diff --git a/.dockerignore b/.dockerignore
index c79ca7b4..296537de 100755
--- a/.dockerignore
+++ b/.dockerignore
@@ -31,3 +31,4 @@
 LICENSE
 README.md
 data/
+docker/data/
diff --git a/apps/api/urls.py b/apps/api/urls.py
index 7d9edb52..4c92c70a 100644
--- a/apps/api/urls.py
+++ b/apps/api/urls.py
@@ -27,6 +27,7 @@ urlpatterns = [
     path('core/', include(('core.api_urls', 'core'), namespace='core')),
     path('plugins/', include(('apps.plugins.api_urls', 'plugins'), namespace='plugins')),
     path('vod/', include(('apps.vod.api_urls', 'vod'), namespace='vod')),
+    path('backups/', include(('apps.backups.api_urls', 'backups'), namespace='backups')),
     # path('output/', include(('apps.output.api_urls', 'output'), namespace='output')),
     #path('player/', include(('apps.player.api_urls', 'player'), namespace='player')),
     #path('settings/', include(('apps.settings.api_urls', 'settings'), namespace='settings')),
diff --git a/apps/backups/__init__.py b/apps/backups/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/apps/backups/api_urls.py b/apps/backups/api_urls.py
new file mode 100644
index 00000000..226758cc
--- /dev/null
+++ b/apps/backups/api_urls.py
@@ -0,0 +1,18 @@
+from django.urls import path
+
+from . import api_views
+
+app_name = "backups"
+
+urlpatterns = [
+    path("", api_views.list_backups, name="backup-list"),
+    path("create/", api_views.create_backup, name="backup-create"),
+    path("upload/", api_views.upload_backup, name="backup-upload"),
+    path("schedule/", api_views.get_schedule, name="backup-schedule-get"),
+    path("schedule/update/", api_views.update_schedule, name="backup-schedule-update"),
+    path("status/<str:task_id>/", api_views.backup_status, name="backup-status"),
+    path("<str:filename>/download-token/", api_views.get_download_token, name="backup-download-token"),
+    path("<str:filename>/download/", api_views.download_backup, name="backup-download"),
+    path("<str:filename>/delete/", api_views.delete_backup, name="backup-delete"),
+    path("<str:filename>/restore/", api_views.restore_backup, name="backup-restore"),
+]
diff --git a/apps/backups/api_views.py b/apps/backups/api_views.py
new file mode 100644
index 00000000..c6ff7d26
--- /dev/null
+++ b/apps/backups/api_views.py
@@ -0,0 +1,364 @@
+import hashlib
+import hmac
+import logging
+import os
+from pathlib import Path
+
+from celery.result import AsyncResult
+from django.conf import settings
+from django.http import HttpResponse, StreamingHttpResponse, Http404
+from rest_framework import status
+from rest_framework.decorators import api_view, permission_classes, parser_classes
+from rest_framework.permissions import IsAdminUser, AllowAny
+from rest_framework.parsers import MultiPartParser, FormParser
+from rest_framework.response import Response
+
+from . import services
+from .tasks import create_backup_task, restore_backup_task
+from .scheduler import get_schedule_settings, update_schedule_settings
+
+logger = logging.getLogger(__name__)
+
+
+def _generate_task_token(task_id: str) -> str:
+    """Generate a signed token for task status access without auth."""
+    secret = settings.SECRET_KEY.encode()
+    return hmac.new(secret, task_id.encode(), hashlib.sha256).hexdigest()[:32]
+
+
+def _verify_task_token(task_id: str, token: str) -> bool:
+    """Verify a task token is valid."""
+    expected = _generate_task_token(task_id)
+    return hmac.compare_digest(expected, token)
+
+
+@api_view(["GET"])
+@permission_classes([IsAdminUser])
+def list_backups(request):
+    """List all available backup files."""
+    try:
+        backups = services.list_backups()
+        return Response(backups, status=status.HTTP_200_OK)
+    except Exception as e:
+        return Response(
+            {"detail": f"Failed to list backups: {str(e)}"},
+            status=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        )
+
+
+@api_view(["POST"])
+@permission_classes([IsAdminUser])
+def create_backup(request):
+    """Create a new backup (async via Celery)."""
+    try:
+        task = create_backup_task.delay()
+        return Response(
+            {
+                "detail": "Backup started",
+                "task_id": task.id,
+                "task_token": _generate_task_token(task.id),
+            },
+            status=status.HTTP_202_ACCEPTED,
+        )
+    except Exception as e:
+        return Response(
+            {"detail": f"Failed to start backup: {str(e)}"},
+            status=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        )
+
+
+@api_view(["GET"])
+@permission_classes([AllowAny])
+def backup_status(request, task_id):
+    """Check the status of a backup/restore task.
+
+    Requires either:
+    - Valid admin authentication, OR
+    - Valid task_token query parameter
+    """
+    # Check for token-based auth (for restore when session is invalidated)
+    token = request.query_params.get("token")
+    if token:
+        if not _verify_task_token(task_id, token):
+            return Response(
+                {"detail": "Invalid task token"},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+    else:
+        # Fall back to admin auth check
+        if not request.user.is_authenticated or not request.user.is_staff:
+            return Response(
+                {"detail": "Authentication required"},
+                status=status.HTTP_401_UNAUTHORIZED,
+            )
+
+    try:
+        result = AsyncResult(task_id)
+
+        if result.ready():
+            task_result = result.get()
+            if task_result.get("status") == "completed":
+                return Response({
+                    "state": "completed",
+                    "result": task_result,
+                })
+            else:
+                return Response({
+                    "state": "failed",
+                    "error": task_result.get("error", "Unknown error"),
+                })
+        elif result.failed():
+            return Response({
+                "state": "failed",
+                "error": str(result.result),
+            })
+        else:
+            return Response({
+                "state": result.state.lower(),
+            })
+    except Exception as e:
+        return Response(
+            {"detail": f"Failed to get task status: {str(e)}"},
+            status=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        )
+
+
+@api_view(["GET"])
+@permission_classes([IsAdminUser])
+def get_download_token(request, filename):
+    """Get a signed token for downloading a backup file."""
+    try:
+        # Security: prevent path traversal
+        if ".." in filename or "/" in filename or "\\" in filename:
+            raise Http404("Invalid filename")
+
+        backup_dir = services.get_backup_dir()
+        backup_file = backup_dir / filename
+
+        if not backup_file.exists():
+            raise Http404("Backup file not found")
+
+        token = _generate_task_token(filename)
+        return Response({"token": token})
+    except Http404:
+        raise
+    except Exception as e:
+        return Response(
+            {"detail": f"Failed to generate token: {str(e)}"},
+            status=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        )
+
+
+@api_view(["GET"])
+@permission_classes([AllowAny])
+def download_backup(request, filename):
+    """Download a backup file.
+
+    Requires either:
+    - Valid admin authentication, OR
+    - Valid download_token query parameter
+    """
+    # Check for token-based auth (avoids CORS preflight issues)
+    token = request.query_params.get("token")
+    if token:
+        if not _verify_task_token(filename, token):
+            return Response(
+                {"detail": "Invalid download token"},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+    else:
+        # Fall back to admin auth check
+        if not request.user.is_authenticated or not request.user.is_staff:
+            return Response(
+                {"detail": "Authentication required"},
+                status=status.HTTP_401_UNAUTHORIZED,
+            )
+
+    try:
+        # Security: prevent path traversal by checking for suspicious characters
+        if ".." in filename or "/" in filename or "\\" in filename:
+            raise Http404("Invalid filename")
+
+        backup_dir = services.get_backup_dir()
+        backup_file = (backup_dir / filename).resolve()
+
+        # Security: ensure the resolved path is still within backup_dir
+        if not str(backup_file).startswith(str(backup_dir.resolve())):
+            raise Http404("Invalid filename")
+
+        if not backup_file.exists() or not backup_file.is_file():
+            raise Http404("Backup file not found")
+
+        file_size = backup_file.stat().st_size
+
+        # Use X-Accel-Redirect for nginx (AIO container) - nginx serves file directly
+        # Fall back to streaming for non-nginx deployments
+        use_nginx_accel = os.environ.get("USE_NGINX_ACCEL", "").lower() == "true"
+        logger.info(f"[DOWNLOAD] File: {filename}, Size: {file_size}, USE_NGINX_ACCEL: {use_nginx_accel}")
+
+        if use_nginx_accel:
+            # X-Accel-Redirect: Django returns immediately, nginx serves file
+            logger.info(f"[DOWNLOAD] Using X-Accel-Redirect: /protected-backups/{filename}")
+            response = HttpResponse()
+            response["X-Accel-Redirect"] = f"/protected-backups/{filename}"
+            response["Content-Type"] = "application/zip"
+            response["Content-Length"] = file_size
+            response["Content-Disposition"] = f'attachment; filename="{filename}"'
+            return response
+        else:
+            # Streaming fallback for non-nginx deployments
+            logger.info(f"[DOWNLOAD] Using streaming fallback (no nginx)")
+            def file_iterator(file_path, chunk_size=2 * 1024 * 1024):
+                with open(file_path, "rb") as f:
+                    while chunk := f.read(chunk_size):
+                        yield chunk
+
+            response = StreamingHttpResponse(
+                file_iterator(backup_file),
+                content_type="application/zip",
+            )
+            response["Content-Length"] = file_size
+            response["Content-Disposition"] = f'attachment; filename="{filename}"'
+            return response
+    except Http404:
+        raise
+    except Exception as e:
+        return Response(
+            {"detail": f"Download failed: {str(e)}"},
+            status=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        )
+
+
+@api_view(["DELETE"])
+@permission_classes([IsAdminUser])
+def delete_backup(request, filename):
+    """Delete a backup file."""
+    try:
+        # Security: prevent path traversal
+        if ".." in filename or "/" in filename or "\\" in filename:
+            raise Http404("Invalid filename")
+
+        services.delete_backup(filename)
+        return Response(
+            {"detail": "Backup deleted successfully"},
+            status=status.HTTP_204_NO_CONTENT,
+        )
+    except FileNotFoundError:
+        raise Http404("Backup file not found")
+    except Exception as e:
+        return Response(
+            {"detail": f"Delete failed: {str(e)}"},
+            status=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        )
+
+
+@api_view(["POST"])
+@permission_classes([IsAdminUser])
+@parser_classes([MultiPartParser, FormParser])
+def upload_backup(request):
+    """Upload a backup file for restoration."""
+    uploaded = request.FILES.get("file")
+    if not uploaded:
+        return Response(
+            {"detail": "No file uploaded"},
+            status=status.HTTP_400_BAD_REQUEST,
+        )
+
+    try:
+        backup_dir = services.get_backup_dir()
+        filename = uploaded.name or "uploaded-backup.zip"
+
+        # Ensure unique filename
+        backup_file = backup_dir / filename
+        counter = 1
+        while backup_file.exists():
+            name_parts = filename.rsplit(".", 1)
+            if len(name_parts) == 2:
+                backup_file = backup_dir / f"{name_parts[0]}-{counter}.{name_parts[1]}"
+            else:
+                backup_file = backup_dir / f"{filename}-{counter}"
+            counter += 1
+
+        # Save uploaded file
+        with backup_file.open("wb") as f:
+            for chunk in uploaded.chunks():
+                f.write(chunk)
+
+        return Response(
+            {
+                "detail": "Backup uploaded successfully",
+                "filename": backup_file.name,
+            },
+            status=status.HTTP_201_CREATED,
+        )
+    except Exception as e:
+        return Response(
+            {"detail": f"Upload failed: {str(e)}"},
+            status=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        )
+
+
+@api_view(["POST"])
+@permission_classes([IsAdminUser])
+def restore_backup(request, filename):
+    """Restore from a backup file (async via Celery). WARNING: This will flush the database!"""
+    try:
+        # Security: prevent path traversal
+        if ".." in filename or "/" in filename or "\\" in filename:
+            raise Http404("Invalid filename")
+
+        backup_dir = services.get_backup_dir()
+        backup_file = backup_dir / filename
+
+        if not backup_file.exists():
+            raise Http404("Backup file not found")
+
+        task = restore_backup_task.delay(filename)
+        return Response(
+            {
+                "detail": "Restore started",
+                "task_id": task.id,
+                "task_token": _generate_task_token(task.id),
+            },
+            status=status.HTTP_202_ACCEPTED,
+        )
+    except Http404:
+        raise
+    except Exception as e:
+        return Response(
+            {"detail": f"Failed to start restore: {str(e)}"},
+            status=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        )
+
+
+@api_view(["GET"])
+@permission_classes([IsAdminUser])
+def get_schedule(request):
+    """Get backup schedule settings."""
+    try:
+        settings = get_schedule_settings()
+        return Response(settings)
+    except Exception as e:
+        return Response(
+            {"detail": f"Failed to get schedule: {str(e)}"},
+            status=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        )
+
+
+@api_view(["PUT"])
+@permission_classes([IsAdminUser])
+def update_schedule(request):
+    """Update backup schedule settings."""
+    try:
+        settings = update_schedule_settings(request.data)
+        return Response(settings)
+    except ValueError as e:
+        return Response(
+            {"detail": str(e)},
+            status=status.HTTP_400_BAD_REQUEST,
+        )
+    except Exception as e:
+        return Response(
+            {"detail": f"Failed to update schedule: {str(e)}"},
+            status=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        )
diff --git a/apps/backups/apps.py b/apps/backups/apps.py
new file mode 100644
index 00000000..ee644149
--- /dev/null
+++ b/apps/backups/apps.py
@@ -0,0 +1,7 @@
+from django.apps import AppConfig
+
+
+class BackupsConfig(AppConfig):
+    default_auto_field = "django.db.models.BigAutoField"
+    name = "apps.backups"
+    verbose_name = "Backups"
diff --git a/apps/backups/migrations/__init__.py b/apps/backups/migrations/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/apps/backups/models.py b/apps/backups/models.py
new file mode 100644
index 00000000..e69de29b
diff --git a/apps/backups/scheduler.py b/apps/backups/scheduler.py
new file mode 100644
index 00000000..011d63db
--- /dev/null
+++ b/apps/backups/scheduler.py
@@ -0,0 +1,198 @@
+import json
+import logging
+
+from django_celery_beat.models import PeriodicTask, CrontabSchedule
+
+from core.models import CoreSettings
+
+logger = logging.getLogger(__name__)
+
+BACKUP_SCHEDULE_TASK_NAME = "backup-scheduled-task"
+
+SETTING_KEYS = {
+    "enabled": "backup_schedule_enabled",
+    "frequency": "backup_schedule_frequency",
+    "time": "backup_schedule_time",
+    "day_of_week": "backup_schedule_day_of_week",
+    "retention_count": "backup_retention_count",
+    "cron_expression": "backup_schedule_cron_expression",
+}
+
+DEFAULTS = {
+    "enabled": False,
+    "frequency": "daily",
+    "time": "03:00",
+    "day_of_week": 0,  # Sunday
+    "retention_count": 0,
+    "cron_expression": "",
+}
+
+
+def _get_setting(key: str, default=None):
+    """Get a backup setting from CoreSettings."""
