Our GDPR Commitment: We take security very seriously and protect client data, in any form, at all costs. Your data is your property, and we are committed to safeguarding your privacy rights under GDPR and providing full transparency in how we process personal data.
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations that process personal data of individuals in the European Union (EU) and European Economic Area (EEA), regardless of where the organization is located.
GDPR establishes strict requirements for data collection, processing, storage, and protection, and grants individuals significant rights over their personal data.
How GDPR Applies to MigroStack
Our Role as Data Processor
When you use MigroStack to migrate data, we act as a data processor on your behalf. You, as the customer, are the data controller who determines what data is migrated and how it is used. This distinction is important under GDPR:
- Data Controller (You): Determines the purposes and means of processing personal data
- Data Processor (MigroStack): Processes personal data on behalf of the controller according to their instructions
Data Processing Agreement (DPA)
GDPR requires a written agreement between data controllers and processors. We provide a comprehensive Data Processing Agreement (DPA) that:
- Defines the subject matter, duration, nature, and purpose of processing
- Specifies the types of personal data and categories of data subjects
- Outlines our obligations and your rights as the data controller
- Includes Standard Contractual Clauses (SCCs) for international data transfers
- Details our security measures and sub-processor arrangements
Your Data Subject Rights Under GDPR
GDPR grants individuals (data subjects) comprehensive rights over their personal data. MigroStack fully supports these rights:
Right to Access
You have the right to obtain confirmation as to whether we process your personal data and to access that data. We will provide you with a copy of your personal data in a commonly used electronic format.
How to exercise: Email privacy@migrostack.com with your request
Right to Rectification
You have the right to correct inaccurate or incomplete personal data we hold about you. We will update your information within 30 days of receiving your request.
How to exercise: Update your profile in your account settings or contact privacy@migrostack.com
Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes it was collected.
How to exercise: Email privacy@migrostack.com or delete your account through account settings
Right to Restrict Processing
You have the right to request that we limit the processing of your personal data in certain situations, such as while we verify the accuracy of contested data.
How to exercise: Contact privacy@migrostack.com with details of your request
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
How to exercise: Request a data export through your account settings or email privacy@migrostack.com
Right to Object
You have the right to object to our processing of your personal data in certain circumstances, particularly for direct marketing purposes or processing based on legitimate interests.
How to exercise: Contact privacy@migrostack.com or use opt-out links in marketing communications
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you.
Our practice: We do not use automated decision-making or profiling of a kind that would require a right to human intervention
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR.
Your supervisory authority: Contact your local EU/EEA data protection authority
Exercising Your Rights
To exercise any of your GDPR rights, please contact us at privacy@migrostack.com or use our support portal. We will respond to your request within 30 days and will verify your identity before processing your request.
GDPR Data Protection Principles
We adhere to all GDPR data protection principles in our processing activities:
1. Lawfulness, Fairness, and Transparency
- We process data lawfully based on legitimate legal grounds (contract performance, legal obligation, or legitimate interests)
- We are transparent about our data processing activities through clear privacy notices
- We process data fairly and never use deceptive practices
2. Purpose Limitation
- We collect personal data for specific, explicit, and legitimate purposes
- We do not process data in a manner incompatible with those purposes
- Migration data is used solely for performing the migration service you requested
3. Data Minimization
- We collect only the minimum personal data necessary to provide our services
- We do not collect excessive or irrelevant data
- Our migration process only accesses data necessary to complete the migration
4. Accuracy
- We take reasonable steps to ensure personal data is accurate and up-to-date
- We provide tools for you to update your account information
- Inaccurate data is corrected or deleted without delay
5. Storage Limitation
- We retain personal data only for as long as necessary for the purposes collected
- Migration data is automatically purged after migration completion
- Account data is deleted within 30 days of account termination
- Audit logs are retained for 7 years for compliance and security purposes
6. Integrity and Confidentiality (Security)
- We implement comprehensive technical and organizational security measures
- All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access controls ensure only authorized personnel can access systems
- We conduct regular security assessments and penetration testing
- We operate 24/7 security monitoring and incident response
7. Accountability
- We are responsible for demonstrating compliance with GDPR principles
- We maintain comprehensive documentation of our data processing activities
- We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
- We carry out regular compliance audits and reviews
International Data Transfers
Data Residency Options
We offer data residency in multiple regions to minimize or eliminate international data transfers:
- EU Regions: EU West (Ireland), EU Central (Frankfurt), EU North (Stockholm)
- UK Region: UK South (London)
- Data processed in these regions stays within the EU/EEA
Safeguards for International Transfers
When data transfers outside the EU/EEA are necessary, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs): We use EU Commission-approved SCCs for transfers to third countries
- Adequacy Decisions: We transfer data to countries with EU adequacy decisions where possible
- Data Processing Agreements: All sub-processors sign agreements with appropriate data protection clauses
- Additional Security Measures: Encryption, pseudonymization, and access controls for all international transfers
Sub-Processors
We carefully select sub-processors who meet GDPR requirements:
- Cloud Infrastructure: AWS, Azure, Google Cloud (all with EU regions and GDPR compliance)
- Payment Processing: Stripe (GDPR compliant, EU data residency available)
- Support Services: Limited sub-processors with strict data protection agreements
We maintain a complete list of sub-processors and notify customers of any changes with 30 days' notice.
