Backup Service for Compliance and Risk Mitigation
Counterparty Risks?
Backup your ONLY copy
Xero Business
Cin7 Omni
Don’t let SaaS vulnerabilities leave you stranded – secure your data with backups today!
SaaS platforms, while offering flexibility and scalability, introduce supply chain risks due to their reliance on third-party providers and interconnected services.
If a SaaS platform uses the likes of AWS or Azure for its cloud infrastructure, any security vulnerabilities or outages within those providers can directly impact the SaaS platform's availability, data integrity and disrupt operations, impacting the entire ecosystem.
Adhering to a SaaS provider's Terms of Use is crucial as it legally binds both parties, outlining permissible usage, data handling, and liability. Non-compliance can lead to service termination
Non-compliance can lead to service termination, legal disputes, and reputational damage, highlighting the importance of understanding and upholding these agreements to ensure a secure and successful SaaS partnership.
User errors, such as accidental deletions, overwrites, or incorrect data entry, are a leading cause of data loss. Highlighting the importance of robust backup and recovery solutions
Even seemingly minor mistakes can have significant consequences, highlighting the importance of robust backup and recovery solutions to mitigate the risks associated with human fallibility.
Ranging from ransomware to data breaches, Cyber Attacks pose a serious threat to businesses...
...potentially leading to catastrophic data loss or prolonged service outages. These malicious attacks can cripple operations, compromise sensitive information, and result in significant financial and reputational damage.
Imagine this: Your business data, the lifeblood of your operations, vanishes overnight. How would you function? Could you recover?
The harsh reality: It’s not just about the ‘what if.’ Many SaaS platforms require you to retain copies of your data. It’s in their terms of use – a legal obligation you might not even be aware of.
Don’t gamble with your business’s future. Protect your data.
In the realm of SaaS (Software-as-a-Service) platforms, a silent storm brews beneath the surface of seamless functionality. The very convenience of accessing software and data from anywhere, anytime, masks an unsettling reality – the inherent vulnerability of SaaS providers to the whims of third-party infrastructure giants like AWS and Azure.
The regular outages of these behemoths, such as the Crowdstrike incident and the AWS debacle that crippled Xero’s entire suite of products, serve as stark reminders of this precarious dependency.
Cin7, like Xero, finds itself in the same boat, entrusting its operations to AWS and Azure (verified through company statements and news reports). This shared reliance on external infrastructure exposes a chilling truth: even the most robust SaaS platforms remain at the mercy of events beyond their control.
While both providers explicitly state in their terms of use that end-users should back up their data, the harsh reality is that many fail to heed this warning. The false sense of security fostered by the cloud lulls users into complacency, leaving them exposed to the devastating consequences of outages, cyberattacks, and data breaches.
Recent attacks on SaaS providers, such as the ransomware attack on Kaseya, which offers IT management and security software for managed service providers (MSPs) and small to medium-sized businesses (SMBs) , impacted thousands of businesses, underscore the very real threat of data loss and disruption.
Microsoft’s recent security incidents are a reminder that even industry giants are not immune to cyber threats.
This compelling introduction highlights the urgent need for end-users to take proactive measures to protect their valuable data. Regular backups, regardless of provider assurances, become an indispensable safeguard against the hidden risks lurking within the SaaS landscape. In a world where downtime translates to lost revenue, productivity, and reputation, the onus falls squarely on users to fortify their digital fortresses.
The latest Xero outage, 31 July 2024, serves as a stark reminder that even the most robust SaaS platforms can be vulnerable to counterparty risk. By understanding and proactively managing these risks, both SaaS providers and their users can better prepare for and mitigate the potential impact of such incidents.
The Xero outage, directly linked to an issue with AWS, vividly illustrates the concept of counterparty risk, also known as supply chain risk, in the context of cloud-based services.
The recent CrowdStrike incident highlights again, the inherent fragility within the SaaS sector, particularly for platforms that rely heavily on their supply chain for maintaining uninterrupted service. While the CrowdStrike incident wasn’t a malicious cyberattack, it exposed a critical single point of failure: the operating system (OS) upon which many SaaS platforms, including Xero, depend. Xero did not escape unscathed during the Crowdstrike incident.
