Cloudback: SOC 2 Type II Azure DevOps Backups

Cloudback is a SOC 2 Type II compliant backup and restore platform for Azure DevOps repositories and pull requests. AES-256 encrypted ZIP archives, optional customer-managed encryption keys (RSA Lockbox / CMEK), bring-your-own-storage across ten configurations, and self-service restore. No support ticket required. Engineering, DevOps, and security teams use Cloudback for compliance audit prep, ransomware recovery, accidental-deletion rollback, and platform migration. Trusted by 1.7k+ customers to protect 14k+ repositories with 4M+ backups created.

Cloudback dashboard for Azure DevOps backups

Key benefits

For DevOps leads, platform engineers, engineering managers, IT directors, and security teams who need automated daily backups, on-demand restore, and audit evidence:

Run daily backups automatically with defaults applied on Azure DevOps connect.
Restore on demand from any retained backup, to the same or a different organization.
Encrypt with your own keys using customer-managed encryption (RSA Lockbox / CMEK).
Bring your own storage across ten configurations (Azure Blob, S3, OneDrive, Google Cloud, and more).
Receive backup notifications via email, Slack, Microsoft Teams, and Discord.
Produce audit evidence from a per-action audit log with 60+ event types and Vanta-synced access reviews, backed by Cloudback's SOC 2 Type II attestation.
Automatically discover and protect new repositories as your team grows.

What Cloudback protects

Cloudback captures the full state of your Azure DevOps repositories and pull-request data:

Repository content as a complete bare Git clone: all branches, tags, refs, and full commit history
Git LFS-tracked files fetched via git lfs fetch --all after the repository clone
Pull request details: title, description, status, source and target branches, merge status, draft status, creation and completion dates, and completion options (merge strategy, delete source branch, squash merge, bypass policy)
Pull request reviewers with vote status (approved, approved with suggestions, waiting for author, rejected) and required-reviewer flags
Pull request threads and comments with code-location context, thread status (active, fixed, won't fix, by design), comment timestamps, and users who liked each comment
Pull request labels with names and active status
Pull request attachments downloaded and stored alongside PR data in the archive
Work-item references linking pull requests to associated work items

Backups run on an automated schedule (daily by default, configurable to weekly, monthly, or custom intervals) with retention from 30 to 360 days. Each backup is a self-contained AES-256 encrypted ZIP archive that you can download and verify independently of Cloudback. Cloudback automatically discovers new repositories and starts protecting them, so backups follow your team as it grows.

Self-service restore

Restore any backup yourself from the Cloudback dashboard - to the same repository, a different repository, or a different Azure DevOps organization. A guided wizard handles authorization and target selection. For disaster-scale recovery, a single bulk restore covers many repositories at once. Download an encrypted archive any time to verify contents offline, run an external integrity check, or hold an immutable copy outside Cloudback.

Cloudback restore wizard for Azure DevOps backups

Encryption you control

Every backup is stored as a password-protected ZIP archive encrypted with AES-256. Cloudback uses a double-archive method that protects filenames as well as content.

For organizations that need to hold their own keys, Cloudback supports customer-managed encryption via RSA Lockbox (CMEK). You generate an RSA key pair and upload the public key. Cloudback encrypts each backup's password with that public key; the private key stays with you and is required to decrypt and restore. Rotating keys re-encrypts every existing backup's password envelope without rewriting or re-uploading the archives, so rotation is fast and storage-cheap.

Cloudback encryption provider configuration with RSA Lockbox

Storage you own

Pick from five Cloudback-managed regions (US, EU, UK, Sydney, Singapore) for quick setup with built-in data residency, or connect your own storage from any of these ten configurations:

Amazon S3 via access key
Amazon S3 via access point
Amazon S3 Glacier
Microsoft Azure Blob Storage
Google Cloud Storage
Wasabi
Microsoft OneDrive Business
Microsoft OneDrive Personal
Alibaba Cloud Object Storage Service (OSS)
OpenStack Swift

Configure composite storage to write each backup to multiple destinations at once for cross-cloud redundancy. Use Amazon S3 Object Lock for WORM-style immutability that survives compromised admin credentials. Cloudback also deduplicates storage by comparing each new backup with the previous one and skipping re-uploads when nothing changed.

Cloudback storage configuration for customer-managed providers

Notifications you can route

Backup status flows into the channels your team already uses:

Per-backup success and failure alerts delivered to Slack, Microsoft Teams, or Discord via webhook.
Daily summary of backup activity (total, successful, failed) aggregated per account and sent to the same channel at a time you choose.
Daily email listing every automatic backup that failed in the last 24 hours.

Display a Cloudback backup-status badge in your repository README so reviewers can confirm protection at a glance, without leaving Azure DevOps.

Compliance evidence on demand

Cloudback is SOC 2 Type II compliant and audited annually. Every backup, restore, schedule change, storage assignment, encryption key operation, and account access event is recorded in a tamper-evident audit log spanning 60+ event types. Export the log as CSV, or forward it to Datadog or another SIEM in real time.

Cloudback's Vanta integration syncs access review and control evidence into your compliance program, so you don't manually export reports for SOC 2, ISO, or GDPR audits.

Cloudback audit log with filterable event types

Microsoft integrations

Cloudback fits Microsoft-centric stacks:

Azure Marketplace billing: buy Cloudback under your existing Microsoft commercial agreement; usage rolls into your Azure invoice and consumes Azure consumption commitments where applicable.
Microsoft Azure Blob Storage as a customer-managed backup destination using your own storage account, container, and lifecycle policies.
Microsoft Teams: backup-status and restore notifications delivered to your Teams channels.
Microsoft OneDrive Business or Personal as an additional bring-your-own backup destination.
Azure DevOps: backups run against your organization without additional infrastructure, agents, or self-hosted runners.

Built for automation, not just dashboards

Manage Cloudback configuration the same way you manage the rest of your stack:

Terraform provider on the Terraform Registry: declare backup definitions, schedules, storages, retention policies, and encryption keys as code. Apply changes through CI/CD and roll back with standard terraform plan and terraform apply flows.
Operations API: programmatic access to backup state, restore operations, account management, audit log queries, and storage administration. Wire backup health into your existing observability or incident-response systems.
Model Context Protocol (MCP) server at myrtlelabs/cloudback-mcp on Docker Hub: any MCP-compatible AI assistant (Claude Code, Claude Desktop, Cursor, VS Code) can manage backups through natural language without bouncing into the dashboard.

Cross-platform protection

If your team also uses GitHub, GitLab, or Linear, Cloudback covers those from the same dashboard, with the same encryption, the same storage destinations, and the same retention policies. Cross-platform restore between GitHub and GitLab is supported for migration and disaster-recovery scenarios.

Pricing in brief

Cloudback charges per repository, not per user. Plans start at $10/month for 10 repositories (Basic) and scale to 1,000 repositories on the Enterprise plan. Pay-as-you-go variants are available, and 1, 2, and 3-year commitments include additional discounts. See the Plans & Pricing tab on this listing or the full breakdown on Azure Marketplace.

If you cancel: customer-managed-storage backups stay in your bucket; Cloudback-managed-storage backups follow your retention policy until deletion.

Get started

Click the install button above to add Cloudback to your Azure DevOps organization. A 30-day free trial starts immediately, no credit card required.

After install, authorize Cloudback to read your repositories. Cloudback auto-discovers them and enables daily backups using Cloudback-managed storage with 30-day retention. New repositories added later are automatically discovered and protected the same way.

Customize anything later from the dashboard: switch storage, change schedules or retention, enable customer-managed encryption (RSA Lockbox), or review the audit log.