+    try:
+        setting = CoreSettings.objects.get(key=SETTING_KEYS[key])
+        value = setting.value
+        if key == "enabled":
+            return value.lower() == "true"
+        elif key in ("day_of_week", "retention_count"):
+            return int(value)
+        return value
+    except CoreSettings.DoesNotExist:
+        return default if default is not None else DEFAULTS.get(key)
+
+
+def _set_setting(key: str, value) -> None:
+    """Set a backup setting in CoreSettings."""
+    str_value = str(value).lower() if isinstance(value, bool) else str(value)
+    CoreSettings.objects.update_or_create(
+        key=SETTING_KEYS[key],
+        defaults={
+            "name": f"Backup {key.replace('_', ' ').title()}",
+            "value": str_value,
+        },
+    )
+
+
+def get_schedule_settings() -> dict:
+    """Get all backup schedule settings."""
+    return {
+        "enabled": _get_setting("enabled"),
+        "frequency": _get_setting("frequency"),
+        "time": _get_setting("time"),
+        "day_of_week": _get_setting("day_of_week"),
+        "retention_count": _get_setting("retention_count"),
+        "cron_expression": _get_setting("cron_expression"),
+    }
+
+
+def update_schedule_settings(data: dict) -> dict:
+    """Update backup schedule settings and sync the PeriodicTask."""
+    # Validate
+    if "frequency" in data and data["frequency"] not in ("daily", "weekly"):
+        raise ValueError("frequency must be 'daily' or 'weekly'")
+
+    if "time" in data:
+        try:
+            hour, minute = data["time"].split(":")
+            int(hour)
+            int(minute)
+        except (ValueError, AttributeError):
+            raise ValueError("time must be in HH:MM format")
+
+    if "day_of_week" in data:
+        day = int(data["day_of_week"])
+        if day < 0 or day > 6:
+            raise ValueError("day_of_week must be 0-6 (Sunday-Saturday)")
+
+    if "retention_count" in data:
+        count = int(data["retention_count"])
+        if count < 0:
+            raise ValueError("retention_count must be >= 0")
+
+    # Update settings
+    for key in ("enabled", "frequency", "time", "day_of_week", "retention_count", "cron_expression"):
+        if key in data:
+            _set_setting(key, data[key])
+
+    # Sync the periodic task
+    _sync_periodic_task()
+
+    return get_schedule_settings()
+
+
+def _sync_periodic_task() -> None:
+    """Create, update, or delete the scheduled backup task based on settings."""
+    settings = get_schedule_settings()
+
+    if not settings["enabled"]:
+        # Delete the task if it exists
+        task = PeriodicTask.objects.filter(name=BACKUP_SCHEDULE_TASK_NAME).first()
+        if task:
+            old_crontab = task.crontab
+            task.delete()
+            _cleanup_orphaned_crontab(old_crontab)
+        logger.info("Backup schedule disabled, removed periodic task")
+        return
+
+    # Get old crontab before creating new one
+    old_crontab = None
+    try:
+        old_task = PeriodicTask.objects.get(name=BACKUP_SCHEDULE_TASK_NAME)
+        old_crontab = old_task.crontab
+    except PeriodicTask.DoesNotExist:
+        pass
+
+    # Check if using cron expression (advanced mode)
+    if settings["cron_expression"]:
+        # Parse cron expression: "minute hour day month weekday"
+        try:
+            parts = settings["cron_expression"].split()
+            if len(parts) != 5:
+                raise ValueError("Cron expression must have 5 parts: minute hour day month weekday")
+
+            minute, hour, day_of_month, month_of_year, day_of_week = parts
+
+            crontab, _ = CrontabSchedule.objects.get_or_create(
+                minute=minute,
+                hour=hour,
+                day_of_week=day_of_week,
+                day_of_month=day_of_month,
+                month_of_year=month_of_year,
+                timezone=CoreSettings.get_system_time_zone(),
+            )
+        except Exception as e:
+            logger.error(f"Invalid cron expression '{settings['cron_expression']}': {e}")
+            raise ValueError(f"Invalid cron expression: {e}")
+    else:
+        # Use simple frequency-based scheduling
+        # Parse time
+        hour, minute = settings["time"].split(":")
+
+        # Build crontab based on frequency
+        system_tz = CoreSettings.get_system_time_zone()
+        if settings["frequency"] == "daily":
+            crontab, _ = CrontabSchedule.objects.get_or_create(
+                minute=minute,
+                hour=hour,
+                day_of_week="*",
+                day_of_month="*",
+                month_of_year="*",
+                timezone=system_tz,
+            )
+        else:  # weekly
+            crontab, _ = CrontabSchedule.objects.get_or_create(
+                minute=minute,
+                hour=hour,
+                day_of_week=str(settings["day_of_week"]),
+                day_of_month="*",
+                month_of_year="*",
+                timezone=system_tz,
+            )
+
+    # Create or update the periodic task
+    task, created = PeriodicTask.objects.update_or_create(
+        name=BACKUP_SCHEDULE_TASK_NAME,
+        defaults={
+            "task": "apps.backups.tasks.scheduled_backup_task",
+            "crontab": crontab,
+            "enabled": True,
+            "kwargs": json.dumps({"retention_count": settings["retention_count"]}),
+        },
+    )
+
+    # Clean up old crontab if it changed and is orphaned
+    if old_crontab and old_crontab.id != crontab.id:
+        _cleanup_orphaned_crontab(old_crontab)
+
+    action = "Created" if created else "Updated"
+    logger.info(f"{action} backup schedule: {settings['frequency']} at {settings['time']}")
+
+
+def _cleanup_orphaned_crontab(crontab_schedule):
+    """Delete old CrontabSchedule from backup task."""
+    if crontab_schedule is None:
+        return
+
+    logger.debug(f"Cleaning up old CrontabSchedule: {crontab_schedule.id}")
+    crontab_schedule.delete()
diff --git a/apps/backups/services.py b/apps/backups/services.py
new file mode 100644
index 00000000..b99fab6d
--- /dev/null
+++ b/apps/backups/services.py
@@ -0,0 +1,320 @@
+import datetime
+import json
+import os
+import shutil
+import subprocess
+import tempfile
+from pathlib import Path
+from zipfile import ZipFile, ZIP_DEFLATED
+import logging
+import pytz
+
+from django.conf import settings
+from core.models import CoreSettings
+
+logger = logging.getLogger(__name__)
+
+
+def get_backup_dir() -> Path:
+    """Get the backup directory, creating it if necessary."""
+    backup_dir = Path(settings.BACKUP_ROOT)
+    backup_dir.mkdir(parents=True, exist_ok=True)
+    return backup_dir
+
+
+def _is_postgresql() -> bool:
+    """Check if we're using PostgreSQL."""
+    return settings.DATABASES["default"]["ENGINE"] == "django.db.backends.postgresql"
+
+
+def _get_pg_env() -> dict:
+    """Get environment variables for PostgreSQL commands."""
+    db_config = settings.DATABASES["default"]
+    env = os.environ.copy()
+    env["PGPASSWORD"] = db_config.get("PASSWORD", "")
+    return env
+
+
+def _get_pg_args() -> list[str]:
+    """Get common PostgreSQL command arguments."""
+    db_config = settings.DATABASES["default"]
+    return [
+        "-h", db_config.get("HOST", "localhost"),
+        "-p", str(db_config.get("PORT", 5432)),
+        "-U", db_config.get("USER", "postgres"),
+        "-d", db_config.get("NAME", "dispatcharr"),
+    ]
+
+
+def _dump_postgresql(output_file: Path) -> None:
+    """Dump PostgreSQL database using pg_dump."""
+    logger.info("Dumping PostgreSQL database with pg_dump...")
+
+    cmd = [
+        "pg_dump",
+        *_get_pg_args(),
+        "-Fc",  # Custom format for pg_restore
+        "-v",   # Verbose
+        "-f", str(output_file),
+    ]
+
+    result = subprocess.run(
+        cmd,
+        env=_get_pg_env(),
+        capture_output=True,
+        text=True,
+    )
+
+    if result.returncode != 0:
+        logger.error(f"pg_dump failed: {result.stderr}")
+        raise RuntimeError(f"pg_dump failed: {result.stderr}")
+
+    logger.debug(f"pg_dump output: {result.stderr}")
+
+
+def _restore_postgresql(dump_file: Path) -> None:
+    """Restore PostgreSQL database using pg_restore."""
+    logger.info("[PG_RESTORE] Starting pg_restore...")
+    logger.info(f"[PG_RESTORE] Dump file: {dump_file}")
+
+    pg_args = _get_pg_args()
+    logger.info(f"[PG_RESTORE] Connection args: {pg_args}")
+
+    cmd = [
+        "pg_restore",
+        "--clean",  # Clean (drop) database objects before recreating
+        *pg_args,
+        "-v",  # Verbose
+        str(dump_file),
+    ]
+
+    logger.info(f"[PG_RESTORE] Running command: {' '.join(cmd)}")
+
+    result = subprocess.run(
+        cmd,
+        env=_get_pg_env(),
+        capture_output=True,
+        text=True,
+    )
+
+    logger.info(f"[PG_RESTORE] Return code: {result.returncode}")
+
+    # pg_restore may return non-zero even on partial success
+    # Check for actual errors vs warnings
+    if result.returncode != 0:
+        # Some errors during restore are expected (e.g., "does not exist" when cleaning)
+        # Only fail on critical errors
+        stderr = result.stderr.lower()
+        if "fatal" in stderr or "could not connect" in stderr:
+            logger.error(f"[PG_RESTORE] Failed critically: {result.stderr}")
+            raise RuntimeError(f"pg_restore failed: {result.stderr}")
+        else:
+            logger.warning(f"[PG_RESTORE] Completed with warnings: {result.stderr[:500]}...")
+
+    logger.info("[PG_RESTORE] Completed successfully")
+
+
+def _dump_sqlite(output_file: Path) -> None:
+    """Dump SQLite database using sqlite3 .backup command."""
+    logger.info("Dumping SQLite database with sqlite3 .backup...")
+    db_path = Path(settings.DATABASES["default"]["NAME"])
+
+    if not db_path.exists():
+        raise FileNotFoundError(f"SQLite database not found: {db_path}")
+
+    # Use sqlite3 .backup command via stdin for reliable execution
+    result = subprocess.run(
+        ["sqlite3", str(db_path)],
+        input=f".backup '{output_file}'\n",
+        capture_output=True,
+        text=True,
+    )
+
+    if result.returncode != 0:
+        logger.error(f"sqlite3 backup failed: {result.stderr}")
+        raise RuntimeError(f"sqlite3 backup failed: {result.stderr}")
+
+    # Verify the backup file was created
+    if not output_file.exists():
+        raise RuntimeError("sqlite3 backup failed: output file not created")
+
+    logger.info(f"sqlite3 backup completed successfully: {output_file}")
+
+
+def _restore_sqlite(dump_file: Path) -> None:
+    """Restore SQLite database by replacing the database file."""
+    logger.info("Restoring SQLite database...")
+    db_path = Path(settings.DATABASES["default"]["NAME"])
+    backup_current = None
+
+    # Backup current database before overwriting
+    if db_path.exists():
+        backup_current = db_path.with_suffix(".db.bak")
+        shutil.copy2(db_path, backup_current)
+        logger.info(f"Backed up current database to {backup_current}")
+
+    # Ensure parent directory exists
+    db_path.parent.mkdir(parents=True, exist_ok=True)
+
+    # The backup file from _dump_sqlite is a complete SQLite database file
+    # We can simply copy it over the existing database
+    shutil.copy2(dump_file, db_path)
+
+    # Verify the restore worked by checking if sqlite3 can read it
+    result = subprocess.run(
+        ["sqlite3", str(db_path)],
+        input=".tables\n",
+        capture_output=True,
+        text=True,
+    )
+
+    if result.returncode != 0:
+        logger.error(f"sqlite3 verification failed: {result.stderr}")
+        # Try to restore from backup
+        if backup_current and backup_current.exists():
+            shutil.copy2(backup_current, db_path)
+            logger.info("Restored original database from backup")
+        raise RuntimeError(f"sqlite3 restore verification failed: {result.stderr}")
+
+    logger.info("sqlite3 restore completed successfully")
+
+
+def create_backup() -> Path:
+    """
+    Create a backup archive containing database dump and data directories.
+    Returns the path to the created backup file.
+    """
+    backup_dir = get_backup_dir()
+
+    # Use system timezone for filename (user-friendly), but keep internal timestamps as UTC
+    system_tz_name = CoreSettings.get_system_time_zone()
+    try:
+        system_tz = pytz.timezone(system_tz_name)
+        now_local = datetime.datetime.now(datetime.UTC).astimezone(system_tz)
+        timestamp = now_local.strftime("%Y.%m.%d.%H.%M.%S")
+    except Exception as e:
+        logger.warning(f"Failed to use system timezone {system_tz_name}: {e}, falling back to UTC")
+        timestamp = datetime.datetime.now(datetime.UTC).strftime("%Y.%m.%d.%H.%M.%S")
+
+    backup_name = f"dispatcharr-backup-{timestamp}.zip"
+    backup_file = backup_dir / backup_name
+
+    logger.info(f"Creating backup: {backup_name}")
+
+    with tempfile.TemporaryDirectory(prefix="dispatcharr-backup-") as temp_dir:
+        temp_path = Path(temp_dir)
+
+        # Determine database type and dump accordingly
+        if _is_postgresql():
+            db_dump_file = temp_path / "database.dump"
+            _dump_postgresql(db_dump_file)
+            db_type = "postgresql"
+        else:
+            db_dump_file = temp_path / "database.sqlite3"
+            _dump_sqlite(db_dump_file)
+            db_type = "sqlite"
+
+        # Create ZIP archive with compression and ZIP64 support for large files
+        with ZipFile(backup_file, "w", compression=ZIP_DEFLATED, allowZip64=True) as zip_file:
+            # Add database dump
+            zip_file.write(db_dump_file, db_dump_file.name)
+
+            # Add metadata
+            metadata = {
+                "format": "dispatcharr-backup",
+                "version": 2,
+                "database_type": db_type,
+                "database_file": db_dump_file.name,
+                "created_at": datetime.datetime.now(datetime.UTC).isoformat(),
+            }
+            zip_file.writestr("metadata.json", json.dumps(metadata, indent=2))
+
+    logger.info(f"Backup created successfully: {backup_file}")
+    return backup_file
+
+
+def restore_backup(backup_file: Path) -> None:
+    """
+    Restore from a backup archive.