Having comprehensive plans in place for data backup, failover, and recovery can minimise downtime and data loss in case of a major incident.
In essence, counterparty risk refers to the potential for one party in a business relationship to fail to meet its obligations, thereby negatively impacting the other party. In Xero’s case, AWS acts as a critical counterparty (or supplier) within Xero’s supply chain, providing the essential cloud infrastructure that underpins Xero’s service delivery.
How the Xero Outage Exemplifies Counterparty Risk:
Key Takeaway:
The Xero outage serves as another reminder that even the most robust SaaS platforms can be vulnerable to counterparty risk. By understanding and proactively managing these risks, both SaaS providers and their users can better prepare for and mitigate the potential impact of such incidents.
July 31, 2024, Xero was experiencing a major outage, leaving users globally unable to log in and navigate the platform. Xero identified that the issue impacting customers was related to an issue with AWS, a third-party provider (counterparty) to whom Xero’s platform relies upon. The AWS team investigated the matter with urgency – Xero have no control over their AWS hosted service
July 19, 2024, A faulty CrowdStrike update triggered a global IT disruption, causing the infamous “Blue Screen of Death” on millions of Windows devices. This impacted various sectors, including SaaS providers like Xero and Cin7. The outage disrupted their services, causing potential delays in data processing, invoicing, and inventory management for their customers worldwide, highlighting the interconnectedness and vulnerability of the digital ecosystem.
You not only have Counter Party Risk to contend with, you also have obligations as a User of Xero to adhere to their rules. So which one in particular is the MOST important…?
Many Xero users, and their trusted accountant, are unaware that they are in breach of Xero’s Terms of Use by not maintaining a local backup of their financial data. This oversight exposes them to significant risks:
Breach of Contract: Xero’s Terms of Use are a legally binding contract that outlines the rights and responsibilities of both Xero and its users.
By using Xero, your clients agree to abide by these terms, which explicitly state that users are responsible for maintaining their own backups.
Failing to comply with this term could result in limitations on their ability to use Xero’s services or even account termination.
Xero Partners not having a backup in place or not obtaining informed consent demonstrates a blatant disregard for the integrity of the agreement and exposes their clients to significant risk. In the event of data loss, they will have no recourse against Xero, as they have violated the terms of service they agreed to upon signing up.
If you are a user of Xero, ‘you’ are responsible for backing up your data.
Here is a sample of what our customers had to say. For a full list, please click on any of the reviews to take you to the Xero App Store rating.
Xero Partners: Ensure Your Clients’ Informed Consent Now
Are you just a Xero Partner, or a ‘Champion’ – Informed consent is non-negotiable. It means that you have informed your clients so they fully understand the Xero subscription Terms of Use, including potential data privacy, security risks AND backing up, before they commit. This is your responsibility as their trusted advisor.
Failing to secure informed consent exposes your clients to unnecessary risk and is a direct violation of your duty of care.
If you’ve recommended Xero, make absolutely sure your clients are aware of their obligation to back up their data. Non-compliance with Xero’s Terms of Use is a serious matter.
Lead by example:
Don’t wait. Protect your clients and your practice. Prioritise informed consent today.
Leading by example, be a true ‘Champion’! Here is a sample of the action taken by a couple of reputable, trusted advisors…
Greg Millar & Vanessa Williams – Directors
ALLIOTT NZ LTD
“When we recommend Xero to our clients our reputation is on the line. We use Control-C which is an additional back up of their data as a way to protect our goodwill and also give clients the peace of mind that their data is protected, safe and that we are looking after them.
Control-C is a great way to safeguard against the “uncontrollable” events in life.
In a world where we’re all future-proofing our businesses, we use this tool as another way to prove to our clients that we’re proactive and looking after their best interests.”
Did you know Xero’s terms of use requires you to keep your own back-up of data stored within Xero?
