Migration Wizard
This section is for Concerto team members running data migrations for new tenants. The Migration Wizard is restricted to concerto_super_admin, concerto_team, and tenant_admin roles.
The Migration Wizard is a one-time data import tool for onboarding tenants migrating from other GRC platforms. It handles authentication, data fetching, AI-assisted field mapping, and dependency-ordered import with cross-entity relationship linking.
Supported Sources
| Source | Auth Method | Imports |
|---|---|---|
| Vanta | API key | Controls, evidence, risks, vendors, policies |
| Drata | API key | Controls, evidence, risks, vendors |
| Secureframe | API key | Controls, evidence, risks |
| Sprinto | API key | Controls, evidence, risks, vendors |
| Airtable | API key + Base ID | Custom field mapping from Airtable bases |
| CSV | File upload | Any entity type via field mapping |
Migration Workflow
The wizard follows a 6-step process:
Step 1: Create Session
Start a new migration session:
- Select the source platform
- Select the target tenant
Step 2: Authenticate
Provide credentials for the source platform:
- API keys or access tokens
- Additional config (base IDs for Airtable, etc.)
Credentials are encrypted at rest (AES-256-GCM) and deleted after the migration completes.
Step 3: Fetch Data
The wizard connects to the source platform and fetches available data:
- Shows what entity types are available for import
- Displays record counts per entity type
- Identifies which entities have dependencies on others
Step 4: Preview & Field Mapping
Review the data before import:
- Map source fields to ConcertoGRC fields
- AI-assisted mapping — Claude Haiku suggests column-to-field mappings based on header names and sample data
- Review sample records for accuracy
- Configure how enums and statuses translate
- Set owner resolution rules (how to match people)
Step 5: Execute Import
Run the import with real-time progress:
- Entities import in dependency order (see below)
- Deduplication prevents creating duplicates
- Owner resolution matches people by email or name
- Computed fields are populated automatically
- Cross-entity relationships are linked (control → evidence)
Step 6: Review Results
After import completes:
- Summary of imported vs. skipped records per entity
- List of any errors or warnings
- Records that couldn't be mapped (require manual review)
- Links to browse the imported data
Key Features
Dependency-Ordered Import
Entities are imported in the correct order to satisfy foreign key relationships:
| Order | Entity | Depends On |
|---|---|---|
| 1 | Frameworks | — |
| 2 | Controls | Frameworks |
| 3 | Evidence requests | Controls |
| 4 | Recurring activities | Controls |
| 5 | Risks, vendors, policies | — (independent) |
Owner Resolution
The wizard matches owners from the source platform to ConcertoGRC users:
| Method | Priority | Description |
|---|---|---|
| Email match | Primary | Match by email address |
| Name match | Fallback | Match by full name |
| Unresolved | Manual | Flagged for manual assignment post-import |
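The resolution order in the table above, as an added example (not ConcertoGRC's own code). The `User` record shape, the `resolve_owner` name and the sample directory are assumptions. Two choices go beyond what the page states: candidates are limited to the target tenant's users, and a name shared by several users is treated as unresolved rather than guessed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class User:  # hypothetical shape of a ConcertoGRC user record
    id: str
    tenant_id: str
    email: str
    full_name: str


def norm(value: str | None) -> str:
    # Lowercase and collapse whitespace so case/spacing differences do not defeat a match
    return " ".join((value or "").lower().split())


def resolve_owner(source_owner: dict, users: list[User], tenant_id: str) -> dict:
    """Return {"user_id", "method"} following email -> name -> unresolved."""
    # Only users of the target tenant are candidates, so an owner is never linked across tenants
    candidates = [u for u in users if u.tenant_id == tenant_id]

    email = norm(source_owner.get("email"))
    if email:
        hits = [u for u in candidates if norm(u.email) == email]
        if len(hits) == 1:
            return {"user_id": hits[0].id, "method": "email"}

    name = norm(source_owner.get("name"))
    if name:
        hits = [u for u in candidates if norm(u.full_name) == name]
        # Assumption: an ambiguous name goes to manual assignment instead of picking one
        if len(hits) == 1:
            return {"user_id": hits[0].id, "method": "name"}

    return {"user_id": None, "method": "unresolved"}


# Constructed sample directory (not real data)
USERS = [
    User("u1", "tenant-a", "alice@example.com", "Alice Ng"),
    User("u2", "tenant-a", "sam.lee@example.com", "Sam Lee"),
    User("u3", "tenant-a", "s.lee@example.com", "Sam Lee"),
    User("u4", "tenant-b", "bob@example.com", "Bob Ray"),
]
```

Recording the `method` alongside each match lets a reviewer audit name-based assignments, which are weaker than email matches.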
Deduplication
If records already exist in the target tenant (e.g., from a partial previous import), the wizard identifies duplicates by name/ID and skips them rather than creating duplicates.
AI-Assisted Field Mapping
For CSV imports and platforms with non-standard field names, Claude Haiku analyzes column headers and sample data to suggest the best ConcertoGRC field mappings. Operators review and adjust before executing.
Security
- Source platform credentials are encrypted at rest using AES-256-GCM
- Credentials are automatically deleted after migration completes
- All imported data is scoped to the target tenant
- Migration sessions are logged for audit purposes