+    WARNING: This will overwrite the database!
+    """
+    if not backup_file.exists():
+        raise FileNotFoundError(f"Backup file not found: {backup_file}")
+
+    logger.info(f"Restoring from backup: {backup_file}")
+
+    with tempfile.TemporaryDirectory(prefix="dispatcharr-restore-") as temp_dir:
+        temp_path = Path(temp_dir)
+
+        # Extract backup
+        logger.debug("Extracting backup archive...")
+        with ZipFile(backup_file, "r") as zip_file:
+            zip_file.extractall(temp_path)
+
+        # Read metadata
+        metadata_file = temp_path / "metadata.json"
+        if not metadata_file.exists():
+            raise ValueError("Invalid backup: missing metadata.json")
+
+        with open(metadata_file) as f:
+            metadata = json.load(f)
+
+        # Restore database
+        _restore_database(temp_path, metadata)
+
+    logger.info("Restore completed successfully")
+
+
+def _restore_database(temp_path: Path, metadata: dict) -> None:
+    """Restore database from backup."""
+    db_type = metadata.get("database_type", "postgresql")
+    db_file = metadata.get("database_file", "database.dump")
+    dump_file = temp_path / db_file
+
+    if not dump_file.exists():
+        raise ValueError(f"Invalid backup: missing {db_file}")
+
+    current_db_type = "postgresql" if _is_postgresql() else "sqlite"
+
+    if db_type != current_db_type:
+        raise ValueError(
+            f"Database type mismatch: backup is {db_type}, "
+            f"but current database is {current_db_type}"
+        )
+
+    if db_type == "postgresql":
+        _restore_postgresql(dump_file)
+    else:
+        _restore_sqlite(dump_file)
+
+
+def list_backups() -> list[dict]:
+    """List all available backup files with metadata."""
+    backup_dir = get_backup_dir()
+    backups = []
+
+    for backup_file in sorted(backup_dir.glob("dispatcharr-backup-*.zip"), reverse=True):
+        # Use UTC timezone so frontend can convert to user's local time
+        created_time = datetime.datetime.fromtimestamp(backup_file.stat().st_mtime, datetime.UTC)
+        backups.append({
+            "name": backup_file.name,
+            "size": backup_file.stat().st_size,
+            "created": created_time.isoformat(),
+        })
+
+    return backups
+
+
+def delete_backup(filename: str) -> None:
+    """Delete a backup file."""
+    backup_dir = get_backup_dir()
+    backup_file = backup_dir / filename
+
+    if not backup_file.exists():
+        raise FileNotFoundError(f"Backup file not found: {filename}")
+
+    if not backup_file.is_file():
+        raise ValueError(f"Invalid backup file: {filename}")
+
+    backup_file.unlink()
+    logger.info(f"Deleted backup: {filename}")
diff --git a/apps/backups/tasks.py b/apps/backups/tasks.py
new file mode 100644
index 00000000..f531fef8
--- /dev/null
+++ b/apps/backups/tasks.py
@@ -0,0 +1,106 @@
+import logging
+import traceback
+from celery import shared_task
+
+from . import services
+
+logger = logging.getLogger(__name__)
+
+
+def _cleanup_old_backups(retention_count: int) -> int:
+    """Delete old backups, keeping only the most recent N. Returns count deleted."""
+    if retention_count <= 0:
+        return 0
+
+    backups = services.list_backups()
+    if len(backups) <= retention_count:
+        return 0
+
+    # Backups are sorted newest first, so delete from the end
+    to_delete = backups[retention_count:]
+    deleted = 0
+
+    for backup in to_delete:
+        try:
+            services.delete_backup(backup["name"])
+            deleted += 1
+            logger.info(f"[CLEANUP] Deleted old backup: {backup['name']}")
+        except Exception as e:
+            logger.error(f"[CLEANUP] Failed to delete {backup['name']}: {e}")
+
+    return deleted
+
+
+@shared_task(bind=True)
+def create_backup_task(self):
+    """Celery task to create a backup asynchronously."""
+    try:
+        logger.info(f"[BACKUP] Starting backup task {self.request.id}")
+        backup_file = services.create_backup()
+        logger.info(f"[BACKUP] Task {self.request.id} completed: {backup_file.name}")
+        return {
+            "status": "completed",
+            "filename": backup_file.name,
+            "size": backup_file.stat().st_size,
+        }
+    except Exception as e:
+        logger.error(f"[BACKUP] Task {self.request.id} failed: {str(e)}")
+        logger.error(f"[BACKUP] Traceback: {traceback.format_exc()}")
+        return {
+            "status": "failed",
+            "error": str(e),
+        }
+
+
+@shared_task(bind=True)
+def restore_backup_task(self, filename: str):
+    """Celery task to restore a backup asynchronously."""
+    try:
+        logger.info(f"[RESTORE] Starting restore task {self.request.id} for {filename}")
+        backup_dir = services.get_backup_dir()
+        backup_file = backup_dir / filename
+        logger.info(f"[RESTORE] Backup file path: {backup_file}")
+        services.restore_backup(backup_file)
+        logger.info(f"[RESTORE] Task {self.request.id} completed successfully")
+        return {
+            "status": "completed",
+            "filename": filename,
+        }
+    except Exception as e:
+        logger.error(f"[RESTORE] Task {self.request.id} failed: {str(e)}")
+        logger.error(f"[RESTORE] Traceback: {traceback.format_exc()}")
+        return {
+            "status": "failed",
+            "error": str(e),
+        }
+
+
+@shared_task(bind=True)
+def scheduled_backup_task(self, retention_count: int = 0):
+    """Celery task for scheduled backups with optional retention cleanup."""
+    try:
+        logger.info(f"[SCHEDULED] Starting scheduled backup task {self.request.id}")
+
+        # Create backup
+        backup_file = services.create_backup()
+        logger.info(f"[SCHEDULED] Backup created: {backup_file.name}")
+
+        # Cleanup old backups if retention is set
+        deleted = 0
+        if retention_count > 0:
+            deleted = _cleanup_old_backups(retention_count)
+            logger.info(f"[SCHEDULED] Cleanup complete, deleted {deleted} old backup(s)")
+
+        return {
+            "status": "completed",
+            "filename": backup_file.name,
+            "size": backup_file.stat().st_size,
+            "deleted_count": deleted,
+        }
+    except Exception as e:
+        logger.error(f"[SCHEDULED] Task {self.request.id} failed: {str(e)}")
+        logger.error(f"[SCHEDULED] Traceback: {traceback.format_exc()}")
+        return {
+            "status": "failed",
+            "error": str(e),
+        }
diff --git a/apps/backups/tests.py b/apps/backups/tests.py
new file mode 100644
index 00000000..dc8a5136
--- /dev/null
+++ b/apps/backups/tests.py
@@ -0,0 +1,1163 @@
+import json
+import tempfile
+from io import BytesIO
+from pathlib import Path
+from zipfile import ZipFile
+from unittest.mock import patch, MagicMock
+
+from django.test import TestCase
+from django.contrib.auth import get_user_model
+from rest_framework.test import APIClient
+from rest_framework_simplejwt.tokens import RefreshToken
+
+from . import services
+
+User = get_user_model()
+
+
+class BackupServicesTestCase(TestCase):
+    """Test cases for backup services"""
+
+    def setUp(self):
+        self.temp_backup_dir = tempfile.mkdtemp()
+
+    def tearDown(self):
+        import shutil
+        if Path(self.temp_backup_dir).exists():
+            shutil.rmtree(self.temp_backup_dir)
+
+    @patch('apps.backups.services.settings')
+    def test_get_backup_dir_creates_directory(self, mock_settings):
+        """Test that get_backup_dir creates the directory if it doesn't exist"""
+        mock_settings.BACKUP_ROOT = self.temp_backup_dir
+
+        with patch('apps.backups.services.Path') as mock_path:
+            mock_path_instance = MagicMock()
+            mock_path_instance.mkdir = MagicMock()
+            mock_path.return_value = mock_path_instance
+
+            services.get_backup_dir()
+            mock_path_instance.mkdir.assert_called_once_with(parents=True, exist_ok=True)
+
+    @patch('apps.backups.services.get_backup_dir')
+    @patch('apps.backups.services._is_postgresql')
+    @patch('apps.backups.services._dump_sqlite')
+    def test_create_backup_success_sqlite(self, mock_dump_sqlite, mock_is_pg, mock_get_backup_dir):
+        """Test successful backup creation with SQLite"""
+        mock_get_backup_dir.return_value = Path(self.temp_backup_dir)
+        mock_is_pg.return_value = False
+
+        # Mock SQLite dump to create a temp file
+        def mock_dump(output_file):
+            output_file.write_text("sqlite dump")
+
+        mock_dump_sqlite.side_effect = mock_dump
+
+        result = services.create_backup()
+
+        self.assertIsInstance(result, Path)
+        self.assertTrue(result.exists())
+        self.assertTrue(result.name.startswith('dispatcharr-backup-'))
+        self.assertTrue(result.name.endswith('.zip'))
+
+        # Verify the backup contains expected files
+        with ZipFile(result, 'r') as zf:
+            names = zf.namelist()
+            self.assertIn('database.sqlite3', names)
+            self.assertIn('metadata.json', names)
+
+            # Check metadata
+            metadata = json.loads(zf.read('metadata.json'))
+            self.assertEqual(metadata['version'], 2)
+            self.assertEqual(metadata['database_type'], 'sqlite')
+
+    @patch('apps.backups.services.get_backup_dir')
+    @patch('apps.backups.services._is_postgresql')
+    @patch('apps.backups.services._dump_postgresql')
+    def test_create_backup_success_postgresql(self, mock_dump_pg, mock_is_pg, mock_get_backup_dir):
+        """Test successful backup creation with PostgreSQL"""
+        mock_get_backup_dir.return_value = Path(self.temp_backup_dir)
+        mock_is_pg.return_value = True
+
+        # Mock PostgreSQL dump to create a temp file
+        def mock_dump(output_file):
+            output_file.write_bytes(b"pg dump data")
+
+        mock_dump_pg.side_effect = mock_dump
+
+        result = services.create_backup()
+
+        self.assertIsInstance(result, Path)
+        self.assertTrue(result.exists())
+
+        # Verify the backup contains expected files
+        with ZipFile(result, 'r') as zf:
+            names = zf.namelist()
+            self.assertIn('database.dump', names)
+            self.assertIn('metadata.json', names)
+
+            # Check metadata
+            metadata = json.loads(zf.read('metadata.json'))
+            self.assertEqual(metadata['version'], 2)
+            self.assertEqual(metadata['database_type'], 'postgresql')
+
+    @patch('apps.backups.services.get_backup_dir')
+    def test_list_backups_empty(self, mock_get_backup_dir):
+        """Test listing backups when none exist"""
+        mock_get_backup_dir.return_value = Path(self.temp_backup_dir)
+
+        result = services.list_backups()
+
+        self.assertEqual(result, [])
+
+    @patch('apps.backups.services.get_backup_dir')
+    def test_list_backups_with_files(self, mock_get_backup_dir):
+        """Test listing backups with existing backup files"""
+        backup_dir = Path(self.temp_backup_dir)
+        mock_get_backup_dir.return_value = backup_dir
+
+        # Create a fake backup file
+        test_backup = backup_dir / "dispatcharr-backup-2025.01.01.12.00.00.zip"
+        test_backup.write_text("fake backup content")
+
+        result = services.list_backups()
+
+        self.assertEqual(len(result), 1)
+        self.assertEqual(result[0]['name'], test_backup.name)
+        self.assertIn('size', result[0])
+        self.assertIn('created', result[0])
+
+    @patch('apps.backups.services.get_backup_dir')
+    def test_delete_backup_success(self, mock_get_backup_dir):
+        """Test successful backup deletion"""
+        backup_dir = Path(self.temp_backup_dir)
+        mock_get_backup_dir.return_value = backup_dir
+
+        # Create a fake backup file
+        test_backup = backup_dir / "dispatcharr-backup-test.zip"
+        test_backup.write_text("fake backup content")
+
+        self.assertTrue(test_backup.exists())
+
+        services.delete_backup(test_backup.name)
+
+        self.assertFalse(test_backup.exists())
+
+    @patch('apps.backups.services.get_backup_dir')
+    def test_delete_backup_not_found(self, mock_get_backup_dir):
+        """Test deleting a non-existent backup raises error"""
+        mock_get_backup_dir.return_value = Path(self.temp_backup_dir)
+
+        with self.assertRaises(FileNotFoundError):
+            services.delete_backup("nonexistent-backup.zip")
+
+    @patch('apps.backups.services.get_backup_dir')
+    @patch('apps.backups.services._is_postgresql')
+    @patch('apps.backups.services._restore_postgresql')
+    def test_restore_backup_postgresql(self, mock_restore_pg, mock_is_pg, mock_get_backup_dir):
+        """Test successful restoration of PostgreSQL backup"""
+        backup_dir = Path(self.temp_backup_dir)
+        mock_get_backup_dir.return_value = backup_dir
+        mock_is_pg.return_value = True
+
+        # Create PostgreSQL backup file
+        backup_file = backup_dir / "test-backup.zip"
+        with ZipFile(backup_file, 'w') as zf:
+            zf.writestr('database.dump', b'pg dump data')
+            zf.writestr('metadata.json', json.dumps({
+                'version': 2,
+                'database_type': 'postgresql',
+                'database_file': 'database.dump'
+            }))
+
+        services.restore_backup(backup_file)
+
+        mock_restore_pg.assert_called_once()
+
+    @patch('apps.backups.services.get_backup_dir')
+    @patch('apps.backups.services._is_postgresql')
+    @patch('apps.backups.services._restore_sqlite')
+    def test_restore_backup_sqlite(self, mock_restore_sqlite, mock_is_pg, mock_get_backup_dir):
+        """Test successful restoration of SQLite backup"""
+        backup_dir = Path(self.temp_backup_dir)
+        mock_get_backup_dir.return_value = backup_dir
+        mock_is_pg.return_value = False
+
+        # Create SQLite backup file
+        backup_file = backup_dir / "test-backup.zip"
+        with ZipFile(backup_file, 'w') as zf:
+            zf.writestr('database.sqlite3', 'sqlite data')
+            zf.writestr('metadata.json', json.dumps({
+                'version': 2,
+                'database_type': 'sqlite',
+                'database_file': 'database.sqlite3'
+            }))
+
+        services.restore_backup(backup_file)
+
+        mock_restore_sqlite.assert_called_once()
+
+    @patch('apps.backups.services.get_backup_dir')
+    @patch('apps.backups.services._is_postgresql')
+    def test_restore_backup_database_type_mismatch(self, mock_is_pg, mock_get_backup_dir):
+        """Test restore fails when database type doesn't match"""
+        backup_dir = Path(self.temp_backup_dir)
+        mock_get_backup_dir.return_value = backup_dir
+        mock_is_pg.return_value = True  # Current system is PostgreSQL
+
+        # Create SQLite backup file
+        backup_file = backup_dir / "test-backup.zip"
+        with ZipFile(backup_file, 'w') as zf:
+            zf.writestr('database.sqlite3', 'sqlite data')
+            zf.writestr('metadata.json', json.dumps({
+                'version': 2,
+                'database_type': 'sqlite',  # Backup is SQLite
+                'database_file': 'database.sqlite3'
+            }))
+
+        with self.assertRaises(ValueError) as context:
+            services.restore_backup(backup_file)
+
+        self.assertIn('mismatch', str(context.exception).lower())
+
+    def test_restore_backup_not_found(self):
+        """Test restoring from non-existent backup file"""
