
How to Securely Migrate Your Kentico Website to WordPress

Your Kentico database holds page content with all custom field values, registered user accounts with profile data, Contact Management records tracking visitor behavior, form submissions, e-commerce order history, and forum post data. Whoever migrates it has access to every record in it.

What Is Actually Inside a Kentico Database

Kentico stores its content and user data in SQL Server using a proprietary schema. The CMS_User table holds every registered user: email address, hashed password, first and last name, and account creation date. The CMS_UserSettings table holds extended user profile data including any custom profile fields configured on the site. The OM_Contact and OM_Activity tables from the Contact Management module hold detailed visitor interaction records: who visited, which pages they viewed, which forms they submitted, and when. These contact records may include email addresses, IP addresses, and behavioral data collected during site visits. The BizFormData_ tables (one per form) hold all submitted form field values. The Ecommerce_Order and related tables hold complete customer purchase history if the E-commerce module was active. Forum data is in forum-specific tables linked to the CMS user accounts.

The Contact Management data in particular deserves attention. Kentico is a DXP platform, and for organizations using it as intended, the contact and activity database is a detailed behavioral profile of every visitor who interacted with the site. This data is unambiguously personal data under GDPR, and migrating it requires the same governance as any other personal data transfer.
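A read-only T-SQL inventory to run before any backup leaves the server, so the DPA and deletion terms cover what the database actually holds. This is an added example, not code from gConverter or Kentico; the table names and prefixes are the ones listed above, and the column-name patterns are illustrative assumptions to check against your own schema.

```sql
-- Added example: pre-export inventory of personal-data tables in a Kentico database.
-- Table names and prefixes below are the ones listed in this article (assumption:
-- verify them against your own Kentico version and custom modules).
DECLARE @targets TABLE (name_pattern nvarchar(128), category nvarchar(60));
INSERT INTO @targets (name_pattern, category) VALUES
    (N'CMS[_]User',          N'Registered users'),
    (N'CMS[_]UserSettings',  N'Extended user profiles'),
    (N'OM[_]Contact',        N'Contact Management'),
    (N'OM[_]Activity',       N'Contact Management'),
    (N'BizFormData[_]%',     N'Form submissions'),
    (N'Ecommerce[_]Order%',  N'E-commerce orders');

-- 1. Which of the listed tables exist, and how many rows each holds.
--    Uses catalog views only; no row data is read.
SELECT tg.category,
       s.name       AS schema_name,
       t.name       AS table_name,
       SUM(p.rows)  AS row_count
FROM sys.tables AS t
JOIN sys.schemas AS s    ON s.schema_id = t.schema_id
JOIN @targets AS tg      ON t.name LIKE tg.name_pattern
JOIN sys.partitions AS p ON p.object_id = t.object_id
                        AND p.index_id IN (0, 1)   -- heap or clustered index only
GROUP BY tg.category, s.name, t.name
ORDER BY tg.category, t.name;

-- 2. Heuristic sweep for personal-data columns in tables the list above missed
--    (forum tables, custom modules). Column-name patterns are illustrative.
SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS AS c
WHERE (c.COLUMN_NAME LIKE N'%Email%'
    OR c.COLUMN_NAME LIKE N'%Password%'
    OR c.COLUMN_NAME LIKE N'%IPAddress%'
    OR c.COLUMN_NAME LIKE N'%FirstName%'
    OR c.COLUMN_NAME LIKE N'%LastName%')
  AND NOT EXISTS (SELECT 1 FROM @targets AS tg
                  WHERE c.TABLE_NAME LIKE tg.name_pattern)
ORDER BY c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME;
```

The two result sets give you a concrete list of tables and row counts to reference in the DPA and to decide what can be excluded or pseudonymised before export.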

[Figure: Your data, no protection. Credentials shared. Data unencrypted. No DPA.]

Your Kentico database during a migration with no documented data handling policy.

What Has Gone Wrong in Real Data Migrations

A contractor turned off the firewall for ten minutes while migrating data to ElasticSearch. This exposed the database to attackers who breached over 5 billion data records.

Keepnet Labs breach, documented by Caylent security research

Ten minutes. No malicious intent. One shortcut during a data transfer. For a Kentico enterprise site with contact management records, e-commerce order history, and thousands of registered users, the exposure window during an insecure migration runs from when the database backup leaves your server to when it is formally deleted from the provider’s system, a moment that for most freelancers never arrives.

Without proper encryption and access controls, customer data intercepted during a cloud migration and personally identifiable information exposed due to misconfigured permissions are not hypothetical scenarios. They result in regulatory fines, lawsuits, and destroyed customer trust.

Monte Carlo Data, September 2025

Kentico migrations involve a wider credential surface than most CMS migrations. Your Kentico admin credentials give access to the full CMS including all content, user accounts, contact records, and form data. SQL Server connection credentials expose the entire proprietary database schema. Azure hosting credentials (if applicable) expose the full cloud environment. A provider holding all three has unrestricted access to your entire digital estate.

The Freelancer and Agency Problem

[Figure: No DPA signed. No deletion date. No encryption. No liability. Your data. Their laptop. No legal obligations.]

The developer who migrated your Kentico site: your SQL Server backup is still in their project folder, no DPA, no deletion date.

Kentico migrations are technically demanding and require knowledge of the CMS Page Type schema, the Widget system, the MVC template architecture, and the Contact Management data model. Finding a competent technical provider is already difficult given the small Kentico developer pool. Finding one with a formal data protection process is rare.

  • No Data Processing Agreement. GDPR Article 28 requires a signed DPA before any third party processes personal data. A Kentico database almost certainly contains personal data from EU residents, including contact records, user profiles, and form submissions. Without a DPA, your organization is in violation before the migration begins.
  • No credential security policy. Your Kentico admin credentials, SQL Server connection string, and Azure credentials are typically shared by email and kept indefinitely. No encrypted vault, no deletion timeline, no audit trail.
  • No data retention policy. The SQL Server backup downloaded for the migration stays on the provider’s machine. There is no deletion commitment and no notification when it disappears.
  • No breach notification obligation. If the provider’s system is compromised while holding your database, they have no contractual obligation to notify you or the affected contacts and users.
  • No professional liability. If contact records are exposed, forum history is lost, or Page Type field data is dropped, a marketplace freelancer has no insurance and no legal accountability.
  • Kentico-specific technical failures. Most providers do not know how to handle Kentico Page Type field data, Widget zone layouts, Contact Management records, or the BizFormData schema. The migration appears complete but is missing structured content, contact data, and forum history.

How gConverter Does It

[Figure: GDPR-compliant process. 1. Sign DPA. 2. AES-256 vault. 3. TLS 1.3 transit. 4. EU server option. 5. Access logged. 6. 30-day delete. US-registered. EU data centres. 72h breach notification.]

How gConverter starts every Kentico migration: signed legal documentation before any credentials are shared.

gConverter is a registered US company with full EU GDPR compliance for all European and international clients. We act as a Data Processor under GDPR Article 4(8) with a documented six-step security process applied to every migration including Kentico.

Step 1: DPA before credentials

Before you share any credentials, you receive a Data Processing Agreement for review and signature. For GC-ExtraSecurity clients, a Non-Disclosure Agreement is also executed. No data access is granted until both documents are countersigned. The DPA specifies what we process, the lawful basis, retention limits, and our liability in the event of a breach.

Step 2: Encrypted credential vault

Your Kentico admin credentials, SQL Server connection string, and hosting access are transmitted via an encrypted channel, never by email. They are stored immediately in an AES-256 encrypted vault accessible only to the single assigned engineer, and deleted within 24 hours of job completion, with written confirmation sent to you.

Step 3: Isolated staging environment

Your database is exported and transferred over TLS 1.3. For GC-ExtraSecurity clients, processing happens on a dedicated Hetzner EU server in Frankfurt, keeping all data inside the EEA throughout. For standard clients, processing is on the assigned engineer’s encrypted machine (Apple FileVault AES-256). Your data is never on shared hosting and never alongside other clients’ data.

Steps 4 to 6: Logged migration, verified delivery, 30-day deletion

Every database query and file operation is logged. The migration is completed on staging and presented for your review before go-live. After approval and launch, credentials are revoked and deleted. All customer data is permanently deleted within 30 days using secure overwrite. Breach notification is issued within 72 hours if required by GDPR Article 33.

Read the complete GDPR and Data Protection documentation →

Questions to Ask Any Kentico Migration Provider

  1. Will you sign a Data Processing Agreement before accessing any data? No DPA means no GDPR compliance and direct legal exposure for your organization.
  2. How do you handle Kentico-specific data: Page Type fields, Contact Management records, BizFormData tables, Forum data? If they cannot answer specifically, they have not done it before.
  3. How are credentials transmitted and stored? Acceptable: encrypted channel and AES-256 vault. Not acceptable: email, Slack, or any plain-text channel.
  4. Where is my SQL Server data processed during migration? Specific server location, encryption method, and access policy.
  5. When and how is my data deleted after completion? A timeline and a deletion method, not just a verbal commitment.
  6. Do you carry professional liability insurance? Without it, no financial recourse if a breach or data loss occurs.
  7. What is your breach notification procedure? Without a documented procedure, they have no obligation to notify you if your data is compromised.

Technical Quality Matters Too

Security is the non-negotiable baseline. But a secure migration that drops Page Type fields, loses Contact Management data, or abandons forum history is still a failed migration. A complete Kentico to WordPress migration by gConverter covers all page content with Page Type field values, Widgets rebuilt as Gutenberg blocks, Forum content migrated to wpForo 360° AI, user accounts with profile data, Contact Management records exported to FluentCRM, BizFormData form submissions archived, E-commerce order history preserved, the Kentico MVC theme rebuilt as a custom WordPress theme, 301 redirects for every URL that changes, and SEO metadata transferred to Yoast SEO.

For the full picture of why organizations are leaving Kentico and what the technical migration covers: Why Digital Teams Are Moving From Kentico to WordPress →

To discuss your specific site: Kentico to WordPress migration at gConverter →

What Our Clients Say

Went FAR above and beyond to help us work through this project. We are thrilled with the final result and they were professional, great to work with, and responsive every step of the way. Would highly recommend.

Anna P., Wilmington NC – Customer Lobby, January 2026

Extremely professional and efficient, we had very good contact, the work was done in due time.

Timoti F., Berlin DC – Customer Lobby, February 2024

[Figure: Kentico, DPA, WordPress. Pages + contacts. Forum in wpForo. SEO preserved. Verified. Documented. Data deleted after delivery.]

Kentico pages, contact records, and forum history – all verified in WordPress.

The Bottom Line

A Kentico database built over years of enterprise operation contains content with all its structured field data, detailed visitor contact and activity records, registered user accounts with profile data, and e-commerce customer history. The Contact Management data alone may represent one of the most sensitive and commercially valuable datasets your organization holds. Migrating it requires a provider with documented security processes, not just a developer who knows the Kentico schema.

gConverter is US-registered and EU GDPR-compliant, with signed legal agreements before access, AES-256 encryption at rest, TLS 1.3 in transit, EU server options, and 30-day data deletion with written confirmation. Before the job starts, you have a signed DPA. While it runs, your data is encrypted, isolated, and logged. When it ends, your data and credentials are gone from our systems.
