Security
How we protect your data
MigrationFox handles credentials, file streams, and audit data for IT teams running migrations across 13 cloud connectors. Here's the short, honest summary of how that's secured.
Encryption at rest
All credentials — OAuth tokens, service-account keys, and agent secrets — are encrypted with AES-256 using a server-side key that is never co-located with the encrypted data. TLS is enforced for every API request and file transfer in flight.
Authentication
User passwords are hashed with Argon2id; pre-2026 legacy accounts upgrade to Argon2id automatically on next sign-in. Multi-factor authentication is available on every account — enable it from account settings (TOTP, with recovery codes). Sessions are JWT-signed with a server-side secret and scoped to a single tenant + role — no cross-tenant token reuse.
Your file data
File contents stream directly between source and destination platforms. MigrationFox does not retain user file content on its own servers after a migration completes. The only data we keep post-migration is operational metadata: file paths, sizes, success/failure status, and the audit log for the action.
Audit trails
Significant security and account events — sign-in (success and failure), sign-out, password changes, password resets, MFA enable / disable, account deletion, credential changes, migration jobs, governance scans, and admin actions — write to a tenant-scoped audit log. Audit rows include actor identity, action, target, timestamp, and (where relevant) IP. Visible in the in-app activity feed; full exports are available on request via your account contact.
Jurisdiction & data residency
MigrationFox Inc. is a Canadian federal corporation operating under PIPEDA — Canada's federal privacy law.
Your file content streams through our migration worker hosted in Toronto, Canada (Oracle Cloud, Canada Southeast region) and is never retained on our servers after a migration completes.
Operational metadata — file paths, sizes, success status, audit logs, and AES-256-encrypted credentials — is processed on cloud infrastructure located in the United States. Under PIPEDA, MigrationFox Inc. remains accountable for that data wherever it is processed.
Microsoft trust signals
Two independent credentials Microsoft validates separately.
Microsoft Cloud Partner. MigrationFox Inc. is enrolled in the Microsoft Cloud Partner Program — Microsoft's program for vendors building on Microsoft 365 and Azure.
Microsoft Verified Publisher. When you grant MigrationFox access to your Microsoft 365 tenant, the OAuth consent screen shows the publisher “MigrationFox Inc” alongside a blue checkmark. Microsoft only awards that mark after independently verifying the publishing entity. If you ever see a consent screen for MigrationFox without the verified mark, do not approve it — report it to security@migrationfox.com.
Subprocessors
MigrationFox uses the following third-party subprocessors to deliver the service. Each is contractually bound to handle data only on our instructions and to maintain security standards equivalent to ours.
| Subprocessor | Purpose | Region |
|---|---|---|
| Oracle Cloud Infrastructure | Migration worker (file content streaming) | Canada Southeast (Toronto) |
| Railway | API hosting, Postgres database, Redis queue | United States (us-west-2) |
| Vercel | Static landing site, web app, docs site hosting | Global edge network |
| Stripe | Payment processing, subscription billing | United States |
| Resend | Transactional email (password reset, receipts, notifications) | United States |
| Sentry | Error tracking and performance monitoring | United States |
| Microsoft Azure (optional) | Trusted Signing for desktop installer signature | Canada Central (when enabled) |
Customer file content streams through Oracle Cloud Toronto only and is not retained after migration completes. Operational metadata (file paths, sizes, audit logs, AES-256-encrypted credentials) lives on Railway in the US, accountable to MigrationFox Inc. under PIPEDA. We notify customers via email at least 30 days before adding or replacing any subprocessor.
Data Processing Agreement
We provide a standard Data Processing Agreement (DPA) covering the GDPR Article 28, UK GDPR, and PIPEDA requirements typical for enterprise customers and Managed Service Providers handling data on behalf of their own clients.
View the DPA template · To execute, email legal@migrationfox.com with your entity name and a contact for signature.
Reporting a security issue
Found a vulnerability? Email security@migrationfox.com. We acknowledge reports within one business day and aim to validate or dismiss within five.
For the specific Microsoft Graph scopes we read during governance assessments — and the strict read-only guard that blocks PATCH/POST/PUT/DELETE at runtime — see What We Check.