Cross-cloud data transfer with cryptographic proof — for every object.

Transfer General produces a cryptographically signed chain-of-custody record for every object that crosses a cloud boundary — automatically, at transfer completion, before anyone asks.

Clouds: AWS · GCP · Azure
Validation: FIPS 140-2 Level 2
Available on: GCP Marketplace · Carahsoft

The defensibility gap

Cloud providers stop being responsible the moment data leaves their boundary.

Each CSP records its own hashes, but no single record links source to destination across a cloud boundary. For regulated industries and AI model training, this creates a forensic blind spot — one Transfer General was built to close.

The record of truth

One signed attestation per object, linking source to destination across any cloud boundary.

TG-signed · ECDSA P-384 · RFC 8785 canonical JSON · immutable, auditor-readable storage path.

  • Coverage: 3. Cloud mesh — AWS, GCP, Azure in any 2- or 3-cloud combination.
  • Cryptography: 256. Object-layer AES-256-GCM applied before data leaves source. Keys from your KMS only.
  • Assurance: Level 2. FIPS 140-2 Level 2 modules. ATO-ready evidence package with NIST 800-53 mapping.

Benefits

Ship data across clouds with an evidence package your auditor will accept.

TG lives entirely inside your cloud accounts. No shared multi-tenant pipeline. No data touches Server General. Your perimeter, your KMS, your IAM — and a signed record of truth per object.

Customer-controlled keys, end to end

TG encrypts at the object layer using AES-256-GCM. DEKs are obtained from your KMS at runtime and never retained. Server General cannot read your data — which is exactly what makes the attestation independent.

A single signed record per object

Source hash, destination hash, signing key reference, timestamp, compliance mapping — one tamper-evident payload signed with ECDSA P-384 at transfer completion. No assembly required.

ATO-ready for FedRAMP environments

FIPS 140-2 Level 2 modules for both object encryption and KMS channel. Pre-constructed evidence package with NIST 800-53 control mapping — ready for your authorizing official.

How it works

Four steps. Your cloud. Your keys.

01 · Deploy

Deploy inside your environment

TG lives entirely within your cloud infrastructure — deployed across your clouds simultaneously. No data ever touches Server General's systems. No shared multi-tenant pipeline. Your perimeter, your control, your IAM.

  • Audit log: Immutable, tamper-evident — every event recorded as objects move.
  • Visibility: Real-time transfer state across every cloud boundary.
  • Runtime: Serverless pipeline — scales with workload, zero idle cost.

Your cloud accounts · deployed via Terraform ● Ready
  • AWS account: TG workers + log (✓ deployed)
  • GCP account: TG workers + log (✓ deployed)
  • Azure account: TG workers + log (✓ deployed)
data_plane: customer-owned · in-cloud
control_plane: customer-owned · in-cloud
sg_access: none

02 · Encrypt

Secure every object before it crosses a boundary

Each object moves through a four-stage pipeline: Source → Staging → Landing → Destination. Before crossing any cloud boundary, TG encrypts at the object layer using FIPS-compliant AES-256-GCM with keys from your KMS.

  • Algorithm: AES-256-GCM · FIPS 140-2 Level 2 validated modules.
  • Key handling: DEKs pulled from your KMS at runtime — never retained by TG.
  • Topology: Any 2- or 3-cloud combination across AWS, GCP, Azure.

Object b7d3e9f2 · 218 MB ● Transferring
  • 01 · source: s3://phi-prod · sha256 8a4f0d…
  • 02 · staging: Encrypted · AES-256-GCM
  • 03 · landing: Encrypted · ciphertext intact
  • 04 · dest: gs://analytics-prod · sha256 8a4f0d…
dek_source: customer KMS · never retained
algorithm: AES-256-GCM
integrity: hashes match — byte-for-byte

03 · Transfer

Move data across cloud boundaries under full custody

The encrypted object moves from the staging bucket in the source cloud to the landing bucket in the destination cloud. TG controls this crossing — monitoring progress, handling retries with offset-based re-transfer, and recording every event in the immutable audit log.

  • Boundary crossing: Encrypted object transferred between customer-owned buckets across clouds.
  • Retry handling: Offset-based re-transfer — only the missing portion, not the entire object.
  • Audit trail: Full forensic record of every event — checksum, encryption, key access, boundary crossing, verification, signing — captured in the immutable log. The evidence other transfer tools never record.

Cross-cloud transfer · 8f3a9c2e ● In progress
source: s3://phi-prod (AWS)
destination: gs://analytics-prod (GCP)
encryption: AES-256-GCM · object-layer
retry_mode: offset-based · no full retransmit
audit trail: forensic-grade — events other tools discard

04 · Attest

Every object produces a signed record

At transfer completion, TG produces a cryptographically signed attestation record per object — keyed to a universal TG object ID that follows the object across every cloud boundary. Source hash, destination hash, signing key reference, timestamp, compliance mapping. One ID, one deterministic view, one signed record. Automatically. Before anyone asks.

  • Signing: ECDSA P-384 · SHA-256 · DER.
  • Payload: RFC 8785 canonical JSON — tamper-evident.
  • Storage: Deterministic, auditor-readable path. Immutable.

attestations/8f3a9c2e/0001.json
{
  "tg_object_id": "8f3a9c2e-7b1d-4f5a-9e8c-2d4b6a8f1c3e",
  "source_sha256": "8a4f0d2bb7c1e6f3…",
  "dest_sha256":   "8a4f0d2bb7c1e6f3…",
  "integrity":     "MATCH",
  "signing_algo":  "ECDSA P-384 / SHA-256",
  "compliance":    "HIPAA § 164.312(c)(2)",
  "timestamp":     "2026-04-15T09:22:05Z",
  "signature":     "MEUCIQDx9mYq…"
}
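
An auditor-side check of a record shaped like the one above, as an added example that is not Server General's code. It assumes the signature is base64 DER over the SHA-256 of the canonical JSON of every field except `signature` (the page does not state the coverage), uses a throwaway P-384 key and a constructed hash value, and canonicalizes only flat ASCII string-valued objects rather than implementing all of RFC 8785. The names `digest`, `verify` and `demo` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// digest hashes the canonical JSON of every field except "signature" (assumed coverage).
func digest(rec map[string]string) []byte {
	body := map[string]string{}
	for k, v := range rec {
		if k != "signature" {
			body[k] = v
		}
	}
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // with sorted map keys: RFC 8785 form for flat ASCII strings only
	enc.Encode(body)
	sum := sha256.Sum256(bytes.TrimSpace(buf.Bytes()))
	return sum[:]
}

// verify is the auditor side: the hashes must link, then the DER signature must check.
func verify(pub *ecdsa.PublicKey, rec map[string]string) bool {
	der, err := base64.StdEncoding.DecodeString(rec["signature"])
	linked := rec["source_sha256"] != "" && rec["source_sha256"] == rec["dest_sha256"]
	return err == nil && linked && ecdsa.VerifyASN1(pub, digest(rec), der)
}

// demo signs a constructed record with a throwaway key; returns (intact ok, tampered ok).
func demo() (bool, bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	h := fmt.Sprintf("%x", sha256.Sum256([]byte("constructed sample object")))
	rec := map[string]string{"tg_object_id": "8f3a9c2e-7b1d-4f5a-9e8c-2d4b6a8f1c3e",
		"source_sha256": h, "dest_sha256": h, "timestamp": "2026-04-15T09:22:05Z"}
	der, _ := ecdsa.SignASN1(rand.Reader, priv, digest(rec)) // stand-in for the signer
	rec["signature"] = base64.StdEncoding.EncodeToString(der)
	ok := verify(&priv.PublicKey, rec)
	rec["timestamp"] = "2026-04-16T09:22:05Z" // edit one field after signing
	return ok, verify(&priv.PublicKey, rec)
}

func main() { fmt.Println(demo()) }
```
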

Figure: Object lifecycle — source to destination, with continuous evidence captured at every hop. (Transfer General chain of custody diagram — data path, evidence path, attestation signing, and key separation.)

Use cases

Built for the teams that get asked hard questions.

"When a cross-cloud data pipeline hits the roadmap, everyone assumes someone else owns it. Who set it up? Who babysits the IAM? Who answers the auditor?"

AI teams move training data across clouds with every retrain, every dataset update, every new source. The transfers are recurring by design — but the pipeline that handles them is often ad-hoc: built by whoever needed the data, with no designated owner for IAM cleanup, log retention, or auditor response.

  • Failure mode: Nobody owns the cross-cloud pipeline — IAM lingers, logs expire, evidence is never produced.
  • Cost of miss: An external auditor asks a question no internal team prepared for — and the answer takes weeks to assemble.
  • Current workaround: The destination CSP declares its own transfer successful. That's self-attestation — not independent proof.
  • Measured on: Operational ownership — can you name who answers the auditor for every dataset that crossed a cloud boundary?

With TG: Every object carries an independently signed attestation — keyed to a universal TG object ID that follows the data across cloud boundaries. Not the destination cloud's self-assessment, but a third-party record proving source and destination hashes match. Before a single training step runs.

"If your auditor asks today for proof that a specific PHI file moved intact between AWS and GCP — what document do you hand them?"

No single record proves a PHI file arrived intact — auditors must manually reconcile two disconnected cloud log systems. Every cross-cloud transfer is an open audit question until someone correlates logs by hand.

  • Audit exposure: Findings that require manual correlation of AWS and GCP logs to close.
  • Cost of miss: A failed or inconclusive audit finding costs far more than the migration itself.
  • TLS limitation: TLS proves the pipe was secure. It does not prove what arrived matches what left.
  • Stakeholder: Compliance officer — needs a per-object artifact on demand.

With TG: One immutable, independently verifiable attestation per PHI object — handed to the auditor in seconds, not weeks.

"DataSync: FedRAMP authorized. GCP Storage Transfer Service: FedRAMP authorized. Outside their own cloud, neither is. That's exactly what a cross-cloud transfer requires."

Each CSP's transfer tool is FedRAMP authorized within its own cloud boundary. A cross-cloud transfer crosses both boundaries — and neither authorization covers the journey. Maintaining your FedRAMP compliance posture requires compensating controls for the gap.

  • Boundary gap: Each tool's FedRAMP authorization stops at its own cloud. The cross-cloud journey needs compensating controls.
  • 3PAO readiness: When a third-party assessor asks who covers the cross-cloud journey, TG provides the documented answer — compensating controls with independently verifiable evidence.
  • Evidence: Pre-constructed ATO insertion package with NIST 800-53 control mapping (AU-16 cross-organizational audit coordination).
  • Procurement: Carahsoft, GCP Marketplace, GSA Schedule.

With TG: Compensating controls for the cross-cloud gap — integrity verification, cryptographic attestation, and immutable audit logging that cover the journey no single CSP authorization boundary reaches. Plus a pre-constructed ATO insertion package your ISSO can drop into the SSP.

Editions

Three editions. One clear differentiator each.

Priced by your cloud configuration, not by the amount of data you move. Every edition ships with the immutable audit log and signed attestation record.

Standard · HIPAA · SOC 2 · GLBA
Audit-ready compliance for regulated industries moving data between any two clouds.
Point TG at your KMS. TG obtains encryption keys at runtime — your master key never leaves your environment.
  • Encryption: AES-256-GCM object layer, pre-boundary.
  • Attestation: TG-signed record per object.
  • Audit log: Tamper-evident, append-only.
  • Reports: HIPAA · SOC 2 · GLBA configurable.

Federal · FedRAMP · FISMA
FIPS-attested transfers for GovCloud, Azure Government, and GCP Assured Workloads.
FIPS 140-2 Level 2 modules for both encryption and KMS channel. Contractually warranted.
  • Encryption: AES-256-GCM · FIPS-validated modules.
  • KMS channel: FIPS-compliant protocol, not just algorithm.
  • KMS setup: HSM-backed KMS in your GovCloud, if needed.
  • Formal attestation: FIPS compliance warranted contractually — not just technically present.
  • Immutable log: Tamper-evident, append-only audit log — WORM compliance mode, every event recorded.
  • ATO package: Pre-constructed · NIST 800-53 mapping.

Attestation report

This is what your auditor receives.

Every object transferred by TG produces a signed attestation record — automatically, at transfer completion. Source hash, destination hash, signing key reference, timestamp, compliance mapping. One document. No assembly.

TG-ATTESTATION · 8f3a9c2e ● Verified
tg_object_id: 8f3a9c2e-7b1d-4f5a-9e8c-2d4b6a8f1c3e
source: s3://phi-prod/records/patient-2847.enc
destination: gs://analytics-prod/phi/patient-2847.enc
source_sha256: 8a4f0d2b b7c1e6f3 a9d8b5c2 f1e4a7d3…
dest_sha256: 8a4f0d2b b7c1e6f3 a9d8b5c2 f1e4a7d3…
integrity: MATCH — byte-for-byte identical
transferred_at: 2026-04-15T09:22:05.119Z
signing_algo: ECDSA P-384 / SHA-256 / DER
kms_key_ref: projects/servergeneral/keys/ask-prod-v1
compliance_map: HIPAA § 164.312(c)(2)
attestation_path: attestations/8f3a9c2e/0001.json
Signed · Immutable · Chain-of-custody complete

Build vs. buy

DIY costs more than Transfer General.

Even with two clouds, building it yourself runs longer, costs more in engineer-hours, and still doesn't produce the evidence your auditor wants.

Building your own
Engineer hours that don't produce evidence.
  • 3–6 months of senior engineer time per CSP pair — before business logic.
  • No object-layer encryption out of the box — only CSP logs.
  • No cross-cloud hash linkage — two disconnected records, not one.
  • FIPS compliance is a separate project — teams routinely de-scope.
  • Every CSP API change breaks your pipeline — on-call each time.
  • No attestation record to hand to an auditor.
Transfer General
Deploy in hours. Evidence in every transfer.
  • Deploy in hours, not months — Terraform handles the infrastructure.
  • Object-layer AES-256-GCM applied before any cloud boundary, out of the box.
  • One signed record links source hash to destination hash across any boundary.
  • FIPS 140-2 Level 2 — already built, already verified, formally attested.
  • TG maintains CSP compatibility — your engineers don't carry the cost.
  • Add clouds without rebuilding the pipeline.

Procurement & credentials

Google Cloud: Regulated & Sovereignty partner
Certified by Google Cloud — meets technical and compliance requirements for regulated and sovereign workloads.

GCP Marketplace: Draws against MACC / CUD
No new budget line, no new vendor onboarding. Committed spend covers the private offer.

Carahsoft: Federal & SLED channel
Procurement via GSA, BPA, and agency vehicles. Carahsoft reps cover healthcare and federal verticals.

FIPS 140-2 Level 2: AES-256-GCM encryption · ECDSA P-384 signing
Cryptographic validation required for FedRAMP, FISMA, and DoD. Applied at the object layer before data leaves source.

Ready to run a proof of concept in your environment? No commitment required.