
ShareGate Protect and Migration assessment: security and privacy overview

ShareGate Protect and the migration assessment use similar security and privacy mechanisms, as explained in this article.

Updated today

ShareGate Protect and the migration assessment need access to Microsoft 365 tenant data to enable you to accomplish tasks within that environment.

Required permissions and access

A global or privileged role admin must consent to several Microsoft 365 permissions and grant access to the assessments.

Note: The apps are registered under their parent company, Workleap.

For more information about Microsoft 365 permission consent, see ShareGate's Enterprise applications in Microsoft Entra.

To learn more about the specific permissions required for ShareGate Protect and the migration assessment, see Microsoft 365 permission sets required for ShareGate.

Data storage

These apps can store the required data in North America or in Europe.

Note: Currently, only data at rest can be stored in Europe. The data is still processed in Microsoft Azure's East US 2 region.

To learn more about where the data can be stored, see Data residency for ShareGate Protect and the migration assessment.

Data collected

Some of the data collected to provide insights includes the following:

  • Tenant display name

  • Available licenses and activation status

  • Workspace names, members, and permissions metadata

    • Workspaces include SharePoint sites, Microsoft 365 groups, and OneDrive for Business.

  • User display names and job titles

  • Shared document names and metadata

The data is continuously updated to reflect changes in your Microsoft 365 environment.

Data that ShareGate Protect and the migration assessment do not collect

ShareGate Protect and the migration assessment only store data necessary for governance and assessment insights.

They do not collect:

  • User access tokens

  • Full document contents (only document names and metadata are analyzed)

  • Personal messages or email content

Data processing and encryption

All data processed follows industry-standard security protocols, ensuring encryption at rest and in transit.

This section outlines 3 data types that the assessments access and explains how they're secured.

User data

This includes Microsoft 365 membership and ownership information.

All data in this category has 3 layers of encryption:

  • Encryption in transit (TLS 1.2).

  • Encryption at rest (256-bit AES).

  • Application-level encryption (256-bit AES) using a per-tenant key stored in the Azure Key Vault.

Application state data

This data is used to track various settings and options associated with your account and actions performed using ShareGate.

Data in this category has 2 layers of encryption:

  • Encryption in transit (TLS 1.2).

  • Encryption at rest (256-bit AES encryption).

To learn more about these encryption technologies, see 256-bit AES encryption at rest and TLS 1.2 in transit.

Sub-processors

The data is transferred from Azure to two other sub-processors:

  • MongoDB is used as a cache for data that's hard to process directly from Microsoft 365. That data is refreshed at a certain frequency.

  • LogRocket is used for research purposes. All data transferred to LogRocket is anonymized.

Telemetry data

Some non-sensitive data is sent to telemetry services for performance monitoring and improvement. If telemetry data contains sensitive information, it is fully anonymized before transmission.

Data retention & purging

When an admin revokes application consent, access is blocked immediately, and all data related to the tenant is permanently deleted a day later.

Terms and privacy

You can find links to our official terms and privacy pages in the footer below.
