In this third part of the series on “Key Questions to Ask an eClinical SaaS Vendor” we will consider data backup and disaster recovery.
When using a SaaS-based eClinical application, your data is typically stored in a database that resides somewhere in “the cloud” (see the previous post for more detail on this typical scenario). A robust data backup and recovery procedure is important not only for disaster recovery, but also to serve as a historical record and as a means to restore data for a variety of needs.
Disaster recovery includes a number of scenarios:
- The database (hardware or software) suffers a fatal crash.
- Fire, flood, or other natural disaster destroys the database servers.
- A regional Internet outage takes the database server offline. Even though your data is still intact on the server, you cannot get to it.
Data restoration capability is important in cases such as:
- Old data was cleaned out or archived (either intentionally or unintentionally) but needs to be referenced or utilized once again.
- Current data has become corrupt, or has been removed (either accidentally or maliciously) and needs to be restored to a known good copy.
So even if you and your vendor are doing your part to keep the data secure and accurate, many scenarios could bring about a need to restore data. Here are a number of questions to ask your vendor to help ensure that sound policies and practices are in place.
Consider whether the vendor can define a clear and cohesive data backup and recovery strategy.
Questions to Ask:
- How frequently are backups performed?
Nightly backups are common, but the "right" frequency depends on how often the data changes. If data edits/changes/imports are performed daily, then weekly or monthly backups may be significantly outdated.
- How long are data backups retained?
Thanks to inexpensive storage options, it is reasonable for a vendor to securely archive weekly or monthly backups, and retain some backups for a year or more.
- Where are data archives stored?
It is common to store data archives in the cloud and/or within your vendor’s internal network. In any case, you should consider whether the location is secure and reliable. If removable media (e.g. USB drives or tape drives) or laptops are used, then the vendor should be taking extra precautions to keep your data secured.
- How are data backups secured?
It is good practice to have multiple copies of critical data in multiple locations. However, sound security policies and procedures should be in place to properly restrict access to your data. For example, data should be encrypted as it is transmitted across the public Internet, and backup files should be encrypted (or otherwise secured) wherever they reside (especially if on a laptop or removable media).
- Can data snapshots or backups be downloaded by authorized client users?
You may find it beneficial if key team members are able to download data exports or backups, especially if the data is in a common format (e.g. Excel compatible). Having a local copy can be beneficial if data recovery becomes necessary, but be sure to keep that local copy secure!
Disaster Recovery & Data Restoration
Consider whether precautions are in place to guard against common hazards, and what type of recovery procedure is in place when a problem occurs.
Questions to Ask:
- In the event my data becomes unavailable, how long will it take for access to be restored?
What is the vendor’s disaster recovery plan? Granted, disaster recovery depends on many factors, especially in the case of a significant natural disaster. However, today’s web technology enables SaaS providers to migrate the application and data (e.g. last night’s backup) to alternate data centers (i.e. a different location) within hours.
- Are environmental safeguards in place to keep the application and database up and running?
Electrical power, climate control and cooling systems should all have backup systems in place in order to keep the servers and network up and running. The data center should employ modern fire detection and suppression systems.
- Does the vendor provide a Service Level Agreement (SLA)?
SLAs typically include the guaranteed availability (e.g. 99.99% uptime) for the application. Even if you do not require a formal SLA, you may want to inquire about the vendor's high availability plan. It is important that the vendor is collaborating directly with you to maximize the productivity of your team, including scheduled downtime that works for your schedule.
- If multiple clients are co-mingled in the same database, is client data segregated such that your data could be restored in an isolated fashion?
Multi-customer systems can be very cost effective, but they can also limit the backup and recovery options for a specific customer.
- How often are backup and restoration procedures audited & tested?
There should be frequent monitoring (e.g. weekly) to ensure that regular backups complete successfully. Auditing and testing of the procedures can be less frequent (e.g. quarterly or annually). A good follow-up is to ask when the recovery process was last tested or utilized.
Since each organization has different requirements and priorities, there is no set of “right” answers to these questions. Asking these questions will help you assess a general “recovery profile” for a vendor, and allow you to weigh that against your other priorities and requirements, including feature set and cost. It can also help you assess what priority the service vendor places on these important considerations.
In the next post of this series, we will discuss monitoring of application health & availability.
At Trial By Fire Solutions, we are happy to further discuss our data backup and disaster recovery strategies for SimpleCTMS: our secure, affordable, SaaS-based Clinical Trial Management System (CTMS).