+        fake_path = Path("/tmp/nonexistent-backup-12345.zip")
+
+        with self.assertRaises(FileNotFoundError):
+            services.restore_backup(fake_path)
+
+    @patch('apps.backups.services.get_backup_dir')
+    def test_restore_backup_missing_metadata(self, mock_get_backup_dir):
+        """Test restoring from backup without metadata.json"""
+        backup_dir = Path(self.temp_backup_dir)
+        mock_get_backup_dir.return_value = backup_dir
+
+        # Create a backup file missing metadata.json
+        backup_file = backup_dir / "invalid-backup.zip"
+        with ZipFile(backup_file, 'w') as zf:
+            zf.writestr('database.dump', b'fake dump data')
+
+        with self.assertRaises(ValueError) as context:
+            services.restore_backup(backup_file)
+
+        self.assertIn('metadata.json', str(context.exception))
+
+    @patch('apps.backups.services.get_backup_dir')
+    @patch('apps.backups.services._is_postgresql')
+    def test_restore_backup_missing_database(self, mock_is_pg, mock_get_backup_dir):
+        """Test restoring from backup missing database dump"""
+        backup_dir = Path(self.temp_backup_dir)
+        mock_get_backup_dir.return_value = backup_dir
+        mock_is_pg.return_value = True
+
+        # Create backup file missing database dump
+        backup_file = backup_dir / "invalid-backup.zip"
+        with ZipFile(backup_file, 'w') as zf:
+            zf.writestr('metadata.json', json.dumps({
+                'version': 2,
+                'database_type': 'postgresql',
+                'database_file': 'database.dump'
+            }))
+
+        with self.assertRaises(ValueError) as context:
+            services.restore_backup(backup_file)
+
+        self.assertIn('database.dump', str(context.exception))
+
+
+class BackupAPITestCase(TestCase):
+    """Test cases for backup API endpoints"""
+
+    def setUp(self):
+        self.client = APIClient()
+        self.user = User.objects.create_user(
+            username='testuser',
+            email='test@example.com',
+            password='testpass123'
+        )
+        self.admin_user = User.objects.create_superuser(
+            username='admin',
+            email='admin@example.com',
+            password='adminpass123'
+        )
+        self.temp_backup_dir = tempfile.mkdtemp()
+
+    def get_auth_header(self, user):
+        """Helper method to get JWT auth header for a user"""
+        refresh = RefreshToken.for_user(user)
+        return f'Bearer {str(refresh.access_token)}'
+
+    def tearDown(self):
+        import shutil
+        if Path(self.temp_backup_dir).exists():
+            shutil.rmtree(self.temp_backup_dir)
+
+    def test_list_backups_requires_admin(self):
+        """Test that listing backups requires admin privileges"""
+        url = '/api/backups/'
+
+        # Unauthenticated request
+        response = self.client.get(url)
+        self.assertIn(response.status_code, [401, 403])
+
+        # Regular user request
+        response = self.client.get(url, HTTP_AUTHORIZATION=self.get_auth_header(self.user))
+        self.assertIn(response.status_code, [401, 403])
+
+    @patch('apps.backups.services.list_backups')
+    def test_list_backups_success(self, mock_list_backups):
+        """Test successful backup listing"""
+        mock_list_backups.return_value = [
+            {
+                'name': 'backup-test.zip',
+                'size': 1024,
+                'created': '2025-01-01T12:00:00'
+            }
+        ]
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/'
+        response = self.client.get(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 200)
+        data = response.json()
+        self.assertEqual(len(data), 1)
+        self.assertEqual(data[0]['name'], 'backup-test.zip')
+
+    def test_create_backup_requires_admin(self):
+        """Test that creating backups requires admin privileges"""
+        url = '/api/backups/create/'
+
+        # Unauthenticated request
+        response = self.client.post(url)
+        self.assertIn(response.status_code, [401, 403])
+
+        # Regular user request
+        response = self.client.post(url, HTTP_AUTHORIZATION=self.get_auth_header(self.user))
+        self.assertIn(response.status_code, [401, 403])
+
+    @patch('apps.backups.tasks.create_backup_task.delay')
+    def test_create_backup_success(self, mock_create_task):
+        """Test successful backup creation via API (async task)"""
+        mock_task = MagicMock()
+        mock_task.id = 'test-task-id-123'
+        mock_create_task.return_value = mock_task
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/create/'
+        response = self.client.post(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 202)
+        data = response.json()
+        self.assertIn('task_id', data)
+        self.assertIn('task_token', data)
+        self.assertEqual(data['task_id'], 'test-task-id-123')
+
+    @patch('apps.backups.tasks.create_backup_task.delay')
+    def test_create_backup_failure(self, mock_create_task):
+        """Test backup creation failure handling"""
+        mock_create_task.side_effect = Exception("Failed to start task")
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/create/'
+        response = self.client.post(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 500)
+        data = response.json()
+        self.assertIn('detail', data)
+
+    @patch('apps.backups.services.get_backup_dir')
+    def test_download_backup_success(self, mock_get_backup_dir):
+        """Test successful backup download"""
+        backup_dir = Path(self.temp_backup_dir)
+        mock_get_backup_dir.return_value = backup_dir
+
+        # Create a test backup file
+        backup_file = backup_dir / "test-backup.zip"
+        backup_file.write_text("test backup content")
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/test-backup.zip/download/'
+        response = self.client.get(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response['Content-Type'], 'application/zip')
+
+    @patch('apps.backups.services.get_backup_dir')
+    def test_download_backup_not_found(self, mock_get_backup_dir):
+        """Test downloading non-existent backup"""
+        mock_get_backup_dir.return_value = Path(self.temp_backup_dir)
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/nonexistent.zip/download/'
+        response = self.client.get(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 404)
+
+    @patch('apps.backups.services.delete_backup')
+    def test_delete_backup_success(self, mock_delete_backup):
+        """Test successful backup deletion via API"""
+        mock_delete_backup.return_value = None
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/test-backup.zip/delete/'
+        response = self.client.delete(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 204)
+        mock_delete_backup.assert_called_once_with('test-backup.zip')
+
+    @patch('apps.backups.services.delete_backup')
+    def test_delete_backup_not_found(self, mock_delete_backup):
+        """Test deleting non-existent backup via API"""
+        mock_delete_backup.side_effect = FileNotFoundError("Not found")
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/nonexistent.zip/delete/'
+        response = self.client.delete(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 404)
+
+    def test_upload_backup_requires_file(self):
+        """Test that upload requires a file"""
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/upload/'
+        response = self.client.post(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 400)
+        data = response.json()
+        self.assertIn('No file uploaded', data['detail'])
+
+    @patch('apps.backups.services.get_backup_dir')
+    def test_upload_backup_success(self, mock_get_backup_dir):
+        """Test successful backup upload"""
+        mock_get_backup_dir.return_value = Path(self.temp_backup_dir)
+
+        # Create a fake backup file
+        fake_backup = BytesIO(b"fake backup content")
+        fake_backup.name = 'uploaded-backup.zip'
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/upload/'
+        response = self.client.post(url, {'file': fake_backup}, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 201)
+        data = response.json()
+        self.assertIn('filename', data)
+
+    @patch('apps.backups.services.get_backup_dir')
+    @patch('apps.backups.tasks.restore_backup_task.delay')
+    def test_restore_backup_success(self, mock_restore_task, mock_get_backup_dir):
+        """Test successful backup restoration via API (async task)"""
+        backup_dir = Path(self.temp_backup_dir)
+        mock_get_backup_dir.return_value = backup_dir
+
+        mock_task = MagicMock()
+        mock_task.id = 'test-restore-task-456'
+        mock_restore_task.return_value = mock_task
+
+        # Create a test backup file
+        backup_file = backup_dir / "test-backup.zip"
+        backup_file.write_text("test backup content")
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/test-backup.zip/restore/'
+        response = self.client.post(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 202)
+        data = response.json()
+        self.assertIn('task_id', data)
+        self.assertIn('task_token', data)
+        self.assertEqual(data['task_id'], 'test-restore-task-456')
+
+    @patch('apps.backups.services.get_backup_dir')
+    def test_restore_backup_not_found(self, mock_get_backup_dir):
+        """Test restoring from non-existent backup via API"""
+        mock_get_backup_dir.return_value = Path(self.temp_backup_dir)
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/nonexistent.zip/restore/'
+        response = self.client.post(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 404)
+
+    # --- Backup Status Endpoint Tests ---
+
+    def test_backup_status_requires_auth_or_token(self):
+        """Test that backup_status requires auth or valid token"""
+        url = '/api/backups/status/fake-task-id/'
+
+        # Unauthenticated request without token
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 401)
+
+    def test_backup_status_invalid_token(self):
+        """Test that backup_status rejects invalid tokens"""
+        url = '/api/backups/status/fake-task-id/?token=invalid-token'
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 403)
+
+    @patch('apps.backups.api_views.AsyncResult')
+    def test_backup_status_with_admin_auth(self, mock_async_result):
+        """Test backup_status with admin authentication"""
+        mock_result = MagicMock()
+        mock_result.ready.return_value = False
+        mock_result.failed.return_value = False
+        mock_result.state = 'PENDING'
+        mock_async_result.return_value = mock_result
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/status/test-task-id/'
+        response = self.client.get(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 200)
+        data = response.json()
+        self.assertEqual(data['state'], 'pending')
+
+    @patch('apps.backups.api_views.AsyncResult')
+    @patch('apps.backups.api_views._verify_task_token')
+    def test_backup_status_with_valid_token(self, mock_verify, mock_async_result):
+        """Test backup_status with valid token"""
+        mock_verify.return_value = True
+        mock_result = MagicMock()
+        mock_result.ready.return_value = True
+        mock_result.get.return_value = {'status': 'completed', 'filename': 'test.zip'}
+        mock_async_result.return_value = mock_result
+
+        url = '/api/backups/status/test-task-id/?token=valid-token'
+        response = self.client.get(url)
+
+        self.assertEqual(response.status_code, 200)
+        data = response.json()
+        self.assertEqual(data['state'], 'completed')
+
+    @patch('apps.backups.api_views.AsyncResult')
+    def test_backup_status_task_failed(self, mock_async_result):
+        """Test backup_status when task failed"""
+        mock_result = MagicMock()
+        mock_result.ready.return_value = True
+        mock_result.get.return_value = {'status': 'failed', 'error': 'Something went wrong'}
+        mock_async_result.return_value = mock_result
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/status/test-task-id/'
+        response = self.client.get(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 200)
+        data = response.json()
+        self.assertEqual(data['state'], 'failed')
+        self.assertIn('Something went wrong', data['error'])
+
+    # --- Download Token Endpoint Tests ---
+
+    def test_get_download_token_requires_admin(self):
+        """Test that get_download_token requires admin privileges"""
+        url = '/api/backups/test.zip/download-token/'
+
+        response = self.client.get(url)
+        self.assertIn(response.status_code, [401, 403])
+
+        response = self.client.get(url, HTTP_AUTHORIZATION=self.get_auth_header(self.user))
+        self.assertIn(response.status_code, [401, 403])
+
+    @patch('apps.backups.services.get_backup_dir')
+    def test_get_download_token_success(self, mock_get_backup_dir):
+        """Test successful download token generation"""
+        backup_dir = Path(self.temp_backup_dir)
+        mock_get_backup_dir.return_value = backup_dir
+
+        # Create a test backup file
+        backup_file = backup_dir / "test-backup.zip"
+        backup_file.write_text("test content")
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/test-backup.zip/download-token/'
+        response = self.client.get(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 200)
+        data = response.json()
+        self.assertIn('token', data)
+        self.assertEqual(len(data['token']), 32)
+
+    @patch('apps.backups.services.get_backup_dir')
+    def test_get_download_token_not_found(self, mock_get_backup_dir):
+        """Test download token for non-existent file"""
+        mock_get_backup_dir.return_value = Path(self.temp_backup_dir)
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/nonexistent.zip/download-token/'
+        response = self.client.get(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 404)
+
+    # --- Download with Token Auth Tests ---
+
+    @patch('apps.backups.services.get_backup_dir')
+    @patch('apps.backups.api_views._verify_task_token')
+    def test_download_backup_with_valid_token(self, mock_verify, mock_get_backup_dir):
+        """Test downloading backup with valid token (no auth header)"""
+        backup_dir = Path(self.temp_backup_dir)
+        mock_get_backup_dir.return_value = backup_dir
+        mock_verify.return_value = True
+
+        # Create a test backup file
+        backup_file = backup_dir / "test-backup.zip"
+        backup_file.write_text("test backup content")
+
+        url = '/api/backups/test-backup.zip/download/?token=valid-token'
+        response = self.client.get(url)
+
+        self.assertEqual(response.status_code, 200)
+
+    @patch('apps.backups.services.get_backup_dir')
+    def test_download_backup_invalid_token(self, mock_get_backup_dir):
+        """Test downloading backup with invalid token"""
+        mock_get_backup_dir.return_value = Path(self.temp_backup_dir)
+
+        url = '/api/backups/test-backup.zip/download/?token=invalid-token'
+        response = self.client.get(url)
+
+        self.assertEqual(response.status_code, 403)
+
+    @patch('apps.backups.services.get_backup_dir')
+    @patch('apps.backups.tasks.restore_backup_task.delay')
+    def test_restore_backup_task_start_failure(self, mock_restore_task, mock_get_backup_dir):
