Data Security

Your Data. Your Rules.
Our Responsibility.

When you hand us your data, you're trusting us with your organization's most valuable asset. Here's exactly how we handle it—no vague promises, no "industry-leading" hand-waving. Just the specifics.

Isolation

One Client. One Drive.

Your data never touches another client's data. Every engagement gets its own dedicated, encrypted storage device.

Dedicated Hardware

Each client gets a dedicated encrypted drive. We don't use shared storage, shared partitions, or multi-tenant file systems. Your data lives on hardware that only touches your project.

Zero Commingling

Client A's donor records never share physical media with Client B's financial data. Complete isolation eliminates cross-contamination risk entirely.

Room to Work

Migrating 4TB? We provision an 8TB drive. Ample workspace means we never compress data to fit, skip validation steps, or cut corners on staging environments.

Standards

Encryption and Compliance

We follow established standards because your data deserves more than good intentions.

Encrypted at Every Stage

Data is encrypted from the moment it leaves your system until we securely delete it.

  • AES-256 hardware-level encryption on all storage devices
  • Encrypted transfers during extraction and loading
  • No unencrypted copies—staging, working, and archive volumes are all encrypted
  • Professional-grade NVMe drives rated for sustained workloads

Chain of Custody

We track every interaction with your data from intake to deletion.

  • Drive serial numbers recorded at provisioning
  • Access limited to assigned migration engineers
  • All operations logged with timestamps
  • Physical custody maintained—no cloud staging unless explicitly agreed
Lifecycle

How We Handle Your Data

From first extraction to final deletion, every step is documented.

1

Provision

A new encrypted drive is provisioned and labeled for your project. Serial number, capacity, and encryption method are documented.

2

Extract

Data is pulled from your source system directly to the dedicated drive. No intermediate shared storage.

3

Transform

Mapping, cleansing, and transformation happen on-drive. Working copies stay on the same encrypted media.

4

Load

Validated data is loaded to your target system. We verify record counts and referential integrity before and after.

5

Verify

Post-migration validation confirms data landed correctly. You sign off before we proceed to deletion.

6

Delete

After your sign-off, all client data is securely erased. You receive a deletion certificate with full details.

Post-Migration

Secure Deletion. Documented Proof.

When the engagement ends, your data doesn't linger. We destroy it—and prove it.

What We Delete

All source extracts, working copies, staging data, transformation outputs, and any temporary files created during the engagement. Everything.

How We Delete

Secure erasure following NIST 800-88 guidelines. For SSDs, this means cryptographic erase (CE) or block erase commands that render data unrecoverable. No simple "empty the recycle bin" deletion.

No Data Retention

We don't keep copies "just in case." We don't archive your data for future reference. When the project is done, your data exists in exactly one place: your systems.

# Deletion Certificate
# Provided to client after secure erase

Client:        Acme Nonprofit
Project:       SF Exit Migration
Drive Model:   Samsung 990 Pro 8TB
Serial:        S6XNNS0T123456
Encryption:    AES-256 (hardware)

Method:        NIST 800-88 Clear
Erase Type:    Cryptographic Erase (CE)
Completed:     2026-02-10 14:32:07 UTC
Verified By:   Tyler Colby

Data Removed:
   Source extracts     3.2 TB
   Working copies      1.8 TB
   Staging data        0.4 TB
   Transform outputs   2.1 TB

Status:        VERIFIED COMPLETE

Why This Matters

Most migration vendors don't talk about what happens to your data after the project ends. We think that's a problem.

Your Data Is Yours

Our entire business is built on the principle that you own your data. That doesn't stop being true when your data is in our hands during a migration.

Regulatory Reality

HIPAA, FERPA, PCI, state privacy laws—if your data is subject to regulation, your vendors' data handling is your liability. We give you documentation that proves compliance.

Trust Is Earned

We don't ask you to take our word for it. Documented processes, deletion certificates, and drive serial numbers create a verifiable audit trail.

Frequently Asked Questions

Can we get our own copy of the extracted data?
Yes. If you want a copy of the raw extraction or transformed data on your own media, we'll provide it before deletion. It's your data.
What if we need to re-run the migration after deletion?
We re-extract from source. The mapping configurations and transformation logic are project documentation—we retain those unless you ask us not to. The actual data is always re-pulled fresh.
Do you use cloud storage during migrations?
Not by default. All data stays on local encrypted hardware. If your migration requires cloud staging (e.g., for geographic reasons), we discuss it explicitly and document the arrangement in our engagement agreement.
What about backups?
We don't back up client data to secondary systems. The dedicated drive is the single location. If drive failure is a concern, we can provision mirrored drives as part of the engagement—but both are tracked and both are securely erased at completion.
Will you sign a DPA or BAA?
Yes. We sign Data Processing Agreements and Business Associate Agreements as needed. Standard mutual NDA before any data touches our systems.

Questions About Our Security Process?

We're happy to walk through our data handling procedures in detail before any engagement begins.

Get in Touch tyler@colbysdatamovers.com