GDPR & Data Privacy Compliance

Your data is handled with the same care you'd expect from your own team.

When you give us access to your website, you're trusting us with your users' personal data. We take that responsibility seriously — and we've documented exactly how.

  • GDPR Article 28 Compliant
  • AES-256 Encryption at Rest
  • DPA + NDA with GC-ExtraSecurity
  • Data Deleted Within 30 Days

Legal framework

Our role: we are your Data Processor

Under GDPR Article 4(8), we act as a Data Processor — not a Data Controller. That distinction matters.

You — the Data Controller

You decide why and how your users' data is collected and processed. You own the relationship with your community members. You give us instructions on what to migrate and where.

Us — the Data Processor

We process your data only under your documented instructions. We have no legitimate basis to use your data for any other purpose. We are legally bound by GDPR Article 28 in everything we do with it.

Why this matters to you: As a data controller, you remain responsible for your users' data. Choosing a processor (us) who doesn't comply with GDPR makes you liable for the violation — not just us. Our compliance protects you too. This is why we insist on a signed Data Processing Agreement before every migration.

Data inventory

What personal data passes through our systems

Every migration contains personal data belonging to your users. Here is exactly what we process — and why.

Email addresses (High sensitivity)

User registration emails. Used only to re-create accounts in the target platform. Not used for marketing. Not shared with any third party.

Usernames & display names (Medium sensitivity)

Public-facing identity data. Migrated 1:1 to preserve community continuity.

Password hashes (Medium sensitivity)

Hashed passwords (bcrypt, MD5, SHA1 depending on source platform). We never see plain-text passwords. Hashes are re-encoded into the target platform's algorithm where compatible.

Private messages (High sensitivity)

User-to-user PMs are personal — often highly so. They are encrypted in transit, migrated only under your explicit instruction, and never read by our team.

IP addresses & login history (High sensitivity)

Where present in the source database, these are migrated as-is. IP addresses are personal data under GDPR.

Profile data & avatars (Low sensitivity)

Signatures, bios, locations, custom profile fields, profile photos. Migrated only to fields that exist in the target platform.

Posts & thread content (Low sensitivity)

Forum posts and CMS content. May contain personal information authored by users. Migrated verbatim.

Step by step

Where your data goes — and when it's deleted

Complete transparency on every step of the data journey from your source website to your new platform.

1. You sign our DPA & NDA

Before we touch a single byte of your data, both parties sign a Data Processing Agreement (Article 28 GDPR) and a Non-Disclosure Agreement. These documents define exactly what we process, why, how, and for how long. You receive a copy.

Legal binding established. Processing lawful basis confirmed.

2. You provide access credentials

You share admin credentials (CMS login, database credentials, FTP/SSH, cPanel access) via an encrypted channel, never by plain email. All credentials are immediately stored in an AES-256 encrypted vault accessible only to the assigned engineer. Credentials are deleted within 24 hours of job completion.

AES-256 encrypted vault. 24-hour post-job deletion. Engineer NDA active.

3. We download your database to our staging server

Your database is exported and transferred over TLS 1.3. For GC-ExtraSecurity customers, processing occurs on a dedicated Hetzner EU server (Frankfurt, Germany) — keeping your data inside the EEA. For Standard customers, processing is on the engineer's encrypted Mac (Apple FileVault AES-256). In both cases, only the assigned engineer has access.

AES-256 at rest. TLS 1.3 in transit. EU server option for GC-ExtraSecurity.

4. Migration is performed on our isolated environment

The migration runs on an isolated server environment. Your data is never mixed with other customers' data. We use separate database instances per customer job. The target platform is built from scratch — your source data is never written to a shared environment.

Customer data isolation. Separate DB instance. Minimal data access.

5. You inspect & approve the result

We give you access to the staging result. You review everything. Your source site stays fully online. No data has been deleted, altered, or published yet. You are in control of whether to proceed.

No irreversible changes until your explicit approval.

6. Go-live: final sync & DNS switch

You approve. We run a final incremental sync to capture any new content posted since step 3. We switch DNS. Your new site goes live. Your source site remains untouched — it's your decision when to shut it down.

You control timing. Source site untouched.

7. All your data is permanently deleted from our servers

Within 30 days of migration completion, all copies of your data — source database dumps, staging database, exported files, uploaded media, and any backups — are permanently deleted from our servers using secure deletion. Your credentials are deleted from our vault immediately upon job completion. We send you a written confirmation of deletion.

