Managed Backup & Disaster Recovery ServicesImage-Based BCDR · SaaS Backup · Ransomware-Resistant

Backup is a copy of your data. By contrast, disaster recovery is the procedure that turns that copy back into a running business. A good backup gives you a restore point. Meanwhile, a good DR program gives you the runbook, the failover environment, the contact tree, and the tested recovery time that lets you actually use the restore point under pressure. Most organizations have backups. Still, far fewer have a DR program. In short, the two are complementary, and neither is a substitute for the other. So our engagements always include both.

Yes, and Microsoft says so explicitly. Specifically, Microsoft’s shared-responsibility model assigns service availability to Microsoft and data protection to you, the customer. In practice, native retention has tight limits, granular point-in-time restore is not always available, and items deleted past the recycle bin are gone. So third-party backup for Exchange Online, SharePoint, OneDrive, and Teams covers accidental deletion, malicious insider activity, ransomware that reaches synced files, and long-tail compliance retention beyond what the platform offers. Typically, we pair this with our managed Microsoft 365 service.

The 3-2-1 rule says keep three copies of your data on two different storage media with one copy off-site. In short, it is the oldest durable backup principle. By contrast, the modern update, 3-2-1-1-0, adds an immutable copy that ransomware cannot encrypt and a recovery-test pass that proves the restore actually works. So we architect every backup program against the 3-2-1-1-0 standard, because each digit closes a real failure mode we have personally seen burn other businesses.

At minimum, quarterly, and a different surface should be tested each quarter so the full estate cycles through annually. Also, weekly file-restore spot-checks for SharePoint and OneDrive add a second tier of verification at very low cost. Compliance frameworks vary on the cadence; for example, SOC 2 and CMMC 2.0 expect documented periodic testing, HIPAA expects testing as part of the contingency plan, and most cyber insurance carriers now ask for a written test schedule on renewal questionnaires. Bottom line: quarterly is a sensible target for most companies in the 10 to 500 user range.

RPO is how much data you can afford to lose; RTO is how long you can afford to be down. In practice, most small and mid-market businesses land at an RPO of 1 to 4 hours for the core systems (file servers, ERP, email, line-of-business apps) and an RTO of 4 to 24 hours for the same systems. By contrast, Tier-2 systems (intranet, archived projects, dev environments) typically tolerate an RPO measured in 24 hours and an RTO measured in days. Ultimately, the right answer depends on revenue impact, regulatory exposure, and customer expectations. So we set the targets in Phase 1 of our methodology, before the technology decision.

Yes, and modern attackers actively look for them. Notably, the MITRE ATT&CK technique catalog lists T1490 (Inhibit System Recovery) as standard ransomware tradecraft. Typically, threat actors compromise a domain, locate the backup server, and either delete the backups, encrypt the repository, or revoke its credentials before triggering the production payload. By contrast, the defenses are immutable cloud storage that cannot be deleted within the lock window, an air-gapped or logically isolated copy outside the production identity domain, and phishing-resistant MFA on every backup admin account. In practice, we pair this with the broader controls in our managed cybersecurity practice.

Retention is per-workload and per-regulation, not a single setting. For example, default retention for most server image backups is 30 days local plus 1 year in the cloud. Meanwhile, Microsoft 365 mailboxes and SharePoint typically retain at 7 years to satisfy long-tail discovery and SEC 17a-4 record requirements where they apply. By contrast, endpoint file backups retain 90 days by default. Regulated workloads (healthcare, financial services, DoD supply chain) often need longer windows; in practice, we tune the policy in Phase 1 against your compliance map and audit history.

Yes. In practice, Google Workspace has the same shared-responsibility gap Microsoft has, and the recovery options inside the Admin Console are similarly limited beyond the standard recycle bin window. So our SaaS backup tier covers Gmail mailboxes, Google Drive (including shared drives), Calendar, Contacts, and Sites, with item-level restore and indefinite retention. Critically, the architecture mirrors what we run for Microsoft 365 tenants, which makes mixed-platform organizations straightforward to support.

Yes. Specifically, we protect Azure VMs, managed disks, Azure Files, and Azure SQL with a mix of cloud-native backup services and third-party platforms, depending on the recovery objectives and compliance scope. On AWS, we cover EC2, EBS, RDS, S3, and DynamoDB with application-consistent snapshots, cross-region copies, and immutable vault tiers. As a result, the cloud workload tier integrates with the rest of our managed cloud infrastructure service, so the backup design lines up with the broader cloud architecture.

When you call the incident hotline, an engineer opens the runbook your account already has on file. First, the opening hour is triage: scope, blast radius, business impact, and a call list. Then the next phase depends on the event type. If a server-room flood, we spin up replicated workloads in the cloud failover target. With ransomware, we isolate, validate that the immutable backup copy is clean, then stage a clean-room restore. During a SaaS-platform incident, we run granular point-in-time restores into the affected tenants. Throughout, we coordinate with leadership, your cyber insurance carrier where relevant, and your business continuity response team.

Yes. Specifically, managed backup and disaster recovery is delivered remotely to businesses across the United States. In practice, architecture, deployment, monitoring, recovery testing, and incident response all happen over secure remote channels. While On-Site Technology is headquartered in New Jersey, and our deepest engineering capacity sits in Northern NJ, the NYC metro, Pennsylvania, and South Florida, that is a capacity note, not a service boundary. So if your business operates in the U.S., we can run your backup program. Often, we pair the BCDR engagement with our managed IT services for clients in the regional footprint who also want hands-on support.

Pricing is scoped to the environment: protected workload count, retention windows, compliance posture, and recovery objectives. For example, we do not publish per-seat pricing because a 50-user manufacturer with on-prem ERP, CMMC-aligned retention, and Azure workloads has very different economics from a 50-user services firm running entirely in Microsoft 365. Typically, most engagements include a fixed monthly fee plus a one-time onboarding investment for the discovery phase and the initial seed. Notably, the discovery deliverables are yours to keep regardless of whether you continue with us afterward. So call (973) 777-7227 or use the form at the top of this page for a custom quote.