Datto SaaS Protection
SALES & TECHNICAL GUIDE — SOURCED FROM DATTO PARTNER TOOLKIT
Datto SaaS Protection
Automated 3x daily backup and one-click restore for Microsoft 365 and Google Workspace — mail, Teams, SharePoint, OneDrive, Drive, Calendar, and Contacts. Independent of Microsoft and Google infrastructure.
Datto / Kaseya
NTG context: SaaS Protection is already deployed across NTG's client base for M365 backup. SaaS Protection+ bundles SaaS Defense (advanced threat protection) on top. Microsoft's own service agreement states they will delete customer data 90 days after subscription termination with no liability — that's the sales conversation.
Why clients need this — the numbers
70%
of businesses will suffer unrecoverable SaaS data loss (Gartner)
47%
of cloud data loss is caused by end user deletion (Aberdeen Group)
$18K–$35K
cost of even a small data loss incident including productivity and reputation damage
90 days
then Microsoft deletes your data — in writing, no liability
Best-fit clients
Strong fit
- Every M365 and Google Workspace client — no exceptions
- Law firms with client file and email retention requirements
- Healthcare with HIPAA data retention obligations
- Financial services with email archiving requirements
- Any client post-ransomware or accidental deletion incident
- Clients with recent employee departures or high turnover
- Clients with litigation exposure or legal hold requirements
Decent fit / upsell opportunity
- Clients who believe M365 handles backup natively
- SMBs with no documented retention policy
- Clients migrating to M365 from on-prem
- M365 or Google Workspace renewal conversations
- Clients heavily using Microsoft Teams for collaboration
- Clients already on SaaS Protection → upsell to Protection+
What's in the box
3x daily automated backup
Backups run three times a day automatically with no admin intervention required after setup. Stored independently of Microsoft and Google infrastructure.
One-click restore
Restore individual items, entire mailboxes, or whole sites with a single click. Granular recovery — not a dump of everything like Microsoft's native restore process.
Departed employee data retention
Retain data from departed employees without keeping an active M365 license. Cheaper to store in backup than maintain a live seat — and the data is actually recoverable.
Offline export
Export M365 and Google Workspace files for offline access — keeps clients productive even during a Microsoft or Google outage.
Teams backup
Covers Microsoft Teams public channel content, conversations, and calendar meetings — an often overlooked gap that most clients assume is protected.
3-2-1 backup compliance
Stored in Datto's private cloud — a true independent copy separate from the SaaS provider. Enables the 3-2-1 backup strategy (3 copies, 2 formats, 1 offsite) that best practices require.
Sales pitch
TALKING POINTS — SOURCED FROM DATTO PARTNER TOOLKIT & MSPEASY SERIES
Lead with a question, not a feature. Datto's own partner guidance: "Anyone you talk to will say their business email is important. Ask them: Is your email backed up? What would happen if someone deleted all their emails and walked out the door?" Make it personal and industry-specific before you mention the product.
Conversation openers by client type
Law firm
"Without an independent backup, you could lose all information associated with an active case if a user accidentally deletes a file or email related to that case. Microsoft won't recover it for you — that's documented in their service agreement."
General SMB
"Is your email backed up? What would happen if someone deleted all their emails and walked out the door? 85% of a company's intellectual property flows through Outlook. Without backup, that data is one user action away from being gone permanently."
Core talking points
Microsoft says so — in writing
Microsoft's own service agreement states: "After the 90-day retention period ends, Microsoft will disable Customer's account and delete the Customer Data. Microsoft has no liability for the deletion of Customer Data." That's not our interpretation — it's their contract language. Microsoft's own documentation recommends using a third-party backup solution.
OneDrive is not a backup — it makes data loss worse
OneDrive is a sync tool. If a file is deleted or infected on a local device, that change automatically syncs to OneDrive — meaning both copies are gone or compromised simultaneously. Most clients don't realize this until it's too late. A real backup stores an independent copy that sync can never touch.
Native retention limits are dangerously short
Exchange Online allows 30 days to recover deleted data. OneDrive gives 93 days. Google Drive auto-deletes trashed files after 30 days. After those windows close, data is purged permanently. And recovery within those windows is a cumbersome manual process — not the one-click restore clients expect.
47% of data loss is caused by the people you trust
Accidental deletion, malicious deletion by a disgruntled employee, ransomware, operational errors, and canceled app licenses — these are the real causes of SaaS data loss. SaaS vendors can't distinguish intent from accident. You can, with a real backup that captures point-in-time snapshots three times a day.
Teams is a major unprotected gap
Microsoft Teams now has hundreds of millions of daily active users. Most clients assume Teams data is safe — it isn't. SaaS Protection covers Teams public channel content, conversations, and calendar meetings. Without backup, a Teams outage or accidental deletion is unrecoverable.
Departing employees = hidden data risk
When an employee leaves and their account is deleted, their mailbox, files, and Teams history disappear. SaaS Protection lets you retain that data without maintaining an active M365 license — significantly cheaper, and the data is actually recoverable when you need it months later.
