SimpleBackupsSimpleBackups

Security, privacy and compliance at SimpleBackups

We build features and architecture our systems in a security-first manner.

Data Security with SimpleBackups

Based in Europe

ISO 27001 Certified

SOC2 Compliant (*)

HIPAA Compliant (*)

GDPR Compliant

Auditing & Security Programs

(*) We are not yet SOC2 and HIPAA certified but can provide you with the available security reports you may need in the context of a security review. See below for more information about coming compliance/certification and current available reports.
Encryption, in transit, at rest
At SimpleBackups we're focusing on providing the most secure and transparent backup solution, and that's why we've built a "security-first" page that documents every data we deal with and how we deal with it.

Secure Connection Options

Direct Connection

Backups are streamed to your server over SSH, with scripts executed directly on your side. No installation required—just whitelist SimpleBackups’ IPs to enable secure access and start protecting your data right away.

simple backups database backup flowchart

Headless Local Agent

Install the Agent once and backups run fully from your server, without SimpleBackups needing access. Works seamlessly behind firewalls and NAT gateways, with no open ports or IP allowlists required—ideal for dev, staging, and production environments.

simple backups agent backup flowchart

Your Backup configurations

Depending on backup types, SimpleBackups will require you to input different kinds of credentials in order to be able to run your backup.

All of these data are systematically encrypted and securely stored using a rotating key.

On top of that, you don't have to provide root access to SimpleBackups, in face we recommend against it. Root access is always something to avoid, and we've built our solution to be able to backup your data without it and by requiring the least possible permissions from you.

ℹ️ Some backup types also allow you to get credentials configured on your end without storng them on SimpleBackups

Backup data access

During the backup process NO DATA is transiting via SimpleBackups infrastructure. Meaning that your data is directly sent to the storage you've configured, without any intermediary.

The only exception to this is when using Serverless, where the backup is streamed from SimpleBackups isolated serverless infrastucture to your storage. Even in that case the data is never stored on our end.

Encryption in transit

We use encryption at rest and in transit for all your backups. This means that you can configure your backups to be encrypted using your own private key but also that all the data transiting between SimpleBackups and your storage is encrypted using AES256.

As mentioned above the data stored on SimpleBackups (configuration...) are encrypted using a rotating key. Adding your own encryption key to backups means that no backups are readable by anyone, even us at transit, since the encrypted output is sent to your storage. The process happens in complete autonomy with real-time logs available for you to check.

Encryption on storage

Your backup can be stored on any connected Storage Provider and you can define an encryption key generated on your end, unique to you, that will be used to encrypt your backup archive before the transit.
This means only you, owner of your private key, can ever decrypt it (as long as you don't lose the key of course).
Additionally, SimpleBackups supports technologies like SSE-C to ensure your data is encrypted on the storage provider side.

Your account security

Oauth 2 and 2-Factor Authentication

Manage teams and users permissions

What happens if my account on SimpleBackups is compromised?
The beauty of SimpleBackups is that it allows us to answer all the following questions by a 'No'. We tried other solutions in the past, and this was not the case, which is why we believe that our solution is the safest bet.
  • Storage secret can be viewed from my account? No.
  • Servers SSH keys could be retrieved from my account? No.
  • Servers SSH passwords could be viewed from my account? No.
  • Backups on my offsite storage could be deleted by any means? No.
  • Encrypted backups could be decrypted by anyone other than the private key owner? No.
  • If SimpleBackups disappears one day, or if my account is deleted, will I not be able to retrieve my backups? No.

Your backups security

SSL encryption
Hosted on AWSSecured by CloudFlare
Encryption with your own RSA key
Backup encryption is fully managed by your own RSA key meaning you're the only one able to read it. Not us. So don't lose your key!
We log activity for all backup operations
Any activity on your backup is logged and displayed on your backup view page.
AES-256 encryption across the board
All backup, server and storage related data is encrypted using AES-256. This means it's impossible to read the data without the encryption key in case of a data breach. Additionally:
  • All backup jobs that run do not work outside the backup directory you set or the /tmp directory
  • The scripts that run are thoroughly tested on our infrastructure continuously (we have automated test cases for all backup types, unit-tests, and minutely running backups for testing)
  • The backup scripts run for all users all the time, including us as well, since SimpleBackups uses itself to maintain its own backups
Store your backups on your storage
You can bring your own storage and connect it to SimpleBackups. In this case the data is sent from your server to your storage, not passing by our servers at anytime.

Certifications, compliance and auditing

GDPR compliance
IS27001
While many self-claim to be ISO 27001 "compliant" fewer are actually "certified".
We, at SimpleBackups, are certified since 2023, and are being audited on a yearly-basis.

Being ISO 27001 certified means we have obligations, when it comes to implementation of strict data security measures and that everything we do is documented and audited.

We're also based in Europe, where data security is known to be heavily scrutinized, and we're GDPR compliant, meaning that we have to follow strict data security regulations and that we have to provide you with all the tools you need to be compliant as well.

*While we’re not yet SOC 2 or HIPAA certified, we are implementing systems and processes that align with their data security requirements. We can also provide reports from our ISO 27001 certification in this regard.

ISO 27001 Requirements

ISO 27001, specifically in Annex A.12.3, outlines requirements for "backup" and disaster recovery in the context of information security. It mandates that organizations implement appropriate backup procedures to protect against data loss, ensuring that information and software essential to business operations are regularly backed up. Backups must be tested periodically to verify their integrity and effectiveness in disaster recovery scenarios. The standard requires that backup copies are stored securely, with defined access controls, and that they are kept separate from the operational environment to prevent data corruption or loss in case of system failure. Additionally, the organization must ensure that backup policies align with business continuity and disaster recovery plans, and that backup procedures comply with legal, regulatory, and contractual obligations.

GDPR Requirements

The GDPR does not explicitly mandate backups, but it requires organizations to implement appropriate technical and organizational measures to ensure the security, availability, and resilience of personal data, as stated in Article 32. While backups are not a direct requirement, they are often necessary to meet these obligations, particularly for ensuring data availability and timely recovery in the event of system failures, breaches, or other disruptions. Consequently, having a robust backup strategy is typically part of demonstrating compliance. Moreover, any backups containing personal data must adhere to GDPR principles, such as data confidentiality and integrity, which means they must be protected with measures like encryption and access controls.

SOC2 Requirements

In the context of SOC2, backups are not explicitly required, but they are commonly implemented to meet the Availability and Security principles.
SOC2 focuses on ensuring that systems are reliable and available as committed, and backups are a typical way to achieve this. While organizations have flexibility in how they meet these criteria, a strong backup and disaster recovery plan helps demonstrate the ability to restore data and maintain operations during disruptions. Backups also need to be secured with proper access controls and encryption to comply with SOC2’s confidentiality and security standards.

HIPAA Requirements

Under HIPAA’s Security Rule, backups are explicitly required to ensure the availability and integrity of Protected Health Information (PHI).
The Contingency Plan standard (45 CFR § 164.308(a)(7)(ii)(A)) mandates that covered entities and business associates implement a data backup plan to create and maintain retrievable copies of electronic PHI. This ensures that critical health data can be restored in case of emergencies or data loss. Backups must also be protected with appropriate security measures, such as encryption and access controls, to meet HIPAA’s confidentiality, integrity, and availability requirements. Regular testing and verification of these backup plans are strongly recommended to ensure effectiveness.

Documentation and security resources

Discover ourDocumentationDiscover ourAPIDiscover ourIntegrations

Our articles and resources about security and privacy

What happens if my account on SimpleBackups is compromised?SimpleBackups and the GDPRGDPR Simplified SheetData Processing Agreement