Skip to content

Backup SLA policies

Afi SaaS backup for Google Workspace uses a concept of a backup SLA policy to protect resources (users and Shared drives) and configure custom backup settings such as frequency, scope and exclusion rules, retention and archiving settings, and encryption keys (Afi- or customer-managed). A resource or a set of resources can be protected by an SLA policy directly on the Service → Protection screen or an SLA policy can be assigned to a group of resources on the Service → Protection → Organizational Units or Service → Protection → Google Groups tabs, in particular, to automatically protect resources that are added to the group.

Backup SLA policies are managed on the Service → Settings → SLA tab in the Afi portal. Afi automatically creates a set of predefined backup SLA policies upon a tenant onboarding (Gold, Silver, Bronze, Manual), but administrators can create any number of additional SLA policies, customized to their needs, to protect different sets of resources in a tenant with different settings. The service cost doesn't depend on which backup SLA policies are used, so you can select or configure any SLA policies that you see fit for your use cases.

Backup SLA policy management

Backup SLA policies for a tenant are configured and managed on the Service → Settings → SLA tab in the Afi portal.

You can view and change an SLA policy settings by clicking on its tile in the policies list or create a new SLA policy by clicking on the Add new SLA button in the top-right corner of the screen.

The SLA policy settings available for configuration are explained below.

Data to backup

This section allows you to configure which Google Workspace workloads will be backed up by the Afi service for resources which are protected by an SLA policy. Detailed description of Google Workspace workloads supported by Afi is provided in this article.

You can enable or disable backup of specific workloads based on your use cases, for example, it allows you to create custom SLA policies that include only email data (Emails checkbox) or only Google Drive data (Drive & Computers checkbox).

You can assign a configured SLA policy to any resource, regardless of its type and workloads that it might contain. For example, you can assign an SLA policy that includes email data backup to a Shared drive - the Afi service will synchronize workloads available for this particular resource and skip workloads that are not applicable. This allows you to use a single SLA policy for all resources in your tenant in a generic way regardless of their types.

Info

If you disable backup for a specific workload (for example, Emails) in an SLA policy settings, the service will stop synchronizing data for this workload for resources protected with this SLA policy, but old data for this workload will remain in the corresponding backups. If you want to delete already synchronized emails or files after you have disabled the corresponding workloads in the SLA policy settings, you can add custom item-level retention rules to this SLA to delete emails or files older than the retention window.

Exclusion rules

Afi allows users to configure rules that exclude the specified labels from Gmail backup and files with the specified file extensions from Google Drive backup. This can help you optimize the backup storage footprint and slow down backup storage growth by excluding unnecessary items that might consume a significant amount of storage, such as video recordings, images, and binary files.

Gmail

To exclude a label from backup, please add it in the exclusion list. After the configuration, the Afi service will stop synchronizing all emails that have any of the excluded labels assigned, even if they have other labels, not included in the exclusion list. For example, if an email has the Inbox and Personal labels and the Personal label is excluded from backup, such email won't be synchronized. If a backup already contains emails with labels from the exclusion list, such emails will still remain both in old and new backup snapshots.

You can add default Gmail labels (for example, Trash or Spam) to the exclusions as well as the user-created ones. When a label to be excluded is located inside another label in the label hierarchy (for example, the Personal label inside the Other label in the mailbox root), please specify the full path to the excluded label (Personal/Other).

Google Drive

To exclude files from Google Drive backup by a file extension, please add the extension (mp4, mp3, avi, etc.) in the exclusion list. After the configuration, the Afi service will stop synchronizing files with the specified extensions.

You can apply the configured file extension exclusion rules to the historical backup snapshots by checking the corresponding option below the rule. In this case, all file versions with the specified extensions will be wiped from all backup snapshots during the next periodic backup, freeing the backup storage that they occupy. Otherwise, such files will still remain both in old and new backup snapshots, but won't be updated any longer in the new backup snapshots in case of changes.

Notice

Excluding files/folders from backup by path or file mask is not supported at the moment.

Schedule

SLA schedule settings allow you to define how often you want to run backups for resources protected with this SLA policy. The service can either run backups automatically once or 3 times per day or you can select the Manual frequency to launch backups manually from the Afi portal. In case of the Manual frequency, the Afi service won't launch any backups for the corresponding resources automatically. In most cases it is recommended to use once or 3 times per day backups managed by the Afi service to make sure that your data is being backed periodically and in a timely manner.

For a backup SLA policy with periodic backup frequency the Afi service triggers backups within backup windows that span several hours:

  • One 9-hour long backup window for once per day backup frequency. The backup window start can be configured when the once per day backup frequency is selected.
  • Three 6-hour long backup windows within a day for 3 times per day backup frequency.

Spreading backup start times across a backup window is important to avoid peak loads on the Microsoft 365 services and don't cause API throttling.

Retention

By default, Afi keeps all backup snapshots and item versions for each backed up resource indefinitely, but you can configure custom data retention rules for an SLA policy to limit how long backup snapshots or items of a specific type (email/files) are kept by the service. Available data retention rules are described in the following article.

If you decide to limit how long backup data is stored by the Afi service, it is recommended to use backup version data retention rules. Item-level retention rules are better suited for compliance-related use-cases (for example, to keep email data for 7 years and delete all emails older than 7 years) and should be used with caution.

Please note that the Afi service applies retention rules only to the backups that protected by an SLA policy and are backed up periodically. If a resource is not protected by an SLA policy, the service will continue to keep its backup together with all historical backup snapshots, but won't apply any custom retention or archiving rules.

Archiving

Archiving rules define how long the Afi service will keep a backup for a resource protected by an SLA policy after it is marked as Archived on the Afi side. A resource becomes Archived when the service can no longer synchronize its data with Google Workspace - either when a resource is deleted on the Google Workspace side or, in the case of a user, when it becomes suspended or archived. Archiving rules are described in detail in the following article.

Encryption

By default, all Afi backups are encrypted with per-tenant Afi-managed encryption keys. Afi also supports configuring customer-managed cloud KMS encryption keys that allow an administrator to comply with regulatory requirements and have an additional layer of control over their backup data. Customer-managed (BYOK) encryption setup is described in this section.

Protecting resources with a backup SLA policy

Once you selected or configured a backup SLA policy that you plan to use, you can assign it to a resource or a set of resources on the Service → Protection tab. When a resource is protected with an SLA policy, you can trigger its backup by clicking on the Backup now button.

You can also assign a backup SLA policy to a group of resources and automatically protect all resources that are added in this group on the Service → Protection → Organizational Units or Service → Protection → Google Groups tab. Please see the following guide for more details.