Small incidents cost $18,000–$35,000
Even a minor data loss incident — productivity loss, IT recovery time, reputation damage — costs businesses between $18,000 and $35,000. SaaS Protection is a fraction of that cost and prevents the incident entirely. Frame it as insurance: the premium is small, the protection is significant.
Objection handling
COMMON PUSHBACK AND HOW TO RESPOND — SOURCED FROM DATTO PARTNER TOOLKIT
"Microsoft backs everything up — I pay for M365."
Microsoft's Shared Responsibility Model explicitly states that data protection is the customer's responsibility. They provide infrastructure uptime — not data recovery. Their own service agreement says they'll delete your data 90 days after termination with no liability, and their documentation actively recommends third-party backup. We can show you that language directly.
"We have version history and recycle bins."
Those are retention features, not backup. Version history doesn't protect against ransomware — ransomware overwrites all versions and syncs the encrypted copies through OneDrive. Recycle bins expire. Neither creates an independent copy stored outside Microsoft's infrastructure. That's what backup does: a separate, point-in-time copy that no user action or ransomware can reach.
"We use OneDrive — that's our backup."
OneDrive is a sync tool, not a backup. If a file is deleted or infected locally, that change syncs automatically — both copies are gone simultaneously. One Datto partner put it well: "If you have 250 folders in your email and it gets accidentally deleted, I can recover all the emails from Microsoft, but it comes back as if I took that entire file folder and dumped it all over your desk. Is that any good for you?"
"We've never lost data before."
Most clients who lose data thought that too. A real MSP partner shared this: a client needed data associated with a deprovisioned employee months after they left. Because backup was in place, they recovered it. "They were more than thrilled. We looked like heroes." Without backup, that conversation ends very differently.
"Google Workspace keeps our data safe."
Google operates under the same Shared Responsibility Model. Google Vault — their own retention tool — explicitly warns against "irreversible purging of data from user accounts" associated with their own retention policies. Google Drive auto-deletes trashed files after 30 days. Independent backup is the only protection against permanent loss.
"What if they still refuse?"
Have them sign a declination waiver — a document stating they were offered the service, understood the risks, and declined. Datto provides a template in the partner portal. It protects NTG from liability and frequently converts the client. Nobody wants to sign a document acknowledging they chose to leave their data unprotected.
"Should I get cloud backup or BCDR?"
They solve different problems. SaaS Protection covers your cloud application data — M365, Google Workspace. BCDR covers your infrastructure — servers, endpoints, on-prem systems. With 85% of MSPs reporting attacks against SMBs, most clients need both. SaaS Protection is the cloud layer; BCDR is the infrastructure layer. They're complementary, not competitive.
What's covered
FULL COVERAGE BREAKDOWN FOR M365 AND GOOGLE WORKSPACE
Key differentiator: SaaS Protection backs up more than just email. Most clients think "email backup" — make sure they understand the full scope, especially Teams and SharePoint which are often overlooked and frequently the most business-critical data.
Microsoft 365 coverage
Exchange / Mail
Full mailbox backup including folders, attachments, and metadata
Microsoft Teams
Public channel content, conversations, and calendar meetings
SharePoint
Sites, document libraries, lists, and pages
OneDrive
Personal files and folders with point-in-time recovery
Calendar
All calendar events and meeting data
Contacts
Full address book and contact records
Google Workspace coverage
Gmail
Full mailbox backup including labels, threads, and attachments
Google Drive
All files and folders with version history
Google Calendar
Events, recurring meetings, and shared calendars
Contacts
Google Contacts and directory data
Shared Drives
Team drives and shared folder structures
What is NOT covered
Important to set expectations: SaaS Protection does not cover Teams private channel content (only public channels), Planner tasks, or Power Apps data. SaaS Defense (bundled in Protection+) covers threat protection but is a separate product from backup. On-prem infrastructure is covered by BCDR, not SaaS Protection.
SaaS Protection vs. SaaS Protection+
SaaS Protection
Backup & recovery only
3x daily automated backup, one-click restore, independent Datto cloud storage. The complete data protection solution.
Best for
Clients who need data protection and recovery. The baseline — every M365 and Google Workspace client should have this.
SaaS Protection+
Backup + advanced threat protection
Everything in SaaS Protection plus SaaS Defense — real-time zero-day threat detection across Exchange, OneDrive, SharePoint, and Teams.
Best for
Clients with higher security requirements or who want a single bundled solution. One vendor, one dashboard, one billing line for backup and protection.
Sales strategy
HOW TO SELL IT — SOURCED FROM DATTO MSPEASY SERIES & PARTNER TOOLKIT
Best times to sell
M365 or Google Workspace renewal
Contract renewal is the best time to upsell. The client is already thinking about their subscription — adding backup as a line item is a natural extension. Lead with: "While we're reviewing your M365 licenses, let's make sure we have backup covered."