+        """Test restore task start failure via API"""
+        backup_dir = Path(self.temp_backup_dir)
+        mock_get_backup_dir.return_value = backup_dir
+        mock_restore_task.side_effect = Exception("Failed to start restore task")
+
+        # Create a test backup file
+        backup_file = backup_dir / "test-backup.zip"
+        backup_file.write_text("test content")
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/test-backup.zip/restore/'
+        response = self.client.post(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 500)
+        data = response.json()
+        self.assertIn('detail', data)
+
+    def test_get_schedule_requires_admin(self):
+        """Test that getting schedule requires admin privileges"""
+        url = '/api/backups/schedule/'
+
+        # Unauthenticated request
+        response = self.client.get(url)
+        self.assertIn(response.status_code, [401, 403])
+
+        # Regular user request
+        response = self.client.get(url, HTTP_AUTHORIZATION=self.get_auth_header(self.user))
+        self.assertIn(response.status_code, [401, 403])
+
+    @patch('apps.backups.api_views.get_schedule_settings')
+    def test_get_schedule_success(self, mock_get_settings):
+        """Test successful schedule retrieval"""
+        mock_get_settings.return_value = {
+            'enabled': True,
+            'frequency': 'daily',
+            'time': '03:00',
+            'day_of_week': 0,
+            'retention_count': 5,
+            'cron_expression': '',
+        }
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/schedule/'
+        response = self.client.get(url, HTTP_AUTHORIZATION=auth_header)
+
+        self.assertEqual(response.status_code, 200)
+        data = response.json()
+        self.assertEqual(data['enabled'], True)
+        self.assertEqual(data['frequency'], 'daily')
+        self.assertEqual(data['retention_count'], 5)
+
+    def test_update_schedule_requires_admin(self):
+        """Test that updating schedule requires admin privileges"""
+        url = '/api/backups/schedule/update/'
+
+        # Unauthenticated request
+        response = self.client.put(url, {}, content_type='application/json')
+        self.assertIn(response.status_code, [401, 403])
+
+        # Regular user request
+        response = self.client.put(
+            url,
+            {},
+            content_type='application/json',
+            HTTP_AUTHORIZATION=self.get_auth_header(self.user)
+        )
+        self.assertIn(response.status_code, [401, 403])
+
+    @patch('apps.backups.api_views.update_schedule_settings')
+    def test_update_schedule_success(self, mock_update_settings):
+        """Test successful schedule update"""
+        mock_update_settings.return_value = {
+            'enabled': True,
+            'frequency': 'weekly',
+            'time': '02:00',
+            'day_of_week': 1,
+            'retention_count': 10,
+            'cron_expression': '',
+        }
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/schedule/update/'
+        response = self.client.put(
+            url,
+            {'enabled': True, 'frequency': 'weekly', 'time': '02:00', 'day_of_week': 1, 'retention_count': 10},
+            content_type='application/json',
+            HTTP_AUTHORIZATION=auth_header
+        )
+
+        self.assertEqual(response.status_code, 200)
+        data = response.json()
+        self.assertEqual(data['frequency'], 'weekly')
+        self.assertEqual(data['day_of_week'], 1)
+
+    @patch('apps.backups.api_views.update_schedule_settings')
+    def test_update_schedule_validation_error(self, mock_update_settings):
+        """Test schedule update with invalid data"""
+        mock_update_settings.side_effect = ValueError("frequency must be 'daily' or 'weekly'")
+
+        auth_header = self.get_auth_header(self.admin_user)
+        url = '/api/backups/schedule/update/'
+        response = self.client.put(
+            url,
+            {'frequency': 'invalid'},
+            content_type='application/json',
+            HTTP_AUTHORIZATION=auth_header
+        )
+
+        self.assertEqual(response.status_code, 400)
+        data = response.json()
+        self.assertIn('frequency', data['detail'])
+
+
+class BackupSchedulerTestCase(TestCase):
+    """Test cases for backup scheduler"""
+
+    databases = {'default'}
+
+    @classmethod
+    def setUpClass(cls):
+        pass
+
+    @classmethod
+    def tearDownClass(cls):
+        pass
+
+    def setUp(self):
+        from core.models import CoreSettings
+        # Clean up any existing settings
+        CoreSettings.objects.filter(key__startswith='backup_').delete()
+
+    def tearDown(self):
+        from core.models import CoreSettings
+        from django_celery_beat.models import PeriodicTask
+        CoreSettings.objects.filter(key__startswith='backup_').delete()
+        PeriodicTask.objects.filter(name='backup-scheduled-task').delete()
+
+    def test_get_schedule_settings_defaults(self):
+        """Test that get_schedule_settings returns defaults when no settings exist"""
+        from . import scheduler
+
+        settings = scheduler.get_schedule_settings()
+
+        self.assertEqual(settings['enabled'], False)
+        self.assertEqual(settings['frequency'], 'daily')
+        self.assertEqual(settings['time'], '03:00')
+        self.assertEqual(settings['day_of_week'], 0)
+        self.assertEqual(settings['retention_count'], 0)
+        self.assertEqual(settings['cron_expression'], '')
+
+    def test_update_schedule_settings_stores_values(self):
+        """Test that update_schedule_settings stores values correctly"""
+        from . import scheduler
+
+        result = scheduler.update_schedule_settings({
+            'enabled': True,
+            'frequency': 'weekly',
+            'time': '04:30',
+            'day_of_week': 3,
+            'retention_count': 7,
+        })
+
+        self.assertEqual(result['enabled'], True)
+        self.assertEqual(result['frequency'], 'weekly')
+        self.assertEqual(result['time'], '04:30')
+        self.assertEqual(result['day_of_week'], 3)
+        self.assertEqual(result['retention_count'], 7)
+
+        # Verify persistence
+        settings = scheduler.get_schedule_settings()
+        self.assertEqual(settings['enabled'], True)
+        self.assertEqual(settings['frequency'], 'weekly')
+
+    def test_update_schedule_settings_invalid_frequency(self):
+        """Test that invalid frequency raises ValueError"""
+        from . import scheduler
+
+        with self.assertRaises(ValueError) as context:
+            scheduler.update_schedule_settings({'frequency': 'monthly'})
+
+        self.assertIn('frequency', str(context.exception).lower())
+
+    def test_update_schedule_settings_invalid_time(self):
+        """Test that invalid time raises ValueError"""
+        from . import scheduler
+
+        with self.assertRaises(ValueError) as context:
+            scheduler.update_schedule_settings({'time': 'invalid'})
+
+        self.assertIn('HH:MM', str(context.exception))
+
+    def test_update_schedule_settings_invalid_day_of_week(self):
+        """Test that invalid day_of_week raises ValueError"""
+        from . import scheduler
+
+        with self.assertRaises(ValueError) as context:
+            scheduler.update_schedule_settings({'day_of_week': 7})
+
+        self.assertIn('day_of_week', str(context.exception).lower())
+
+    def test_update_schedule_settings_invalid_retention(self):
+        """Test that negative retention_count raises ValueError"""
+        from . import scheduler
+
+        with self.assertRaises(ValueError) as context:
+            scheduler.update_schedule_settings({'retention_count': -1})
+
+        self.assertIn('retention_count', str(context.exception).lower())
+
+    def test_sync_creates_periodic_task_when_enabled(self):
+        """Test that enabling schedule creates a PeriodicTask"""
+        from . import scheduler
+        from django_celery_beat.models import PeriodicTask
+
+        scheduler.update_schedule_settings({
+            'enabled': True,
+            'frequency': 'daily',
+            'time': '05:00',
+        })
+
+        task = PeriodicTask.objects.get(name='backup-scheduled-task')
+        self.assertTrue(task.enabled)
+        self.assertEqual(task.crontab.hour, '05')
+        self.assertEqual(task.crontab.minute, '00')
+
+    def test_sync_deletes_periodic_task_when_disabled(self):
+        """Test that disabling schedule removes PeriodicTask"""
+        from . import scheduler
+        from django_celery_beat.models import PeriodicTask
+
+        # First enable
+        scheduler.update_schedule_settings({
+            'enabled': True,
+            'frequency': 'daily',
+            'time': '05:00',
+        })
+
+        self.assertTrue(PeriodicTask.objects.filter(name='backup-scheduled-task').exists())
+
+        # Then disable
+        scheduler.update_schedule_settings({'enabled': False})
+
+        self.assertFalse(PeriodicTask.objects.filter(name='backup-scheduled-task').exists())
+
+    def test_weekly_schedule_sets_day_of_week(self):
+        """Test that weekly schedule sets correct day_of_week in crontab"""
+        from . import scheduler
+        from django_celery_beat.models import PeriodicTask
+
+        scheduler.update_schedule_settings({
+            'enabled': True,
+            'frequency': 'weekly',
+            'time': '06:00',
+            'day_of_week': 3,  # Wednesday
+        })
+
+        task = PeriodicTask.objects.get(name='backup-scheduled-task')
+        self.assertEqual(task.crontab.day_of_week, '3')
+
+    def test_cron_expression_stores_value(self):
+        """Test that cron_expression is stored and retrieved correctly"""
+        from . import scheduler
+
+        result = scheduler.update_schedule_settings({
+            'enabled': True,
+            'cron_expression': '*/5 * * * *',
+        })
+
+        self.assertEqual(result['cron_expression'], '*/5 * * * *')
+
+        # Verify persistence
+        settings = scheduler.get_schedule_settings()
+        self.assertEqual(settings['cron_expression'], '*/5 * * * *')
+
+    def test_cron_expression_creates_correct_schedule(self):
+        """Test that cron expression creates correct CrontabSchedule"""
+        from . import scheduler
+        from django_celery_beat.models import PeriodicTask
+
+        scheduler.update_schedule_settings({
+            'enabled': True,
+            'cron_expression': '*/15 2 * * 1-5',  # Every 15 mins during 2 AM hour on weekdays
+        })
+
+        task = PeriodicTask.objects.get(name='backup-scheduled-task')
+        self.assertEqual(task.crontab.minute, '*/15')
+        self.assertEqual(task.crontab.hour, '2')
+        self.assertEqual(task.crontab.day_of_month, '*')
+        self.assertEqual(task.crontab.month_of_year, '*')
+        self.assertEqual(task.crontab.day_of_week, '1-5')
+
+    def test_cron_expression_invalid_format(self):
+        """Test that invalid cron expression raises ValueError"""
+        from . import scheduler
+
+        # Too few parts
+        with self.assertRaises(ValueError) as context:
+            scheduler.update_schedule_settings({
+                'enabled': True,
+                'cron_expression': '0 3 *',
+            })
+        self.assertIn('5 parts', str(context.exception))
+
+    def test_cron_expression_empty_uses_simple_mode(self):
+        """Test that empty cron_expression falls back to simple frequency mode"""
+        from . import scheduler
+        from django_celery_beat.models import PeriodicTask
+
+        scheduler.update_schedule_settings({
+            'enabled': True,
+            'frequency': 'daily',
+            'time': '04:00',
+            'cron_expression': '',  # Empty, should use simple mode
+        })
+
+        task = PeriodicTask.objects.get(name='backup-scheduled-task')
+        self.assertEqual(task.crontab.minute, '00')
+        self.assertEqual(task.crontab.hour, '04')
+        self.assertEqual(task.crontab.day_of_week, '*')
+
+    def test_cron_expression_overrides_simple_settings(self):
+        """Test that cron_expression takes precedence over frequency/time"""
+        from . import scheduler
+        from django_celery_beat.models import PeriodicTask
+
+        scheduler.update_schedule_settings({
+            'enabled': True,
+            'frequency': 'daily',
+            'time': '03:00',
+            'cron_expression': '0 */6 * * *',  # Every 6 hours (should override daily at 3 AM)
+        })
+
+        task = PeriodicTask.objects.get(name='backup-scheduled-task')
+        self.assertEqual(task.crontab.minute, '0')
+        self.assertEqual(task.crontab.hour, '*/6')
+        self.assertEqual(task.crontab.day_of_week, '*')
+
+    def test_periodic_task_uses_system_timezone(self):
+        """Test that CrontabSchedule is created with the system timezone"""
+        from . import scheduler
+        from django_celery_beat.models import PeriodicTask
+        from core.models import CoreSettings
+
+        original_tz = CoreSettings.get_system_time_zone()
+
+        try:
+            # Set a non-UTC timezone
+            CoreSettings.set_system_time_zone('America/New_York')
+
+            scheduler.update_schedule_settings({
+                'enabled': True,
+                'frequency': 'daily',
+                'time': '03:00',
+            })
+
+            task = PeriodicTask.objects.get(name='backup-scheduled-task')
+            self.assertEqual(str(task.crontab.timezone), 'America/New_York')
+        finally:
+            scheduler.update_schedule_settings({'enabled': False})
+            CoreSettings.set_system_time_zone(original_tz)
+
+    def test_periodic_task_timezone_updates_with_schedule(self):
+        """Test that CrontabSchedule timezone is updated when schedule is modified"""
+        from . import scheduler
+        from django_celery_beat.models import PeriodicTask
+        from core.models import CoreSettings
+
+        original_tz = CoreSettings.get_system_time_zone()
+
+        try:
+            # Create initial schedule with one timezone
+            CoreSettings.set_system_time_zone('America/Los_Angeles')
+            scheduler.update_schedule_settings({
+                'enabled': True,
+                'frequency': 'daily',
+                'time': '02:00',
+            })
+
+            task = PeriodicTask.objects.get(name='backup-scheduled-task')
+            self.assertEqual(str(task.crontab.timezone), 'America/Los_Angeles')
+
+            # Change system timezone and update schedule
+            CoreSettings.set_system_time_zone('Europe/London')
+            scheduler.update_schedule_settings({
+                'enabled': True,
+                'time': '04:00',
+            })
+
+            task.refresh_from_db()
+            self.assertEqual(str(task.crontab.timezone), 'Europe/London')
+        finally:
+            scheduler.update_schedule_settings({'enabled': False})
+            CoreSettings.set_system_time_zone(original_tz)
+
+    def test_orphaned_crontab_cleanup(self):
+        """Test that old CrontabSchedule is deleted when schedule changes"""
+        from . import scheduler
+        from django_celery_beat.models import PeriodicTask, CrontabSchedule
+
+        # Create initial daily schedule
+        scheduler.update_schedule_settings({
+            'enabled': True,
+            'frequency': 'daily',
+            'time': '03:00',
+        })
+
+        task = PeriodicTask.objects.get(name='backup-scheduled-task')
+        first_crontab_id = task.crontab.id
