The Business Owner's Guide to Cloud Backup: What to Ask Before You Sign Any Contract

Cloud backup is one of those services that is easy to buy and difficult to evaluate until something goes wrong. Providers know this. The sales process typically focuses on features, price and storage capacity. The questions that actually determine whether the service will perform under pressure are rarely volunteered.

The consequences of a poor choice are not abstract. A backup solution that fails during a ransomware attack, cannot restore within a timeframe that keeps the business running, or holds data in a location that creates regulatory exposure, is not just an inconvenience. For some businesses, unrecoverable data loss or extended downtime is an existential event.

The questions below are designed to surface those risks before you are exposed to them. They are straightforward to ask. A capable provider will answer them directly. One that cannot should be treated with caution.

"The questions that actually determine whether the service will perform under pressure are rarely volunteered."

This is the first question for a reason. Data sovereignty is not a technical nicety for UK businesses; it is frequently a regulatory and contractual obligation. Depending on your sector, your data may be subject to requirements that not only require it to be secure but also to be physically held within the UK.

What to ask

• In which country or countries is our backup data stored?
• What data centre certifications apply to the storage infrastructure?
• Who within your organisation has access to our backup data?
• Is our data logically isolated from other customers on the same infrastructure?

What good looks like

A credible provider should be able to confirm the specific location of your backup data, demonstrate that the storage infrastructure carries recognised certifications such as ISO 27001, and explain clearly how access is controlled and audited. Contrac holds backup data in ISO 27001 accredited UK data centres, with strict data sovereignty built into the service architecture rather than offered as an optional extra.

What to watch out for

Answers that reference data stored across multiple international regions without clear clarity on which regions, or that reference providers who cannot confirm the specific certifications their storage infrastructure holds, warrant further investigation before proceeding.

The purpose of a backup solution is to restore data. Yet many providers are far more specific about the backup side of the equation than they are about recovery. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) should be defined, documented, and guaranteed before any contract is signed.

What to ask

• What RTO and RPO can you guarantee for our specific configuration?
• Are those guarantees contractual, or are they targets?
• What happens if you fail to meet them?
• How do your recovery guarantees differ across different data types and systems?

What good looks like

A provider who understands recovery guarantees will ask you about your business requirements before quoting figures, because the right RTO and RPO vary significantly by organisation and by system. They will then design a solution architecture that supports those objectives and commit to them contractually. Contrac designs every managed cloud backup engagement around defined RTO and RPO targets agreed with the client at the outset.

What to watch out for

Providers who quote RTO and RPO figures without first understanding your business are likely offering standard defaults rather than a tailored solution. A figure that sounds impressive but has not been validated against your specific environment should be treated as a sales claim rather than a service commitment.

Untested backups are one of the most common and costly failure modes in data protection. A backup that runs consistently, appears healthy in a dashboard, but has never been restored to a live environment is an assumption, not a guarantee. The only way to know that a backup is restorable is to restore it.

What to ask

• How frequently are backups tested for restoration integrity?
• Is testing automated or does it require a manual trigger?
• What does the testing process actually involve? Is it a full restoration or a file-level check?
• How are test results reported, and what happens when a test fails?

What good looks like

Automated daily testing that verifies restoration integrity without requiring manual intervention is the standard you should expect from a managed service. Contrac's backup service includes automated daily verification, with results available and anomalies surfaced to the engineering team before they become problems. The test failure process is as important as the testing itself: a provider should be able to explain clearly what steps are taken when a backup fails verification.

What to watch out for

If a provider cannot tell you how frequently backups are tested, or if testing is described as occurring on request or during an annual review, that is a significant gap. Backup integrity degrades over time for a variety of reasons, and the only reliable way to catch that degradation is through continuous, automated verification.

Support availability during normal operations and support availability during an incident are two very different things. A provider with business-hours helpdesk coverage who takes 48 hours to respond to a critical ticket is not a meaningful partner when a ransomware attack triggers at 11pm on a Friday.

What to ask

• Is your support desk available 24 hours a day, 7 days a week, 365 days a year?
• What is your target response time for a critical incident, and how is that measured?
• Who manages the restoration process during an incident? Is it the same team that manages day-to-day backup operations?
• Can you walk us through what a typical incident response engagement looks like?

What good looks like

Genuine 24x7x365 support with defined and measured response times for critical incidents is the baseline for a provider you can rely on when things go wrong. Contrac IT Support operates an ITIL-aligned service desk around the clock, with an 81 per cent first-contact resolution rate and a 99.2 per cent SLA success rate across its managed services. During a data loss incident, the engineering team manages the restoration process directly, removing the burden from internal IT teams at precisely the moment when that burden is hardest to carry.

What to watch out for

Providers who describe their support as available during business hours, with an emergency line for critical issues, should be questioned carefully about what constitutes a critical issue and the realistic response time outside normal hours. A recovery that begins 12 hours after an incident because support was unavailable does not meet most businesses' operational needs.

There is a meaningful distinction between a cloud backup tool and a managed cloud backup service. The former is software that runs backups according to a schedule. The latter is an ongoing operational commitment where a qualified team monitors your backup environment, verifies integrity, manages incidents, and takes responsibility for outcomes.

The following questions help distinguish between the two in a sales conversation:

• Who monitors our backup environment on an ongoing basis, and what are they looking for?
• If our backup fails overnight, how and when will we be notified?
• What is your process for handling a restoration request outside of business hours?
• How do you stay current with evolving threats such as ransomware techniques that specifically target backup infrastructure?
• What certifications and accreditations does your engineering team hold in relation to the backup platform you operate?

Contrac IT Support holds Acronis Platinum Partner status, the highest tier within the Acronis partner programme, and was named Acronis Partner of the Year for UK and Ireland in 2025. For a broader view of how managed cloud backup fits within a wider IT infrastructure strategy, the hosting and cloud solutions page provides useful context.