
Is it safe to give my private PGP key to mailbox.org?

For Guard to work, we require your private PGP key to be resident on our servers. Only this way can we ensure the secure server-side encryption and decryption of your e-mail messages.

We are doing our utmost to keep your key secure by maintaining our storage infrastructure appropriately and protecting the key with a password that only you, the account holder, know. Nevertheless, this is a question that we cannot answer for you. It is your decision whether to trust that the key will be safe on our servers or to keep it stored on your personal devices, like your PC at home or your smartphone.

Neither option will guarantee 100% security: the security of a key stored on any computing device with a network connection necessarily depends on the security features implemented in the software running on that device, on any vulnerabilities uncovered over time, and on how quickly these vulnerabilities can be fixed. Ultimately, it doesn’t matter if that device is a PC, Mac, phone, or an Internet server, but we would argue that security fixes tend to get applied more quickly and frequently on the latter.

Even if you do not upload your private key to our servers, you can still access your encrypted e-mails via IMAP or POP3, using your local PGP-enabled e-mail client. The support for browser-based PGP offered through Guard is entirely optional.