New client onboarding
When you take on a new client, you inherit their unknown risks. SaaS Protection should be part of every onboarding package — it protects NTG from liability and sets the right security posture from day one.
After a data loss event
If a client loses data — even a minor incident — the window for selling backup is wide open. Don't wait for a breach. Use near-misses and industry incidents as conversation starters before something happens to them.
When an employee departs
Every time a client asks you to delete a user account, that's a backup conversation. "Before I delete this account — do you want me to retain the data? Without backup, it's gone permanently."
Bundling strategy
Datto's guidance from the MSPeasy series: The vast majority of successful MSPs include SaaS Protection in some form of a security bundle for M365 or Google Workspace — not as a standalone a la carte item. When backup is a line item in the bundle, the conversation shifts from "do you want it?" to "here's what's included." Bundle it, don't pitch it.
Include it in your M365 bundle by default
The simplest close: SaaS Protection is automatically included in NTG's M365 management package. Clients who want M365 management get backup as part of the service. No separate pitch needed.
Use departing employee data as a cost savings angle
It's cheaper to maintain a departed employee's account in backup than to keep an active M365 E3 license running. Frame it as cost savings: "We can protect their data in backup for a fraction of what you're paying for the active license."
Upsell from Protection to Protection+
Clients already on SaaS Protection are the easiest Protection+ upsell. They've already bought in on the backup value — adding SaaS Defense (real-time threat protection) is one conversation about adding a shield to the backup they already have.
The waiver tactic
When all else fails: If a client refuses after a full pitch, have them sign a declination waiver — a document stating they were offered SaaS Protection, understood the risks of unprotected SaaS data, and declined. Datto provides a template in the partner portal. This tactic does two things: protects NTG from liability if they later lose data, and frequently converts the client — nobody wants to sign a document acknowledging they chose to leave their data unprotected.
Use data loss stories — not features
Make it real with industry-specific scenarios
Don't lead with "3x daily backup." Lead with: "A law firm lost all emails related to an active case because a paralegal accidentally deleted the shared mailbox. Microsoft couldn't recover it past the 30-day window. That firm is now your client's competitor." Make the risk concrete and industry-specific before you introduce the solution.
The hero story
An accounting firm needed data from a deprovisioned employee's mailbox months after they left. The MSP had SaaS Protection in place and recovered everything. "They were more than thrilled. We looked like heroes." Tell this story — it's more powerful than any feature list.
SaaS Protection vs. native tools
HOW TO EXPLAIN THE DIFFERENCE — SOURCED FROM DATTO PARTNER TOOLKIT
The core message: Native tools are designed for collaboration and productivity — not data protection. They do not create a secondary copy of data independent of the SaaS provider. That means a single point of failure. SaaS Protection is a true independent backup.
SaaS Protection vs. Microsoft native tools
Exchange Online recycle bin — 30 days, then gone
Exchange allows up to 30 days to recover deleted user data. After that window, data is purged permanently. Recovery within the window is a cumbersome manual process — and if the admin deleted the account, the window may have already closed before anyone notices.
OneDrive version history — syncs deletions, not a backup
OneDrive stores M365 files in the cloud — many clients mistake this for backup. But if a file is deleted or infected locally, that change automatically syncs. OneDrive version history allows up to 93 days of recovery but doesn't protect against ransomware that overwrites all versions simultaneously.
Microsoft's own words on account deletion
Microsoft's service agreement: "Except for free trials, Microsoft will retain Customer Data stored in the Online Service in a limited function account for 90 days after expiration or termination of Customer's subscription so that Customer may extract the data. After the 90-day retention period ends, Microsoft will disable Customer's account and delete the Customer Data. Microsoft has no liability for the deletion of Customer Data as described in this section."
The granularity problem
Even when Microsoft's native recovery works, the results are often unusable. As one MSP put it: "If you have 250 folders in your email and it gets accidentally deleted, I can recover all the emails, but it comes back as if I took that entire file folder and dumped it all over your desk. Is that any good for you? No." SaaS Protection restores with full folder structure and metadata intact.
SaaS Protection vs. Google native tools
Google Drive trash — 30 days, then auto-deleted
Google changed their trash policy so any file in Google Drive Trash is automatically deleted after 30 days — previously they were retained indefinitely. This affects items trashed from any device and any platform. There is no warning before deletion.
Google Vault — warns against its own limitations
Google Vault, their own retention tool, explicitly cautions against the potential "irreversible purging of data from user accounts" associated with their own retention policies. Google's own tool acknowledges it can permanently destroy data. That's the documentation — not our interpretation.
The 3-2-1 backup rule
Many organizations follow the 3-2-1 backup approach: 3 copies of data, in 2 different formats, with 1 offsite copy. Native tools fail this standard — they don't create a secondary copy independent of the SaaS provider. SaaS Protection stores data in Datto's private cloud, purpose-built for backup and recovery, enabling true 3-2-1 compliance for SaaS data.