Didn't knew about this. They say that the API-Key is not stored. I would check if the Backup runs in your browser (which would be ok) or if it runs on their servers. With the last implementation I would never use it from a more or less anonymous system.
Interesting one. They seem to answer all common objections well. I would probably try it for my own org, but not for any clients without their prior permission. Generating an API key for this and then revoking after seems to keep it as safe as possible.