How Datto SaaS Protection works

This article describes the processes Datto SaaS Protection performs to backup and restore data and explains the technologies involved.

OAuth 2

Open Authorization (OAuth) 2 is an open standard authorization framework that uses tokens to enable certain data to be accessed and transmitted securely by a third-party service. Account credentials are not revealed to the third-party.

OAuth 2 provides Datto SaaS Protection, the third-party service, with an access token. The token authorizes Datto SaaS Protection to access specific API scopes within the organization's M365 or Google Workspace APIs. An API scope identifies and limits the information a third-party service is allowed to access.

If you have administrator login credentials for the organization's M365 or Google Workspace account and use them when adding a new organization account, Datto SaaS Protection will not store this information. Only OAuth 2 authorization is used for accessing and managing the account. For more information about administrator credentials, see the article Partner-managed, organization-managed accounts.

Once authorized via OAuth 2, you are not required to remain active to keep authorization and backups active.

Backup process

The following describes and illustrates the steps Datto SaaS Protection performs to backup data.

  1. In a SaaS environment, Microsoft and Google Workspace user data is stored in the cloud, meaning in Microsoft and Google Workspace servers, instead of in the organization's own storage servers.
  2. Datto SaaS Protection is granted access to specific API scopes within the organization's M365 or Google Workspace APIs.
  3. With the approved API scopes, Datto SaaS Protection is allowed to retrieve the organization's M365 or Google Workspace data.
  4. A backup of each end user's service data is stored in Datto's own private independent cloud. The cloud consists of multiple data storage centers located in the US, Australia, Canada, Germany, Singapore, and the UK.

The backup process is performed three times a day. Each backup provides a snapshot of the current state of the data at the time the backup is created. Not only is the content backed up, but the folder structure is backed up and maintained as well.

IMPORTANT  The backed up data is immutable, meaning the data cannot be modified or destroyed in any way. However, backups are pruned (deleted) per the applicable retention period (see the article Understanding the pricing model).

Restore process

The following describes and illustrates the steps Datto SaaS Protection performs to restore data.

  1. In Datto SaaS Protection, the administrator selects the data to be recovered which can be selected at the following levels: snapshot, file directories, or specific files. A snapshot includes all data that was protected at the time the backup was created.
  2. If necessary, the administrator indicates the account to which the data will be restored. By default, the data is restored to the original location from which it was backed up.
  3. Datto SaaS Protection recovers the selected data from its private cloud.
  4. Datto SaaS Protection is granted access to the specific API scopes within the organization's M365 or Google Workspace APIs and sends the data.
  5. The M365 or Google Workspace APIs allow the data to be saved, or restored, to the designated directories in their respective clouds.
  6. The user is able to access the restored data in the cloud.