Assume Breach: How to Keep a SaaS Platform Secure
Every SaaS company makes the same promise to its customers, whether it says so out loud or not: your data is safe with us. In construction, where our platforms hold buyer choices, contracts, and project data that took years to assemble, that promise is the product. So it's worth being precise about what "safe" actually means — because most conversations about SaaS security stop at the login screen, and that's exactly where the real work begins.
The mindset shift that matters most is simple: assume breach. Perimeter defenses fail. A credential gets phished, a token leaks, a dependency ships a vulnerability. None of these are exotic events — they're Tuesday. The question that separates resilient platforms from fragile ones is not "how do we prevent every incident" but "how do we make sure no single failure is catastrophic".
Start with backups, because that's where modern attacks start too. Ransomware operators don't encrypt your production database first — they go after your backups, because a victim who can restore doesn't pay. That's why backups need to be immutable: written once, then locked so that nobody — not an attacker with stolen admin credentials, not even your own operations team — can alter or delete them until their retention period expires. A backup that an administrator account can delete is not a safety net; it's a single point of failure with extra steps.
Retention deserves the same rigor. One nightly backup overwritten every day protects you against yesterday's mistake and nothing else. Breaches are routinely discovered weeks or months after the initial intrusion, so a serious retention policy is tiered: daily snapshots for recent history, weeklies and monthlies reaching further back — kept long enough that you can recover to a state from before the attacker got in, not just before you noticed.
Between those snapshots sits point-in-time recovery. With continuous transaction logging, you don't restore to "last night at 02:00" — you restore to 14:31, two minutes before the bad migration ran or the malicious script fired. For a platform where buyers are configuring homes and sales teams are signing contracts all day, the difference between losing twelve hours of work and losing two minutes is the difference between an incident and an anecdote.
And none of it counts until you've tested it. A backup that has never been restored is a hope, not a guarantee. Restore drills — actually rebuilding the environment from backup, on a schedule, with a stopwatch running — are the only way to know your recovery point and recovery time are real numbers instead of aspirations in a document.
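The retention and immutability rules described above, worked through as an added example (not code from the original post or from any particular backup product): a grandfather-father-son policy selects which snapshots to keep, an object-lock style hold refuses deletion before its expiry regardless of who asks, and a helper answers the question that matters after a late-discovered breach, namely whether a retained snapshot still exists from before the intrusion date. The sample snapshots, the 45-day hold and the daily/weekly/monthly counts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Snapshot:
    taken: date
    locked_until: date  # object-lock style hold: no caller may delete before this date

def _latest_per_bucket(dates, key, count):
    """Newest snapshot date in each bucket (ISO week or month), for the most recent `count` buckets."""
    newest = {}
    for d in dates:
        k = key(d)
        if k not in newest or d > newest[k]:
            newest[k] = d
    return set(sorted(newest.values())[-count:])

def tiered_keep_set(snapshots, today, daily=7, weekly=4, monthly=3):
    """Dates a daily/weekly/monthly (grandfather-father-son) policy retains."""
    dates = sorted(s.taken for s in snapshots)
    keep = {d for d in dates if (today - d).days < daily}
    keep |= _latest_per_bucket(dates, lambda d: d.isocalendar()[:2], weekly)
    keep |= _latest_per_bucket(dates, lambda d: (d.year, d.month), monthly)
    return keep

def prune(snapshots, today, **policy):
    """Apply the policy; the immutability hold overrides it, whoever is calling."""
    keep = tiered_keep_set(snapshots, today, **policy)
    deleted, refused = [], []
    for s in snapshots:
        if s.taken in keep:
            continue
        (refused if s.locked_until > today else deleted).append(s)
    return deleted, refused

def recovery_point_before(snapshots, today, intrusion, **policy):
    """Newest retained snapshot strictly older than the intrusion date, or None if retention is too short."""
    candidates = [d for d in tiered_keep_set(snapshots, today, **policy) if d < intrusion]
    return max(candidates) if candidates else None

# Constructed sample: 60 nightly snapshots ending 2024-03-31, each held for 45 days.
TODAY = date(2024, 3, 31)
SAMPLE = [Snapshot(TODAY - timedelta(days=i), TODAY - timedelta(days=i) + timedelta(days=45))
          for i in range(60)]

if __name__ == "__main__":
    deleted, refused = prune(SAMPLE, TODAY)
    print(len(deleted), "deleted,", len(refused), "refused by immutability hold")
    print("restore point before 2024-03-12:", recovery_point_before(SAMPLE, TODAY, date(2024, 3, 12)))
    print("restore point before 2024-02-20:", recovery_point_before(SAMPLE, TODAY, date(2024, 2, 20)))
```

With these numbers an intrusion on 12 March still has a clean 10 March weekly to fall back on, while one on 20 February has none: the monthly tier starts at 29 February, which is exactly the gap a longer retention ladder is meant to close.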
Then there are the accounts that can bypass all of it: administrators. Admin credentials are the master key to a SaaS platform, and they deserve a stricter regime than everything else. Two-factor authentication for admins should be enforced by policy, not offered as an option — and it should be phishing-resistant, meaning hardware keys or passkeys rather than SMS codes that can be intercepted or socially engineered. Add to that: no shared admin accounts, admin identities separated from day-to-day accounts, and standing production access for no one. Elevated rights should be granted just-in-time, scoped to the task, and logged.
Logging is its own pillar. You cannot respond to what you cannot see, and you cannot trust logs an attacker can edit. Every administrative action, every authentication, every data export should land in an append-only audit trail that lives outside the system it observes. When something does go wrong, that trail is the difference between reconstructing the incident in hours and guessing for weeks.
The unglamorous fundamentals carry the rest: dependencies patched promptly, secrets in a vault instead of in code, encryption in transit and at rest, and strict isolation between tenants so one customer's incident can never become another's. None of this is a feature you ship once. It's a posture — reviewed, drilled, and budgeted for, year after year.
That's how we approach security across Alpha and every custom platform we build: not as a checkbox on a sales sheet, but as an architecture decision made before the first line of code. Because the honest version of "your data is safe with us" is longer and less catchy: even on our worst day, your data survives, your history is intact, and we can prove it.