Last year, at the annual conference for an open source framework you've definitely heard of, I walked up to the founder in a room outside the main stage. He was hunched over his laptop, frantic. We've known each other for a few years.
"What's going on? Is everything okay?"
He looked up with the specific shade of white people only get when they realize they've made a big mistake.
"I deleted everything."
Not "something broke." Not "I think there's a problem." He had wiped out the environment he'd spent considerable time preparing. The version he was about to launch live from the stage in thirty minutes, in front of a couple thousand developers, plus the livestream.
Then his face shifted. He said, "Hold on. Upsun has automated backups."
One button. Three minutes later, everything was back. The demo, the data, the configuration. He had time before he walked out to add a slide to the deck thanking us for saving his ass.
I tell that story a lot. Usually as a funny conference moment. This week it stopped being funny.
A founder named Jer Crane runs a SaaS company called PocketOS. Last Friday, as covered in The Register, his AI coding agent, Cursor running Claude Opus 4.6, decided to fix a credential mismatch by deleting his production database on Railway. It took nine seconds. The agent found an unrelated API token with broad permissions, hit a Railway endpoint, and removed the volume. The volume-level backups went with it, because Railway stores them in the same volume.
Then Crane waited about thirty hours, mostly through the weekend, before Railway's CEO stepped in personally on Sunday evening to recover the data.
Read the postmortem. Crane handled it well. He's honest about the human errors involved. Railway's CEO, Jake Cooper, was direct about what happened: "if you (or your agent) authenticate, and call delete, we will honor that request." Their API followed classical engineering semantics. You called destroy, it destroyed.
Crane summed up what changed: “An API key should only be accessed by a human, which is true and has always been the case. Now, when a computer is in control and you do not know what it is doing, what happens?”
The backup architecture is the headline, and not just marketing spin. Upsun runs one automated backup per day for production environments by default, with a configurable schedule that can do more if you want. Those automated backups are always live, so they don't pause your site to run. And here is the part that matters for this situation, quoted directly from the physical storage location section of the docs: "Backups are stored as binary large objects separate from your environments. This storage is replicated over multiple data centers in different locations within the region your project is hosted in."
Read that again. Separate from your environments. Replicated across data centers. That is the structural difference. The framework founder's "delete everything" was a destructive operation against his environment. The snapshot of his environment was not in the same storage, so it survived.
There is a second layer of protection beneath that. When a project is deleted on Upsun, the platform takes a final "tombstone" backup of active environments and the Git repository, retained for between 7 days and 6 months. Even a complete project deletion leaves a recovery path.
Byte-level environment cloning is the related capability for preview and staging work. Every Git branch or pull request can spin up a byte-level clone of production, data and services included, so your testing surface matches your production surface. The same architecture that makes that fast is the architecture that makes restoration fast.
The compliance certifications held directly by Upsun (ISO 27001, SOC 2 Type 2, PCI DSS Level 1, HIPAA, and TX-RAMP), plus validation for IBM Cloud Financial Services, are the reason your security team will let you ship.
None of that is novel. Every one of those features exists because someone, somewhere, ten years ago, had a Friday evening just like Crane's, and we built the thing that would have helped prevent this from happening.
AI-augmented coding platforms optimize for one thing, which is the speed of a developer (or an agent) going from intent to running code. They do that well. The cost, until recently, was that the surface area of "a destructive action" was small enough that a careful human could keep track of it.
The agent changed the math. An autonomous coding agent can issue more API calls in nine seconds than a human will issue in a week. It will find tokens you forgot you generated. It will read documentation you forgot you wrote. And it will, occasionally, decide to delete your production database to fix a typo.
The question is not whether your platform's marketing says it is safe. The question is whether the platform's API treats a destructive call from your agent the same way your enterprise security policy treats a destructive call from an intern. If the answer is "the same," you have a problem your contract did not warn you about.
Upsun has been running production workloads for enterprises for more than a decade. The reason we have automated backups, isolated snapshot storage, byte-for-byte cloning, and YAML-defined infrastructure is not because it sounded good in a pitch deck. It's because we have watched enough Friday nights go sideways to know what protects you from them.
The framework founder walked on stage that day. He launched his project. He thanked us from the stage in front of his community. The bit about the deletion became part of his keynote because, in his telling, the recovery was the most boring possible thing that could have happened. Push the button, wait three minutes, keep going.
That is the bar. Not zero failures, because anyone who promises zero failures is selling you something. Recovery so boring it becomes a slide.
Crane said something at the end of his postmortem that I keep thinking about. "The appearance of safety, through marketing hyperbole, is not safety." He is right. The safeguards are the safeguards, or they are not. They work on a Friday at 5pm or they do not.