Microsoft's native retention is not a backup — it is a soft-delete window. We deploy third-party backup with point-in-time restore, ransomware-resistant immutability, and a verified recovery drill that proves the RPO/RTO targets you wrote down.
Veeam / Acronis / Keepit / Barracuda
EU-resident, immutable, encrypted-at-rest
Sub-hour for mailbox / file
Sub-30-min granular / 4-12h full
If two of these sound familiar, this service is scoped for you. If none of them do, the discovery call is short and we will tell you which service actually fits.
Default M365 retention covers "oops I deleted a file" — not "a domain admin account got compromised at 03:00".
Granular restore of a single email, file or Teams chat from 6 months ago is impossible without tooling.
Nobody has actually tested a recovery in 12+ months and nobody wants to find out the hard way.
No hand-waving. If it is on this list, it is in scope from day one. If it is not, it lives in the out-of-scope section further down or is a separate engagement we will tell you about up front.
Three phases. Named owners per phase. Documented hand-offs. You always know which week of the engagement you are in.
Workload inventory, BIA tiering, current-state assessment of native M365 retention. Vendor selection between Veeam, Acronis, Keepit, Barracuda based on tenant scale, sovereignty needs, and budget.
Backup stack deployed with EU-resident immutable storage. Retention tiers configured. First restore drill executed end-to-end on three real artifacts. Stakeholder sign-off.
Every tier ships the same technical depth — the difference is whether we hand the keys back, keep them, or build you a sovereign exit kit. Final scope and fee are quoted after a short discovery call. No hourly billing.
Companies under 100 seats wanting third-party backup with one restore drill at deployment.
We do not resell from a price-comparison engine. Every vendor in this service has a direct partner relationship with us — meaning support tickets escalate, license terms are honoured, and the margin stays inside the same vendor list price you would pay direct.
Honest exclusions are how we keep delivery fast. If something you need is in the out-of-scope column, we will tell you which service or partner picks it up.
REF.ENG_MATRIX // STANDARD_BOUNDARIES_APPLY
Microsoft is explicit in its shared responsibility model: data preservation is the customer's job. Native retention covers accidental deletion windows, not malicious deletion, tenant-wide compromise, or compliance-driven legal hold.
Independent EU-resident object storage (typically Frankfurt or Amsterdam region), separate from your Microsoft tenant, with customer-held encryption keys where the backup vendor supports BYOK.
Granular mailbox restore: under 30 minutes. Full tenant restore from a ransomware scenario: 4-12 hours depending on data volume, validated in the drill.
30-minute discovery call. We tell you whether this service fits, what the scope looks like, and what the next 4 weeks would deliver. No high-pressure pitch.
Prefer a written scope before a call? Email us
Backup health monitoring, quarterly restore drills, annual ransomware tabletop, retention tier reviews. We are the first call when an incident requires recovery — DR is a capability, not a checkbox.
Teams of 100-500 needing operational backup + quarterly drill cadence + monitored backup health.
Financial entities (DORA), healthcare, and regulated organizations needing audit-grade restore records and 7-year retention.