Is it safe to transfer files between cloud services?
What actually happens to your files when a cloud-to-cloud transfer tool moves them — the access it needs, where your data goes, and the five things to check before you trust one.
Moving files between clouds means handing a third-party tool access to your storage — so "is this safe?" is exactly the right question to ask. The honest answer: it depends entirely on the tool, and there are concrete things you can check rather than just hoping. Here's what actually happens under the hood, and how to tell a safe service from a risky one.
What access does a transfer tool actually need?
To copy from cloud A to cloud B, a tool connects to both through their official APIs, with access granted via OAuth — you log in on Google's or Microsoft's own screen and grant access; the tool never sees your password. The key question is the *scope* of that access. A well-built tool asks only to read the source and write to the destination. A careless one asks for full account control it doesn't need.
Copy vs. move: the difference that matters
A "move" deletes from the source after copying — which means if anything goes wrong mid-transfer, you can lose the original. A "copy" leaves your source untouched and only writes to the destination. Copy is strictly safer: your originals are still there if a transfer fails, and you delete them yourself only once you've confirmed everything arrived.
CloudRaft is copy-only by design — it can read your source to make copies, but it has no ability to delete, move, or change anything there. That's enforced in code, not just promised in a policy.
Where do your files go during the transfer?
Some tools download your files to your own computer and re-upload them (slow, but nothing leaves your control). Others run the transfer on their own servers — your files stream through their infrastructure. The thing to check there: do they *store* your files, or just pass them through? A trustworthy hosted service streams the bytes between the two clouds and never writes your file contents to its own disks.
Five things to check before you trust a tool
- Copy-only, not move — your source should be untouched. Avoid anything that deletes as it goes.
- Least-privilege access — it should request read on the source and write on the destination, not full account control. You can review the scopes on the consent screen.
- No file storage — it should stream files through, not keep copies. Check the privacy policy for exactly what's retained.
- Where your data is hosted — EU/EEA hosting matters if you're in Europe (GDPR). A real company names its data location and legal entity.
- Revocable access — you should be able to disconnect the tool any time from your Google/Microsoft account security settings, instantly cutting off access.
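To make the scope check from "What access does a transfer tool actually need?" and the least-privilege item above concrete, here is an added example (not CloudRaft's code, and not from the original article) that reads the `scope` parameter out of an OAuth authorization URL and flags anything beyond read on the source or write on the destination. It assumes you copy the URL the tool redirects you to; the function names and sample URLs are constructed for illustration, and the scope strings are the ones Google Drive and Microsoft Graph publish.

```python
from urllib.parse import parse_qs, urlsplit

# Storage access each scope grants. "write" here means the app can also
# change or delete files, not just add new ones.
SCOPE_ACCESS = {
    "https://www.googleapis.com/auth/drive.readonly": "read",
    "https://www.googleapis.com/auth/drive.metadata.readonly": "read",
    "https://www.googleapis.com/auth/drive.file": "write",  # only files the app creates or opens
    "https://www.googleapis.com/auth/drive": "write",       # every file in the account
    "Files.Read": "read", "Files.Read.All": "read",
    "Files.ReadWrite": "write", "Files.ReadWrite.All": "write",
    "openid": "none", "email": "none", "profile": "none",   # sign-in and profile only
    "User.Read": "none", "offline_access": "none",          # profile and token refresh only
}
RANK = {"none": 0, "read": 1, "write": 2}
MAX_ALLOWED = {"source": "read", "destination": "write"}    # the least-privilege rule above

def audit_consent_url(url, role):
    """Return (scope, verdict) pairs for an authorization URL; role is 'source' or 'destination'."""
    limit = MAX_ALLOWED[role]
    # parse_qs decodes %20 and '+' to spaces, which is how both providers separate scopes.
    scopes = " ".join(parse_qs(urlsplit(url).query).get("scope", [])).split()
    findings = []
    for scope in scopes:
        level = SCOPE_ACCESS.get(scope)
        if level is None:
            # Not a known storage or sign-in scope (mail, calendar, admin...): never auto-approve.
            verdict = "unknown: review manually"
        elif RANK[level] > RANK[limit]:
            verdict = f"excessive: grants {level}, {role} needs at most {limit}"
        else:
            verdict = "ok"
        findings.append((scope, verdict))
    return findings

def flagged(url, role):
    """Scopes that are not plainly acceptable for the given role."""
    return [scope for scope, verdict in audit_consent_url(url, role) if verdict != "ok"]

# Constructed sample URLs; client_id is a placeholder.
GOOGLE_URL = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE&response_type=code"
              "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive")
MS_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=EXAMPLE"
          "&response_type=code&scope=offline_access+Files.Read")

if __name__ == "__main__":
    print(flagged(GOOGLE_URL, "source"), flagged(MS_URL, "source"))
```

A tool that asks for the full Drive scope on the account you are only copying from shows up in the first list; the Microsoft request, which asks only for `Files.Read` plus token refresh, comes back empty.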
CloudRaft is copy-only, streams files without storing them, is EU-hosted (database in Ireland, workers in Amsterdam), requests least-privilege scopes, and you can revoke access any time. The full detail is on the security page.
Cloud-to-cloud transfers are safe when the tool is built to be — copy-only, least-privilege, no storage, revocable. Check those, and you can move your files with confidence.