How to write an RFP for backup as a service

Requirements, questions, and evaluation criteria specific to backup as a service procurement

Backup as a Service (BaaS) procurement demands rigorous RFPs due to escalating cyber threats and complex data environments. Selecting a BaaS provider has become a critical strategic decision with long-term implications for organizational survival, making a detailed RFP essential.

What makes backup as a service RFPs different

BaaS RFPs differ significantly from general IT procurement due to the criticality of data recovery in the face of cyberattacks and disasters. The evaluation must extend beyond basic storage capacity and consider advanced features like immutability, anomaly detection, and clean room recovery. Furthermore, compliance requirements such as DORA and NIS2 add layers of complexity, requiring careful assessment of the vendor's security posture and data sovereignty capabilities.

The rise of SaaS applications and distributed workforces also necessitates a focus on endpoint protection and cloud-to-cloud backup solutions.

  • Data immutability and ransomware protection capabilities
  • Compliance with industry-specific regulations (e.g., DORA, HIPAA, NIS2)
  • Integration with existing security infrastructure and incident response plans
  • Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical systems

RFP vs RFI vs RFQ

Here's when to use each document type when procuring backup as a service software.

RFI

Request for Information

Use early in your search to understand what vendors offer and narrow your list. Gather general capabilities, company background, and high-level pricing ranges.

RFP

Request for Proposal

Use when you know your requirements and want detailed vendor solutions and pricing. This is your main evaluation document for shortlisted vendors.

RFQ

Request for Quote

Use when requirements are fixed and you just need final pricing. Often used after RFP when you're ready to negotiate with finalists.

For BaaS, an RFI helps understand the range of available solutions and vendor capabilities. An RFP is crucial for in-depth evaluation of security features, compliance adherence, and disaster recovery preparedness. An RFQ is less suitable due to the complexity and customization required for BaaS implementation.

Technical requirements checklist

Use this checklist when defining your RFP scope.

Data Security & Immutability

  • Write-Once-Read-Many (WORM) storage for backup data
  • Logical air-gapping to isolate backups from production networks
  • Encryption at rest and in transit (AES-256, TLS 1.3)
  • Multi-Factor Authentication (MFA) for administrative access

Recovery Capabilities

  • Automated backup scheduling and verification
  • Clean room recovery environment for malware scanning
  • Instant recovery options for virtual machines and applications
  • Granular file and folder-level recovery

Cloud & SaaS Support

  • Direct-to-cloud backup for endpoints
  • Cloud-to-cloud (C2C) backup for SaaS applications (M365, Salesforce)
  • Support for backing up data within IaaS environments (AWS, Azure, GCP)
  • Integration with cloud-native security tools

Compliance & Governance

  • Data residency options to meet data sovereignty requirements
  • Compliance certifications (SOC 2 Type II, ISO 27001, HIPAA, GDPR, DORA)
  • Audit logging and reporting capabilities
  • Role-Based Access Control (RBAC)

Reporting & Analytics

  • Backup success rate monitoring
  • Storage utilization reporting
  • Anomaly detection and alerting
  • Customizable dashboards and reports

Questions to include in your RFP

Architecture & Deployment

  • Describe your architecture for data immutability and how it prevents ransomware from modifying or deleting backups.
    Ensures backups remain protected even if an attacker gains administrative access.
  • Detail your deployment options and the advantages/disadvantages of each (cloud-native, hybrid, gateway-based).
    Helps determine the best fit for the organization's infrastructure and recovery needs.
  • Explain your disaster recovery and business continuity plan, including geographic redundancy and failover procedures.
    Verifies the vendor's ability to maintain data availability in the event of a major disruption.
  • How does your solution handle backup and recovery for remote endpoints (laptops, mobile devices) with limited bandwidth?
    Addresses the challenges of protecting data in distributed work environments.

Security & Compliance

  • Describe your approach to logical air-gapping and how it isolates backup repositories from the production network.
    Prevents lateral movement of attackers from production to backup environments.
  • Detail your anomaly detection capabilities and how you use AI/ML to identify potential ransomware attacks or data breaches.
    Enables proactive threat detection and faster incident response.
  • What compliance certifications do you hold (SOC 2 Type II, ISO 27001, HIPAA, GDPR, DORA) and how do you ensure ongoing compliance?
    Demonstrates the vendor's commitment to security and regulatory requirements.
  • Explain your data residency options and how you ensure data sovereignty compliance for different geographic regions.
    Meets legal and regulatory requirements for data storage location.

Recovery & Performance

  • Describe your clean room recovery process and how you scan data for malware before restoration.
    Prevents reinfection of systems during recovery.
  • What is your "Time to First Byte" during a restore of 10 Terabytes of data from the cloud?
    Indicates the performance and scalability of the vendor's cloud infrastructure.
  • Detail your automated scheduling and verification process to ensure backup integrity.
    Guarantees that backups are valid and recoverable when needed.
  • What are your Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for different types of workloads?
    Defines the acceptable downtime and data loss in the event of a disaster.

Integration & Management

  • Describe your integration capabilities with common SaaS platforms (M365, Salesforce, etc.) and IaaS environments (AWS, Azure, GCP).
    Ensures comprehensive data protection across all critical systems.
  • How does your platform handle "Shadow IT" discovery and ensure that unprotected cloud instances are identified and backed up?
    Addresses the risk of data loss from unauthorized cloud applications.
  • Detail your API functionality and how it can be used to integrate backup alerts with a Security Operations Center (SOC).
    Enables automated incident response and faster threat remediation.
  • Describe your single pane of glass management console and how it simplifies the management of on-premises, hybrid, and multi-cloud environments.
    Streamlines backup administration and reduces operational overhead.

Pricing & Licensing

  • Provide a detailed breakdown of your pricing model, including all costs associated with implementation, licensing, storage, and egress fees.
    Ensures transparency and helps avoid hidden costs.
  • What is your process for "Vendor Lock-in" mitigation? What is the cost and process for extracting historical backup data if we switch vendors?
    Protects against being locked into a proprietary platform with high switching costs.
  • Do you offer volume discounts or long-term contracts and what are the associated terms and conditions?
    Helps optimize the total cost of ownership.
  • What are your data retention policies and how do you handle data deletion requests in compliance with GDPR and other privacy regulations?
    Ensures compliance with data privacy laws.

Vendor Viability

  • Provide information about your company's financial stability and years in business.
    Assesses the vendor's long-term viability and ability to support the solution.
  • Describe your customer support model, including service level agreements (SLAs) and escalation procedures.
    Ensures timely and effective support in case of issues.
  • What is your product roadmap and how do you plan to incorporate emerging technologies like Generative AI and post-quantum encryption?
    Ensures the solution remains viable against future threats.
  • Can you demonstrate a successful "Clean Room" recovery of our most complex multi-tier application?
    Tests the vendor's ability to handle complex recovery scenarios.

Compliance and security requirements

Depending on your industry, you may need to require proof of these certifications and standards.

SOC 2 Type II

Required for organizations that need independent assurance of data security and availability. If applicable, request the current SOC 2 Type II report.

ISO 27001

Required for organizations that need a globally recognized security standard. If applicable, request the current ISO 27001 certificate.

HIPAA

Required for healthcare data. If applicable, request a BAA template and HIPAA compliance documentation.

GDPR

Required for organizations processing the personal data of EU residents. If applicable, request GDPR compliance documentation and a data processing agreement.

DORA (Digital Operational Resilience Act)

Required for financial entities operating in the EU. If applicable, request a DORA readiness assessment and compliance plan.

NIS2 Directive

Required for essential and important entities within the EU. If applicable, request NIS2 compliance documentation and supply chain security measures.

Evaluation criteria

Here is the suggested weighting for backup as a service RFPs.

Functionality Fit (25%): How well the solution meets stated requirements and use cases
Security & Compliance (25%): Strength of security features and adherence to relevant compliance standards
Total Cost of Ownership (20%): Implementation, licensing, storage, egress, and ongoing costs
Integration Capabilities (15%): Ease of integration with existing systems and cloud platforms
Vendor Viability & Support (10%): Financial stability, customer support, and product roadmap
Recovery Performance (5%): Speed and reliability of data recovery processes

Adjust these weights to reflect your own priorities:

  • Increase if replacing a highly customized legacy system
  • Increase for highly regulated industries
  • Increase if complex integration landscape exists
  • Increase for critical deployments requiring high availability
  • Increase if RTOs are extremely tight
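An added example, written for this guide rather than taken from it: a small Python scoring model that applies the suggested weights to 1-5 vendor scores, raises one criterion for a stated priority (here Recovery Performance for tight RTOs) and rescales the remaining weights so the total stays at 100%. The vendor names and scores are constructed for illustration.

```python
# Weighted RFP scoring with priority adjustment (added example, not from the guide).
from typing import Dict, List, Tuple

# Suggested weights from the guide, in percent.
BASE_WEIGHTS: Dict[str, float] = {
    "Functionality Fit": 25,
    "Security & Compliance": 25,
    "Total Cost of Ownership": 20,
    "Integration Capabilities": 15,
    "Vendor Viability & Support": 10,
    "Recovery Performance": 5,
}

# Constructed scores (1 = poor, 5 = excellent) for two hypothetical vendors:
# Vendor A is cheaper but restores slowly; Vendor B costs more but restores fast.
VENDORS: Dict[str, Dict[str, int]] = {
    "Vendor A": {"Functionality Fit": 4, "Security & Compliance": 4, "Total Cost of Ownership": 5,
                 "Integration Capabilities": 4, "Vendor Viability & Support": 4, "Recovery Performance": 2},
    "Vendor B": {"Functionality Fit": 4, "Security & Compliance": 4, "Total Cost of Ownership": 3,
                 "Integration Capabilities": 4, "Vendor Viability & Support": 4, "Recovery Performance": 5},
}

def adjust_weights(weights: Dict[str, float], criterion: str, new_weight: float) -> Dict[str, float]:
    """Set one criterion to new_weight and scale the others proportionally so the sum stays 100."""
    if criterion not in weights:
        raise KeyError(f"unknown criterion: {criterion}")
    if not 0 < new_weight < 100:
        raise ValueError("new weight must be strictly between 0 and 100")
    others_total = sum(w for k, w in weights.items() if k != criterion)
    remaining = 100 - new_weight
    adjusted = {k: w * remaining / others_total for k, w in weights.items() if k != criterion}
    adjusted[criterion] = new_weight
    return adjusted

def weighted_score(scores: Dict[str, int], weights: Dict[str, float]) -> float:
    """Return a 0-100 score; every weighted criterion must have a 1-5 score."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"missing scores for {sorted(missing)}")
    if abs(sum(weights.values()) - 100) > 1e-9:
        raise ValueError("weights must sum to 100")
    if any(not 1 <= scores[k] <= 5 for k in weights):
        raise ValueError("scores must be between 1 and 5")
    return sum(weights[k] * scores[k] / 5 for k in weights)

def rank_vendors(vendors: Dict[str, Dict[str, int]], weights: Dict[str, float]) -> List[Tuple[float, str]]:
    """Highest weighted score first."""
    return sorted(((weighted_score(s, weights), name) for name, s in vendors.items()), reverse=True)

if __name__ == "__main__":
    print("Suggested weights:", rank_vendors(VENDORS, BASE_WEIGHTS))
    tight_rto = adjust_weights(BASE_WEIGHTS, "Recovery Performance", 25)
    print("Tight RTOs:      ", rank_vendors(VENDORS, tight_rto))
```

With the suggested weights the cheaper vendor ranks first; once Recovery Performance is raised to 25% the faster-restoring vendor overtakes it, which is the effect the adjustment list above describes.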

Red flags to watch

  • Vague pricing responses

    Vendors who can't provide clear pricing often have hidden costs or complex fee structures that inflate TCO

  • No customer references in your industry

    Lack of relevant references suggests limited experience with your specific requirements and use cases

  • Manual restore workflows

    Indicates a lack of automation and potential for errors during recovery

  • Proprietary encryption

    Avoid vendors using "custom" algorithms; they should use well-established standards like AES

  • Lack of SaaS native tools

    Suggests a legacy product that may not be optimized for cloud environments

Key metrics to request

Ask vendors to provide benchmarks from similar customers.

Implementation timeline for similar customers

Helps set realistic expectations and identify potential delays

Average time to first value

Indicates how quickly you'll see ROI from the investment

Backup success rate

Measures the reliability of the backup process

Restoration time for critical systems

Verifies the ability to meet Recovery Time Objectives (RTOs)

Storage utilization efficiency

Optimizes storage costs and capacity planning