Backup is one of the most neglected topics in African e-commerce: Bluehost / OVH offer backups, but they are often stale (D-7), and restorations take 24-72h. For an e-commerce business making 500K XOF/day, that's unacceptable. Here is the clean 2026 backup procedure.
TL;DR
- 3-2-1 rule: 3 copies, 2 different media, 1 off-site.
- Daily automatic backup + monthly long-term.
- Monthly restoration test (no test = no backup).
- Cost: €5-30/month for an SME.
The 3-2-1 rule
3 copies of your data:
- Original (production)
- Local copy (different server or disk)
- Remote copy (different cloud or different country)
2 different media (cloud + local disk, or DO Spaces + Hetzner Storage Box).
1 geographically off-site copy (in case the main data center suffers a disaster).
Components to back up
| Component | Critical | Frequency |
|---|---|---|
| Database (Postgres, MySQL) | ✓✓✓ | Daily + continuous WAL |
| Source code (Git) | ✓✓ | Daily push GitHub/GitLab |
| User uploads (images, PDFs) | ✓✓ | Daily |
| Env configs (.env) | ✓✓ | Versioned separately (encrypted) |
| Critical logs | ✓ | Weekly |
| Cache (Redis) | × | Not critical |
Step 1 — daily Postgres backup
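```bash
#!/bin/bash
# /opt/scripts/backup-postgres.sh
# Abort on the first error so a failed pg_dump is never encrypted and uploaded as if it were valid
set -euo pipefail
DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_DIR=/opt/backups/postgres
mkdir -p "$BACKUP_DIR"
# Compressed dump (custom format)
docker exec postgres_container pg_dump -U postgres -F c -d mydb > "$BACKUP_DIR/db_$DATE.dump"
# Encryption (sensitive data); writes db_$DATE.dump.gpg next to the dump.
# --batch --yes keeps gpg from waiting for input when run from cron.
gpg --batch --yes --encrypt --recipient backup@kolonell.com "$BACKUP_DIR/db_$DATE.dump"
rm "$BACKUP_DIR/db_$DATE.dump"
# Upload to DO Spaces
s3cmd put "$BACKUP_DIR/db_$DATE.dump.gpg" "s3://kolonell-backups/postgres/$DATE.dump.gpg"
# Delete local copies older than 7 days
find "$BACKUP_DIR" -name "*.dump.gpg" -mtime +7 -delete
```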
Daily cron:
```bash
0 3 * * * /opt/scripts/backup-postgres.sh
```
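A cron job that runs does not prove a usable dump was produced. The following check is an added example, not part of the original article: it assumes the `db_YYYYMMDD_HHMMSS.dump.gpg` naming from Step 1, while the function name `check_backups` and the 50% shrink threshold are illustrative choices.

```bash
#!/bin/sh
# Added example (not from the original article): verify the daily dump landed.
# Assumes the db_YYYYMMDD_HHMMSS.dump.gpg naming from Step 1; check_backups and
# the 50% shrink threshold are illustrative choices.

# Usage: check_backups DIR TODAY      (TODAY as YYYYMMDD)
# Returns 0 = OK, 1 = no backup dated TODAY, 2 = shrank by more than half.
check_backups() {
  local dir="$1" today="$2" newest prev stamp size prev_size
  # Timestamped names sort chronologically: the last two are newest and previous.
  newest=$(ls "$dir"/db_*.dump.gpg 2>/dev/null | sort | tail -n 1)
  prev=$(ls "$dir"/db_*.dump.gpg 2>/dev/null | sort | tail -n 2 | head -n 1)
  if [ -z "$newest" ]; then echo "ALERT: no backups in $dir"; return 1; fi

  stamp="${newest##*/db_}"      # 20260514_030000.dump.gpg
  stamp="${stamp%%_*}"          # 20260514
  if [ "$stamp" != "$today" ]; then
    echo "ALERT: newest backup is dated $stamp, expected $today"; return 1
  fi

  size=$(wc -c < "$newest" | tr -d ' ')
  if [ "$prev" != "$newest" ]; then
    prev_size=$(wc -c < "$prev" | tr -d ' ')
    # An encrypted empty or near-empty dump is still a few hundred bytes, so
    # compare with the previous backup instead of testing for zero size.
    if [ $((size * 2)) -lt "$prev_size" ]; then
      echo "ALERT: $newest is $size bytes, previous was $prev_size"; return 2
    fi
  fi
  echo "OK: $newest ($size bytes)"
}

# Constructed sample data: two fake "dumps" in a temporary directory.
demo=$(mktemp -d)
printf '%4000s' x > "$demo/db_20260513_030000.dump.gpg"
printf '%1000s' x > "$demo/db_20260514_030000.dump.gpg"
check_backups "$demo" 20260514 || echo "exit status: $?"
rm -rf "$demo"
```

Run it from cron an hour after the backup job and route a non-zero exit status to whatever alerting channel you already use.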
Step 2 — user upload backup
If Cloudflare R2 / S3:
- Versioning + lifecycle (built-in, free)
- Cross-region replication (few cents/month)
If local storage:
```bash
# Sync uploads to DO Spaces (rsync cannot write to s3:// URLs; s3cmd sync can)
s3cmd sync /opt/uploads/ "s3://kolonell-backups/uploads/$(date +%Y%m%d)/"
```
Step 3 — long-term monthly backup
Daily = 30-day retention.
Monthly = 12-month retention.
```bash
# 1st of the month: copy that day's backup to the long-term archive, then upload it.
# In a crontab, % must be escaped as \% (an unescaped % ends the command).
0 4 1 * * cp /opt/backups/postgres/db_$(date +\%Y\%m01)_*.dump.gpg /opt/backups-monthly/ && s3cmd put /opt/backups-monthly/*.dump.gpg s3://kolonell-archive/$(date +\%Y)/
```
DO Spaces archive: "Standard-Infrequent Access" tier costs 30% less.
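The scripts above only delete local copies after 7 days; nothing enforces the 30-day and 12-month retention on the remote side. The following classifier is an added example, not part of the original article. It goes beyond the text by also covering the 5-year annual copies mentioned in the FAQ, and it assumes that a monthly backup is one dated the 1st, an annual backup is one dated 1 January, and that 12 months and 5 years mean 365 and 1826 days.

```bash
#!/bin/sh
# Added example (not from the original article): classify backups by retention rule.
# Assumed thresholds: daily = 30 days, monthly = 365 days, annual = 1826 days.

# days YYYYMMDD -> days since 1970-01-01 (pure shell arithmetic, no GNU date needed)
days() {
  local y="${1%????}" md="${1#????}" m d yoe mp doy
  m="${md%??}"; d="${md#??}"
  m="${m#0}"; d="${d#0}"            # strip leading zeros: 08 would parse as octal
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  yoe=$((y % 400))
  mp=$(( (m + 9) % 12 ))            # March = 0 ... February = 11
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  echo $(( y / 400 * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# classify FILE TODAY -> keep-daily | keep-monthly | keep-annual | delete
classify() {
  local stamp age
  # Accepts db_20260514_030000.dump.gpg as well as 20260514_030000.dump.gpg
  stamp="${1##*/}"; stamp="${stamp#db_}"; stamp="${stamp%%_*}"
  age=$(( $(days "$2") - $(days "$stamp") ))
  if [ "$age" -le 30 ]; then echo keep-daily
  elif [ "${stamp#??????}" = 01 ] && [ "$age" -le 365 ]; then echo keep-monthly
  elif [ "${stamp#????}" = 0101 ] && [ "$age" -le 1826 ]; then echo keep-annual
  else echo delete
  fi
}

# Constructed sample listing, evaluated as if today were 2026-05-14.
for f in db_20260501_030000.dump.gpg db_20260410_030000.dump.gpg \
         db_20260401_030000.dump.gpg db_20250101_030000.dump.gpg \
         db_20200101_030000.dump.gpg; do
  printf '%-32s %s\n' "$f" "$(classify "$f" 20260514)"
done
```

Review the `delete` list by hand before wiring it to any removal command.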
Step 4 — config backup
Env files, secrets, sensitive configs:
```bash
# Encrypted backup (compute the date once so both commands use the same file name)
STAMP=$(date +%Y%m%d)
tar czf - /opt/configs | gpg --encrypt --recipient backup@kolonell.com > "config_$STAMP.tar.gz.gpg"
# Upload
s3cmd put "config_$STAMP.tar.gz.gpg" s3://kolonell-backups/configs/
```
NEVER in public Git. NEVER in plain text on cloud.
Step 5 — restoration procedure
Scenario 1 — partial DB corruption
```bash
# 1. Stop app
docker stop my_app
# 2. Get backup
s3cmd get s3://kolonell-backups/postgres/20260514_030000.dump.gpg ./
gpg --decrypt 20260514_030000.dump.gpg > restore.dump
# 3. Restore into a fresh database (pg_restore -d needs the target to exist)
docker exec postgres_container createdb -U postgres mydb_new
docker exec -i postgres_container pg_restore -U postgres -d mydb_new < restore.dump
# 4. Switch DB
# (rename mydb_new to mydb after verification)
# 5. Restart application
docker start my_app
```
Target time-to-recovery (TTR): <30 min.
Scenario 2 — full server loss
```bash
# 1. Provision new server (Hetzner CX31 - 30 sec)
# 2. Install Docker + Caddy + scripts (~10 min)
# 3. Retrieve DB + config + uploads backup
# 4. Restore DB (5-15 min depending on size)
# 5. Pull Docker images from registry
# 6. Start services
# 7. Update DNS if IP changes
```
Target TTR: <2h to restore full production.
Scenario 3 — ransomware / malicious code
```bash
# 1. Stop application immediately
# 2. Provision isolated server (clean room)
# 3. Restore PRE-incident backup (D-2 if bug detected D-0)
# 4. Reset all secrets (passwords, API keys)
# 5. Forensics on the infected server before cleanup
# 6. Re-deploy verified source code from Git
# 7. Restore DB from clean backup
# 8. Reset 2FA on all admins
```
Step 6 — MONTHLY test (most important)
Without testing, you don't know if backups work. Monthly procedure:
On the staging server:
- Wipe staging
- Pull the most recent backup
- Full restore
- Smoke test: login, product page, test order
- Document the result in the runbook
90% of broken-in-production backups are untested backups.
Typical monthly cost
| Component | Cost |
|---|---|
| DO Spaces 50 GB backups | $5 |
| DO Spaces archive 200 GB | $5 |
| Hetzner Storage Box 1 TB (off-site) | €4 |
| Cloudflare R2 (alternative) | $1.50 / 100 GB |
| Typical SME total | ~€15/month |
Recommended tools
| Tool | Use |
|---|---|
| restic | Backup CLI, dedup, encryption |
| borgbackup | Advanced backup CLI |
| pg_dump + cron | Simple Postgres |
| WAL-G | Postgres continuous backup (WAL) |
| Velero | Kubernetes backup (Enterprise) |
| Veeam | VM backup (Enterprise) |
For SMEs: restic or pg_dump + cron is enough.
Real case — incident resolved
Dakar fashion shop, summer 2025:
- Friday 6 pm: SQL injection detected → tables emptied
- Saturday 9 am: DB restoration from D-1 backup
- Saturday 11 am: forensics + flaw identification
- Saturday 3 pm: patch + redeploy
- Saturday 4 pm: back online
Losses: about one day of downtime, from Friday evening to Saturday afternoon (~600K XOF in revenue), but the data was preserved. Without a clean backup: total loss and a destroyed reputation.
FAQ
Q: Is the Vercel / hosting provider's backup enough?
A: No. A host backup sits in the same place as production, so theft or corruption at the host means loss. Always keep an off-site copy.
Q: How long should a backup be kept?
A: 30 days daily + 12 months monthly + 5 years annual for tax compliance (DB-stored invoices).
Q: Is encrypting backups mandatory?
A: Yes, for GDPR/CDP compliance. Use GPG or age, and keep the private key off the backup server.
Conclusion
Backup isn't a bonus; it's vital insurance. €15-30/month is money well invested for complete protection. The 3-2-1 procedure + monthly test + runbook documentation = the 2026 standard for any serious African e-commerce SME. The ideal time to set this up: before the first incident.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.

