Salesforce Dictionary - Free Salesforce Glossary
Salesforce Architect (medium)

How do you architect disaster recovery for Salesforce?

Disaster Recovery (DR) = restoring service after a major incident: data center failure, ransomware, severe data corruption, prolonged outage.

Salesforce-provided DR:

  • Multi-region replication — Salesforce replicates between data centers.
  • RPO (Recovery Point Objective) ~4 hours.
  • RTO (Recovery Time Objective) ~12 hours.
  • Disaster scenarios Salesforce handles: data center outage, regional failure.

If standard DR meets your needs: trust Salesforce.

When you need more:

  • Customer-data corruption — Salesforce replicates the corruption. Need point-in-time recovery from before corruption.
  • Ransomware / malicious deletion — bad actors with admin access can delete; DR needs prior version.
  • Legal hold — maintain pristine snapshot for litigation.
  • Compliance — RPO < 4 hours required.

Beyond-Salesforce DR:

1. Backup tools:

  • OwnBackup (Own Company) — most common.
  • Spanning — alternative.
  • Gearset — has backup features.
  • Custom export — Bulk API + S3.

2. Backup what:

  • Data (records).
  • Metadata (objects, fields, code).
  • Files / attachments.
  • Configuration.

3. Backup cadence:

  • Daily incremental typical.
  • Full weekly for completeness.
  • Continuous (near-real-time) for the tightest RPO requirements.

4. Restore testing:

  • Annually at minimum.
  • Test restore to a sandbox without affecting production.
  • Validate restore procedures.
  • Document the runbook.

5. Compliance and retention:

  • Backups retained for required compliance period.
  • Encrypted at rest and in transit.
  • Access controlled.

6. Communication plan:

  • Who declares the disaster.
  • Communication tree.
  • Customer notifications.
  • Regulatory notifications (if required).

Common pitfalls:

  • Trusting Salesforce DR alone — adequate for some, not all.
  • No restore testing — backup that's never tested isn't a backup.
  • No runbook — confusion during incident.
  • Insufficient retention — corruption discovered 3 weeks after it happened can't be recovered if backups are kept for less time than that.
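The cadence, retention and point-in-time recovery points above can be checked mechanically against a backup catalog: what RPO the cadence actually achieves, and whether a clean restore point from before a corruption event still exists within the retention window. The Python below is an added example, not code from this page or from any backup vendor. The catalog (daily 02:00 snapshots, full on Sundays, incremental otherwise), the dates and the corruption time are constructed, and the rule that an incremental is only restorable while the full it chains to is still retained is an assumption about chained backups in general, not a claim about a specific product.

```python
"""Backup-catalog checks for Salesforce DR planning (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    kind: str  # "full" or "incremental"


def build_catalog(start: datetime, days: int) -> List[Snapshot]:
    """Constructed catalog: one snapshot per day at the start time's hour,
    full on Sundays (weekday() == 6), incremental on other days."""
    out = []
    for d in range(days):
        t = start + timedelta(days=d)
        out.append(Snapshot(t, "full" if t.weekday() == 6 else "incremental"))
    return out


def achieved_rpo(catalog: List[Snapshot]) -> Optional[timedelta]:
    """Worst-case data-loss window: the largest gap between consecutive snapshots."""
    times = sorted(s.taken_at for s in catalog)
    if len(times) < 2:
        return None
    return max(b - a for a, b in zip(times, times[1:]))


def retained(catalog: List[Snapshot], now: datetime, retention_days: int) -> List[Snapshot]:
    """Snapshots that have not yet been purged by the retention policy."""
    cutoff = now - timedelta(days=retention_days)
    return [s for s in catalog if s.taken_at >= cutoff]


def restore_point_before(catalog, corruption_at, now, retention_days) -> Optional[Snapshot]:
    """Latest retained snapshot strictly before corruption_at that can be restored.
    Assumption: a full restores on its own; an incremental needs a retained full
    taken at or before it (its chain base). Purging the base breaks the chain."""
    kept = retained(catalog, now, retention_days)
    fulls = [s for s in kept if s.kind == "full"]
    for snap in sorted(kept, key=lambda s: s.taken_at, reverse=True):
        if snap.taken_at >= corruption_at:
            continue  # taken after the corruption: would restore corrupt data
        if snap.kind == "full":
            return snap
        if any(f.taken_at <= snap.taken_at for f in fulls):
            return snap
        # incremental whose base full was purged: not restorable, keep looking
    return None


def assess_dr(catalog, corruption_at, now, retention_days, required_rpo) -> dict:
    """Summarise whether the catalog meets the RPO and can undo the corruption."""
    rpo = achieved_rpo(catalog)
    rp = restore_point_before(catalog, corruption_at, now, retention_days)
    return {
        "achieved_rpo_hours": rpo.total_seconds() / 3600 if rpo else None,
        "rpo_ok": rpo is not None and rpo <= required_rpo,
        "recoverable": rp is not None,
        "restore_point": rp.taken_at.isoformat() if rp else None,
        "data_lost_hours": (corruption_at - rp.taken_at).total_seconds() / 3600 if rp else None,
    }


# Constructed scenario: 43 daily snapshots from Sunday 2024-02-18 to Sunday 2024-03-31,
# corruption on Saturday 2024-03-09 at noon, discovered roughly three weeks later.
CATALOG = build_catalog(datetime(2024, 2, 18, 2), 43)
NOW = datetime(2024, 3, 31, 2)
CORRUPTION_AT = datetime(2024, 3, 9, 12)


def dr_report(retention_days: int, required_rpo_hours: int) -> dict:
    """Run the assessment for one retention policy and RPO requirement."""
    return assess_dr(CATALOG, CORRUPTION_AT, NOW, retention_days,
                     timedelta(hours=required_rpo_hours))


if __name__ == "__main__":
    for days, rpo in ((14, 4), (25, 24), (35, 24)):
        print(f"retention={days}d required_rpo={rpo}h ->", dr_report(days, rpo))
```

Running it shows the three failure modes the pitfalls list warns about: with 14-day retention every snapshot from before the corruption has already been purged; with 25-day retention the incrementals from the week before the corruption survive but the Sunday full they chain to does not, so they are useless; only 35-day retention yields a usable restore point (the 2024-03-09 incremental on top of the 2024-03-03 full), and even then the daily cadence gives a 24-hour achieved RPO, which would fail a 4-hour compliance requirement.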

Architectural decision:

  • Standard org with no special DR: trust Salesforce DR.
  • Mission-critical / regulated: backup tool + tested restores + runbook.
  • Highest-criticality (banking, life-safety): multi-org + active backups + drilled response.

Senior architect insight: DR is insurance — you don't need it until you do, then you really need it. Don't underinvest. The cost of inadequate DR during an actual disaster is catastrophic.

Test annually. Document. Train.

Why this answer works

Senior-level. The framework of Salesforce-provided DR plus an extra customer-owned layer, and the "test annually" discipline, are mature.