+        initial_count = CrontabSchedule.objects.count()
+
+        # Change to weekly schedule (different crontab)
+        scheduler.update_schedule_settings({
+            'enabled': True,
+            'frequency': 'weekly',
+            'day_of_week': 3,
+            'time': '03:00',
+        })
+
+        task.refresh_from_db()
+        second_crontab_id = task.crontab.id
+
+        # Verify old crontab was deleted
+        self.assertNotEqual(first_crontab_id, second_crontab_id)
+        self.assertFalse(CrontabSchedule.objects.filter(id=first_crontab_id).exists())
+        self.assertEqual(CrontabSchedule.objects.count(), initial_count)
+
+        # Cleanup
+        scheduler.update_schedule_settings({'enabled': False})
+
+
+class BackupTasksTestCase(TestCase):
+    """Test cases for backup Celery tasks"""
+
+    def setUp(self):
+        self.temp_backup_dir = tempfile.mkdtemp()
+
+    def tearDown(self):
+        import shutil
+        if Path(self.temp_backup_dir).exists():
+            shutil.rmtree(self.temp_backup_dir)
+
+    @patch('apps.backups.tasks.services.list_backups')
+    @patch('apps.backups.tasks.services.delete_backup')
+    def test_cleanup_old_backups_keeps_recent(self, mock_delete, mock_list):
+        """Test that cleanup keeps the most recent backups"""
+        from .tasks import _cleanup_old_backups
+
+        mock_list.return_value = [
+            {'name': 'backup-3.zip'},  # newest
+            {'name': 'backup-2.zip'},
+            {'name': 'backup-1.zip'},  # oldest
+        ]
+
+        deleted = _cleanup_old_backups(retention_count=2)
+
+        self.assertEqual(deleted, 1)
+        mock_delete.assert_called_once_with('backup-1.zip')
+
+    @patch('apps.backups.tasks.services.list_backups')
+    @patch('apps.backups.tasks.services.delete_backup')
+    def test_cleanup_old_backups_does_nothing_when_under_limit(self, mock_delete, mock_list):
+        """Test that cleanup does nothing when under retention limit"""
+        from .tasks import _cleanup_old_backups
+
+        mock_list.return_value = [
+            {'name': 'backup-2.zip'},
+            {'name': 'backup-1.zip'},
+        ]
+
+        deleted = _cleanup_old_backups(retention_count=5)
+
+        self.assertEqual(deleted, 0)
+        mock_delete.assert_not_called()
+
+    @patch('apps.backups.tasks.services.list_backups')
+    @patch('apps.backups.tasks.services.delete_backup')
+    def test_cleanup_old_backups_zero_retention_keeps_all(self, mock_delete, mock_list):
+        """Test that retention_count=0 keeps all backups"""
+        from .tasks import _cleanup_old_backups
+
+        mock_list.return_value = [
+            {'name': 'backup-3.zip'},
+            {'name': 'backup-2.zip'},
+            {'name': 'backup-1.zip'},
+        ]
+
+        deleted = _cleanup_old_backups(retention_count=0)
+
+        self.assertEqual(deleted, 0)
+        mock_delete.assert_not_called()
+
+    @patch('apps.backups.tasks.services.create_backup')
+    @patch('apps.backups.tasks._cleanup_old_backups')
+    def test_scheduled_backup_task_success(self, mock_cleanup, mock_create):
+        """Test scheduled backup task success"""
+        from .tasks import scheduled_backup_task
+
+        mock_backup_file = MagicMock()
+        mock_backup_file.name = 'scheduled-backup.zip'
+        mock_backup_file.stat.return_value.st_size = 1024
+        mock_create.return_value = mock_backup_file
+        mock_cleanup.return_value = 2
+
+        result = scheduled_backup_task(retention_count=5)
+
+        self.assertEqual(result['status'], 'completed')
+        self.assertEqual(result['filename'], 'scheduled-backup.zip')
+        self.assertEqual(result['size'], 1024)
+        self.assertEqual(result['deleted_count'], 2)
+        mock_cleanup.assert_called_once_with(5)
+
+    @patch('apps.backups.tasks.services.create_backup')
+    @patch('apps.backups.tasks._cleanup_old_backups')
+    def test_scheduled_backup_task_no_cleanup_when_retention_zero(self, mock_cleanup, mock_create):
+        """Test scheduled backup skips cleanup when retention is 0"""
+        from .tasks import scheduled_backup_task
+
+        mock_backup_file = MagicMock()
+        mock_backup_file.name = 'scheduled-backup.zip'
+        mock_backup_file.stat.return_value.st_size = 1024
+        mock_create.return_value = mock_backup_file
+
+        result = scheduled_backup_task(retention_count=0)
+
+        self.assertEqual(result['status'], 'completed')
+        self.assertEqual(result['deleted_count'], 0)
+        mock_cleanup.assert_not_called()
+
+    @patch('apps.backups.tasks.services.create_backup')
+    def test_scheduled_backup_task_failure(self, mock_create):
+        """Test scheduled backup task handles failure"""
+        from .tasks import scheduled_backup_task
+
+        mock_create.side_effect = Exception("Backup failed")
+
+        result = scheduled_backup_task(retention_count=5)
+
+        self.assertEqual(result['status'], 'failed')
+        self.assertIn('Backup failed', result['error'])
diff --git a/dispatcharr/settings.py b/dispatcharr/settings.py
index 5f8c23e2..556fb39d 100644
--- a/dispatcharr/settings.py
+++ b/dispatcharr/settings.py
@@ -226,6 +226,13 @@ CELERY_BEAT_SCHEDULE = {
 MEDIA_ROOT = BASE_DIR / "media"
 MEDIA_URL = "/media/"
 
+# Backup settings
+BACKUP_ROOT = os.environ.get("BACKUP_ROOT", "/data/backups")
+BACKUP_DATA_DIRS = [
+    os.environ.get("LOGOS_DIR", "/data/logos"),
+    os.environ.get("UPLOADS_DIR", "/data/uploads"),
+    os.environ.get("PLUGINS_DIR", "/data/plugins"),
+]
 
 SERVER_IP = "127.0.0.1"
 
diff --git a/docker/nginx.conf b/docker/nginx.conf
index 020bc99a..406d587c 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -35,6 +35,13 @@ server {
         root /data;
     }
 
+    # Internal location for X-Accel-Redirect backup downloads
+    # Django handles auth, nginx serves the file directly
+    location /protected-backups/ {
+        internal;
+        alias /data/backups/;
+    }
+
     location /api/logos/(?<logo_id>\d+)/cache/ {
         proxy_pass http://127.0.0.1:5656;
         proxy_cache logo_cache;
diff --git a/docker/uwsgi.ini b/docker/uwsgi.ini
index f8fe8ab7..d831adfc 100644
--- a/docker/uwsgi.ini
+++ b/docker/uwsgi.ini
@@ -21,6 +21,7 @@ module = dispatcharr.wsgi:application
 virtualenv = /dispatcharrpy
 master = true
 env = DJANGO_SETTINGS_MODULE=dispatcharr.settings
+env = USE_NGINX_ACCEL=true
 socket = /app/uwsgi.sock
 chmod-socket = 777
 vacuum = true
diff --git a/frontend/src/api.js b/frontend/src/api.js
index 7eda6a3f..14067a02 100644
--- a/frontend/src/api.js
+++ b/frontend/src/api.js
@@ -1349,6 +1349,183 @@ export default class API {
     }
   }
 
+  // Backup API (async with Celery task polling)
+  static async listBackups() {
+    try {
+      const response = await request(`${host}/api/backups/`);
+      return response || [];
+    } catch (e) {
+      errorNotification('Failed to load backups', e);
+      throw e;
+    }
+  }
+
+  static async getBackupStatus(taskId, token = null) {
+    try {
+      let url = `${host}/api/backups/status/${taskId}/`;
+      if (token) {
+        url += `?token=${encodeURIComponent(token)}`;
+      }
+      const response = await request(url, { auth: !token });
+      return response;
+    } catch (e) {
+      throw e;
+    }
+  }
+
+  static async waitForBackupTask(taskId, onProgress, token = null) {
+    const pollInterval = 2000; // Poll every 2 seconds
+    const maxAttempts = 300; // Max 10 minutes (300 * 2s)
+
+    for (let attempt = 0; attempt < maxAttempts; attempt++) {
+      try {
+        const status = await API.getBackupStatus(taskId, token);
+
+        if (onProgress) {
+          onProgress(status);
+        }
+
+        if (status.state === 'completed') {
+          return status.result;
+        } else if (status.state === 'failed') {
+          throw new Error(status.error || 'Task failed');
+        }
+      } catch (e) {
+        throw e;
+      }
+
+      // Wait before next poll
+      await new Promise((resolve) => setTimeout(resolve, pollInterval));
+    }
+
+    throw new Error('Task timed out');
+  }
+
+  static async createBackup(onProgress) {
+    try {
+      // Start the backup task
+      const response = await request(`${host}/api/backups/create/`, {
+        method: 'POST',
+      });
+
+      // Wait for the task to complete using token for auth
+      const result = await API.waitForBackupTask(response.task_id, onProgress, response.task_token);
+      return result;
+    } catch (e) {
+      errorNotification('Failed to create backup', e);
+      throw e;
+    }
+  }
+
+  static async uploadBackup(file) {
+    try {
+      const formData = new FormData();
+      formData.append('file', file);
+
+      const response = await request(
+        `${host}/api/backups/upload/`,
+        {
+          method: 'POST',
+          body: formData,
+        }
+      );
+      return response;
+    } catch (e) {
+      errorNotification('Failed to upload backup', e);
+      throw e;
+    }
+  }
+
+  static async deleteBackup(filename) {
+    try {
+      const encodedFilename = encodeURIComponent(filename);
+      await request(`${host}/api/backups/${encodedFilename}/delete/`, {
+        method: 'DELETE',
+      });
+    } catch (e) {
+      errorNotification('Failed to delete backup', e);
+      throw e;
+    }
+  }
+
+  static async getDownloadToken(filename) {
+    // Get a download token from the server
+    try {
+      const response = await request(`${host}/api/backups/${encodeURIComponent(filename)}/download-token/`);
+      return response.token;
+    } catch (e) {
+      throw e;
+    }
+  }
+
+  static async downloadBackup(filename) {
+    try {
+      // Get a download token first (requires auth)
+      const token = await API.getDownloadToken(filename);
+      const encodedFilename = encodeURIComponent(filename);
+
+      // Build the download URL with token
+      const downloadUrl = `${host}/api/backups/${encodedFilename}/download/?token=${encodeURIComponent(token)}`;
+
+      // Use direct browser navigation instead of fetch to avoid CORS issues
+      const link = document.createElement('a');
+      link.href = downloadUrl;
+      link.download = filename;
+      document.body.appendChild(link);
+      link.click();
+      document.body.removeChild(link);
+
+      return { filename };
+    } catch (e) {
+      errorNotification('Failed to download backup', e);
+      throw e;
+    }
+  }
+
+  static async restoreBackup(filename, onProgress) {
+    try {
+      // Start the restore task
+      const encodedFilename = encodeURIComponent(filename);
+      const response = await request(
+        `${host}/api/backups/${encodedFilename}/restore/`,
+        {
+          method: 'POST',
+        }
+      );
+
+      // Wait for the task to complete using token for auth
+      // Token-based auth allows status polling even after DB restore invalidates user sessions
+      const result = await API.waitForBackupTask(response.task_id, onProgress, response.task_token);
+      return result;
+    } catch (e) {
+      errorNotification('Failed to restore backup', e);
+      throw e;
+    }
+  }
+
+  static async getBackupSchedule() {
+    try {
+      const response = await request(`${host}/api/backups/schedule/`);
+      return response;
+    } catch (e) {
+      errorNotification('Failed to get backup schedule', e);
+      throw e;
+    }
+  }
+
+  static async updateBackupSchedule(settings) {
+    try {
+      const response = await request(`${host}/api/backups/schedule/update/`, {
+        method: 'PUT',
+        body: settings,
+      });
+      return response;
+    } catch (e) {
+      errorNotification('Failed to update backup schedule', e);
+      throw e;
+    }
+  }
+
   static async getVersion() {
     try {
       const response = await request(`${host}/api/core/version/`, {
diff --git a/frontend/src/components/backups/BackupManager.jsx b/frontend/src/components/backups/BackupManager.jsx
new file mode 100644
index 00000000..fed0dcfa
--- /dev/null
+++ b/frontend/src/components/backups/BackupManager.jsx
@@ -0,0 +1,902 @@
+import { useEffect, useMemo, useState } from 'react';
+import {
+  ActionIcon,
+  Box,
+  Button,
+  FileInput,
+  Flex,
+  Group,
+  Loader,
+  Modal,
+  NumberInput,
+  Paper,
+  Select,
+  Stack,
+  Switch,
+  Text,
+  TextInput,
+  Tooltip,
+} from '@mantine/core';
+import {
+  Download,
+  RefreshCcw,
+  RotateCcw,
+  SquareMinus,
+  SquarePlus,
+  UploadCloud,
+} from 'lucide-react';
+import { notifications } from '@mantine/notifications';
+import dayjs from 'dayjs';
+
+import API from '../../api';
+import ConfirmationDialog from '../ConfirmationDialog';
+import useLocalStorage from '../../hooks/useLocalStorage';
+import useWarningsStore from '../../store/warnings';
+import { CustomTable, useTable } from '../tables/CustomTable';
+
+const RowActions = ({ row, handleDownload, handleRestoreClick, handleDeleteClick, downloading }) => {
+  return (
+    <Flex gap={4} wrap="nowrap">
+      <Tooltip label="Download">
+        <ActionIcon
+          variant="transparent"
+          size="sm"
+          color="blue.5"
+          onClick={() => handleDownload(row.original.name)}
+          loading={downloading === row.original.name}
+          disabled={downloading !== null}
+        >
+          <Download size={18} />
+        </ActionIcon>
+      </Tooltip>
+      <Tooltip label="Restore">
+        <ActionIcon
+          variant="transparent"
+          size="sm"
+          color="yellow.5"
+          onClick={() => handleRestoreClick(row.original)}
+        >
+          <RotateCcw size={18} />
+        </ActionIcon>
+      </Tooltip>
+      <Tooltip label="Delete">
+        <ActionIcon
+          variant="transparent"
+          size="sm"
+          color="red.9"
+          onClick={() => handleDeleteClick(row.original)}
+        >
+          <SquareMinus size={18} />
+        </ActionIcon>
+      </Tooltip>
+    </Flex>
+  );
+};
+
+// Convert 24h time string to 12h format with period
+function to12Hour(time24) {
+  if (!time24) return { time: '12:00', period: 'AM' };
+  const [hours, minutes] = time24.split(':').map(Number);
+  const period = hours >= 12 ? 'PM' : 'AM';
+  const hours12 = hours % 12 || 12;
+  return {
+    time: `${hours12}:${String(minutes).padStart(2, '0')}`,
+    period,
+  };
+}
+
+// Convert 12h time + period to 24h format
+function to24Hour(time12, period) {
+  if (!time12) return '00:00';
+  const [hours, minutes] = time12.split(':').map(Number);
+  let hours24 = hours;
+  if (period === 'PM' && hours !== 12) {
+    hours24 = hours + 12;
+  } else if (period === 'AM' && hours === 12) {
+    hours24 = 0;
+  }
+  return `${String(hours24).padStart(2, '0')}:${String(minutes).padStart(2, '0')}`;
+}
+
+
+// Get default timezone (same as Settings page)
+function getDefaultTimeZone() {
+  try {
+    return Intl.DateTimeFormat().resolvedOptions().timeZone || 'UTC';
+  } catch {
+    return 'UTC';
+  }
+}
+
+// Validate cron expression
+function validateCronExpression(expression) {
+  if (!expression || expression.trim() === '') {
+    return { valid: false, error: 'Cron expression is required' };
+  }
+
+  const parts = expression.trim().split(/\s+/);
+  if (parts.length !== 5) {
+    return { valid: false, error: 'Cron expression must have exactly 5 parts: minute hour day month weekday' };
+  }
+
+  const [minute, hour, dayOfMonth, month, dayOfWeek] = parts;
+
+  // Validate each part (allowing *, */N steps, ranges, lists, steps)
+  // Supports: *, */2, 5, 1-5, 1-5/2, 1,3,5, etc.