Secure deletion within 30 days. Written confirmation provided.

Article 32 GDPR

Technical & organisational security measures

The GDPR requires processors to implement "appropriate technical and organisational measures." Here is what we implement specifically.

Encryption at rest & in transit

  • AES-256 encryption for all data stored on our servers
  • TLS 1.3 for all data transferred between systems
  • Encrypted database dumps — never stored in plaintext
  • Encrypted credential vault for any access keys

Access control

  • Role-based access — only the assigned engineer accesses your data
  • Multi-factor authentication (MFA) on all admin systems
  • Access logs maintained for every file or database interaction
  • Credentials revoked and deleted immediately after job completion

Staff confidentiality

  • Every team member signs a binding Confidentiality Agreement
  • Engineers receive data security training
  • Internal need-to-know policy — access given only for the specific job
  • No team member may copy, share, or retain customer data

Infrastructure security

  • Dedicated private servers — your data is never on shared hosting
  • Customer data isolated in separate environments
  • Regular security patching and vulnerability scanning
  • Firewalled environments — no public access to staging systems

Breach response

  • We notify you within 72 hours of becoming aware of any breach (Article 33)
  • Incident response plan maintained and tested
  • Breach register maintained internally
  • We assist you in notifying your supervisory authority if required

Data retention & deletion

  • All customer data deleted within 30 days of job completion
  • Secure deletion (overwrite) — not just file-system removal
  • Written confirmation of deletion sent to customer
  • No backups retained beyond the agreed retention window

Legal documents

Documents you sign before we start

GC-ExtraSecurity customers (+ extra cost) receive both agreements before any access is granted. Standard customers are covered by our Standard Service Agreement.

Data Processing Agreement
Required by GDPR Article 28

The DPA is the core legal instrument that governs how we handle your data. It is mandatory under GDPR Article 28 — without it, any processing of personal data by us on your behalf would be unlawful.

Our DPA covers:

  • Scope, nature, and purpose of the processing
  • Types of personal data and categories of data subjects
  • Duration of processing
  • Our confidentiality and security obligations (Article 32)
  • Sub-processor list and approval process
  • Data deletion obligations upon completion
  • Breach notification procedures (Article 33)
  • Your audit rights
  • International transfer safeguards (Standard Contractual Clauses)

Non-Disclosure Agreement
Covers business confidentiality

The NDA covers the business confidentiality layer that the DPA doesn't: your site architecture, content strategy, technical setup, commercial information, and anything else you share with us during the engagement.

Our NDA covers:

  • All technical information shared (credentials, server configs, DB structures)
  • Business information about your site and community
  • Pricing and commercial terms of your engagement
  • Any source code, themes, or custom development observed
  • Mutual obligations (we don't disclose you; you don't disclose our methods)
  • Binding on all gConverter employees and sub-contractors
  • 2-year confidentiality term + 2-year survival period (4 years total from signing)

Important notice for EU customers: gVectors LLC is incorporated in Wyoming, USA and operates from Armenia — both are outside the EEA. Transfers of EU personal data to us constitute international transfers under GDPR Articles 44–46. Our DPA includes Standard Contractual Clauses (SCCs, Module 2 — Controller to Processor) adopted by the EU Commission under Implementing Decision (EU) 2021/914. The SCC clauses are governed by Irish law as required. GC-ExtraSecurity customers additionally benefit from EU-region processing on Hetzner (Frankfurt, Germany), minimising the volume of data transferred internationally.

Governing law: NDA and DPA main body — Wyoming, USA (Sheridan County courts). SCC Annex — Republic of Ireland (Irish courts). Signatory: CTO of gVectors LLC.

GDPR Chapter III

Your rights — and how we support them

As a data controller, you have the right to exercise GDPR data subject rights on behalf of your users. As your processor, we are obligated to help you do that.

Right of access (Article 15)

If one of your users requests a copy of all personal data you hold on them, and that data is currently on our servers during an active migration, we will provide it to you within 3 business days at no charge.

Right to rectification (Article 16)

If data needs to be corrected before or during migration, notify us immediately. We can amend specific records in the source dataset before completing the migration.

