protected.
That assumption does not hold.
Microsoft secures the infrastructure and keeps services running. The responsibility for protecting business data remains with the organisation itself. Files are deleted, overwritten, or encrypted as part of everyday activity, and when that happens, recovery options depend on what has been put in place beforehand.
Best practice requires an independent backup that runs regularly, stores data outside Microsoft 365, and allows reliable recovery when needed.
What Microsoft does and does not cover
Microsoft operates on a shared responsibility model. It maintains uptime and platform resilience, while data protection beyond standard retention settings sits with the client.
Retention helps in limited scenarios, but it does not provide the depth or flexibility of a backup. Once data falls outside the retention windows or is altered in place, recovery becomes uncertain.
What regulators expect
Regulators such as the DFSA and ADGM’s FSRA require firms to maintain control over their data, including its availability, integrity, and recoverability. Firms must be able to restore systems after disruption and retain records for defined periods, often at least six years depending on the data.
Backup supports both compliance and operational continuity.
What this means for Penta clients
For Penta clients, this is already addressed. All Microsoft 365 environments managed by Penta include independent external backups using dedicated third-party software.
Data is stored in Penta’s data centres, separate from Microsoft, ensuring a clean copy remains available even if the primary environment is affected. Recovery is therefore controlled and not constrained by Microsoft’s retention limits.
A simple distinction that matters
Microsoft 365 is a powerful platform. It does not replace backup.
Humaira Abdulla
Business Development Specialist, Penta
Humaira Abdulla is a Business Development Specialist at Penta, supporting clients across the EMEA region in aligning technology with regulatory and security requirements. She works with financial institutions, family offices, and asset managers in Geneva, DIFC and ADGM to design compliant IT and cloud strategies built around FINMA, DFSA, FSRA, and ISO 27001:2022 standards.
Her approach combines technical insight with a focus on long-term partnership. By connecting business objectives with secure infrastructure such as Microsoft 365, private cloud, and managed compliance services, she helps regulated firms operate with confidence.