The deployment of a modern Cloud Backup and Data Governance solution requires a clear division of operational tasks. This matrix outlines the respective responsibilities of Druva, your Corporate IT Administrators, and your End Users to ensure end-to-end data resiliency, security, and compliance.
1. Druva (The SaaS Provider)
Druva (including Cloud Operations and Global Technical Support) is responsible for the overall availability, security, and continuous maintenance of the cloud platform itself.
Cloud Infrastructure & Global Availability: Architecting and maintaining the global, multi-tenant cloud microservices platform (built on AWS). Druva ensures the scaling of backend computing resources, auto-scaling backend storage, and providing geo-redundant storage options to meet explicit regional SLAs.
Data Immutability & Air-Gapping: Physically and logically isolating backup data stores from the customer’s live production network. Druva ensures all endpoint data ingested is non-rewritable, non-deletable, and fully air-gapped to neutralize the impact of lateral ransomware movement or compromised tenant keys.
Important - Data retention lifecycles, lifecycle compactions, and explicit data deletions remain under the exclusive operational control of authorized customer administrators.Platform Security & Global Compliance: Securing the core Druva Cloud Platform backend. Druva maintains global security certifications (including SOC 2 Type II, ISO 27001, FedRAMP, HIPAA, and PCI-DSS) and ensures end-to-end data encryption—protecting data in transit (TLS 1.2/1.3) and at rest (AES-256) via envelope encryption.
Backend Software Maintenance: Performing non-disruptive, automated software updates, optimization patches, and zero-downtime microservice upgrades to the Druva Cloud Platform Console.
Technical Support Operations: Offering 24/7/365 global technical assistance for platform-level anomalies, infrastructure storage faults, public API credential issues, and general product troubleshooting.
2. Druva Administrators (Customer Side)
Customer Administrators logging into the Druva Cloud Platform Console or inSync Management Console have ownership over data governance, access controls, endpoint configurations, and legal compliance.
Client Lifecycle & Mass Deployment: Managing the packaging, distribution, and installation of the Druva inSync Client across corporate laptop/desktop fleets using Integrated Mass Deployment (IMD) parameters via endpoint management tools (e.g., Microsoft Intune, SCCM, Jamf).
Identity Provisioning & Access Control (RBAC): Synchronizing and integrating enterprise identity providers (Active Directory, Entra ID, Okta, SCIM) for automated user onboarding/offboarding. Enforcing Single Sign-On (SSO), Multi-Factor Authentication (MFA), and configuring custom Role-Based Access Control (RBAC) (For example, Cloud Admins, Help Desk Admins, Legal Admins).
Data Protection Profiles & Exclusions: Architecting inSync "Profiles" that define corporate backup boundaries. This includes selecting which target paths to back up (For example, Desktop, Documents, System Settings), setting custom retention/compaction periods, defining backup intervals, and enforcing file-type or size exclusion rules.
Legal Hold & eDiscovery Orchestration: Managing the corporate legal hold lifecycle. Administrators create Legal Hold policies, designate up to 500 custodians at a time via CSV imports, isolate specified user data from standard retention compaction, and securely provision WebDAV access links or export utilities (.eml, .ics, .vcf formats) for legal counsel review.
Data Loss Prevention (DLP) & Security Monitoring: Defining proactive security parameters, such as triggering remote data wipes for lost/stolen endpoints, reviewing comprehensive admin audit trails, and monitoring the dashboard for non-compliant or non-backed-up devices.
3. End Users (The Device Owners)
The corporate employee on whose endpoint the inSync Client is actively running serves as the day-to-day custodian of their device connectivity and local data integrity.
Device Power & Network Connectivity: Ensuring that corporate laptops/desktops are routinely powered on and connected to a viable internet path (corporate network, home Wi-Fi, or cellular hotspot) to allow automated, background backup intervals to execute uninterrupted.
Self-Service Data Recovery: Leveraging the intuitive inSync Client interface or the secure inSync Web portal to execute self-service folder, file, or historical snapshot restores without opening a ticket with corporate IT.
Client Activation & Authentication Validation: In case of device user’s involvement, activating the agent or logging back into the agent using corporate credentials (SSO) if prompted following security token expirations or device upgrades.
Compliance with Agent System Prompts: Interacting with necessary OS-level permissions when prompted by the client (e.g., granting "Full Disk Access" on macOS or responding to mandatory privacy alerts). Users must understand that ignoring critical client prompts can cause backups to pause.
Basic Status Reporting: Acting as the first line of sight by reporting explicit agent errors, persistent visual backup failures (red client status indicators), or localized hard drive space alerts to the internal Corporate IT Help Desk.