Right to erasure — "Right to be forgotten" (Article 17)

If a user requests deletion of their account and data during an active migration job, we will remove that specific user record from our staging environment and confirm deletion in writing within 5 business days.

Right to restriction (Article 18)

You may instruct us to suspend processing at any time by written notice. We will pause the migration within 24 hours of receiving your instruction.

Right to data portability (Article 20)

We can provide your users' data in machine-readable formats (SQL, CSV, JSON) on request. This is largely what migration is — we are already set up for portability.

Right to object (Article 21)

If you instruct us to stop processing because a data subject has objected, we will comply immediately and confirm in writing.

Article 28(2) GDPR

Our sub-processors

GDPR requires us to disclose any third parties (sub-processors) who may process your data on our behalf. Your DPA grants prior written authorization for those listed here. Any change will be notified to you in advance.

Sub-processor: Google LLC (Google Workspace)

  • Purpose: Email coordination and project communication. No customer personal data (PII) is transmitted via email.
  • Location: USA (Google servers globally)
  • Safeguard: Google Workspace DPA (GDPR compliant)

Sub-processor: Hetzner Online GmbH

  • Purpose: GC-ExtraSecurity only: EU-region staging server for temporary database storage and processing during active migration.
  • Location: Frankfurt, Germany (EU jurisdiction)
  • Safeguard: Hetzner DPA (GDPR Article 28 compliant)

Sub-processor: Engineer's MacBook (Apple FileVault)

  • Purpose: Standard tier: primary migration workstation. Source database processed locally on encrypted hardware.
  • Location: Republic of Armenia (engineer office)
  • Safeguard: Apple FileVault AES-256 full-disk encryption

We never sell, share, or transfer your data to any party not listed above. Your data is never used for advertising, analytics, or any purpose other than completing your migration.

Common questions

Data privacy FAQ

Is sharing my database credentials with you GDPR-compliant?
Yes — when done correctly. Sharing credentials with a Data Processor is lawful under GDPR, provided a Data Processing Agreement is in place first. The DPA documents that the access is given under your instruction, for a specific purpose (migration), for a defined duration. We store credentials in an encrypted vault and delete them the moment the job is complete. We never reuse them.

My users are in the EU. Is it legal to send their data to your servers?
Yes, with the right safeguards. Our DPA includes Standard Contractual Clauses (SCCs) — the EU-approved legal mechanism for transferring personal data outside the EEA. By signing our DPA, you have a lawful basis for the international transfer. The processing purpose (migration) is specific and time-limited, which satisfies GDPR's data minimization and purpose limitation principles.

What if one of my users requests deletion of their data during migration?
Contact us immediately in writing. We will locate and delete that specific user's record from our staging environment and confirm deletion in writing within 5 business days. We maintain enough record structure to identify individual records for targeted deletion.

Do you keep backups of our data after the migration?
No. Within 30 days of your migration completion confirmation, all copies of your data — including source dumps, staging databases, file exports, media, and any backups — are permanently deleted using secure overwrite methods. We send you a written Deletion Confirmation.

Can I audit your data security practices?
Yes. Article 28(3)(h) of GDPR gives you the right to audit your processor. You may request a written description of our security measures at any time. For enterprise customers, on-site or remote technical audits can be arranged — contact us to discuss.

What happens if you suffer a data breach during my migration?
We notify you within 72 hours of becoming aware of any personal data breach — as required by GDPR Article 33. Our notification will include the nature of the breach, the data types affected, the approximate number of records, and the measures we have taken or will take. We will assist you in notifying your supervisory authority (e.g., the ICO for UK customers, or your national DPA) and your affected users.

Do your employees sign confidentiality agreements?
Yes. Every employee and contractor who may have access to customer data signs a binding Confidentiality Agreement before starting any work. This is required by GDPR Article 28(3)(b). Access to any given customer's data is restricted to the specific engineer assigned to that job.

Do you need to be listed in our GDPR records?
Yes. Under GDPR, you must maintain a Record of Processing Activities (ROPA) under Article 30. gConverter should be listed as a data processor in your ROPA entry covering "website/forum data migration." Our DPA provides the information you need to complete that entry.

Ready to migrate with confidence?

Before we start your migration, we send you our DPA and NDA to review and sign. No data access is granted until both documents are in place. Your security is not optional — it's step one.

Questions about GDPR compliance? Email privacy@gconverters.com
