The market for Software as a Service (SaaS) is growing rapidly, with Gartner predicting that 85% of organizations will use SaaS for a majority of apps by 2018. The research firm also expects the SaaS market to grow 5x faster than traditional software.

However, that raises some questions about how data is collected and used by the vendors in their space, and how companies can protect themselves from any issues. At a breakout session during the 2017 AWS re:Invent conference, NetApp’s Spencer Sells led a breakout session titled Is Your SaaS Covered? explaining some of the principles behind SaaS data protection.

According to Sells, data is no longer locked away on devices and hidden by firewalls. It is now distributed, dynamic, and diverse; and that must inform a company’s approach to protecting that data.

SEE: Cloud computing policy (Tech Pro Research)

As companies move their data into SaaS applications, there are specific principles they need to be aware of, Sells said. Here are the three best practices for tech leaders to help prevent data loss in their SaaS applications.

1. Don’t assume your data is safe in a SaaS application

Just because you’ve signed a contract with a SaaS provider doesn’t mean they’re obligated to protect your data, Sells said. And there are some major issues plaguing organizations using these services.

Citing Aberdeen Group research, Sells said that 28% of SaaS users have experienced synchronization issues and 21% of end users purge their own data. He also noted that 16% have experienced a ransomware attack, 15% have experienced an insider threat, and 13% have dealt with a rogue administrator. So, be sure to take steps to secure your data within the SaaS application itself, possibly with the help of a third-party service.

2. Back up your SaaS data, because many SaaS providers don’t

According to Sells, the reality of SaaS is that many vendors simply don’t back up customer data in a way that is efficient for true disaster recovery.

However, if they are, Sells said it is also important to consider how they’re holding the data as a backup. For example, is it kept as a giant block of data, or can it be used to actually restore specific apps and services? This is a crucial consideration for companies looking into SaaS. And if the vendor’s plans don’t match the needs of the customer, the customer should consider an additional backup service.

3. Understand the reality of recovery

Even if a vendor can recover your data, Sells said, you might experience delays, restrictions, and fines for recovery. For example, he said, Salesforce charges a minimum of $10,000 to recover customer data and it can take several weeks to accomplish that recovery.

Additionally, he said, Microsoft supports recovery as part of E3 and E5 services but it is non-committal (it has no SLA) on the time frame for recovery. Overall, there are inconsistent policies across the board for SaaS vendors and their policies, Sells said, and interested customers need to strongly consider whether or not a given policy or vendor works for them.