Whoever migrates your DotNetNuke site will hold your SQL Server credentials, your admin access, and every user account, form submission, and forum post your site has ever stored. Most migration providers have no formal obligation to protect any of it.
What Is Actually Inside a DotNetNuke Database
DotNetNuke stores its data in Microsoft SQL Server. The database schema covers user accounts in the Users and UserPortals tables with email addresses, hashed passwords, registration timestamps, and last login data. The UserProfile and UserProfileValueDetails tables hold custom profile fields that may include phone numbers, addresses, job titles, or any other information the site owner configured the profile system to collect. Form submission data from the Forms module is stored in module-specific tables. Active Forums data includes the full text of every post, reply, and private message, all linked to user identities. If Catalook or another e-commerce module is active, the database includes customer billing addresses and full order histories.
All of that is in the SQL Server backup file that any migration provider will extract and work from. The question is who holds it, on what infrastructure, under what security controls, and with what deletion commitment.
Your DNN SQL Server database during a migration with no documented data handling policy.
What Has Gone Wrong in Real Migrations
A contractor turned off the firewall for ten minutes while migrating data to ElasticSearch. This exposed the database to attackers who breached over 5 billion data records.
Keepnet Labs breach, documented by Caylent security research
Ten minutes. No malicious intent. One operational shortcut during a data transfer window. For a DNN site with thousands of registered users and years of contact form submissions, the exposure during an insecure migration is the same: the period from when the SQL Server backup leaves your server to when it is formally deleted from the provider’s environment, which for most freelancers is never determined at all.
Migrations expose sensitive data to potential breaches if teams fail to apply strong governance and oversight. Without these safeguards, your migration team may mishandle personal information, violating regulations such as GDPR or HIPAA and triggering costly audits.
Alation, Data Migration Risks, December 2025
For DNN specifically, the credentials at risk span a wider surface than most CMS migrations. A DNN admin account gives access to the entire portal administration, all content, all user records, and all installed modules. The SQL Server connection string exposes the full database. FTP or server access exposes the file system including uploaded documents, form attachments, and any stored binaries. A migration provider holding all three simultaneously has unrestricted access to your entire environment.
The Freelancer and Cheap Tool Problem
The freelancer who migrated your DNN site: the SQL Server backup is still in their Downloads folder.
DNN migration is technically complex. It requires knowledge of the SQL Server schema, the module data architecture, the skin-to-theme conversion process, the user profile system, and how to map DNN tab and portal structures to WordPress page hierarchy. Finding someone technically capable is already difficult. Finding someone with a formal data protection process is rare. Here is what you typically do not get.
- No Data Processing Agreement. GDPR Article 28 requires a signed DPA before any third party processes personal data on your behalf. A DNN database almost certainly contains personal data from EU residents. A freelancer without a DPA cannot operate within a lawful framework regardless of competence.
- No credential security policy. Your DNN admin login, SQL Server credentials, and FTP/RDP access are typically sent by email and retained in the provider’s inbox indefinitely. No encrypted vault. No deletion timeline. No audit trail.
- No data retention policy. The SQL Server backup file downloaded to run the migration stays on the provider’s machine or server after the job. There is no formal deletion commitment and no notification to you when it is eventually removed.
- No breach notification obligation. If the provider’s system is compromised while holding your backup, they have no contractual obligation to tell you. Your members’ data could be circulating without your knowledge.
- No professional liability. If the migration fails, loses data, breaks forum history, or triggers a GDPR investigation, a marketplace freelancer has no insurance and no legal exposure. Your organization absorbs the full cost.
- DNN-specific technical failures. Most providers who advertise DNN migrations underestimate the SQL Server schema complexity, particularly for sites using Active Forums, Ventrian, or custom modules. The result is a “completed” migration that is missing significant content with no audit trail for what went wrong.
Why Automated Tools Do Not Solve the Problem
Unlike Drupal or Joomla, DNN has no widely-used automated export/import bridge to WordPress. Tools like CMS2CMS have offered DNN migration connectors, but these tools work by routing your content through the tool’s own servers for processing. Your personal data, including user records and form submissions, passes through infrastructure you have not audited and have no data protection relationship with.
The technical problem is compounded by the fact that generic tools handle basic HTML Module content and standard pages but consistently fail on module-specific data: Ventrian article custom fields, Active Forums thread data, user profile custom properties, and any content stored in third-party module tables. A “successful” automated migration typically means pages and navigation arrived, but all structured data, community content, and user profiles are missing.
