Security you can trust — and verify
MicroBackups is built on the principle that your backup data should be more secure than your production environment. Here's exactly how we achieve that.
Encryption at every layer
At rest
AES-256 encryption for all backed-up data stored in our infrastructure.
In transit
TLS 1.2 for all data moving between your environment and MicroBackups.
Bring Your Own Encryption (BYOE)
Microsoft 365 customers can supply their own encryption keys. MicroBackups never has access to your plaintext data.
Key management
Customer-managed keys (CMK) supported. Keys stored separately from encrypted data.
Immutable storage infrastructure
WORM compliance
Write-once, read-many object storage with object-level locks. Data cannot be modified or deleted once written — by anyone, including MicroBackups staff.
Air-gapped buckets
Backup storage is completely isolated from your production environment on GCP and AWS infrastructure.
Legal hold
Legal hold policies can be applied to specific datasets, preventing deletion for the duration of the hold.
Retention enforcement
Retention policies are enforced at the storage layer — not just at the application layer — preventing policy bypass.
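The storage-layer enforcement claimed above is something a customer can check rather than take on trust. As an added example (not MicroBackups code, and not a description of how their storage is implemented), this Python function evaluates an AWS S3 Object Lock configuration in the JSON shape returned by the S3 API call `get_object_lock_configuration`, flagging GOVERNANCE mode (which privileged principals can bypass, so it does not meet a "nobody can delete" bar) and short default retention; the two sample configurations are constructed, and the minimum retention of 30 days is an assumed policy value.

```python
"""Evaluate an S3 Object Lock configuration against WORM expectations.

Added example: pure Python over the dict shape returned by the S3 API
call get_object_lock_configuration; no AWS call is made. The sample
configurations at the bottom are constructed for illustration.
"""
from typing import Dict, List


def retention_days(rule: Dict) -> int:
    """Normalise DefaultRetention (expressed in Days or Years) to days."""
    default = rule.get("DefaultRetention", {})
    return default.get("Days", 0) + 365 * default.get("Years", 0)


def check_object_lock(config: Dict, min_days: int = 30) -> List[str]:
    """Return a list of findings; an empty list means the bucket meets the
    WORM bar: lock enabled, COMPLIANCE mode (no privileged bypass), and a
    default retention of at least min_days (assumed policy value)."""
    findings: List[str] = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        # Without Object Lock, deletion is only an application-layer policy.
        return ["object lock not enabled: retention is not storage-enforced"]
    rule = lock.get("Rule")
    if not rule:
        return ["no default retention rule: new objects are not locked"]
    mode = rule.get("DefaultRetention", {}).get("Mode")
    if mode == "GOVERNANCE":
        # GOVERNANCE can be overridden by principals holding
        # s3:BypassGovernanceRetention, so it is not immutable for everyone.
        findings.append("GOVERNANCE mode: privileged users can bypass retention")
    elif mode != "COMPLIANCE":
        findings.append(f"unknown retention mode {mode!r}")
    days = retention_days(rule)
    if days < min_days:
        findings.append(f"default retention {days}d below required {min_days}d")
    return findings


# Constructed sample configurations: a weak one and a hardened one.
WEAK_CONFIG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
WORM_CONFIG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("worm", WORM_CONFIG)):
        print(name, check_object_lock(cfg) or ["OK"])
```

In practice the dict is fetched with `boto3.client("s3").get_object_lock_configuration(Bucket=...)` and passed to `check_object_lock`; per-object legal holds are a separate API and are not covered here.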
Access control and identity
Role-based access control (RBAC)
Granular admin roles. Create operator accounts that can perform restores without access to backup data contents.
Multi-factor authentication (MFA)
MFA required for all administrative access. TOTP and hardware key support.
SAML/SSO
Single sign-on via SAML 2.0. Integrate with Okta, Azure AD, Google Workspace, and other identity providers.
SIEM integration
Export audit logs to your SIEM (Splunk, Datadog, etc.) for centralised security monitoring.
Audit and visibility
Immutable audit logs
Every admin action, restore operation, login attempt, and system event is logged with IP address, timestamp, and session data.
Self-service audit trail
End-user restore operations are fully audited — who restored what, when, and where it was restored to.
Real-time alerting
Configurable alerts for backup failures, threat detections, policy violations, and administrative changes.
Multi-tenant visibility
Manage and audit multiple domains or tenants from a single dashboard without cross-tenant data access.
Data residency and sovereignty
Regional storage selection
Choose your storage region: United States, European Union, United Kingdom, Canada, or Australia.
Multi-geo policies
Route different data types to different regions to meet complex compliance requirements across jurisdictions.
Data never leaves your region
Backups are stored exclusively in your selected region. No cross-border replication without explicit configuration.
GDPR data processing
We sign a Data Processing Agreement (DPA) on request. Our EU region uses infrastructure located within the EEA.
Infrastructure and reliability
Cloud infrastructure
Hosted on Google Cloud Platform (GCP) and Amazon Web Services (AWS) — audited, SOC 2 certified hyperscaler infrastructure.
Microservices architecture
Isolated, independently scalable services. A failure in one component cannot affect backup integrity in another.
Parallel processing
2–3× faster than legacy monolithic backup solutions. API throttling handled automatically with intelligent retry logic.
Disaster recovery
MicroBackups infrastructure itself is replicated across availability zones. Your backup data is never a single point of failure.
Independently verified compliance
Our security posture is verified by third-party auditors, not just self-attested.
SOC 2 Type II
Independently audited by a third-party CPA firm. Controls across security, availability, and confidentiality are verified annually.
ISO 27001
Internationally recognised information security management standard. Our ISMS is certified and subject to annual surveillance audits.
PCI DSS
Payment Card Industry Data Security Standard compliance. Required for environments that process cardholder data.
HIPAA
We sign a Business Associate Agreement (BAA) for healthcare customers. Our systems and processes comply with HIPAA Security Rule requirements.
GDPR
We act as a Data Processor for EU personal data. DPA available on request. EU data remains within the EEA.
CCPA
California Consumer Privacy Act compliant. Users can request access to or deletion of their personal data.
Our shared responsibility model
| Area | MicroBackups | Customer |
|---|---|---|
| Backup infrastructure security | ✓ | |
| Encryption key management (default) | ✓ | |
| Encryption key management (BYOE) | | ✓ |
| Immutable storage enforcement | ✓ | |
| Admin access controls within MicroBackups | ✓ | |
| Admin access controls within your Google/M365 tenant | | ✓ |
| Choosing which users/data to back up | | ✓ |
| Compliance policy configuration | ✓ (tools) | ✓ (decisions) |
| Data residency region selection | | ✓ |
| Audit log retention | ✓ | |
Responsible disclosure
We take security seriously and welcome reports from the security community. If you believe you've found a vulnerability in MicroBackups, please contact us.
security@microbackups.com
Security questions? We're happy to help.
Talk to our team about your specific compliance requirements, request our SOC 2 report, or start a free trial.