Security
Built with security at the foundation
Migration Platform is designed so that sensitive credentials stay encrypted and tenant-scoped at all times. Your data is accessed to perform the migration you authorise — nothing more.
Security controls
Platform-level protections

| Control | Detail |
|---|---|
| Credential encryption | All connection secrets — client secrets, certificates, service account keys, and passwords — are encrypted at rest before being stored. They are decrypted only at runtime within an active migration run, and only by the tenant that owns them. |
| Tenant isolation | Each customer account operates in complete isolation. Credentials, projects, mappings, and transfer data are scoped strictly to the account that created them. Cross-tenant access is not possible. |
| Role-based access | Customer accounts and administrator accounts are separated by role. Customers can only view and manage their own projects and billing. Administrative functions are inaccessible to customer-role users. |
| Pre-flight validation | API permissions are validated against both source and destination before any migration run begins. Runs with insufficient permissions are rejected before a single item is read or written. |
| Prepaid billing only | There is no stored payment method on the platform. Credits are purchased through a secure checkout flow. All payment processing is handled by Stripe — no card details are stored here. |
| Immutable audit trail | All significant actions — authentication, project changes, run launches, and billing events — are recorded in an append-only audit log. Entries cannot be modified or deleted once written. |

Your credentials, your control
Migration Platform uses credentials you create and own within your own Azure AD, Google Workspace domain, or Exchange environment. You can revoke access at any time by removing the app registration or service account — the platform has no persistent back-channel.
Principle of least privilege
The guided setup for Microsoft 365 and Google Workspace requests only the API permissions required for migration — mail read and write, calendar, contacts, and directory enumeration. No broader administrative access is requested or required.