Security and Trust Guide for IT, InfoSec, and Procurement Teams.
What you need to know before Chameleon touches your CMS estate.
Chameleon is a migration intelligence tool used by enterprise teams managing large, multi-site CMS estates. It does not store your content on external servers. Everything it reads and writes stays within your own infrastructure - your source CMS and your Sitefinity instance.
It is not a plugin, not a background agent, and requires no installation on your CMS. It connects, does its job, and disconnects.
Choose what fits your team and your security requirements.
The web-based version of Chameleon runs entirely within your own infrastructure. There is no executable to approve, no software to install on end-user machines, and no external dependency to manage. IT teams in regulated environments - financial services, insurance, government - typically prefer this option because the tool runs under their control from the start.
The Windows desktop application is designed for content strategists who need to run a migration assessment without involving IT at every step. A content planner can install Chameleon, point it at a source CMS, and produce a full content inventory and migration readiness report. IT stays out of the loop until the actual migration planning begins.
Both options connect to the same sources, use the same APIs, and produce the same output.
Chameleon connects to Sitefinity using a standard Sitefinity user account - one your team creates, configures, and controls. The permissions of that account define exactly what Chameleon can and cannot access.
If you create a user scoped to a single site within a multi-site Sitefinity instance, Chameleon operates within that scope and nothing beyond it. This is the same permission and access control model your own editorial and developer teams already use daily. There is no special mode, no elevated access, and no mechanism for Chameleon to discover or interact with other sites on the same instance.
For enterprise clients running 20, 50, or 100+ sites on a single Sitefinity instance - which is common in insurance groups, government departments, and large media organisations - this is a straightforward and auditable control.
No - and this is worth understanding clearly, because it is a question that comes up in almost every enterprise procurement process.
Chameleon connects to Sitefinity exclusively through the APIs that Progress themselves expose, document, and actively promote as best practice for modern Sitefinity connectivity. These are the same APIs that form the backbone of the .NET Core and Next.js renderers that Progress recommends for all new Sitefinity projects. They are not workarounds, undocumented hooks, or internal interfaces - they are the intended, supported, and publicly documented integration surface for Sitefinity.
Chameleon has access only to what your configured Sitefinity user has access to. Nothing more. It installs nothing on your Sitefinity instance and touches no files, databases, or server internals. The Sitefinity installation itself is completely unchanged before, during, and after a migration run. Your Progress support contract is fully intact.
One of the most common concerns in enterprise Sitefinity migrations is the risk of content going live before it has been reviewed. Chameleon addresses this by design.
All content migrated by Chameleon arrives in Sitefinity as Draft items. Nothing is published. Nothing is visible to end users. Your editorial team reviews the migrated content inside Sitefinity's standard workflow, makes corrections where needed, and publishes on their own schedule.
This has a significant practical benefit for large migrations: it removes the need for an extended content freeze. You do not need to lock your live site for the entire duration of a migration run. Content can be migrated in the background, reviewed at pace, and published incrementally - site by site, section by section.
For enterprise teams managing large Sitefinity instances - particularly those migrating from Sitecore or Umbraco where content volume can be substantial - we recommend the following before any production migration run:
Because content arrives as Drafts, a full database restore is rarely needed in practice. But having the backup means your change management process is clean and auditable - which matters in regulated industries.
If your security, compliance, or legal team has questions not addressed above, contact us directly. We work regularly with InfoSec teams, legal departments, and regulated-industry procurement processes.
Chameleon is available as a free assessment tool - no engagement required to get started.