Your Concrete CMS database holds every registered user account, every form submission stored by the Form block, every file record in the File Manager, and any Express Entries your site collected. Whoever migrates it has access to all of it.
What Is Actually Inside a Concrete CMS Database
Concrete CMS uses MySQL and stores personal data across several table groups. The Users table holds every registered user: email address, username, hashed password, and registration date. Custom user profile attributes are stored in dynamically named user attribute tables (for example uatFirstName, uatPhone, uatAddress) with values mapped via UserAttributeValues. The FormResults and FormResultsData tables hold every submission from every Form block on the site, including all submitted field values. For organizations that used Express Entries to collect structured data from visitors, the Express Entries tables hold those records. The Files and FileVersions tables track every file uploaded to the File Manager, including metadata about who uploaded it and when. If Community Store was active, customer order records and billing data are in the commerce tables.
The attribute table architecture in Concrete CMS is worth specific attention. Because attribute tables are generated dynamically based on the attribute types configured in the site, the full scope of personal data stored in a Concrete CMS database is not always obvious until you run a schema audit. A provider who has not worked with Concrete CMS before will not know to look for these tables, and may not know what personal data they contain.
Your Concrete CMS database during a migration with no documented data handling policy.
What Has Gone Wrong in Real Data Migrations
A contractor turned off the firewall for ten minutes while migrating data to ElasticSearch. This exposed the database to attackers who breached over 5 billion data records.
Keepnet Labs breach, documented by Caylent security research
Ten minutes. One shortcut during a migration window. For a Concrete CMS site with years of form submissions and registered user accounts, the exposure window during an insecure migration is the period from when the database backup leaves your server to when it is formally deleted from the provider’s system. For most freelancers, that moment is never defined.
Customer data intercepted during a cloud migration and personally identifiable information exposed due to misconfigured permissions are not hypothetical scenarios. They result in regulatory fines, lawsuits, and destroyed customer trust.
Monte Carlo Data, September 2025
Concrete CMS migrations create a credential exposure surface that includes your Concrete CMS admin credentials (access to all pages, users, and file manager), your MySQL database credentials (access to all content, attribute values, and form data), and your file server access (the physical uploaded files). A provider holding all three has complete access to your entire environment.
The Freelancer and Cheap Tool Problem
The developer who migrated your Concrete CMS site: the MySQL backup is still on their machine, no DPA, no deletion date.
Concrete CMS migrations require knowledge of the Collections and Pages schema, the dynamically named attribute tables, the block table architecture, and the File Manager storage model. Most freelancers who advertise Concrete CMS migrations have not handled a full database-level migration before and have no formal data protection process. Here is what you typically do not get.
- No Data Processing Agreement. GDPR requires a signed DPA before any third party processes personal data. A Concrete CMS database almost certainly contains personal data from EU residents. Without a DPA, your organization is in violation before the migration begins.
- No credential security policy. Your Concrete CMS admin credentials and MySQL connection details are typically shared by email and kept on the provider’s machine indefinitely. No encrypted vault, no deletion commitment, no audit trail.
- No data retention policy. The MySQL backup downloaded for the migration stays on the provider’s machine after the job. There is no deletion date and no notification when it eventually disappears.
- No breach notification obligation. If the provider’s system is compromised while holding your backup, they have no contractual obligation to notify you or the affected users.
- No professional liability. If the migration loses form submissions, corrupts attribute data, or triggers a GDPR investigation, a marketplace freelancer has no insurance and no legal accountability.
- Concrete CMS-specific technical gaps. Most providers do not know how to read the dynamically named attribute tables, the block-specific table structure, or the Express Entries schema. Form submission data and user profile attributes are routinely lost without the provider even noticing.
How gConverter Does It
How gConverter starts every Concrete CMS migration: signed legal documentation before any credentials are shared.
gConverter is a registered US company with full EU GDPR compliance for all European and international clients. We act as a Data Processor under GDPR Article 4(8) with a documented six-step security process applied to every migration including Concrete CMS.
