Compliance-First Approach: We take security and compliance seriously. MigroStack is built from the ground up to meet the most stringent regulatory requirements and to protect client data in whatever form it takes.
Our Certifications & Compliance Programs
SOC 2 Type II
✓ Certified
What it means: Independent third-party audit of our security, availability, processing integrity, confidentiality, and privacy controls.
Audit Frequency: Annual audits by certified CPA firms
Coverage:
- Security controls and policies
- Data handling procedures
- Access management systems
- Incident response processes
- Change management protocols
- Monitoring and logging systems
Reports Available: SOC 2 Type II reports available to enterprise customers under NDA
HIPAA Compliance
✓ Compliant
What it means: Full compliance with the Health Insurance Portability and Accountability Act for healthcare data protection.
Key Controls:
- Business Associate Agreements (BAA) available
- Protected Health Information (PHI) encryption
- Access controls and audit trails
- Data breach notification procedures
- Administrative, physical, and technical safeguards
- Regular risk assessments
Covered Services: All migration tools support HIPAA-compliant data handling
GDPR Compliance
✓ Compliant
What it means: Full compliance with the European Union General Data Protection Regulation.
Data Subject Rights:
- Right to access personal data
- Right to rectification and erasure
- Right to data portability
- Right to restrict processing
- Right to object to processing
Our Commitments:
- Data Processing Agreements (DPA) available
- EU data residency options
- Standard Contractual Clauses (SCC) for cross-border transfers
- Privacy by design and default
- Data Protection Impact Assessments (DPIA)
FIPS 140-2
✓ Validated
What it means: Federal Information Processing Standard for cryptographic module validation.
Validated Components:
- Cryptographic libraries and modules
- Data encryption systems
- Key management infrastructure
- Random number generation
Use Cases: Required for U.S. government agencies and contractors handling sensitive but unclassified information
ISO 27001
✓ Certified
What it means: International standard for Information Security Management Systems (ISMS).
Controls Implemented:
- Information security policies
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition and development
- Supplier relationships
- Incident management
- Business continuity
CCPA Compliance
✓ Compliant
What it means: California Consumer Privacy Act compliance for California residents.
Consumer Rights:
- Right to know what data is collected
- Right to delete personal information
- Right to opt out of data sale (we don't sell data)
- Right to non-discrimination
Our Practices: We never sell personal information and provide clear disclosures about data collection and use.
Industry-Specific Compliance
Financial Services (FINRA, PCI-DSS, GLBA, SOX)
- PCI-DSS: Payment Card Industry Data Security Standard compliance for organizations handling credit card data
- GLBA: Gramm-Leach-Bliley Act compliance for financial institutions protecting customer information
- FINRA: Financial Industry Regulatory Authority requirements for data retention and security
- SOX: Sarbanes-Oxley Act compliance with audit trail and data integrity controls
Government & Defense (FedRAMP, ITAR, CMMC)
- FedRAMP: Working towards Federal Risk and Authorization Management Program authorization
- ITAR: International Traffic in Arms Regulations - controlled unclassified information protection
- CMMC: Cybersecurity Maturity Model Certification readiness for DoD contractors
- CJIS: Criminal Justice Information Services security policy compliance available
Education (FERPA, COPPA)
- FERPA: Family Educational Rights and Privacy Act compliance for student records
- COPPA: Children's Online Privacy Protection Act compliance for under-13 user data
Data Residency & Sovereignty
MigroStack provides flexible data residency options to meet your regulatory and business requirements:
Available Regions
- United States: US East (Virginia), US West (Oregon), US Central (Iowa)
- Europe: EU West (Ireland), EU Central (Frankfurt), EU North (Stockholm)
- United Kingdom: UK South (London)
- Canada: Canada Central (Toronto)
- Asia Pacific: Singapore, Tokyo, Sydney
Data Location Guarantees
- Customer data processed only in specified regions
- No cross-border data transfer without explicit consent
- Region selection at organization level
- Migration data purged immediately after completion
- Backup data stored in the same geographic region
Audit Trails & Compliance Reporting
Comprehensive Audit Logging
Every action in MigroStack is logged for compliance and security purposes:
- User Activity: All user logins, actions, and configuration changes
- Data Access: Complete record of who accessed what data and when
- Migration Events: Detailed logs of all migration activities
- System Changes: Infrastructure and configuration modifications
- Security Events: Authentication failures, permission changes, and security incidents
- API Calls: All API requests and responses with timestamps
Compliance Reports
- Migration Summary Reports: Complete record of what was migrated, when, and by whom
- Permission Reports: Before and after permission states for compliance validation
- Data Classification Reports: Sensitive data handling and encryption status
- Access Reports: Who accessed what systems and data during migration
- Exception Reports: Failed items, errors, and remediation actions
- Custom Reports: Build custom compliance reports for your specific needs
Retention & E-Discovery
- Audit logs retained for 7 years by default (configurable)
- Immutable audit trail - logs cannot be modified or deleted
- E-discovery support with advanced search and filtering
- Export capabilities in multiple formats (CSV, JSON, PDF)
- Legal hold functionality to preserve data for litigation
Third-Party Security Assessments
Regular Security Testing
- Penetration Testing: Quarterly penetration tests by certified ethical hackers
- Vulnerability Scanning: Continuous automated vulnerability scanning
- Code Security Reviews: Static and dynamic application security testing (SAST/DAST)
- Infrastructure Audits: Annual infrastructure security assessments
- Social Engineering Tests: Regular employee security awareness testing
Vendor Risk Management
- All vendors undergo security assessments before engagement
- Annual vendor security reviews and re-assessments
- Contractual security requirements and SLAs
- Vendor access monitoring and logging
- Limited vendor access to production systems
Compliance Across Migration Tools
Every migration tool in MigroStack is designed with compliance in mind:
SharePoint & OneDrive Migration
- OAuth 2.0 authentication - no password storage
- Maintains Microsoft 365 compliance tags and retention labels
- Preserves sensitivity labels and DLP policies
- Complete audit trail of all migrated items
- Version history preservation
Microsoft Teams Migration
- Chat history encryption and audit logging
- Compliance recording preservation
- Legal hold status maintained
- Meeting recording and transcript handling
Mailbox Migration
- Email encryption during transit and processing
- Litigation hold preservation
- Archive and retention policy migration
- Message-level audit trails
- DLP policy preservation
SMB/File Share Migration
- NTFS permission preservation and documentation
- File classification and tagging maintained
- Audit of permission changes
- Secure credential handling - encrypted at rest
Shared Responsibility Model
Security and compliance are a shared responsibility between MigroStack and our customers:
MigroStack Responsibilities
- Secure infrastructure and platform operations
- Data encryption and protection
- Security monitoring and incident response
- Compliance certifications and audits
- Secure software development lifecycle
- Employee security training and background checks
Customer Responsibilities
- User access management and authentication
- Data classification and sensitivity labeling
- Configuring security settings appropriately
- Monitoring and reviewing audit logs
- Defining data retention policies
- Compliance with source and destination platform policies
Compliance Support & Documentation
We provide comprehensive support to help you meet your compliance requirements:
Available Documentation
- SOC 2 Type II Reports: Available to enterprise customers under NDA
- Security Whitepaper: Detailed technical security documentation
- Data Processing Agreement (DPA): GDPR-compliant data processing terms
- Business Associate Agreement (BAA): HIPAA compliance for healthcare organizations
- Standard Contractual Clauses (SCC): EU data transfer agreements
- Penetration Test Reports: Executive summaries available to enterprise customers
- Compliance Questionnaires: Pre-completed security questionnaires (VSA, SIG, CAIQ)
Compliance Support Services
- Dedicated compliance specialists for enterprise customers
- Custom compliance reports and documentation
- Compliance consultation and advisory services
- Audit support and evidence gathering
- Regulatory change notifications and updates
Compliance Questions?
Compliance Team: compliance@migrostack.com
Privacy Team: privacy@migrostack.com
Security Team: security@migrostack.com
Data Protection Officer (DPO): dpo@migrostack.com