
Trusting SaaS With Your Data, eh?

By Erik Heidt | June 19, 2014


Two significant SaaS data loss events in short order…

On May 6th, Dedoose, a SaaS solution for qualitative research, announced a major data loss event, and today (June 19) Code Spaces announced that they are down, have lost significant amounts of client data, and may be out of business.

What should current or prospective SaaS users learn from this right away?

  1. Take responsibility for having copies of your data! 
  2. Establish regular and routine procedures for backing up your data.
  3. Ensure you can use those backups!
  4. Be prepared to accept the consequences of provider failure.

Both of these services provided mechanisms for their customers to create their own backups – but how many users used them? In the case of Code Spaces, their primary service was providing svn-based code repositories, and svn tools for creating backups are commonly available. Dedoose offers an export-to-Excel capability.

Many SaaS providers make no commitment about the availability of your data – none. For those providers that do, and that you might have a contract with, you can’t get data (or a settlement) from a company that doesn’t exist anymore.

It’s a simple rule: if you care about that data, make sure you have copies of it.

If a supplier can’t provide you with a means to get copies of the data, then you need to have a contingency plan for when they are no longer able or willing to provide it. The most important component of any supplier relationship is a solid exit strategy.

Note that the root cause of either of these events doesn’t appear to have been an infrastructure failure. It sounds like it was an operations failure for Dedoose and a security failure for Code Spaces (similar to Wizard Lays Waste to Acme Data Analytics with Chef Spell…).



P.S. Here is a quote from

“Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility.”

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.



  • TechYogJosh says:

    Didn’t these SaaS providers have “data recovery” or “backup” sites? Are they saying they were running one instance of the database? That is not possible. How did they lose the data? Some sites might have gone down or database/storage might have become corrupted, but there must be other copies of the data that could be restored. I don’t know how this has happened. And if this has, should there be a regulator for these SaaS companies who inspects their data management strategies? Not many customers would be aware of the data protection mechanism of these SaaS providers.

    • Erik T. Heidt says:

      TechYogJosh –

      In both of these cases I have only the information that is posted by these organizations. At any rate, it appears that in both cases they had flaws in their design of risk and security controls. In the case of CodeSpaces, it appears that, even if they were using multiple regions to store the data, all of the data was administrated from a single powerful administrative account – which they lost control of.

      Again, at this time the only data that I have is the narratives that these organizations have self-reported.

      Thanks, Erik