What is the 3-2-1-1 backup rule?

The 3-2-1-1 backup rule: 3 copies of your data, on 2 different storage types, with 1 copy offsite, and 1 immutable copy that cannot be encrypted or deleted by ransomware. The "1 immutable" is the critical addition beyond the original 3-2-1 rule for ransomware protection.

How often should Canadian businesses test their backups?

At minimum monthly for file-level restoration tests, and at least annually for full disaster recovery tests. Silent backup failures (backup jobs reporting success while writing corrupt data) and incompatible restore environments are common — untested backups are unreliable backups.

Where should Canadian businesses store backups for PIPEDA compliance?

Backups containing personal information should be stored in Canadian data centres to maintain PIPEDA protections and avoid US CLOUD Act concerns. Microsoft Azure's Canadian data centres (Canada Central in Toronto, Canada East in Quebec City) are suitable for PIPEDA-compliant backup storage.

What Is BDR (Backup and Disaster Recovery)?

BDR — Backup and Disaster Recovery — combines two related but distinct capabilities: backup (creating secure, restorable copies of data) and disaster recovery (the plan and infrastructure to restore business operations after a major incident). For Canadian businesses, BDR is foundational for ransomware protection, PIPEDA compliance (which requires appropriate safeguards for personal information), and business continuity in the event of hardware failure, natural disaster, or cyberattack.

Backup vs. disaster recovery: what's the difference?

Backup: the process of creating additional copies of data that can be restored if original data is lost or corrupted; protects against data loss
Disaster recovery: the plan, processes, and infrastructure to restore business operations — including applications, servers, and network — after a significant disruption; protects against downtime
BDR combines both: a BDR solution creates backups that can be restored quickly enough to meet your RTO with a data loss acceptable within your RPO

The 3-2-1-1 backup rule for Canadian businesses

The 3-2-1 backup rule — 3 copies, 2 different media, 1 offsite — has been updated for ransomware to the 3-2-1-1 rule:

3 copies of your data (original + 2 backups)
2 different types of storage media (e.g., local NAS + cloud)
1 offsite copy in a geographically separate location (cloud backup to Canadian data centre)
1 immutable copy — a backup that cannot be modified, encrypted, or deleted by ransomware, even if attackers gain admin credentials; stored in air-gapped or WORM (Write Once Read Many) storage

The immutable copy is the critical addition for ransomware protection. Without an immutable backup, ransomware that gains admin access can encrypt or delete all your backups before triggering the main encryption event.

BDR testing: the most overlooked requirement

Most Canadian businesses test their backups less than quarterly. This is a critical gap:

Backups fail silently — a backup job may show "completed" while writing corrupt data
Restoration is different from backup — the backup process may work while the restore process fails
Environment changes cause restore failures — the restored environment may be incompatible with current application versions

Outsource IT Canada tests backup restoration monthly for all managed clients — restoring a random set of files and verifying application integrity. Full DR tests are performed annually to validate that complete system recovery meets RTO targets.

Canadian data residency for BDR

For PIPEDA compliance, personal information must be protected with appropriate safeguards — including during backup storage and transfer. Canadian data centre backup ensures:

Data remains subject to Canadian privacy law during transit and at rest
No US CLOUD Act concerns about US government access to Canadian personal information
Compliance with Quebec Law 25 (which requires PIAs for cross-border transfers)

Outsource IT Canada uses Canadian data centre backup locations — Azure Canada Central (Toronto) and Azure Canada East (Quebec City) — for all managed client backups.

BDR solutions for Canadian businesses (2026)

Datto SIRIS — on-premise appliance with journaled backups and cloud sync; instant VM spin-up; strong for businesses needing sub-1-hour RTO
Veeam Backup — flexible backup for VMware, Hyper-V, and Windows; integrates with Azure; widely deployed by Canadian MSPs
Azure Backup — Microsoft's cloud backup service; Canadian data centres; integrated with Azure VMs and Microsoft 365
Acronis Cyber Protect — backup + cybersecurity combined; good for SMBs wanting a single vendor

Related glossary terms

How Outsource IT Canada can help

Managed IT Services — 24/7 monitoring and flat-rate IT support for Canadian businesses
Cybersecurity Services — EDR, MDR, dark web monitoring, and incident response
PIPEDA Compliance — privacy impact assessments and breach notification procedures
Get a free assessment — call (416) 623-9677

Ready to transform your IT? Call (416) 623-9677 for a free assessment.