Independence from Azure, immutability, compliance posture, and Australian data sovereignty — which fits the Essential Eight requirement better.
Independent cloud, immutable by design.
Self-managed backup software.
Keepit and Veeam solve the same problem with completely different architectures. Keepit is a managed SaaS service — you buy a seat count and the vendor runs everything in an independent cloud. Veeam is self-managed software — you run the servers, you choose the storage, you own the operational responsibility. The Essential Eight and data sovereignty story points to Keepit; the customise-everything story points to Veeam. This page helps you decide which lens applies to your organisation.
Keepit is a pure-SaaS backup platform that stores Microsoft 365 data in its own blockchain-verified cloud — completely separate from Azure. There is nothing to install, nothing to patch, and the infrastructure that holds your backup is owned and operated by a vendor with no commercial dependency on Microsoft.
Veeam Backup for Microsoft 365 is self-managed backup software. You deploy it on a Windows server (on-premises or in Azure/AWS), point it at Microsoft 365, and choose where to store the backups — local disk, object storage, tape, or via the VCSP programme. Mature, flexible, and widely deployed.
| Feature | KKeepit for Microsoft 365 | VVeeam Backup for Microsoft 365 |
|---|---|---|
| Architecture | Pure SaaS — no infrastructure to run | Self-managed software on Windows Server |
| Independent of Azure | Fully — runs on Keepit's own cloud infrastructure | Only if you choose to store backups outside Azure (which you must configure) |
| Immutability | Immutable by design — blockchain-verified, cannot be disabled | Available via hardened repo or S3 Object Lock — requires configuration |
| Scope of protection | Exchange, OneDrive, SharePoint, Teams, Entra ID, Power Platform, Dynamics 365 | Exchange, OneDrive, SharePoint, Teams |
| Deployment time | Hours — sign up, connect tenant, done | Days — provision server, install, configure repository, run baseline |
| Storage cost | Included in per-user subscription — unlimited retention | Pay for the storage you provision separately |
| Australian data residency | Yes — certified AU data centres | Wherever you configure the repository to live |
| Operational responsibility | Keepit — vendor-managed | Customer — you patch, monitor, scale |
| Customisation of backup jobs | Policy-based, limited to what the SaaS exposes | Full — scripting, REST API, any retention logic |
| Integration with existing Veeam estate | Standalone — separate portal | Native — same management lens as Veeam B&R |
Highlighted cells show where one product has a clear advantage for the majority of Australian mid-market and MSP use cases. Ties are unhighlighted.
Microsoft does not back up your Microsoft 365 data in the sense a traditional backup team would recognise. The Microsoft Services Agreement is explicit: customers are responsible for data protection against their own mistakes, compromised credentials, malicious insiders, and retention beyond what the service natively offers. Microsoft provides high availability for the service itself — not backup of your content.
For Australian organisations subject to the ACSC Essential Eight, APRA CPS 234, or the Privacy Act, this gap has to be filled. Both Keepit and Veeam fill it — the question is how much of the operational responsibility you want to own.
The strongest argument for Keepit comes from a simple question: if Microsoft 365 is the platform you need to recover from, does your backup depend on Microsoft? This matters in two scenarios:
1. A cyber incident that uses your Microsoft tenant as the attack surface. If the attacker has compromised your Entra ID, spread laterally via compromised service principals, and gained access to storage accounts inside your Azure subscription, any backup stored inside that same subscription is potentially reachable by the same attacker. Veeam gives you the option to put the backup outside Azure — but it's an option, and option-based architectures fail when people configure them wrong. 2. A commercial or contractual dispute with Microsoft. This is rare but real. If the worst case is your tenant being suspended or terminated, you want backups that can be restored into a different tenant, or into a different platform entirely, without needing access to anything inside the original Azure account.