Technical and Organizational Security Measures
GDPR requires appropriate security measures to protect personal data. Our comprehensive security program includes:
Technical Measures
- Encryption: AES-256 encryption at rest, TLS 1.3 in transit
- Access Controls: Multi-factor authentication, role-based access, least privilege principle
- Network Security: Firewalls, VPCs, intrusion detection/prevention systems
- Data Pseudonymization: Where applicable for privacy protection
- Secure Development: Security by design, code reviews, vulnerability scanning
- Backup and Recovery: Encrypted backups with geographic redundancy
Organizational Measures
- Data Protection Officer (DPO): Dedicated DPO overseeing GDPR compliance
- Privacy Policies: Clear, transparent policies on data collection and use
- Employee Training: Regular data protection and security awareness training
- Background Checks: All employees undergo background screening
- Confidentiality Agreements: All staff sign strict confidentiality agreements
- Incident Response Plan: Documented procedures for data breach response
- Regular Audits: Internal and external compliance audits
See our Security page for detailed information about our security practices.
Data Breach Notification
In the unlikely event of a personal data breach, we have comprehensive procedures in place:
Our Obligations
- Supervisory Authority Notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms
- Customer Notification: We will notify you, as our customer (the data controller), without undue delay so you can fulfill your own notification obligations
- Data Subject Notification: If the breach is likely to result in a high risk to individuals' rights and freedoms, we will assist you in notifying affected data subjects
Breach Information Provided
- Nature of the breach, including categories and approximate number of affected data subjects and records
- Contact details of our Data Protection Officer
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its adverse effects
Prevention and Mitigation
We employ extensive security measures to prevent breaches, including 24/7 monitoring, automated threat detection, regular security assessments, and incident response drills. Our goal is to prevent breaches before they occur.
Data Protection Impact Assessments (DPIAs)
For processing activities that are likely to result in high risk to individuals' rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs) to:
- Identify and assess potential privacy risks
- Evaluate the necessity and proportionality of processing
- Determine appropriate security measures and safeguards
- Consult with the supervisory authority when required
- Document our decision-making process
We have completed DPIAs for all our migration services and regularly review them as our services evolve.
Children's Privacy
Our services are not directed to children under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent, as required by GDPR Article 8.
If we become aware that we have collected personal data from a child under 16 without proper consent, we will take steps to delete that information as soon as possible.
For educational institutions migrating student data, you (as the data controller) are responsible for obtaining appropriate parental consent where required.
GDPR Compliance for Each Migration Tool
We've designed each migration tool with GDPR principles in mind:
SharePoint & OneDrive Migration
- OAuth 2.0 authentication - no password storage
- Preservation of Microsoft 365 sensitivity labels and retention policies
- Maintains data classification and compliance metadata
- Audit trail of all migrated items and who accessed them
- Option to exclude personal folders or sensitive sites
Microsoft Teams Migration
- Private channel privacy maintained
- Chat history encrypted during processing
- Meeting recordings handled with appropriate permissions
- User consent considerations for personal data in chats
Mailbox Migration
- Email content encryption in transit and during processing
- No permanent storage of email content
- Preservation of retention and legal hold policies
- DLP (Data Loss Prevention) policies maintained
- Audit logging of mailbox access during migration
SMB/File Share Migration
- NTFS permissions preserved to maintain access controls
- File classification and sensitivity labels maintained
- Personal folders can be excluded from migration
- Credential encryption using OS-native secure storage
Remote Agents
- Certificate-based authentication - no credential transmission
- Encrypted communication channels
- Local data processing - data doesn't leave premises unnecessarily
- Audit logging of all agent activities
- Secure uninstall with credential cleanup
Contact Our Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance program and serve as your primary contact for data protection matters.
Data Protection Officer (DPO)
Email: dpo@migrostack.com
Privacy Team: privacy@migrostack.com
Response Time: We will respond to all privacy requests within 30 days
When to Contact Our DPO
- Questions about how we process your personal data
- Exercising your GDPR rights (access, rectification, erasure, etc.)
- Concerns about our data protection practices
- Requesting a Data Processing Agreement (DPA)
- Reporting a potential data breach or security concern
- Questions about international data transfers
- Requesting our sub-processor list
Additional GDPR Resources
Documentation Available
- Data Processing Agreement (DPA): Available upon request for enterprise customers
- Standard Contractual Clauses (SCCs): Included in our DPA for international transfers
- Sub-Processor List: Complete list of third-party sub-processors
- DPIA Summary: Executive summary of our Data Protection Impact Assessments
- Security Documentation: Technical and organizational security measures
Need More Information?
If you have questions about GDPR compliance or would like to request documentation, please contact our privacy team:
Privacy Team: privacy@migrostack.com
Data Protection Officer: dpo@migrostack.com