Database Backup Compliance: GDPR, HIPAA, and SOC 2 Requirements
Quick Answer: Database backups must be encrypted (AES-256 minimum), access-controlled, logged, and regularly tested for restore under GDPR, HIPAA, and SOC 2. The most common audit finding is untested backups — organizations have encryption but cannot demonstrate their backups actually restore.
Why Compliance Teams Focus on Backups
Database backups are a compliance hot spot for a simple reason: they contain the same sensitive data as production, but often with weaker controls. A backup file sitting on an unencrypted server or publicly accessible S3 bucket is a breach equivalent in scope to the production database itself.
Regulators and auditors have become more specific about backup requirements over the past few years. Vague policies like "we back up regularly" are no longer sufficient. Auditors want evidence of encryption, tested restores, and access controls.
GDPR Requirements
Relevant article: GDPR Article 32 — Security of processing
GDPR does not prescribe specific technical standards, but Article 32 requires "appropriate technical and organisational measures" including:
- Pseudonymization and encryption of personal data
- Ability to restore availability and access to data in a timely manner
- Regular testing and evaluation of technical measures
What this means for backups:
| Control | Requirement | Implementation |
|---|---|---|
| Encryption | Encrypt all backups containing personal data | AES-256-GCM before data leaves server |
| Access controls | Limit who can access backup files | S3 bucket policies, IAM roles |
| Retention limits | Don't retain longer than necessary | 30-90 day retention policy with automated expiry |
| Restore testing | Demonstrate ability to restore | Automated or quarterly manual restore tests |
| Incident notification | Know when backups are breached | Alerting and audit logs |
GDPR-specific risk: If an unencrypted backup is accessed by unauthorized parties, this is a personal data breach requiring notification to the supervisory authority within 72 hours.
HIPAA Requirements
Relevant section: HIPAA Security Rule 164.308(a)(7) — Contingency Plan
HIPAA is more prescriptive than GDPR on backup requirements:
Required Implementation Specifications
Data Backup Plan (Required): Must create and maintain retrievable exact copies of ePHI (electronic Protected Health Information). This requires documented backup procedures and regular execution.
Disaster Recovery Plan (Required): Must have procedures to restore lost data, including from backup. Regulators expect you to have tested this.
Emergency Mode Operation Plan (Required): Procedures to enable continued operation during system failures.
Technical Security Controls for Backup (164.312)
164.312(a)(1) Access Control — backup files must be access-controlled
164.312(a)(2)(iv) Encryption — backup media must be encrypted
164.312(b) Audit Controls — log access to backup data
164.312(c)(1) Integrity — verify backups haven't been altered
HIPAA-specific requirement: Covered entities and their Business Associates (including SaaS backup providers) must have a signed Business Associate Agreement (BAA). If you use BackupAgent to back up ePHI, a BAA is required.
Retention: HIPAA requires 6 years
Medical records and related documentation must be retained for 6 years. This applies to documentation of your backup and recovery procedures, not necessarily the backup files themselves — but many healthcare organizations retain actual backup data for 6 years as well.
SOC 2 Requirements
SOC 2 Type II audits evaluate backup controls under the Common Criteria (CC) and Availability (A) Trust Service Criteria.
Key criteria for backup:
CC9.1 — Business disruption risk management: Controls to protect against disruptions, including backup and recovery procedures.
A1.2 — Environmental protection and recovery: Procedures to recover from environmental disruptions.
A1.3 — Recovery testing: Regular testing of recovery procedures.
What SOC 2 auditors typically look for:
- Documented backup policy — written procedure covering frequency, encryption, storage, and retention
- Evidence of execution — backup logs showing consistent performance against policy
- Encryption confirmation — evidence that backups are encrypted (key management documentation)
- Access controls — who can access backup data and how access is managed
- Restore testing — evidence that backups were successfully tested, typically at least annually for Type II
- Alerting — evidence that backup failures are detected and responded to
The most common SOC 2 finding related to backups: organizations have backups and encryption, but cannot demonstrate that they test restores. Automated restore verification with BackupAgent closes this gap by generating a restore verification log for every backup.
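What a restore verification record needs to contain in order to close the gap described above, shown as an added example that is not BackupAgent's code: the script checks the backup's HMAC tag (the HIPAA 164.312(c)(1) integrity control, with the key held apart from the backup data), restores it into a scratch database, compares row counts against a manifest, and emits the date, operator and outcome the checklist asks for. The sample database, the `patients` table and the demo key are constructed for illustration; SQLite stands in for the production engine.

```python
import hashlib
import hmac
import sqlite3
from datetime import datetime, timezone

# Constructed demo key. In production it comes from a KMS or secret store, never the backup bucket.
DEMO_INTEGRITY_KEY = b"constructed-demo-key-do-not-use"

def make_sample_backup() -> str:
    """Constructed sample: dump a tiny in-memory database to a SQL backup."""
    src = sqlite3.connect(":memory:")
    src.executescript(
        "CREATE TABLE patients(id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO patients(name) VALUES ('A'), ('B'), ('C');"
    )
    return "\n".join(src.iterdump())

def backup_tag(backup_sql: str, key: bytes) -> str:
    """HMAC-SHA256 over the backup, recorded at backup time (the integrity control)."""
    return hmac.new(key, backup_sql.encode(), hashlib.sha256).hexdigest()

def verify_restore(backup_sql, expected_tag, key, expected_counts, performed_by):
    """Restore into a scratch database and return an audit-ready log record."""
    record = {"timestamp": datetime.now(timezone.utc).isoformat(), "performed_by": performed_by,
              "backup_sha256": hashlib.sha256(backup_sql.encode()).hexdigest(),
              "checks": [], "outcome": "FAIL"}
    # 1. Integrity: a backup whose tag does not match is rejected before it is loaded.
    if not hmac.compare_digest(backup_tag(backup_sql, key), expected_tag):
        record["checks"].append("integrity: tag mismatch")
        return record
    record["checks"].append("integrity: ok")
    # 2. Restore: a backup that does not load is not a backup.
    scratch = sqlite3.connect(":memory:")
    try:
        scratch.executescript(backup_sql)
    except sqlite3.Error as exc:
        record["checks"].append(f"restore: failed ({exc})")
        return record
    record["checks"].append("restore: ok")
    # 3. Content: row counts must match the manifest taken at backup time.
    #    Table names come from our own manifest, not from user input.
    for table, expected in expected_counts.items():
        (actual,) = scratch.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()
        if actual != expected:
            record["checks"].append(f"rows: {table} {actual} != {expected}")
            return record
    record["checks"].append("rows: ok")
    record["outcome"] = "PASS"
    return record
```

Write each returned record to an append-only log; the series of PASS records, each with a timestamp and operator, is the evidence an auditor asks for.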
PCI DSS Requirements
Relevant requirement: PCI DSS Requirement 3 — Protect stored cardholder data
If your database contains cardholder data, backups fall under PCI DSS scope:
- 3.4: Render PAN unreadable anywhere it is stored, including backups. AES-256 with proper key management satisfies this.
- 3.7: Protect cryptographic keys used to secure cardholder data. Keys must not be stored with encrypted data.
- 10.5: Protect audit logs (including backup logs) from modification.
- 12.10: Incident response plan must include backup and recovery.
PCI DSS Requirement 12.3 also requires backup media to be physically secured. This is written with on-premises backup media in mind, but it applies to cloud storage access controls as well.
The Compliance Checklist
Use this as a self-assessment or audit preparation:
Encryption
- [ ] All database backups encrypted with AES-256 or stronger
- [ ] Encryption applied on the source server before data leaves the network
- [ ] Encryption keys stored separately from backup data
- [ ] Key management documented (rotation schedule, storage location)
Access Controls
- [ ] Backup storage access controlled by IAM/RBAC (not open to everyone)
- [ ] Principle of least privilege applied to backup credentials
- [ ] Service accounts used for backup agents (not personal accounts)
- [ ] Access logs enabled for backup storage
Backup Execution
- [ ] Backups running on documented schedule (not ad hoc)
- [ ] Backup execution logged and retained
- [ ] Alerting configured for backup failures
- [ ] Backup size anomaly detection enabled
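The three Backup Execution checks above (schedule adherence, failure alerting, size anomaly detection) as detection logic over a backup log, an added example that is not part of the page or of BackupAgent. The JSON-lines log and its timestamps are constructed; the final run reports success but is about 1% of the usual size, the signature of a truncated dump that a status-only alert would miss.

```python
import json
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed backup log (JSON lines); the last run "succeeded" but is ~1% of the usual size.
SAMPLE_LOG = """\
{"ts": "2024-05-01T02:00:05Z", "status": "ok", "bytes": 1048576000}
{"ts": "2024-05-02T02:00:07Z", "status": "ok", "bytes": 1052770304}
{"ts": "2024-05-03T02:00:04Z", "status": "ok", "bytes": 1056964608}
{"ts": "2024-05-04T02:00:09Z", "status": "ok", "bytes": 1061158912}
{"ts": "2024-05-05T02:00:06Z", "status": "ok", "bytes": 12582912}
"""

def parse_log(text):
    """Parse JSON lines into dicts with timezone-aware timestamps, oldest first."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            entry["ts"] = datetime.fromisoformat(entry["ts"].replace("Z", "+00:00"))
            entries.append(entry)
    return sorted(entries, key=lambda e: e["ts"])

def check_backups(entries, now, expected_interval, max_deviation=0.5, history=3):
    """Return alert strings; an empty list means schedule, status and size look healthy."""
    if not entries:
        return ["no backup records found"]
    alerts = []
    last = entries[-1]
    # 1. Schedule: a job that silently stopped running is the classic finding.
    if now - last["ts"] > expected_interval:
        alerts.append(f"no backup since {last['ts'].isoformat()}")
    # 2. Status: a failed run must raise an alert, not just sit in the log.
    if last["status"] != "ok":
        alerts.append(f"last backup status: {last['status']}")
        return alerts
    # 3. Size: compare with the median of recent successful runs (robust to one outlier).
    prior = [e["bytes"] for e in entries[:-1] if e["status"] == "ok"][-history:]
    if prior:
        baseline = median(prior)
        deviation = abs(last["bytes"] - baseline) / baseline
        if deviation > max_deviation:
            alerts.append(f"backup size {last['bytes']} deviates {deviation:.0%} from median {baseline:.0f}")
    return alerts

def run_check(log_text, now_iso, interval_hours=25):
    """String-driven entry point so a cron job can call it with the current time."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return check_backups(parse_log(log_text), now, timedelta(hours=interval_hours))
```

Route a non-empty result to the same paging channel as a failed run; the alert text is also the "detected and responded to" evidence SOC 2 asks for.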
Restore Testing
- [ ] Restore procedure documented in writing
- [ ] Restore tested at least quarterly (annually minimum for SOC 2)
- [ ] Restore test results logged with date, who performed it, and outcome
- [ ] Automated restore verification running after each backup (ideal)
Retention
- [ ] Retention policy documented
- [ ] Old backups automatically expired (not manual cleanup)
- [ ] Retention period meets applicable regulatory minimums
- [ ] Backups stored in separate account/subscription from production
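Automated expiry, as an added example that is not part of the page or of BackupAgent, with the one guard a practitioner wants: the retention window is the GDPR-driven maximum, but the newest few verified backups are never expired, so a stalled schedule cannot let the cleanup job delete the last good copy. The bucket inventory, object keys and the `verified` flag (the outcome of the restore test) are constructed.

```python
from datetime import datetime, timedelta

# Constructed bucket listing: one backup object per entry, with the restore-verification
# outcome recorded alongside it. An unverified object never counts as a retained copy.
SAMPLE_INVENTORY = [
    {"key": "db/2024-01-10.sql.enc", "ts": "2024-01-10T02:00:00+00:00", "verified": True},
    {"key": "db/2024-01-20.sql.enc", "ts": "2024-01-20T02:00:00+00:00", "verified": True},
    {"key": "db/2024-02-01.sql.enc", "ts": "2024-02-01T02:00:00+00:00", "verified": True},
    {"key": "db/2024-02-15.sql.enc", "ts": "2024-02-15T02:00:00+00:00", "verified": False},
    {"key": "db/2024-02-20.sql.enc", "ts": "2024-02-20T02:00:00+00:00", "verified": True},
]

def select_expired(inventory, now, retention, keep_min=3):
    """Return keys older than `retention`, excluding the newest `keep_min` verified backups.

    `retention` is the ceiling ("don't retain longer than necessary"); `keep_min` is the
    floor that stops expiry from removing the last restorable copy when backups stall.
    """
    items = sorted(inventory, key=lambda i: datetime.fromisoformat(i["ts"]), reverse=True)
    verified_newest_first = [i for i in items if i["verified"]]
    protected = {i["key"] for i in verified_newest_first[:keep_min]}
    cutoff = now - retention
    return [i["key"] for i in items
            if datetime.fromisoformat(i["ts"]) < cutoff and i["key"] not in protected]

def expire(inventory, now_iso, retention_days=30, keep_min=3):
    """String-driven entry point; the result is sorted so the cleanup log is reproducible."""
    now = datetime.fromisoformat(now_iso)
    return sorted(select_expired(inventory, now, timedelta(days=retention_days), keep_min))
```

The list returned is what the cleanup job deletes and what its log should record; a job that returns every key is a signal that the schedule has stalled, not a reason to delete.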
How BackupAgent Supports Compliance
BackupAgent addresses the technical controls directly:
- Encryption: AES-256-GCM on every backup, key stored encrypted in the dashboard
- Access controls: RBAC with owner/admin/member/viewer roles, full audit log
- Restore verification: Every backup restored in ephemeral Docker container, results logged
- Alerting: Immediate notification on backup failure or anomaly detection
- Dashboard: Centralized view of all backup activity with exportable logs for auditors
For HIPAA-covered entities, contact us to discuss Business Associate Agreement requirements.