How secure is Carbo?
Have absolute confidence in our security. We have some of the best security practices in the tech industry. Carbo is powered by ShuttleCloud, the same technology that Google uses for their consumer Gmail service.
Google maintains an incredible standard for their brand and as a company with the distinct privilege of working with Google, ShuttleCloud is also held to a rigorous standard of security. In addition, in 2012, our current Director of Engineering found security flaws in Google’s system and was inducted into the Google Application Security Hall of Fame in Q2 2012.
How does Carbo Store Login Credentials?
For accounts on the G Suite domain, Carbo does not store login credentials. Carbo only stores a private key that our tool uses to authorize with Google. Carbo will never need any login credentials to migrate accounts within a G Suite domain that has Carbo installed.
After an application is downloaded from the Marketplace, permissions need to be granted before it can interface with G Suite. When a customer authorizes a third-party app, a key is generated that the application has to authorize with Google every time it needs to access the account. The key regularly changes and the specific permissions for any application can be changed or removed within the G Suite Admin Console.
What about Accounts not on the Google Apps Domain?
We do need to store login credentials for user accounts not on the Google Apps domain. We always encrypt credentials prior to storing, and we split credentials onto multiple servers as an added precaution.
Can Carbo Read My Emails?
The short answer is no -- none of your emails are stored on our servers and it is impossible for any of our staff to read your emails. Our migration tool never stores the content of emails, instead it stores the header information of each email so that it can later ‘fetch’ that email from one IMAP server to another.
The header information that is stored by our tool is the source account, destination account, the size, date, and the message ID. The To and From fields are also hashed and stored, but subject line is not. With this information, the content of the email is not required for migration.
Finally, twenty days after the migration completes, the header data and account credentials are purged from our servers.