HIPAA and GDPR Salesforce Backup in 2026
- Jan 16
Salesforce doesn't back up your data. That single fact creates a compliance risk most enterprise IT teams don't fully appreciate until an incident happens. Regulations like HIPAA and GDPR require you to demonstrate data integrity, retention, and recoverability on demand — capabilities Salesforce's native platform doesn't deliver out of the box.
For IT teams managing protected health information (PHI) or personal data of EU residents, the gap between Salesforce's shared responsibility model and regulatory obligations is measured in audit findings, fines, and recovery failures. This guide covers everything you need to know about building a compliant Salesforce backup strategy that satisfies HIPAA and GDPR requirements while giving you granular recovery and full control over your data.
Key Takeaways: HIPAA and GDPR Salesforce Backup
- Salesforce's native data recovery options don't meet HIPAA or GDPR retention and recoverability requirements for most enterprises.
- Metadata backup is as critical as record backup — custom objects, workflows, and field definitions must be recoverable.
- Granular restore capabilities let you recover individual records with parent-child relationships intact, avoiding full org restores.
- Sesame Software gives you customer-hosted backup with audit trails, encryption, and compliance documentation built in.
- A compliant backup strategy includes encryption, access controls, retention policies, and documented recovery procedures.
Why Salesforce's Native Backup Falls Short for HIPAA and GDPR
Salesforce operates under a shared responsibility model. They protect the infrastructure. You protect your data. This distinction matters when regulators ask for proof of data integrity, retention compliance, or recovery capability.
Salesforce's native Data Recovery service has significant limitations. Recovery requests can take weeks to fulfill. The service recovers your entire org — you can't restore individual records or objects. And the recovered data may not include all metadata, attachments, or related records.
For HIPAA-covered entities, this creates a gap. The HIPAA Security Rule (45 CFR § 164.308) requires you to establish procedures for creating and maintaining retrievable exact copies of electronic protected health information. A recovery process measured in weeks doesn't satisfy "retrievable."
GDPR Data Recovery Requirements
GDPR Article 32 mandates the ability to restore availability and access to personal data "in a timely manner" following an incident. Article 5(1)(f) requires you to protect against accidental loss, destruction, or damage using "appropriate technical or organizational measures."
If you're storing EU personal data in Salesforce without an independent backup, you're relying on Salesforce's recovery timeline to meet your GDPR obligations. That's a compliance risk you control by implementing your own backup infrastructure.
What HIPAA Requires for Salesforce Backup
HIPAA doesn't prescribe specific technologies. It requires you to demonstrate that your backup and recovery practices protect PHI confidentiality, integrity, and availability.
Here's what that translates to for Salesforce environments:
Data Backup Plan Requirements
The Security Rule requires a data backup plan that creates retrievable exact copies of ePHI. For Salesforce, "exact copies" means you need to capture not just records, but the metadata that defines them — custom fields, validation rules, workflows, and object relationships.
Your backup frequency must match your recovery point objective (RPO). If you can't afford to lose more than one day of data, daily backups are your minimum. Near real-time replication reduces RPO to minutes rather than hours.
Disaster Recovery Requirements
HIPAA requires procedures to restore data that's been lost. This means tested, documented recovery workflows — not theoretical plans. You need to demonstrate that you can actually recover specific records, objects, or your entire Salesforce org within your recovery time objective (RTO).
Documentation matters. Auditors want to see backup logs, recovery test results, and evidence that your procedures work. At Sesame Software, we've spent over 30 years helping enterprises build exactly this kind of audit-ready infrastructure.
Encryption and Access Control
HIPAA's addressable specification for encryption becomes effectively mandatory for backup data. Your Salesforce backups must be encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to backup data requires role-based controls and audit logging.
This is where customer-hosted backup architecture makes compliance clearer. When your backup data stays in your environment — on your infrastructure, under your access controls — you maintain direct accountability for HIPAA safeguards.
GDPR Compliance Requirements for Salesforce Backup
GDPR adds requirements that go beyond HIPAA's focus on security controls. You need to address data subject rights, cross-border transfers, and retention limitations in your backup strategy.
Right to Erasure and Backup Data
GDPR's "right to be forgotten" (Article 17) creates a unique challenge for backup systems. When a data subject requests deletion, you must remove their personal data from all systems — including backups — unless retention is legally required.
Your backup solution needs to support granular deletion or have a documented exception process. The UK Information Commissioner's Office has clarified that backup data can be retained temporarily if deletion is technically difficult, but you must delete it when the backup is restored or cycled out.
Data Processing Agreements
If you use a third-party backup vendor, GDPR Article 28 requires a Data Processing Agreement (DPA) that specifies how they'll handle personal data. This includes obligations around sub-processors, security measures, breach notification, and data return or deletion.
Alternatively, you can eliminate this requirement by keeping backup data entirely within your own environment. Customer-hosted backup infrastructure means no third-party processor involvement for your backup data.
Cross-Border Data Transfers
GDPR restricts transfers of personal data outside the European Economic Area. If your backup vendor stores data in the U.S. or other non-adequate countries, you need Standard Contractual Clauses, Binding Corporate Rules, or another transfer mechanism.
Customer-controlled storage locations eliminate transfer concerns. When you choose where your backup data lives — in your data center, your cloud tenant, your region — you maintain control over data residency.
The Metadata Problem: Why Record Backup Isn't Enough
Backing up Salesforce records without metadata is like backing up a database without its schema. You'll have data, but you won't be able to use it.
Salesforce metadata includes custom objects, custom fields, page layouts, validation rules, workflow rules, process builder flows, Apex classes, triggers, and permission sets. If you lose metadata — through accidental deletion, a failed deployment, or a sandbox refresh gone wrong — your org stops working correctly.
What Metadata Backup Covers
A complete Salesforce metadata backup captures:
- Custom object definitions and field configurations
- Picklist values and record types
- Validation rules and formula fields
- Workflow rules, process builder flows, and flow definitions
- Apex classes, triggers, and Visualforce pages
- Lightning components and custom applications
- Permission sets, profiles, and sharing rules
- Reports, dashboards, and list views
Sesame Software captures metadata alongside data, so you can restore not just records but the entire structure that makes those records meaningful. Your data stays yours — including the metadata that defines it.
Metadata Change Tracking
In regulated environments, you need to know who changed what and when. Metadata change tracking creates an audit trail for configuration changes — critical for demonstrating compliance controls and investigating incidents.
Sandbox seeding and metadata comparison tools let you identify differences between environments, catch unauthorized changes, and maintain consistency across production, sandbox, and UAT orgs.
Granular Recovery: Restoring What You Need Without Full Org Restores
Most Salesforce data incidents don't require a full org restore. An accidental mass deletion, a bad data import, or a corrupted integration typically affects specific records or objects.
Granular recovery lets you restore exactly what you need — individual records, specific objects, or date ranges — without overwriting good data or disrupting users. This capability is essential for minimizing recovery time and maintaining data integrity.
Record-Level Restore
When a sales rep accidentally deletes an opportunity, you shouldn't have to restore your entire org to get it back. Record-level restore lets you select specific records by ID, filter criteria, or object type and restore them directly to Salesforce.
The challenge is preserving relationships. Salesforce data is highly relational — accounts connect to contacts, opportunities, cases, and custom objects through lookup and master-detail relationships. Restoring an opportunity without its related products, line items, or activities leaves you with incomplete data.
Relationship-Aware Recovery
Enterprise backup solutions preserve parent-child relationships during backup and restore them correctly during recovery. This means restoring an account brings back its contacts, opportunities, and cases with all relationships intact.
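The ordering problem behind relationship-aware recovery, as an added example (not code from this page or from any vendor): records are re-inserted parent-first and each lookup is rewritten to the parent's new id. The field list, the sample records, and the `insert` callback are assumptions made for illustration.

```python
from collections import deque

# Assumed lookup fields; a real org's schema defines many more.
REF_FIELDS = ("AccountId", "ContactId", "OpportunityId")
# Constructed backup snapshot keyed by original record id (placeholder ids).
BACKUP = {
    "001A": {"type": "Account", "Name": "Acme Clinic"},
    "003A": {"type": "Contact", "LastName": "Ng", "AccountId": "001A"},
    "006A": {"type": "Opportunity", "Name": "Renewal", "AccountId": "001A"},
    "00kA": {"type": "OpportunityLineItem", "OpportunityId": "006A", "Quantity": 2},
    "500A": {"type": "Case", "Subject": "Login", "AccountId": "001A", "ContactId": "003A"},
}

def with_descendants(backup, roots):
    """Roots plus every backed-up record that references them, transitively."""
    selected = set(roots)
    grew = True
    while grew:
        grew = False
        for rid, rec in backup.items():
            if rid not in selected and any(rec.get(f) in selected for f in REF_FIELDS):
                selected.add(rid)
                grew = True
    return selected

def restore_order(backup, selected):
    """Topological order: every parent comes before the records that point at it."""
    waiting = {rid: {backup[rid][f] for f in REF_FIELDS if backup[rid].get(f) in selected}
               for rid in selected}
    ready = deque(sorted(rid for rid, parents in waiting.items() if not parents))
    order = []
    while ready:
        rid = ready.popleft()
        order.append(rid)
        for child in sorted(selected):
            if rid in waiting[child]:
                waiting[child].discard(rid)
                if not waiting[child]:
                    ready.append(child)
    if len(order) != len(selected):
        raise ValueError("circular reference among selected records")
    return order

def restore(backup, roots, live_ids, insert):
    """Insert parent-first; live_ids are ids still present in the org."""
    # Assumption: insert(type, fields) returns a new id, so old references are remapped.
    id_map = {}
    for old_id in restore_order(backup, with_descendants(backup, roots)):
        fields = dict(backup[old_id])
        rtype = fields.pop("type")
        for f in REF_FIELDS:
            ref = fields.get(f)
            if ref in id_map:
                fields[f] = id_map[ref]  # parent re-created in this run
            elif ref is not None and ref not in live_ids:
                raise LookupError(f"{old_id}.{f} -> {ref}: parent neither live nor selected")
        id_map[old_id] = insert(rtype, fields)
    return id_map

def demo():
    """Restore the deleted account and everything hanging off it."""
    created = []
    def fake_insert(rtype, fields):  # stand-in for the real API call
        created.append((rtype, fields))
        return f"NEW{len(created)}"
    return restore(BACKUP, {"001A"}, live_ids=set(), insert=fake_insert), created
```

A restore that selects a child whose parent is neither live nor part of the selection fails loudly instead of writing a record with a dangling lookup.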
Sesame Software's patented replication technology preserves relational integrity during backup and recovery. When you restore records, the relationships between objects are maintained — no manual re-linking or broken references.
Point-in-Time Recovery
Point-in-time recovery lets you restore data to a specific moment — useful when you discover data corruption that happened days or weeks ago. You can view your data as it existed at any backup point and selectively restore records from that snapshot.
This capability requires retention of historical backups, not just the latest copy. Your retention policy should align with your compliance requirements and your realistic recovery scenarios.
Building a HIPAA-Compliant Salesforce Backup Architecture
Compliance isn't a feature you buy — it's an architecture you design. Here's what a HIPAA-compliant Salesforce backup environment looks like:
Customer-Hosted Storage
Keeping backup data in your environment simplifies HIPAA compliance. You maintain direct control over physical and logical access. You configure encryption. You manage access controls. You generate audit logs.
Sesame Software's customer-hosted architecture means your Salesforce backup data never leaves your infrastructure. Your data stays in your hands — in your data center, your AWS account, your Azure tenant, or your private cloud.
Encryption Standards
HIPAA lists encryption as an addressable specification, but for backup data it is effectively mandatory, both at rest and in transit. For Salesforce backup:
- TLS 1.2 or higher for all API connections to Salesforce
- TLS 1.2+ for data transfer to your backup storage
- AES-256 encryption for backup files at rest
- Encryption key management under your control
Access Controls and Audit Logging
Role-based access control restricts who can configure backups, view backup data, and execute restores. Every action should generate an audit log entry with timestamp, user identity, and action details.
These logs serve double duty: they demonstrate HIPAA compliance to auditors and help you investigate any unauthorized access or unusual activity.
Business Associate Agreement
If your backup vendor processes PHI, HIPAA requires a Business Associate Agreement (BAA). The BAA establishes the vendor's obligations for safeguarding PHI and their liability for breaches.
With customer-hosted backup, the vendor provides software — not data processing services. Your data never touches vendor systems, which simplifies BAA requirements and reduces your compliance footprint.
Building a GDPR-Compliant Salesforce Backup Architecture
GDPR compliance requires additional architectural considerations around data residency, retention, and data subject rights.
Data Residency Controls
GDPR restricts where personal data can be stored and processed. Your backup architecture should let you specify storage locations that satisfy data residency requirements — EU data centers for EU personal data, for example.
Customer-controlled storage means you choose the location. When you own the storage infrastructure, you control data residency by design rather than by vendor policy.
Retention and Deletion
GDPR's data minimization principle (Article 5(1)(c)) means you shouldn't retain personal data longer than necessary. Your backup retention policy needs to balance compliance requirements (keep data for audits) with minimization requirements (delete data you no longer need).
Build retention policies that automatically expire old backups. Document your retention periods and the legal basis for each. Implement processes to handle deletion requests that affect backup data.
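An added example (not from this page or any vendor product) of the three mechanics described above: expiring snapshots past retention, computing the date an erased subject's data finally cycles out of backups, and suppressing erased records at restore time. The catalog, the 90-day period, and the erasure ledger are constructed assumptions.

```python
from datetime import date, timedelta

RETENTION = timedelta(days=90)  # assumed documented retention period

# Constructed catalog: snapshot date -> records keyed by record id.
CATALOG = {
    date(2025, 10, 1): {"003A": {"Email": "a@example.org"}, "003B": {"Email": "b@example.org"}},
    date(2025, 12, 1): {"003A": {"Email": "a@example.org"}, "003B": {"Email": "b@example.org"}},
    date(2026, 1, 10): {"003B": {"Email": "b@example.org"}},
}
# Constructed erasure ledger: record id -> date the Article 17 request was
# fulfilled in production. It stores ids only, never the erased personal data.
ERASED = {"003A": date(2026, 1, 5)}


def expired_snapshots(catalog, today, retention=RETENTION):
    """Snapshots older than the retention period, oldest first, ready to delete."""
    return sorted(d for d in catalog if today - d > retention)


def purge_date(record_id, catalog, retention=RETENTION):
    """Date the last snapshot still holding this record cycles out (None if none do)."""
    holding = [d for d, records in catalog.items() if record_id in records]
    return max(holding) + retention if holding else None


def restorable(snapshot_date, catalog, erased):
    """Split a snapshot into records safe to write back and erased ids to suppress."""
    kept, suppressed = {}, []
    for rid, record in catalog[snapshot_date].items():
        if rid in erased:
            suppressed.append(rid)  # must not reappear in the org after a restore
        else:
            kept[rid] = record
    return kept, sorted(suppressed)
```

The value returned by `purge_date` is what goes into the documented exception: the date by which the subject's data is gone from every backup copy.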
Breach Notification Readiness
GDPR Article 33 requires you to notify supervisory authorities within 72 hours of discovering a personal data breach. Your backup infrastructure should support rapid incident response:
- Audit logs that show what data was accessed and when
- Ability to identify affected records quickly
- Recovery capabilities that restore data integrity fast
- Documentation that demonstrates your security measures
Backup Frequency and Recovery Point Objectives
How often should you back up Salesforce? The answer depends on how much data you can afford to lose.
Recovery Point Objective (RPO)
Your RPO defines the maximum acceptable data loss measured in time. A 24-hour RPO means you can tolerate losing up to one day of changes. A 1-hour RPO means your backups must run at least hourly.
For HIPAA-covered entities, consider your ePHI workflows. If clinicians document patient interactions in Salesforce Health Cloud throughout the day, a 24-hour RPO means potentially losing an entire day of clinical documentation.
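An added example (not from this page or any vendor product) that checks a backup job log against an RPO: only successful jobs count as recovery points, so failed runs silently widen the exposure window. The log format and job name are constructed assumptions; timestamps are treated as UTC.

```python
from datetime import datetime, timedelta

# Constructed job log lines; the format is an assumption, not a vendor format.
JOB_LOG = """\
2026-01-15T00:00:05Z job=sf_backup status=SUCCESS
2026-01-15T01:00:04Z job=sf_backup status=SUCCESS
2026-01-15T02:00:06Z job=sf_backup status=FAILED
2026-01-15T03:00:05Z job=sf_backup status=FAILED
2026-01-15T04:00:07Z job=sf_backup status=SUCCESS
2026-01-15T05:00:05Z job=sf_backup status=SUCCESS
"""


def parse(log):
    """Return (timestamp, status) pairs sorted by time."""
    jobs = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        jobs.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), fields["status"]))
    return sorted(jobs)


def rpo_violations(log, rpo, now):
    """Windows (start, end, length) in which the newest recovery point was older than rpo.

    The final window runs from the last successful backup to `now`, so a
    scheduler that has stopped running is reported as well.
    """
    successes = [stamp for stamp, status in parse(log) if status == "SUCCESS"]
    if not successes:
        raise ValueError("no successful backup in log: no recovery point exists")
    points = successes + [now]
    return [(a, b, b - a) for a, b in zip(points, points[1:]) if b - a > rpo]
```

With the sample log and a one-hour RPO, the two failed runs produce a single window of just over three hours between recovery points.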
Near Real-Time Replication
Near real-time backup captures changes as they happen, reducing RPO from hours to minutes. Sesame Software replicates data as frequently as every 5 minutes, giving you recovery points throughout the day rather than just at scheduled backup times.
This approach is especially valuable for high-velocity Salesforce orgs with constant data changes — sales teams updating opportunities, service teams logging cases, marketing automation creating leads.
Recovery Time Objective (RTO)
Your RTO defines how quickly you need to restore operations after an incident. Native Salesforce recovery can take weeks. Enterprise backup solutions restore granular records in minutes.
Document your RTO for different scenarios: individual record recovery, object-level restore, full org recovery. Test your recovery procedures to verify you can meet these objectives.
Testing Your Backup and Recovery Procedures
Untested backups are unreliable backups. Both HIPAA and GDPR expect you to verify that your controls work — not just assume they do.
Regular Recovery Testing
Schedule periodic recovery tests that exercise your actual procedures. Test different scenarios:
- Restore individual records to verify relationship integrity
- Restore an entire object to verify field mappings
- Restore metadata to verify configuration recovery
- Perform a full restore to a sandbox to verify complete recoverability
Document test results, including any issues discovered and corrective actions taken. This documentation demonstrates compliance with HIPAA's testing requirements and GDPR's accountability principle.
Sandbox Seeding
Sandbox seeding copies production data to sandbox environments for testing and development. This capability does double duty: it supports your development workflow and exercises your backup and restore infrastructure.
Sesame Software includes sandbox seeding at no extra charge — you can populate sandboxes with realistic data while verifying that your backup and recovery processes work correctly.
Documentation and Audit Readiness
Compliance isn't just about having controls — it's about proving you have controls. Documentation turns your backup infrastructure into audit evidence.
Policy Documentation
Document your backup policies, including:
- Backup scope (what data and metadata is backed up)
- Backup frequency and retention periods
- Storage locations and encryption standards
- Access controls and authorization procedures
- Recovery procedures and responsible parties
- Testing schedule and acceptance criteria
Operational Documentation
Maintain logs and records that demonstrate policy execution:
- Backup job logs showing successful completion
- Error logs and remediation actions
- Recovery test results and findings
- Access audit trails
- Change management records for backup configuration
Compliance Reporting
At Sesame Software, we've built compliance documentation into the platform. Audit trails, job logs, and access records are captured automatically — giving you the evidence you need when auditors ask for proof of your backup controls.
Selecting a HIPAA and GDPR-Compliant Salesforce Backup Solution
When evaluating backup solutions for regulated Salesforce environments, assess these capabilities against your compliance requirements:
Data and Metadata Coverage
Verify the solution backs up all Salesforce objects, custom objects, attachments, files, metadata, and configuration. Partial backup creates partial recovery — and partial compliance.
Backup Frequency and RPO Support
Confirm the solution supports backup frequencies that meet your RPO. Daily backups won't satisfy a 1-hour RPO requirement.
Granular Recovery Capabilities
Evaluate record-level, object-level, and point-in-time recovery. Verify that recoveries preserve relational integrity — restoring parent records with their children, maintaining lookup relationships.
Storage and Residency Options
Determine where backup data is stored. Customer-hosted options give you control over data residency and simplify compliance. Third-party storage introduces data processing agreements and transfer mechanisms.
Security Controls
Verify encryption standards (TLS 1.2+, AES-256), access controls, and audit logging. Review the vendor's security certifications — SOC 2 Type II demonstrates independently verified security controls.
Sesame Software maintains SOC 2 Type II certification, with progress toward ISO 27001. Our built-in security controls — encryption, role-based access, audit trails — are designed for organizations operating under GDPR, HIPAA, CCPA, and SOX requirements.
Compliance Documentation
Assess what documentation the solution provides for audit purposes. Look for automated logs, compliance reports, and evidence that supports your regulatory requirements.
In Conclusion: Taking Control of Your Salesforce Compliance Strategy
HIPAA and GDPR don't tell you exactly how to back up Salesforce. They require you to demonstrate that your backup and recovery practices protect data confidentiality, integrity, and availability. Meeting those requirements means going beyond Salesforce's native capabilities.
The key elements of a compliant backup strategy include: full data and metadata coverage, backup frequencies that match your RPO, granular recovery with relationship preservation, customer-controlled storage, encryption and access controls, and documentation that proves your controls work.
Sesame Software gives you the infrastructure to build this strategy. With 30+ years of enterprise data management experience, 15 proprietary patents, and SOC 2 Type II certification, we've helped organizations across healthcare, financial services, and government meet their compliance obligations while maintaining full control of their data.
If you're ready to take back control of your Salesforce data protection strategy, talk to a Sesame Software data expert today.
FAQs About HIPAA and GDPR Salesforce Backup
Does Salesforce provide HIPAA-compliant backup?
Salesforce offers a shared responsibility model and a BAA for Shield and Health Cloud customers, but native backup capabilities don't meet HIPAA's requirements for retrievable exact copies with documented recovery procedures. You need an independent backup solution to satisfy HIPAA Security Rule requirements for data backup and disaster recovery.
How often should I back up Salesforce for HIPAA compliance?
HIPAA requires backup frequency that matches your recovery point objective. For most healthcare organizations, daily backups are the minimum. Sesame Software supports near real-time replication — as frequently as every 5 minutes — to minimize potential data loss and meet strict RPO requirements.
What's the difference between data backup and metadata backup in Salesforce?
Data backup captures your records — accounts, contacts, opportunities, custom object records. Metadata backup captures the structure that defines those records — custom fields, objects, validation rules, workflows, and automation. Both are essential for complete recovery.
How do I handle GDPR deletion requests in backup data?
GDPR allows temporary retention of personal data in backups if deletion is technically difficult. Document your exception process, delete the data when backups cycle out, and ensure deletion occurs if you restore from backup. Granular deletion capabilities or automated retention policies help manage this requirement.
Can I store Salesforce backup data in my own environment?
Yes. Customer-hosted backup solutions like Sesame Software let you store backup data in your data center, your cloud tenant, or any storage location you control. This simplifies compliance by keeping data under your direct governance — your data stays in your hands.
What security certifications should a Salesforce backup vendor have?
SOC 2 Type II certification demonstrates that a vendor's security controls have been independently audited and verified over time. For healthcare, look for BAA availability. Sesame Software maintains SOC 2 Type II certification with progress toward ISO 27001.
How do I test my Salesforce backup and recovery procedures?
Schedule regular recovery tests that exercise different scenarios: individual record restore, object-level recovery, and full org recovery to a sandbox. Document results and remediate any issues. Sesame Software's sandbox seeding capabilities let you test recovery procedures while populating development environments.
What's granular recovery and why does it matter for compliance?
Granular recovery lets you restore specific records, objects, or time periods rather than your entire Salesforce org. This minimizes recovery time, reduces disruption, and avoids overwriting good data. Sesame Software preserves parent-child relationships during granular recovery, maintaining data integrity.