+  const cronPartRegex = /^(\*\/\d+|\*|\d+(-\d+)?(\/\d+)?(,\d+(-\d+)?(\/\d+)?)*)$/;
+
+  if (!cronPartRegex.test(minute)) {
+    return { valid: false, error: 'Invalid minute field (0-59, *, or cron syntax)' };
+  }
+  if (!cronPartRegex.test(hour)) {
+    return { valid: false, error: 'Invalid hour field (0-23, *, or cron syntax)' };
+  }
+  if (!cronPartRegex.test(dayOfMonth)) {
+    return { valid: false, error: 'Invalid day field (1-31, *, or cron syntax)' };
+  }
+  if (!cronPartRegex.test(month)) {
+    return { valid: false, error: 'Invalid month field (1-12, *, or cron syntax)' };
+  }
+  if (!cronPartRegex.test(dayOfWeek)) {
+    return { valid: false, error: 'Invalid weekday field (0-6, *, or cron syntax)' };
+  }
+
+  // Additional range validation for numeric values
+  const validateRange = (value, min, max, name) => {
+    // Skip if it's * or contains special characters
+    if (value === '*' || value.includes('/') || value.includes('-') || value.includes(',')) {
+      return null;
+    }
+    const num = parseInt(value, 10);
+    if (isNaN(num) || num < min || num > max) {
+      return `${name} must be between ${min} and ${max}`;
+    }
+    return null;
+  };
+
+  const minuteError = validateRange(minute, 0, 59, 'Minute');
+  if (minuteError) return { valid: false, error: minuteError };
+
+  const hourError = validateRange(hour, 0, 23, 'Hour');
+  if (hourError) return { valid: false, error: hourError };
+
+  const dayError = validateRange(dayOfMonth, 1, 31, 'Day');
+  if (dayError) return { valid: false, error: dayError };
+
+  const monthError = validateRange(month, 1, 12, 'Month');
+  if (monthError) return { valid: false, error: monthError };
+
+  const weekdayError = validateRange(dayOfWeek, 0, 6, 'Weekday');
+  if (weekdayError) return { valid: false, error: weekdayError };
+
+  return { valid: true, error: null };
+}
+
+const DAYS_OF_WEEK = [
+  { value: '0', label: 'Sunday' },
+  { value: '1', label: 'Monday' },
+  { value: '2', label: 'Tuesday' },
+  { value: '3', label: 'Wednesday' },
+  { value: '4', label: 'Thursday' },
+  { value: '5', label: 'Friday' },
+  { value: '6', label: 'Saturday' },
+];
+
+function formatBytes(bytes) {
+  if (bytes === 0) return '0 B';
+  const k = 1024;
+  const sizes = ['B', 'KB', 'MB', 'GB'];
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return `${(bytes / Math.pow(k, i)).toFixed(2)} ${sizes[i]}`;
+}
+
+export default function BackupManager() {
+  const [backups, setBackups] = useState([]);
+  const [loading, setLoading] = useState(false);
+  const [creating, setCreating] = useState(false);
+  const [downloading, setDownloading] = useState(null);
+  const [uploadFile, setUploadFile] = useState(null);
+  const [uploadModalOpen, setUploadModalOpen] = useState(false);
+  const [restoreConfirmOpen, setRestoreConfirmOpen] = useState(false);
+  const [deleteConfirmOpen, setDeleteConfirmOpen] = useState(false);
+  const [selectedBackup, setSelectedBackup] = useState(null);
+
+  // Read user's preferences from settings
+  const [timeFormat] = useLocalStorage('time-format', '12h');
+  const [dateFormatSetting] = useLocalStorage('date-format', 'mdy');
+  const [tableSize] = useLocalStorage('table-size', 'default');
+  const [userTimezone] = useLocalStorage('time-zone', getDefaultTimeZone());
+  const is12Hour = timeFormat === '12h';
+
+  // Format date according to user preferences
+  const formatDate = (dateString) => {
+    const date = dayjs(dateString);
+    const datePart = dateFormatSetting === 'mdy' ? 'MM/DD/YYYY' : 'DD/MM/YYYY';
+    const timePart = is12Hour ? 'h:mm:ss A' : 'HH:mm:ss';
+    return date.format(`${datePart}, ${timePart}`);
+  };
+
+  // Warning suppression for confirmation dialogs
+  const suppressWarning = useWarningsStore((s) => s.suppressWarning);
+
+  // Schedule state
+  const [schedule, setSchedule] = useState({
+    enabled: false,
+    frequency: 'daily',
+    time: '03:00',
+    day_of_week: 0,
+    retention_count: 0,
+    cron_expression: '',
+  });
+  const [scheduleLoading, setScheduleLoading] = useState(false);
+  const [scheduleSaving, setScheduleSaving] = useState(false);
+  const [scheduleChanged, setScheduleChanged] = useState(false);
+  const [advancedMode, setAdvancedMode] = useState(false);
+  const [cronError, setCronError] = useState(null);
+
+  // For 12-hour display mode
+  const [displayTime, setDisplayTime] = useState('3:00');
+  const [timePeriod, setTimePeriod] = useState('AM');
+
+  const columns = useMemo(
+    () => [
+      {
+        header: 'Filename',
+        accessorKey: 'name',
+        grow: true,
+        cell: ({ cell }) => (
+          <div
+            style={{
+              whiteSpace: 'nowrap',
+              overflow: 'hidden',
+              textOverflow: 'ellipsis',
+            }}
+          >
+            {cell.getValue()}
+          </div>
+        ),
+      },
+      {
+        header: 'Size',
+        accessorKey: 'size',
+        size: 80,
+        cell: ({ cell }) => (
+          <Text size="sm">{formatBytes(cell.getValue())}</Text>
+        ),
+      },
+      {
+        header: 'Created',
+        accessorKey: 'created',
+        minSize: 180,
+        cell: ({ cell }) => (
+          <Text size="sm" style={{ whiteSpace: 'nowrap' }}>
+            {formatDate(cell.getValue())}
+          </Text>
+        ),
+      },
+      {
+        id: 'actions',
+        header: 'Actions',
+        size: tableSize === 'compact' ? 75 : 100,
+      },
+    ],
+    [tableSize]
+  );
+
+  const renderHeaderCell = (header) => {
+    return (
+      <Text size="sm" name={header.id}>
+        {header.column.columnDef.header}
+      </Text>
+    );
+  };
+
+  const renderBodyCell = ({ cell, row }) => {
+    switch (cell.column.id) {
+      case 'actions':
+        return (
+          <RowActions
+            row={row}
+            handleDownload={handleDownload}
+            handleRestoreClick={handleRestoreClick}
+            handleDeleteClick={handleDeleteClick}
+            downloading={downloading}
+          />
+        );
+    }
+  };
+
+  const table = useTable({
+    columns,
+    data: backups,
+    allRowIds: backups.map((b) => b.name),
+    bodyCellRenderFns: {
+      actions: renderBodyCell,
+    },
+    headerCellRenderFns: {
+      name: renderHeaderCell,
+      size: renderHeaderCell,
+      created: renderHeaderCell,
+      actions: renderHeaderCell,
+    },
+  });
+
+  const loadBackups = async () => {
+    setLoading(true);
+    try {
+      const backupList = await API.listBackups();
+      setBackups(backupList);
+    } catch (error) {
+      notifications.show({
+        title: 'Error',
+        message: error?.message || 'Failed to load backups',
+        color: 'red',
+      });
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const loadSchedule = async () => {
+    setScheduleLoading(true);
+    try {
+      const settings = await API.getBackupSchedule();
+
+      // Check if using cron expression (advanced mode)
+      if (settings.cron_expression) {
+        setAdvancedMode(true);
+      }
+
+      setSchedule(settings);
+
+      // Initialize 12-hour display values
+      const { time, period } = to12Hour(settings.time);
+      setDisplayTime(time);
+      setTimePeriod(period);
+
+      setScheduleChanged(false);
+    } catch (error) {
+      // Ignore errors on initial load - settings may not exist yet
+    } finally {
+      setScheduleLoading(false);
+    }
+  };
+
+  useEffect(() => {
+    loadBackups();
+    loadSchedule();
+  }, []);
+
+  // Validate cron expression when switching to advanced mode
+  useEffect(() => {
+    if (advancedMode && schedule.cron_expression) {
+      const validation = validateCronExpression(schedule.cron_expression);
+      setCronError(validation.valid ? null : validation.error);
+    } else {
+      setCronError(null);
+    }
+  }, [advancedMode, schedule.cron_expression]);
+
+  const handleScheduleChange = (field, value) => {
+    setSchedule((prev) => ({ ...prev, [field]: value }));
+    setScheduleChanged(true);
+
+    // Validate cron expression if in advanced mode
+    if (field === 'cron_expression' && advancedMode) {
+      const validation = validateCronExpression(value);
+      setCronError(validation.valid ? null : validation.error);
+    }
+  };
+
+  // Handle time changes in 12-hour mode
+  const handleTimeChange12h = (newTime, newPeriod) => {
+    const time = newTime ?? displayTime;
+    const period = newPeriod ?? timePeriod;
+    setDisplayTime(time);
+    setTimePeriod(period);
+    // Convert to 24h and update schedule
+    const time24 = to24Hour(time, period);
+    handleScheduleChange('time', time24);
+  };
+
+  // Handle time changes in 24-hour mode
+  const handleTimeChange24h = (value) => {
+    handleScheduleChange('time', value);
+    // Also update 12h display state in case user switches formats
+    const { time, period } = to12Hour(value);
+    setDisplayTime(time);
+    setTimePeriod(period);
+  };
+
+  const handleSaveSchedule = async () => {
+    setScheduleSaving(true);
+    try {
+      const scheduleToSave = advancedMode
+        ? schedule
+        : { ...schedule, cron_expression: '' };
+
+      const updated = await API.updateBackupSchedule(scheduleToSave);
+      setSchedule(updated);
+      setScheduleChanged(false);
+
+      notifications.show({
+        title: 'Success',
+        message: 'Backup schedule saved',
+        color: 'green',
+      });
+    } catch (error) {
+      notifications.show({
+        title: 'Error',
+        message: error?.message || 'Failed to save schedule',
+        color: 'red',
+      });
+    } finally {
+      setScheduleSaving(false);
+    }
+  };
+
+  const handleCreateBackup = async () => {
+    setCreating(true);
+    try {
+      await API.createBackup();
+      notifications.show({
+        title: 'Success',
+        message: 'Backup created successfully',
+        color: 'green',
+      });
+      await loadBackups();
+    } catch (error) {
+      notifications.show({
+        title: 'Error',
+        message: error?.message || 'Failed to create backup',
+        color: 'red',
+      });
+    } finally {
+      setCreating(false);
+    }
+  };
+
+  const handleDownload = async (filename) => {
+    setDownloading(filename);
+    try {
+      await API.downloadBackup(filename);
+      notifications.show({
+        title: 'Download Started',
+        message: `Downloading ${filename}...`,
+        color: 'blue',
+      });
+    } catch (error) {
+      notifications.show({
+        title: 'Error',
+        message: error?.message || 'Failed to download backup',
+        color: 'red',
+      });
+    } finally {
+      setDownloading(null);
+    }
+  };
+
+  const handleDeleteClick = (backup) => {
+    setSelectedBackup(backup);
+    setDeleteConfirmOpen(true);
+  };
+
+  const handleDeleteConfirm = async () => {
+    try {
+      await API.deleteBackup(selectedBackup.name);
+      notifications.show({
+        title: 'Success',
+        message: 'Backup deleted successfully',
+        color: 'green',
+      });
+      await loadBackups();
+    } catch (error) {
+      notifications.show({
+        title: 'Error',
+        message: error?.message || 'Failed to delete backup',
+        color: 'red',
+      });
+    } finally {
+      setDeleteConfirmOpen(false);
+      setSelectedBackup(null);
+    }
+  };
+
+  const handleRestoreClick = (backup) => {
+    setSelectedBackup(backup);
+    setRestoreConfirmOpen(true);
+  };
+
+  const handleRestoreConfirm = async () => {
+    try {
+      await API.restoreBackup(selectedBackup.name);
+      notifications.show({
+        title: 'Success',
+        message: 'Backup restored successfully. You may need to refresh the page.',
+        color: 'green',
+      });
+      setTimeout(() => window.location.reload(), 2000);
+    } catch (error) {
+      notifications.show({
+        title: 'Error',
+        message: error?.message || 'Failed to restore backup',
+        color: 'red',
+      });
+    } finally {
+      setRestoreConfirmOpen(false);
+      setSelectedBackup(null);
+    }
+  };
+
+  const handleUploadSubmit = async () => {
+    if (!uploadFile) return;
+
+    try {
+      await API.uploadBackup(uploadFile);
+      notifications.show({
+        title: 'Success',
+        message: 'Backup uploaded successfully',
+        color: 'green',
+      });
+      setUploadModalOpen(false);
+      setUploadFile(null);
+      await loadBackups();
+    } catch (error) {
+      notifications.show({
+        title: 'Error',
+        message: error?.message || 'Failed to upload backup',
+        color: 'red',
+      });
+    }
+  };
+
+  return (
+    <Stack gap="md">
+      {/* Schedule Settings */}
+      <Stack gap="sm">
+        <Group justify="space-between">
+          <Text size="sm" fw={500}>Scheduled Backups</Text>
+          <Switch
+            checked={schedule.enabled}
+            onChange={(e) => handleScheduleChange('enabled', e.currentTarget.checked)}
+            label={schedule.enabled ? 'Enabled' : 'Disabled'}
+          />
+        </Group>
+
+        <Group justify="space-between">
+          <Text size="sm" fw={500}>Advanced (Cron Expression)</Text>
+          <Switch
+            checked={advancedMode}
+            onChange={(e) => setAdvancedMode(e.currentTarget.checked)}
+            label={advancedMode ? 'Enabled' : 'Disabled'}
+            disabled={!schedule.enabled}
+            size="sm"
+          />
+        </Group>
+
