I suppose that the most popular question I get when introducing Exchange Online or SharePoint Online to a company, is: do I need a backup solution? Let me start off by saying: applications don't need backup, the data in it does. Many might at first think that Office 365 saves the IT department from the backup burden. Unfortunately, it doesn't. Actually, it makes it slightly worse. Not so much from the technical point of view, but rather from the architect's view.
Backups are implemented because of a combination of these three elements:
As the supplier, Microsoft is responsible for some of the parts. However, it remains the customer who should have a backup plan containing all three.
The technical concerns are compromised of availability, resiliency and disaster recovery. Microsoft has taken care of this. For example, each Exchange Online mailbox has three database copies and one lagged database copy across multiple datacenters. SharePoint Online operates on an active/active failover set-up: there are always two farms available per tenant. Sites are backed up twice a day. Microsoft guarantees 99,9%, but typically achieves 99,98%. No one knows how these numbers are computed and what they exactly mean: we just have to take them for granted ✌. So, apparently, not much need for a plan here.
To the end user, the functional backup needs are most important. Most backup restores tend to have a root cause in the end user: ransomware, accidental deletes, etcetera. Item-level recoverability by the end user is key here and Exchange Online and SharePoint Online provide builtin functions for this. The legendary SharePoint two-staged recycle bin stores deleted files for 90 days. File version history is enabled by default and keeps 500 copies. Exchange Online comes with single item recovery enabled. The recycle bin has no deletion policy, so items are preserved indefinitely. When items are permanently deleted, they are moved to the recoverable items folder for 14 days (change it to 30 using PowerShell!). The beautiful part here is that these recoveries require no IT personnel interventions 🎉 The users are able to restore items.
The above notwithstanding, it only provides solid pretection for a short retention period and only against accidental deletes. If a user deliberately would like to delete a file or e-mail, s/he can bypass the recycle bin or the recoverable items folder and boom it's gone. This might be a risk you might be willing to accept. Also, point-in-time recovery is currently only available for OneDrive for Business.
So I suppose the functional part is in many ways better than before, in particular when comparing SharePoint Online to a regular fileserver.
Soooo, here it is where it finally gets tricky - and the answers get more vague. A SaaS-supplier can't really help you with your organisational requirements. What if you require 99,95% uptime? Or you have specific retention policies because of laws, audits or branche-specific regulations (healthcare, construction). Perhaps your enterprise architecture specifies a rule that certain data classifications require an offsite backup. And there is always someone who adds to the discussion that the enormous Office 365 vendor lock-in is indeed a risk.
Office 365 Enterprise editions come with additional retention functionalities such has litigation hold and in-place hold. Microsoft has been working hard and succesfully to streamline the segregated retention policies into Office 365's Security & Compliance Center. This allows you to store financial documents across all Office 365 apps for many years without the risk of loosing them. The advanced retention functionalities in Office 365 Enterprise do not cover all organisation requirements you might have. And perhaps your IT manager is not willing to pay the extra license costs.
As we have seen, Microsoft has taken care of much of your availability, resiliency and recovery needs. But you are not automatically protected from deliberate deletes, vendor lock-in, retention needs, RTO, RPO and other organisational requirements. You need to make your plan: identify the requirements, determine the risks and propose the remedies.
So what about other Office 365 apps, such as Planner and Flow? Some apps are stored in Exchange Online and / or SharePoint Online (Planner, parts of Teams, OneNote, Delve, ...) and are protected by the resiliency of these underlying services. Others, such as Flow and Forms, are a bit shady: Microsoft hasn't mentioned it in any document. We may assume technically it is top-notch, but item-level restore of a deleted Flow for example is not arranged for.
Should you require more than what Office 365 offers out-of-the-box, there is good news. A lot of partners have developed products that provide backup for SharePoint Online and Exchange Online (SkyKick, Spanning, CloudAlly, AvePoint, just to name a few). I have yet to see the holy grail of Office 365 backup solutions, since the ones that are currently available are - well eh - in development. Go for a solution that you can backup to AWS or on-premises and provides granular restore. This thread on Tech Community provides a good discussion of the backup products available. Most products don't offer protection for other Office 365 apps, such as Teams or Flow.
In conclusion, my short answer to do I need backup for Office 365? Yes you do, but save yourself the headache at this moment. Your on the safe side from the technical and functional perspective. There are no good fully integrated and comprehensive solutions on the market right now, giving you a false sense of protection. Make a good plan instead. As a closing reminder: applications do not need backup, what you store in it does.