Step 1: DPA before credentials
Before you share any credentials, you receive a Data Processing Agreement for review and signature. For GC-ExtraSecurity clients, a Non-Disclosure Agreement is also executed. No data access is granted until both documents are countersigned. The DPA specifies what we process, the lawful basis, retention limits, and our liability in the event of a breach.
Step 2: Encrypted credential vault
Your Concrete CMS admin credentials and MySQL database connection details are transmitted via an encrypted channel, never by email. Stored immediately in an AES-256 encrypted vault accessible only to the single assigned engineer. Deleted within 24 hours of job completion with written confirmation sent to you.
Step 3: Isolated staging environment
Your database is exported and transferred over TLS 1.3. For GC-ExtraSecurity clients, processing happens on a dedicated Hetzner EU server in Frankfurt, keeping all data inside the EEA throughout. For standard clients, processing is on the assigned engineer’s encrypted machine (Apple FileVault AES-256). Your data is never on shared hosting and never alongside other clients’ data.
Steps 4 to 6: Logged migration, verified delivery, 30-day deletion
Every database query and file operation is logged. The migration is completed on staging and presented for your review before go-live. After approval and launch, credentials are revoked immediately. All customer data is permanently deleted within 30 days using secure overwrite. Breach notification within 72 hours if required by GDPR Article 33.
Read the complete GDPR and Data Protection documentation →
Questions to Ask Any Concrete CMS Migration Provider
- Will you sign a Data Processing Agreement before accessing any data? No DPA means no GDPR compliance and direct legal exposure for your organization.
- How do you handle Concrete CMS-specific data: CollectionAttributeValues and dynamically named attribute tables, block-specific content tables, FormResults submissions, Express Entries? If they cannot answer specifically, they have not done it before.
- How are credentials transmitted and stored? Acceptable: encrypted channel and AES-256 vault. Not acceptable: email, Slack, or any plain-text channel.
- Where is my MySQL data processed during migration? Specific server location, encryption method, and access policy.
- When and how is my data deleted after completion? A timeline and a deletion method, not a verbal assurance.
- Do you carry professional liability insurance? Without it, no financial recourse if a breach or data loss occurs.
- What is your breach notification procedure? Without a documented procedure, they have no obligation to notify you if your data is compromised.
Technical Quality Matters Too
Security is the foundation. But a secure migration that drops attribute values, loses block content, or abandons form submissions is still a failed migration. A complete Concrete CMS to WordPress migration by gConverter covers all pages with all block content, all page type attribute values from CollectionAttributeValues and dynamically named attribute tables, FormResults submission data archived, user accounts with profile attribute data, File Manager files imported to the WordPress Media Library, Express Entries data exported, the Concrete CMS theme rebuilt as a custom WordPress theme, 301 redirects for every URL that changes, and SEO metadata transferred to Yoast SEO.
For the full picture: Why Site Owners Are Moving From Concrete CMS to WordPress →
To discuss your specific site: Concrete CMS to WordPress migration at gConverter →
What Our Clients Say
Went FAR above and beyond to help us work through this project. We are thrilled with the final result and they were professional, great to work with, and responsive every step of the way. Would highly recommend.
Anna P., Wilmington NC – Customer Lobby, January 2026
Extremely professional and efficient, we had very good contact, the work was done in due time.
Timoti F., Berlin DC – Customer Lobby, February 2024
Concrete CMS blocks, attribute values, form submissions, and users – all verified in WordPress.
The Bottom Line
A Concrete CMS database contains the personal data of every registered user, every form submission, and in many cases Express Entries data collected from visitors. The dynamically generated attribute table architecture means that the full scope of personal data is not always immediately visible. Migrating it requires a provider who has performed a proper schema audit before touching a single record.
gConverter is US-registered and EU GDPR-compliant, with signed legal agreements before access, AES-256 encryption at rest, TLS 1.3 in transit, EU server options, and 30-day data deletion with written confirmation. Before the job starts, you have a signed DPA. While it runs, your data is encrypted, isolated, and logged. When it ends, your data and credentials are gone from our systems.