If your DNN site has EU users and you use an automated tool without a signed DPA, you are processing personal data outside a lawful framework. GDPR fines for unlawful data processing start at 2% of annual global turnover or €10 million, whichever is higher.
How gConverter Does It
How gConverter starts every DNN migration: legal documentation before any credentials are shared.
gConverter is a registered US company with full EU GDPR compliance for all European and international clients. We act as a Data Processor under GDPR Article 4(8) with a documented six-step security process applied to every migration including DNN.
Step 1: DPA before credentials
Before you share any access credentials, you receive a Data Processing Agreement for review and signature. For GC-ExtraSecurity clients, a Non-Disclosure Agreement is also executed. No data access is granted until both documents are countersigned. The DPA defines what we process, the lawful basis, retention limits, and our liability in the event of a breach.
Step 2: Encrypted credential vault
Your DNN admin credentials, SQL Server connection details, and FTP/RDP access are transmitted via an encrypted channel, never by email. They are stored immediately in an AES-256 encrypted vault accessible only to the single assigned engineer and deleted within 24 hours of job completion with written confirmation sent to you.
Step 3: Isolated staging environment
Your SQL Server database is exported and transferred over TLS 1.3. For GC-ExtraSecurity clients, processing happens on a dedicated Hetzner EU server in Frankfurt, keeping all data inside the EEA throughout the migration. For standard clients, processing is on the assigned engineer’s encrypted machine (Apple FileVault AES-256). Your data is never on shared hosting and never alongside other clients’ data.
Steps 4 to 6: Logged migration, verified delivery, 30-day deletion
Every database query and file operation is logged. The migration is completed on staging and presented to you for approval before going live. After launch, credentials are revoked and deleted immediately. All customer data is permanently deleted within 30 days using secure overwrite. Breach notification within 72 hours if required by GDPR Article 33.
Read the complete GDPR and Data Protection documentation →
Questions to Ask Any DNN Migration Provider
- Will you sign a Data Processing Agreement before accessing any data? No DPA means no GDPR compliance and direct legal exposure for your organization.
- How do you handle DNN-specific content: HTML Module instances, Active Forums data, Ventrian articles, user profile properties? If they cannot answer specifically, they have not done it properly before.
- How are credentials transmitted and stored? Acceptable: encrypted channel and AES-256 vault. Not acceptable: email, Slack, or any plain-text method.
- Where is my SQL Server data processed and stored during migration? Specific server location, encryption method, and access policy.
- When and how is my data deleted after completion? A timeline and a deletion method – secure overwrite, not just removing from a downloads folder.
- Do you carry professional liability insurance? Without it, no financial recourse if a breach or data loss occurs.
- What is your breach notification procedure? Without a documented procedure, they have no obligation to notify you if your data is compromised.
Technical Quality Matters Too
Security is the foundation. But a secure migration that loses your forum history, article structure, or user profile data is still a failed migration. A complete DNN to WordPress migration by gConverter covers all pages and portal content, HTML Module instances mapped to Gutenberg blocks, Ventrian and EasyDNNnews articles imported as WordPress posts with ACF fields, Active Forums content migrated to wpForo 360° AI, user accounts with profile data, form submission archives, the DNN skin rebuilt as a custom WordPress theme, 301 redirects for every URL that changes, and SEO metadata transferred to Yoast SEO.
For the full picture of why organizations are moving off DotNetNuke and what the technical migration process covers: Why Companies Are Migrating From DotNetNuke to WordPress →
To discuss your specific site: DotNetNuke to WordPress migration at gConverter →
What Our Clients Say
Went FAR above and beyond to help us work through this project. We are thrilled with the final result and they were professional, great to work with, and responsive every step of the way. Would highly recommend.
Anna P., Wilmington NC – Customer Lobby, January 2026
Extremely professional and efficient, we had very good contact, the work was done in due time.
Timoti F., Berlin DC – Customer Lobby, February 2024
The outcome: DNN portal data, forum history, and all user accounts verified and live in WordPress.
The Bottom Line
A DNN SQL Server database contains years of personal data from registered users, form submissions, community forum posts, and in many cases billing records. Migrating it to WordPress requires the same governance and documentation as any other personal data transfer under GDPR. Most freelancers and tools do not provide that governance.
gConverter is US-registered and EU GDPR-compliant, with signed legal agreements before access, AES-256 encryption at rest, TLS 1.3 in transit, EU server options, and 30-day data deletion with written confirmation. Before the job starts, you have a signed DPA. While it runs, your data is encrypted, isolated, and logged. When it ends, your data and credentials are gone from our systems.