Druva Announces $10 Million Data Resiliency Guarantee


Druva has announced a $10 million data resiliency guarantee for its software-as-a-service data protection suite.

Customers can claim up to $10 million if Druva fails to live up to five major SLAs. The SLAs cover five categories that Druva has identified (confidentiality, immutability, reliability, durability, and availability) and have clearly defined metrics.

Druva’s five SLA categories for the guarantee. (Source: Supplied)

Druva has published the text of the terms and conditions on its website so you can check for yourself what’s covered and what isn’t. The language is relatively straightforward, compared to the dense legalese of many vendor guarantees. It can be hard to figure out if you’ll ever actually be covered by the guarantee, so to Druva’s credit, they’re trying to make it easier for customers to feel confident and safe.

“One of the things that we tried to put into the language was things around immutability, that if you have the immutability option turned on, we’re saying that your last successful backup will be recoverable,” said Stephen Manley, chief technology officer at Druva.

Stephen Manley, chief technology officer, Druva (Source: Supplied)

“Regardless of whether the cause was an external ransomware attack, an internal rogue administrator, or a socially engineered ransomware attack, what we tried to do was sort of stay away from classifying what the nature of the attack was,” said Manley. “We really wanted to focus on the result, which is you’re gonna get your data back.”

Analysis

When I see a guarantee, the question I like to ask a vendor is: When you fuck up, what do I win?

Blunt, yes, but it gets to the heart of the matter.

I’m very skeptical of guarantees, because they’re not promises that nothing will ever go wrong. Guarantees are promises about what will happen if a vendor doesn’t live up to its end of the bargain. Rarely does that promise amount to “we’ll make everything better”. Far more often it’s something like “we’ll give you a bit of your money back” or “you’ll give us a chance to fuck up again, but for free this time”.

Guarantees are ultimately a kind of quality signal. They tell prospective customers how confident a vendor is that their product will live up to its promises. It’s a “put your money where your mouth is” kind of deal. Few of them actually put up that much money, but here Druva does appear to be making a solid promise.

The headline figure is $10 million, but Druva isn’t offering that full amount to all customers. How much you’d get is based on your annual spend, and eligibility starts at an annual spend of $25,000. For that spend, if Druva misses its SLA, you’ll get $100,000 if the guarantee applies. 2-4 years’ worth of spend back is a decent amount of cash.

The value of data

But the value of data may have no relationship to the amount you spend to back it up. Some very valuable information, such as the combination to your personal safe, doesn’t take up very much space at all. If data is lost or corrupted, the cost impact may be many times even the maximum $10 million payout.

This isn’t a criticism of what Druva is doing. It’s a reminder that you need to do your own risk analysis, and have a plan B for if the worst happens. You are making a bet, and if you bet wrong, you are the one who will need to deal with the consequences. Vendors may try to help, but no one cares about your data as much as you do.

Ransomware crews are adapting to what will get them the most money. If they know you’ve got a juicy cyber-insurance policy that will cover the ransom, they’re more likely to ask for a lot of money. If they know they’ll get more money blackmailing you over releasing information publicly, rather than depriving you of access to your data by encrypting it, they do that too.

Backups are just one piece of the puzzle. An important piece, yes, but not a panacea.

Stand by your product

One thing I will unreservedly praise Druva for is putting their money where their mouth is, and providing a real guarantee with a compensation prize you can actually win. I wish more companies had this kind of courage.

Faux guarantees with a zillion qualifiers buried in fine print are worse than no guarantee at all. They tell me that you have contempt for your customers and make me wonder what other nasty surprises are lurking in the billion pages of legalese you bombard us with.

Clear and understandable promises about what you’ll do and what you won’t are what I look for, and I hope that more companies follow Druva’s lead here.