A Drupal migration hands a third party your admin credentials, your database, every user account, every webform submission, and every commerce order your site has ever collected. Most providers have no formal obligation to protect any of it.
What Is Actually Inside a Drupal Database
A Drupal installation distributes personal data across many tables. The users table holds every registered account: username, email address, hashed password, IP address used at registration, timezone, and language preference. The profile_values or field_data_field_* user entity tables hold any custom profile fields configured by the site owner. The node table references every piece of content by author. The webform_submissions and webform_submitted_data tables hold every form submission including whatever personal data visitors entered. Drupal Commerce adds commerce_customer_profile, commerce_order, and related tables containing full customer billing history.
For government portals, university sites, and institutional platforms built on Drupal, these tables may also contain legally protected data under GDPR, HIPAA, or sector-specific national data protection laws. All of it is in the database file that any migration provider downloads to run the migration.
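The inventory described above can be checked before a dump leaves your server. This is an added example, not code from the article or from gConverter: it scans mysqldump-style lines and reports which of the tables named above are present and how many rows each holds. The category map, the `prefix` parameter, and the sample lines are assumptions constructed for illustration; it assumes one INSERT statement per line, as mysqldump writes them.

```python
import fnmatch
import re

# Categories and table patterns as named in the section above (fnmatch globs).
# Add site-specific tables, such as further commerce tables, as needed.
PII_TABLES = {
    "accounts": ["users"],
    "profile fields": ["profile_values", "field_data_field_*"],
    "webform submissions": ["webform_submissions", "webform_submitted_data"],
    "commerce records": ["commerce_customer_profile", "commerce_order"],
}
INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`?\s*(?:\([^)]*\)\s*)?VALUES\s*(.*)", re.I)
# A quoted SQL string, allowing backslash escapes and doubled quotes.
STRING_RE = re.compile(r"'(?:[^'\\]|\\.|'')*'")

def count_rows(values):
    """Count row tuples after stripping strings, so '(' inside data is ignored."""
    return STRING_RE.sub("", values).count("(")

def classify(table, prefix=""):
    """Map a table name (minus an optional site prefix) to its data category."""
    name = table.removeprefix(prefix)
    for kind, patterns in PII_TABLES.items():
        if any(fnmatch.fnmatchcase(name, p) for p in patterns):
            return kind
    return None

def inventory(dump_lines, prefix=""):
    """Return {table: (category, row_count)} for personal-data tables in a dump."""
    found = {}
    for line in dump_lines:
        m = INSERT_RE.match(line)
        kind = classify(m.group(1), prefix) if m else None
        if kind:
            rows = found.get(m.group(1), (kind, 0))[1] + count_rows(m.group(2))
            found[m.group(1)] = (kind, rows)
    return found

# Constructed sample lines in mysqldump style (not real data).
SAMPLE_DUMP = [
    "CREATE TABLE `users` (`uid` int, `name` varchar(60), `mail` varchar(254));",
    "INSERT INTO `users` VALUES (1,'admin','a@example.org'),(2,'o\\'neil (test)','on@example.org');",
    "INSERT INTO `field_data_field_phone` VALUES ('user',2,'+1 (555) 0100');",
    "INSERT INTO `webform_submitted_data` VALUES (7,1,1,'Call me; (urgent)'),(7,1,2,'b@example.org');",
    "INSERT INTO `cache` VALUES ('x','(blob)');",
]
```

Running `inventory()` over the lines of a real dump file gives a concrete list of what a migration provider would receive, which can be attached to the DPA as the scope of processing.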
Your Drupal database during migration with a provider who has no documented data handling policy.
What Has Gone Wrong in Real Data Migrations
A contractor turned off the firewall for ten minutes while migrating data to ElasticSearch. This exposed the database to attackers who breached over 5 billion data records.
Keepnet Labs breach, documented by Caylent security research
Ten minutes. No malicious intent. A single operational shortcut during a data transfer. The lesson: without a formal, documented security process, any data migration creates an exposure window that may not be visible until it is too late. For a Drupal site running a government portal or a university platform with thousands of registered users, the exposure window on an insecure migration is not theoretical. It is the period from when your database leaves your server to when it is deleted from the provider’s system, which for most freelancers is never formally determined.
Data is particularly vulnerable during transit and temporary storage phases. Customer data intercepted during a cloud migration, personally identifiable information exposed due to misconfigured permissions in the new database. These are not hypothetical scenarios. They result in regulatory fines, lawsuits, and destroy customer trust.
Monte Carlo Data, September 2025
For Drupal specifically, the credential exposure window is broader than most CMS migrations. A Drupal admin account gives access to the entire backend, all nodes, all user accounts, all webform submissions, and the site configuration. Database credentials expose every field table, every commerce record, and every user profile. Drush access (command-line management) or SSH credentials expose the entire server environment. A provider who holds all three simultaneously has unrestricted access to everything.
The Freelancer and Cheap Tool Problem
The freelancer who migrated your Drupal site last week: your database is still in their Downloads folder.
Drupal migrations are technically demanding. They require knowledge of the node and field architecture, the field_data table structure, Views query logic, taxonomy hierarchies, and how to map all of this to WordPress post types and ACF field groups. Finding a freelancer with the technical skills is already hard. Finding one who also has a formal data protection process is extremely rare. Here is the gap between what you need and what you typically get.
- No Data Processing Agreement. GDPR Article 28 requires a signed DPA before any third party processes personal data on your behalf. A Drupal database almost certainly contains personal data from EU residents. A freelancer without a DPA cannot operate within a GDPR-compliant framework regardless of their technical competence.
- No credential security policy. Your Drupal admin login, database credentials, Drush access, and SSH keys are typically shared by email and retained indefinitely in the provider’s inbox, local machine, or project notes. No encrypted vault. No deletion confirmation.
- No data retention policy. After the job, the database dump downloaded to run the migration stays on the freelancer’s machine. For how long? There is no answer. No secure deletion. No notification to you when it eventually disappears.
- No breach notification obligation. If the provider’s system is compromised while holding your data, they have no contractual obligation to notify you. Your members’ data could be circulating without your knowledge.
- No professional liability. If the migration fails, corrupts data, loses field content, or triggers a GDPR investigation, a marketplace freelancer has no insurance and no legal exposure in most jurisdictions.
- Drupal-specific technical gaps. Most freelancers underestimate the complexity of field_data tables, entity reference fields, Views-driven layouts, multilingual content, and forum data. The result is a technically incomplete migration with no audit trail for what was lost.
Why Automated Migration Tools Create Their Own Risks
Tools like FG Drupal to WordPress work by installing a connector on your source Drupal site and pulling content through the tool’s own servers. The core problem is the same one that applies to all automated migration tools: your personal data (user records, webform submissions, commerce orders) passes through third-party infrastructure you have not audited, have no data protection agreement with, and cannot verify is GDPR-compliant.
The technical problem is equally significant. FG Drupal to WordPress handles basic node content adequately for simple blog-type sites. It does not handle field_data tables for complex content types, Views-generated pages, entity reference relationships, or Drupal Commerce records with proper fidelity. Forum content in the Drupal Forum module is not migrated to wpForo 360° AI. These gaps are often not visible in the tool’s output until after launch.
If your Drupal site has EU users and you use an automated tool without a signed DPA with that provider, you are processing personal data outside a lawful data sharing framework. GDPR fines for unlawful data processing start at 2% of annual global turnover or €10 million, whichever is higher.
How gConverter Does It
How gConverter starts every Drupal migration: legal documentation before any data access.
gConverter is a registered US company with full EU GDPR compliance for all European and international clients. We act as a Data Processor under GDPR Article 4(8) with a documented six-step security process that applies to every migration including Drupal.
Step 1: DPA before credentials
Before you share any login or database credentials, you receive a Data Processing Agreement for review and signature. For GC-ExtraSecurity clients, a Non-Disclosure Agreement is also executed. No data access is granted until both documents are countersigned. The DPA defines what we process, the lawful basis, retention limits, and our liability in the event of a breach. This is the legal foundation of the engagement, not a formality.
Step 2: Encrypted credential storage
Your Drupal admin credentials, database credentials, SSH/Drush access, and FTP details are transmitted via an encrypted channel, never by email. They are stored immediately in an AES-256 encrypted vault accessible only to the single assigned engineer and deleted within 24 hours of job completion with written confirmation sent to you.
Step 3: Isolated staging
Your database is transferred over TLS 1.3. For GC-ExtraSecurity clients, processing happens on a dedicated Hetzner EU server in Frankfurt, Germany, keeping all data inside the EEA. For standard clients, processing is on the assigned engineer’s encrypted machine (Apple FileVault AES-256). Your data is never on shared hosting and never co-located with other clients’ data.
Steps 4 to 6: Logged migration, verified delivery, 30-day deletion
Every database query and file access is logged. The migration is completed on staging and presented to you for review before going live. After approval, credentials are revoked immediately. All customer data is permanently deleted within 30 days using secure overwrite deletion. If a security incident occurs, we notify you within 72 hours as required by GDPR Article 33.
Questions to Ask Any Drupal Migration Provider
- Will you sign a Data Processing Agreement before accessing any data? No DPA means no GDPR compliance and legal exposure for your organization.
- How do you handle Drupal-specific data: field_data tables, Views, entity references, forum content? If they cannot answer specifically, they have not done it properly before.
- How are credentials transmitted and stored? Acceptable: encrypted channel and AES-256 vault. Not acceptable: email, Slack, or any plain-text channel.
- Where is my data processed and stored during migration? Specific server location, encryption method, single-engineer access policy.
- When and how is my data deleted after completion? A timeline and a deletion method (secure overwrite, not trash).
- Do you carry professional liability insurance? Without it, there is no financial recourse if a breach or data loss occurs.
- What is your breach notification procedure? If they do not have a documented one, they have no obligation to tell you if your data is compromised.
Technical Quality Matters Too
Security is the non-negotiable foundation, but a migration that is secure yet technically incomplete is still a failed migration. A complete Drupal to WordPress migration by gConverter covers all nodes by content type, all field_data table values mapped to ACF Pro fields, entity reference relationships preserved, taxonomy hierarchies intact, user accounts with role mapping, Webform submission data archived, forum content migrated to wpForo 360° AI, SEO metadata transferred to Yoast SEO, 301 redirects for every URL that changes, Views-driven pages rebuilt as WordPress template loops, and a custom WordPress theme that matches the original Drupal output exactly.
What Our Clients Say
Went FAR above and beyond to help us work through this project. We are thrilled with the final result and they were professional, great to work with, and responsive every step of the way. Would highly recommend.
Anna P., Wilmington NC – Customer Lobby, January 2026
Extremely professional and efficient, we had very good contact, the work was done in due time.
Timoti F., Berlin DC – Customer Lobby, February 2024
The outcome when security and technical quality are both handled right: Drupal nodes, fields, and forum history in WordPress.
The Bottom Line
A Drupal database is not just content. It contains the personal data of every registered user, every webform submitter, and every customer your site has ever served. Government portals, universities, and enterprise platforms running Drupal handle some of the most sensitive personal data on the web. Migrating that data requires the same governance, documentation, and accountability as any other personal data processing activity under GDPR.
gConverter is US-registered and EU GDPR-compliant, with signed legal agreements before access, AES-256 encryption at rest, TLS 1.3 in transit, EU server options, and 30-day data deletion with written confirmation. Before the job starts, you have a signed DPA. While it runs, your data is encrypted, isolated, and logged. When it ends, your data and credentials are gone from our systems.