Data Migration Security and Sanitization
When transitioning to a new Customer Identity and Access Management (CIAM) platform, ensuring the secure and accurate transfer of sensitive customer data is critical. LoginRadius follows rigorous security protocols and comprehensive sanitization procedures to ensure your data is handled safely and meets the highest quality and compliance standards.
This document outlines the security protocols, data sanitization processes, supported hashing algorithms, and best practices in migrating user data into the LoginRadius Identity Platform.
Data Migration Security
To eliminate any exposure during this sensitive transition of user data, LoginRadius has developed specific protocols and tools to migrate your user data into the LoginRadius platform. This document details the mechanisms and protocols we have in place to ensure the safe, secure, and successful migration of your user data.
- In-Transit Data Protection
- Access Management
- Infrastructure and Data Handling
All data transfers to LoginRadius are encrypted using secure protocols to prevent interception or unauthorized access during migration.
The following are the key security measures applied during data transfer:
| Secure HTTPS Tunnel via server-to-server process | The communications are handled via a server-to-server transaction over HTTPS, meaning that data transfer is entirely secure. |
|---|---|
| SFTP-Based File Delivery | LoginRadius provides a dedicated, write-only SFTP server secured via SSH for bulk migration projects. Only authorized users can upload files; no external read/write access is permitted. |
| IP/Domain Whitelisting | Migration access is restricted to pre-approved IP addresses or domains. This adds a network-layer barrier to ensure only verified systems can initiate data transfers. |
Strict access controls and credential handling ensure that only authorized systems and personnel can interact with migration resources.
The following controls are enforced to protect access during the migration process:
| Secure Credentials Storage | Any access credentials provided for testing or migration are securely stored in an encrypted key vault and only leveraged by the Migration Service when required. |
|---|---|
| One-Way Password Hashing | LoginRadius only accepts one-way hashed passwords, meaning that it is impossible to decrypt and, therefore, impossible for anyone (even the LoginRadius team) to see your users' passwords. We support the most up-to-date security algorithms and can assist in rolling your existing passwords over into the most secure algorithm if your currently used algorithm is outdated. |
| Password Hash Upgrades | LoginRadius can automatically upgrade passwords to stronger standards (e.g., bcrypt, Argon2) during import if you use older or less secure hashing algorithms. |
Migration operations run within LoginRadius's secured infrastructure, with temporary data storage and strict deletion protocols post-migration.
The following practices ensure secure handling within our infrastructure:
| System-wide Security protocols | We use our standard security policies and practices to ensure we comply with security standards. All SFTP servers, data files storage, etc, are behind the firewall and protected in LoginRadius Infrastructure. Full details on the system infrastructure security can be found here |
|---|---|
| Secured Infrastructure | All migration services operate within the LoginRadius private cloud, behind firewalls, with multi-layer security controls, and under our enterprise-grade security framework. |
| Data Preservation | All data is temporarily maintained in transit storage. Once the data migration process is complete, data is disposed of based on industry standard data governance procedures for deletion of records. |
| Audit Trails and Logging | All migration activities are logged for auditability. Access logs, error logs, and operational metrics are available upon request for compliance and review. |
Data Migration Sanitization
All data transferred into the LoginRadius system undergoes a complete data sanitization process. This process guarantees that the data you are transferring is normalized into the LoginRadius format, contains only valid records, and any data preprocessing is applied.
Data Sanitization covers the following cases by default:
- Core Sanitization Workflow
- Custom Sanitization and Transformation
| Data Deduplication | The data migration process checks for the duplicate data points during the migration and allows for customizable rectification of duplicate data. |
|---|---|
| Type Checking | All fields are verified and converted to the correct format. |
| Required Field Verification | Any fields deemed necessary for the migration are checked for inclusion. |
| Data Normalization | Data is transformed into the LoginRadius Normalized User Profile Format. |
The data migration sanitization process also includes customizable flows to handle additional data Sanitization based on your requirements, such as:
| Field level preprocessing | Modify or supplement field data based on your requirements. |
|---|---|
| Custom field or Custom object normalization | Full support is available for all LoginRadius data storage options. |
Supported Hashing Algorithms
LoginRadius supports a broad range of hashing algorithms. Regardless of the type of migration, LoginRadius will work closely with your security team to ensure that your desired hashing algorithm is applied.
Our Data Migration service is built to support legacy data, multiple data sources, and further scenarios in which customers may have complex password hashing requirements. This support provides a seamless transition, allowing you to preserve your customers' credentials without requiring a password reset. Moreover, LoginRadius includes support for upgrading your existing hashing algorithm.
To learn more about supported hashing algorithms, refer to this documentation.
Key Capabilities:
- No password resets are required — existing hashes are retained.
- Supports upgrading to more secure algorithms during migration.
- Migration services can validate hash formats and apply fallback options.
Compliance and Regulatory Alignment
LoginRadius is committed to maintaining the highest data security, privacy, and compliance standards, especially during sensitive operations like customer data migration. Our migration process is built on security-first principles and is aligned with industry-recognized frameworks and best practices.
For a complete overview of our compliance frameworks, security certifications, and infrastructure safeguards, visit the LoginRadius Trust Vault.
Best Practices for Secure Data Migration
To ensure a smooth, secure, and compliant migration, LoginRadius recommends the following best practices:
| Best Practice | Why its matter |
|---|---|
| Restrict Access to Migration Data and Credentials | Minimizes the risk of data leaks or unauthorized modifications before migration starts. |
| Use Encrypted, Access-Controlled Storage for Exported Data | Prevents exposure or tampering of sensitive data during staging or handoff. |
| Share Credentials Securely Using Encrypted Channels Only | Ensures encrypted and authenticated transfer of data directly to LoginRadius. |
| Provide your organization’s IP addresses to LoginRadius for whitelisting | Restrict access to the secure SFTP upload endpoint to your trusted network, minimizing the risk of unauthorized access or malicious file transfers. |
| Implement File Integrity Checks (e.g., checksums) Before Upload. | Verify that exported data hasn't been tampered with or corrupted before it reaches LoginRadius. |