Clause 37. of Xero’s terms of use states: “Data loss is an unavoidable risk when using any technology. You’re responsible for maintaining copies of your data entered into our services.”
If Xero has a system issue, their priority is to restore their data, not yours.
And furthermore, while IRD legislation allows financial data to be stored on international cloud-based accounting platforms such as Xero, you are also required to have a copy of your financial data available on hand should you lose access to such cloud-based services.
In light of this, we think it is very important to retain an independent copy of your financial data such that if the worst was to happen, you have a local copy available.
That’s where Control-C comes in. Control-C offers a simple automated back-up solution for Xero data users to maintain compliance with Xero’s terms of use and IRD’s electronic data retention requirements.”
As a business owner using Xero, you should absolutely be backing up or taking copies of your data.
While Xero does have robust security measures in place and performs regular backups, their Terms of Use clearly state that:
You’re responsible for maintaining copies of your data entered into our services.
This means that Xero doesn’t guarantee against data loss and that the responsibility for safeguarding your data ultimately lies with you.
Why backing up your Xero data is crucial:
How to back up your Xero data:
Recommendations:
By taking these proactive steps, you can protect your valuable financial data and ensure the continuity of your business operations, even in the face of unexpected events.
While Xero does perform regular backups of their system for disaster recovery and data integrity purposes, you as the business owner are ultimately responsible for backing up your own Xero data.
This is explicitly stated in Xero’s Terms of Use, which emphasizes that you are responsible for maintaining copies of your data entered into their services.
Why Xero doesn’t take full responsibility:
How to ensure your data is backed up:
By taking proactive measures to back up your Xero data, you can ensure that you have a copy of your valuable financial information readily available in case of any unforeseen events. This will help you maintain business continuity and avoid potential losses due to data loss.
Even if your accountant is the subscriber to your Xero account, the responsibility for backing up the data ultimately rests with YOU, the business owner.
Here’s why:
Data Ownership: While your accountant may manage the Xero subscription and have access to the data, the financial information in Xero belongs to your business. It’s your responsibility to ensure its safe keeping and availability.
Xero’s Terms of Use: Xero’s Terms of Use explicitly state that users are responsible for maintaining their own copies of the data entered into the service. This applies regardless of who the subscriber is.
Business Continuity: Backing up your data is a critical part of your business continuity plan. In case of data loss due to technical issues, accidental deletion, or even a dispute with your accountant, having your own backup ensures that your business operations can continue uninterrupted.
Accountant-Client Relationship: While your accountant may offer assistance in setting up backups or recommend backup solutions, it’s not their sole responsibility to ensure your data is backed up. Their primary role is to provide accounting and financial services, not data management.
How to address the backup responsibility:
Discuss with your accountant: Have an open conversation with your accountant about data backups. Clarify who is responsible for performing backups, how often they should be done, and where the backups will be stored.
Establish a backup process: Decide on a backup method that works for your business. You can either manually export data from Xero or use a third-party backup solution that integrates with Xero.
Regularly review and test backups: Ensure that your backups are being performed as scheduled and that you can successfully restore the data if needed.
Consider a written agreement: If necessary, create a written agreement with your accountant outlining the responsibilities for data backups and other aspects of your Xero subscription management.
By taking these proactive steps, you can ensure that your business’s financial data is protected and readily available,regardless of who manages the Xero subscription.
Xero partners should definitely read and understand the Xero Terms of Use. It’s a crucial part of their responsibility as trusted advisors to their clients.
Why it’s important for Xero partners to understand the Terms of Use:
Why sharing this information with clients is important:
Best practices for Xero partners:
By taking these steps, Xero partners can ensure that their clients are well-informed and protected, while also fulfilling their own legal and ethical obligations.
“…(Xero) backups aren’t designed to be used by individual organisations to undo/reverse data changes performed by users in the organisation…”
They are only used by Xero “…for Data Corruption and any hosting service failure”
i.e. Xero internal issues only, not for your mistakes or cyberattacks etc.
