Yes. According to Salesforce's adherence to the Shared Responsibility Model, customers are responsible for the backup and protection of their Salesforce data. Under this model, customers act as the “Controller” of their data, while Salesforce acts as the “Processor” of said data.
As processor, Salesforce assumes complete responsibility for application availability and provides extensive security measures to help keep your data safe. However, Salesforce is also obligated to add, delete or modify data as long as the request is authenticated by valid credentials. As a result, accidental, malicious or fraudulent deletions, in all cases, are the responsibility of the customer/controller.
For this reason, customers are encouraged to implement additional backup measures, such as Spanning Backup for Salesforce. Having a quality backup solution in place helps to ensure comprehensive and customized data protection, minimizing the risk of data loss and facilitating swift recovery in case of unforeseen events.