These are direct quotes from Intuit's published QuickBooks Online Terms of Service — not paraphrased.
"You are responsible for any lost or unrecoverable Content and for keeping backups of any Content you provide through your use of the Services."
Intuit QuickBooks Online Terms of Service — User Responsibility Clause
"Intuit is not responsible for any of your Content that you submit through the Services."
Intuit QuickBooks Online Terms of Service — Disclaimer of Responsibility
Intuit's total liability is capped at "the greater of fees paid in the prior 12 months OR $100" — even if you lose years of financial records.
Intuit QuickBooks Online Terms of Service — Aggregate Liability Cap
The shared responsibility model: Intuit protects their infrastructure from data-centre-level failures. You must protect your company data from human error, rogue access, third-party app corruption, and credential theft. These are different risks, and Intuit covers only one of them.
QBO has no recycle bin. Deleted customers, voided transactions, and bulk re-categorisations are permanent. There is no undo button for bulk operations. Users report losing months of data during chart of accounts reorganisations and CSV import mistakes.
Apps with QBO API access (Shopify, Stripe, payroll tools, CRMs) can overwrite records via "full update" API calls, create thousands of duplicate entries, write transactions to closed periods, or corrupt transaction amounts during a failed partial sync. No native rollback exists.
An admin-level user can systematically delete invoices, alter vendor bank details (redirecting ACH payments), or void months of transactions. Research shows most businesses take weeks to revoke ex-employee access. Without a backup, these changes are irreversible.
Ransomware campaigns specifically target accountants via phishing emails impersonating Intuit. Once credentials are stolen, attackers export or delete all QBO data. In QBO, ransomware means account takeover — not file encryption. There is no local file to recover from. Your cloud data is only as safe as your login credentials.
Importing a malformatted CSV into QBO can overwrite existing records, create duplicates, or assign transactions to wrong accounts across an entire date range. QBO's import tool does not validate against existing data — it just writes whatever is in the file.
Even if you're on QBO Advanced ($200/mo) with backup enabled, the native backup excludes: custom reports, bank rules, reconciliation history, payroll records, recurring transactions, invoice templates, budgets, inventory adjustments, and more.
Modern cyber insurance applications (from carriers including Chubb, AXA, Travelers, Beazley, and Coalition) now explicitly ask whether you maintain backups that are independent, immutable, and regularly tested.
If you suffer a data loss event and your only "backup" was Intuit's platform-level disaster recovery — which you don't control and cannot restore from — insurers can deny your claim on grounds of failure to implement adequate data protection controls.
The 3-2-1 Backup Rule is now a de facto standard in cyber insurance underwriting: 3 copies, 2 different media, 1 offsite. QBO alone satisfies none of these for your individual data.
Independent from primary system
QBO alone: QBO's backup is controlled by Intuit
Immutable (WORM-protected)
QBO alone: No protection against deletion or encryption
Encrypted in transit and at rest
QBO alone: Intuit-managed encryption, not user-controlled
Regularly tested with documented restoration
QBO alone: No individual company restore testing capability
Independent of employee access
QBO alone: A deleted record stays deleted
All 5 requirements met with WOW Backup
Why backup QuickBooks