Zoho Books stores your books in the cloud, but you should still maintain your own backups, configure the audit trail, and harden security settings. Five minutes per month prevents 50 hours of regret.
What you'll learn
→ Periodic backups → Audit trail configuration → Security hardening → Disaster recoveryPeriodic backups
Settings → Data Backup → Schedule Backup. Configure monthly automatic backup to download a full data export, chart of accounts, transactions, masters, attachments. Save to your own cloud storage (Google Drive, Dropbox, OneDrive) for an off-platform copy.
Quarterly, manually verify a backup by opening the export and spot-checking samples. The discipline catches export errors silently otherwise. Auditors increasingly ask for evidence of a backup process, five minutes a quarter satisfies the question.
Audit trail configuration
Settings → Audit Trail → Enable for All Modules. Records every change to every transaction. Mandatory for FTA-audit defence and best-practice for internal control. Storage is unlimited at no extra cost.
Lock periods after filing VAT or CT, Settings → Period Locking. Once locked, transactions in that period cannot be edited without an admin unlock. Combined with the audit trail, you can prove no retrospective changes were made.
Security hardening
Two-factor authentication for every user (mandatory). Strong password policy (Settings → Security → Password Policy → 12+ characters, mixed case, numbers, symbols). Single Sign-On via SAML for organisations with identity providers (Okta, Azure AD).
IP whitelisting (Premium plan) restricts Zoho login to your office network and approved remote IPs. Useful for sensitive operations; overkill for most SMEs. Session timeout 30 minutes. Auto-logout on browser close.
Disaster recovery
Zoho's own DR is robust, multiple data centres, daily replicated backups, 99.95% uptime SLA. Your DR is about losing access (account compromise, lapsed subscription) more than data loss.
Maintain a written recovery procedure: who has admin access, where the backups are stored, who handles a security incident. Walk through it annually. The first test of a DR plan should never be during an actual incident.
This guide is general information, not professional advice. For situations that involve specific facts, talk to your accountant, or hire one of ours from the marketplace.