Keepit's architecture takes the question off the table. The backup lives on Keepit's own infrastructure: a separate cloud, a separate vendor, and a separate billing relationship you could still pay if your Azure tenant went dark tomorrow. The blockchain-verified storage layer makes immutability structural rather than configurable. There is no 'turn off immutability' toggle because the system can't rewrite history in the first place.
Veeam's pitch is the other side of the same argument: you own the backup infrastructure, so you own the keys to your recovery. For organisations that already run Veeam Backup & Replication for their VMs and databases, adding Microsoft 365 protection as a second workload in the same product keeps the stack simple. Same vendor, same management plane, same runbook.
Veeam is also more flexible. You can:
The trade-off is operational: you patch the Windows Server, you size the repository, you monitor the jobs, you upgrade when a new major version ships. Keepit takes that entire column off the table, but you give up some flexibility to get there.
The ACSC Essential Eight maturity model has explicit requirements around backup: daily, off-site, immutable, and regularly tested. At Maturity Level 2, backups must be stored immutably and separately from the primary system for at least 3 months. At Maturity Level 3, they must be stored immutably and tested regularly, with access restricted to break-glass accounts.
Keepit maps to both levels out of the box. The backup is immutable by design, the storage is a completely separate cloud, and the role-based access model is built around break-glass patterns. You don't configure your way to ML3. It's the default.
Veeam maps to both levels if you configure it correctly. Hardened Linux repositories give you immutability. Offsite storage via S3 Object Lock gives you geographic separation. Break-glass access is an RBAC configuration inside the product. All supported, all well documented, all things you have to set up and get right. When an auditor asks 'describe your immutability architecture', the Keepit answer is 'here's the contract'. The Veeam answer is a 12-page runbook.
If you're in financial services, health, or government, the Keepit story is simpler to defend in an audit. If you're a mature IT shop with deep Veeam expertise and solid change-control practices, the Veeam story holds up fine too.
Microsoft 365 is no longer just Exchange, OneDrive, SharePoint, and Teams. Entra ID holds your identity and authentication configuration. Power Platform holds your low-code business applications and their associated data. Dynamics 365 holds your CRM and ERP records. Each of these is a separate recovery story, and Microsoft's native retention is different for each.
Keepit covers all of them. The same product backs up Exchange, OneDrive, SharePoint, Teams, Entra ID, Power Platform (flows, apps, environments), and Dynamics 365 (records, customisations, data model). One portal, one contract.
Veeam Backup for Microsoft 365 covers Exchange, OneDrive, SharePoint, and Teams. For Entra ID, Power Platform, and Dynamics 365 you either accept the gap or buy a second product. Veeam has been signalling Entra ID coverage for some time but at time of writing it is not shipping.
If Power Platform or Dynamics 365 are business-critical for your organisation, this gap matters.
Direct dollar comparisons are hard because the two products price differently. Keepit is per user per month, with unlimited retention and storage included. You know exactly what the bill will be for a given seat count.
Veeam has per-user licensing too, but storage and compute are separate. A realistic Veeam Microsoft 365 deployment includes:
For a 200-user tenant with 1-year retention, the Veeam total cost is typically in the same ballpark as Keepit once you add up all the line items. For 10-year retention (common in legal, health, and financial services), Veeam's storage bill grows linearly while Keepit's subscription stays flat — Keepit is generally cheaper at long retention horizons.
For short-retention requirements and organisations that already have Veeam infrastructure, Veeam is often the cheaper option. For long-retention, regulated, or greenfield deployments, Keepit is usually cheaper once you include operational cost.
Licensing, multi-tenancy, pricing, and deployment decisions for MSPs building a backup-as-a-service practice in Australia.
Both are SaaS-delivered. One runs on Azure. One does not. Here is why that matters, and where each product actually wins.
Two serious SaaS backup platforms, different architectures, different trade-offs. Here is where each one wins.
15+ SaaS workloads. Independent cloud. More shipping every quarter.
Top-Rated Backup, Ransomware Recovery, and Disaster Recovery
Simple, Affordable Storage Optimisation and Disaster Recovery Protection