Security

Security is the product, not an afterthought

You're trusting us with the keys to your Microsoft 365 environment. Here's exactly how we protect that trust.

  • ISO 27001 Certified
  • Hostinger Hosted
  • DDoS & WAF Protected
  • TLS 1.3
  • AES-256-GCM

How we protect you

Six layers of security across every migration

🔐

Encryption at rest & in transit

  • OAuth tokens encrypted with AES-256-GCM before writing to database
  • All API traffic over TLS 1.3
  • Database backups encrypted at rest
  • Encryption keys rotated on a 90-day schedule
🛡️

Your content never passes through our servers

  • Email, files, and calendar data stream directly between tenants via Microsoft Graph API
  • We store only directory metadata needed to display migration progress (user list, site names)
  • No email bodies, file contents, or calendar events are stored or logged
  • Staging storage (Azure Blob) used only for SharePoint/OneDrive — purged immediately after migration
🔑

OAuth 2.0 service principal auth

  • Application permissions only — no user passwords ever collected or stored
  • Admin consent required from a Global Admin for each tenant connection
  • Minimum required Graph API scopes — no excess permissions requested
  • Tokens can be revoked from your Azure portal at any time
🏗️

Infrastructure security

  • Hosted on Hostinger dedicated servers — ISO/IEC 27001:2022 certified infrastructure
  • Private networking between all internal services
  • Daily database snapshots to encrypted S3-compatible storage
  • Automated dependency vulnerability scanning on every deploy
👁️

Access controls & audit

  • Role-based access control — org members can only see their own migrations
  • Immutable job audit logs — every state transition recorded with timestamp
  • Admin console access restricted to named employees with MFA
  • All access to production infrastructure logged and reviewed
📋

Compliance & certifications

  • Hosted on Hostinger infrastructure — ISO/IEC 27001:2022 certified
  • Hostinger data centres protected by DDoS mitigation, WAF, and IDS/IPS
  • Automated encrypted backups with business continuity and disaster recovery plans
  • Annual penetration testing conducted by an independent security firm
🔍

Responsible disclosure

Found a security vulnerability? We take all reports seriously and will respond within 24 hours. We operate a responsible disclosure policy — no legal action against good-faith researchers.

[email protected]