+        {scheduleLoading ? (
+          <Loader size="sm" />
+        ) : (
+          <>
+            {advancedMode ? (
+              <>
+                <Stack gap="sm">
+                  <TextInput
+                    label="Cron Expression"
+                    value={schedule.cron_expression}
+                    onChange={(e) => handleScheduleChange('cron_expression', e.currentTarget.value)}
+                    placeholder="0 3 * * *"
+                    description="Format: minute hour day month weekday (e.g., '0 3 * * *' = 3:00 AM daily)"
+                    disabled={!schedule.enabled}
+                    error={cronError}
+                  />
+                  <Text size="xs" c="dimmed">
+                    Examples: <br />
+                    • <code>0 3 * * *</code> - Every day at 3:00 AM<br />
+                    • <code>0 2 * * 0</code> - Every Sunday at 2:00 AM<br />
+                    • <code>0 */6 * * *</code> - Every 6 hours<br />
+                    • <code>30 14 1 * *</code> - 1st of every month at 2:30 PM
+                  </Text>
+                </Stack>
+                <Group grow align="flex-end">
+                  <NumberInput
+                    label="Retention"
+                    description="0 = keep all"
+                    value={schedule.retention_count}
+                    onChange={(value) => handleScheduleChange('retention_count', value || 0)}
+                    min={0}
+                    disabled={!schedule.enabled}
+                  />
+                  <Button
+                    onClick={handleSaveSchedule}
+                    loading={scheduleSaving}
+                    disabled={!scheduleChanged || (advancedMode && cronError)}
+                    variant="default"
+                  >
+                    Save
+                  </Button>
+                </Group>
+              </>
+            ) : (
+              <Stack gap="sm">
+                <Group align="flex-end" gap="xs" wrap="nowrap">
+                  <Select
+                    label="Frequency"
+                    value={schedule.frequency}
+                    onChange={(value) => handleScheduleChange('frequency', value)}
+                    data={[
+                      { value: 'daily', label: 'Daily' },
+                      { value: 'weekly', label: 'Weekly' },
+                    ]}
+                    disabled={!schedule.enabled}
+                  />
+                  {schedule.frequency === 'weekly' && (
+                    <Select
+                      label="Day"
+                      value={String(schedule.day_of_week)}
+                      onChange={(value) => handleScheduleChange('day_of_week', parseInt(value, 10))}
+                      data={DAYS_OF_WEEK}
+                      disabled={!schedule.enabled}
+                    />
+                  )}
+                  {is12Hour ? (
+                    <>
+                      <Select
+                        label="Hour"
+                        value={displayTime ? displayTime.split(':')[0] : '12'}
+                        onChange={(value) => {
+                          const minute = displayTime ? displayTime.split(':')[1] : '00';
+                          handleTimeChange12h(`${value}:${minute}`, null);
+                        }}
+                        data={Array.from({ length: 12 }, (_, i) => ({
+                          value: String(i + 1),
+                          label: String(i + 1),
+                        }))}
+                        disabled={!schedule.enabled}
+                        searchable
+                      />
+                      <Select
+                        label="Minute"
+                        value={displayTime ? displayTime.split(':')[1] : '00'}
+                        onChange={(value) => {
+                          const hour = displayTime ? displayTime.split(':')[0] : '12';
+                          handleTimeChange12h(`${hour}:${value}`, null);
+                        }}
+                        data={Array.from({ length: 60 }, (_, i) => ({
+                          value: String(i).padStart(2, '0'),
+                          label: String(i).padStart(2, '0'),
+                        }))}
+                        disabled={!schedule.enabled}
+                        searchable
+                      />
+                      <Select
+                        label="Period"
+                        value={timePeriod}
+                        onChange={(value) => handleTimeChange12h(null, value)}
+                        data={[
+                          { value: 'AM', label: 'AM' },
+                          { value: 'PM', label: 'PM' },
+                        ]}
+                        disabled={!schedule.enabled}
+                      />
+                    </>
+                  ) : (
+                    <>
+                      <Select
+                        label="Hour"
+                        value={schedule.time ? schedule.time.split(':')[0] : '00'}
+                        onChange={(value) => {
+                          const minute = schedule.time ? schedule.time.split(':')[1] : '00';
+                          handleTimeChange24h(`${value}:${minute}`);
+                        }}
+                        data={Array.from({ length: 24 }, (_, i) => ({
+                          value: String(i).padStart(2, '0'),
+                          label: String(i).padStart(2, '0'),
+                        }))}
+                        disabled={!schedule.enabled}
+                        searchable
+                      />
+                      <Select
+                        label="Minute"
+                        value={schedule.time ? schedule.time.split(':')[1] : '00'}
+                        onChange={(value) => {
+                          const hour = schedule.time ? schedule.time.split(':')[0] : '00';
+                          handleTimeChange24h(`${hour}:${value}`);
+                        }}
+                        data={Array.from({ length: 60 }, (_, i) => ({
+                          value: String(i).padStart(2, '0'),
+                          label: String(i).padStart(2, '0'),
+                        }))}
+                        disabled={!schedule.enabled}
+                        searchable
+                      />
+                    </>
+                  )}
+                </Group>
+                <Group grow align="flex-end" gap="xs">
+                  <NumberInput
+                    label="Retention"
+                    description="0 = keep all"
+                    value={schedule.retention_count}
+                    onChange={(value) => handleScheduleChange('retention_count', value || 0)}
+                    min={0}
+                    disabled={!schedule.enabled}
+                  />
+                  <Button
+                    onClick={handleSaveSchedule}
+                    loading={scheduleSaving}
+                    disabled={!scheduleChanged}
+                    variant="default"
+                  >
+                    Save
+                  </Button>
+                </Group>
+              </Stack>
+            )}
+
+            {/* Timezone info - only show in simple mode */}
+            {!advancedMode && schedule.enabled && schedule.time && (
+              <Text size="xs" c="dimmed" mt="xs">
+                System Timezone: {userTimezone} • Backup will run at {schedule.time} {userTimezone}
+              </Text>
+            )}
+          </>
+        )}
+      </Stack>
+
+      {/* Backups List */}
+      <Stack gap={0}>
+        <Paper>
+          <Box
+            style={{
+              display: 'flex',
+              justifyContent: 'flex-end',
+              padding: 10,
+            }}
+          >
+            <Flex gap={6}>
+              <Tooltip label="Upload existing backup">
+                <Button
+                  leftSection={<UploadCloud size={18} />}
+                  variant="light"
+                  size="xs"
+                  onClick={() => setUploadModalOpen(true)}
+                  p={5}
+                >
+                  Upload
+                </Button>
+              </Tooltip>
+              <Tooltip label="Refresh list">
+                <Button
+                  leftSection={<RefreshCcw size={18} />}
+                  variant="light"
+                  size="xs"
+                  onClick={loadBackups}
+                  loading={loading}
+                  p={5}
+                >
+                  Refresh
+                </Button>
+              </Tooltip>
+              <Tooltip label="Create new backup">
+                <Button
+                  leftSection={<SquarePlus size={18} />}
+                  variant="light"
+                  size="xs"
+                  onClick={handleCreateBackup}
+                  loading={creating}
+                  p={5}
+                  color="green"
+                  style={{
+                    borderWidth: '1px',
+                    borderColor: 'green',
+                    color: 'white',
+                  }}
+                >
+                  Create Backup
+                </Button>
+              </Tooltip>
+            </Flex>
+          </Box>
+        </Paper>
+
+        <Box
+          style={{
+            display: 'flex',
+            flexDirection: 'column',
+            maxHeight: 300,
+            width: '100%',
+            overflow: 'hidden',
+          }}
+        >
+          <Box
+            style={{
+              flex: 1,
+              overflowY: 'auto',
+              overflowX: 'auto',
+              border: 'solid 1px rgb(68,68,68)',
+              borderRadius: 'var(--mantine-radius-default)',
+            }}
+          >
+            {loading ? (
+              <Box p="xl" style={{ display: 'flex', justifyContent: 'center' }}>
+                <Loader />
+              </Box>
+            ) : backups.length === 0 ? (
+              <Text size="sm" c="dimmed" p="md" ta="center">
+                No backups found. Create one to get started.
+              </Text>
+            ) : (
+              <div style={{ minWidth: 500 }}>
+                <CustomTable table={table} />
+              </div>
+            )}
+          </Box>
+        </Box>
+      </Stack>
+
+      <Modal
+        opened={uploadModalOpen}
+        onClose={() => {
+          setUploadModalOpen(false);
+          setUploadFile(null);
+        }}
+        title="Upload Backup"
+      >
+        <Stack>
+          <FileInput
+            label="Select backup file"
+            placeholder="Choose a .zip file"
+            accept=".zip,application/zip,application/x-zip-compressed"
+            value={uploadFile}
+            onChange={setUploadFile}
+          />
+          <Group justify="flex-end">
+            <Button
+              variant="outline"
+              onClick={() => {
+                setUploadModalOpen(false);
+                setUploadFile(null);
+              }}
+            >
+              Cancel
+            </Button>
+            <Button onClick={handleUploadSubmit} disabled={!uploadFile} variant="default">
+              Upload
+            </Button>
+          </Group>
+        </Stack>
+      </Modal>
+
+      <ConfirmationDialog
+        opened={restoreConfirmOpen}
+        onClose={() => {
+          setRestoreConfirmOpen(false);
+          setSelectedBackup(null);
+        }}
+        onConfirm={handleRestoreConfirm}
+        title="Restore Backup"
+        message={`Are you sure you want to restore from "${selectedBackup?.name}"? This will replace all current data with the backup data. This action cannot be undone.`}
+        confirmLabel="Restore"
+        cancelLabel="Cancel"
+        actionKey="restore-backup"
+        onSuppressChange={suppressWarning}
+      />
+
+      <ConfirmationDialog
+        opened={deleteConfirmOpen}
+        onClose={() => {
+          setDeleteConfirmOpen(false);
+          setSelectedBackup(null);
+        }}
+        onConfirm={handleDeleteConfirm}
+        title="Delete Backup"
+        message={`Are you sure you want to delete "${selectedBackup?.name}"? This action cannot be undone.`}
+        confirmLabel="Delete"
+        cancelLabel="Cancel"
+        actionKey="delete-backup"
+        onSuppressChange={suppressWarning}
+      />
+    </Stack>
+  );
+}
diff --git a/frontend/src/pages/Settings.jsx b/frontend/src/pages/Settings.jsx
index 5c25897a..74de842e 100644
--- a/frontend/src/pages/Settings.jsx
+++ b/frontend/src/pages/Settings.jsx
@@ -30,6 +30,7 @@ import { isNotEmpty, useForm } from '@mantine/form';
 import { notifications } from '@mantine/notifications';
 import UserAgentsTable from '../components/tables/UserAgentsTable';
 import StreamProfilesTable from '../components/tables/StreamProfilesTable';
+import BackupManager from '../components/backups/BackupManager';
 import useLocalStorage from '../hooks/useLocalStorage';
 import useAuthStore from '../store/auth';
 import {
@@ -1306,6 +1307,13 @@ const SettingsPage = () => {
                   </form>
                 </Accordion.Panel>
               </Accordion.Item>
+
+              <Accordion.Item value="backups">
+                <Accordion.Control>Backup & Restore</Accordion.Control>
+                <Accordion.Panel>
+                  <BackupManager />
+                </Accordion.Panel>
+              </Accordion.Item>
             </>
           )}
         </Accordion>