Security

Industry-Leading Data Protection

At Groove, our commitment to data security goes beyond established protocols and industry compliance - it’s built into the foundation of our platform.

Our sales productivity platform is built natively on Salesforce, which eliminates the risks introduced by syncing with third-party databases.

Groove only processes the data it needs.

We start protecting customer data before we even have it – by only processing the small amount that we need.
End-to-end encryption protects data in transit
All stored data is further protected by securely separating it from other customers and encrypting it at rest
Strict data retention protocols limit storage to current customers.

In addition to the security features of our platform, Groove is compliant with GDPR, CCPA, and other global privacy laws. In short, keeping our customers’ data secure is core to our business.

SOC2 Type 2

Groove undergoes an annual SOC2 Type 2 assessment that covers all industry standard trust principles (Security, Confidentiality, Availability) and validates the suitability of the design and operating effectiveness of our security controls. We regularly review the compliance of critical vendors, including AWS/Heroku. Our latest SOC2 report is available upon request and under NDA.

ISO 27001

Groove established the Information Security Management System in accordance with the ISO 27001 framework to provide our customers with best-in-class information security. Groove’s ISO 27001:2013 Certification is available upon request.

PCI-DSS

Groove’s security controls for data protection meet or exceed the Payment Card Industry Data Security Standard (PCI-DSS). Groove does not handle credit card data, but we’ve committed to this standard to ensure that our customers’ data is protected according to well-established, industry-standard data protection principles.

Data Security Features

Database Security
Groove uses Heroku and Amazon Web Services (AWS) and does not host customer data on its premises. See Amazon compliance and security docs for more detailed information.
Customer Data Segregation
Data is logically segregated using a tenant identifier with strong, validated access controls. Customer data in Groove belongs to a specific organization, and users can only query records for their own organization ID. Groove logically separates user data, and all access is authenticated using OAuth.

Encryption
Customer data is encrypted at rest and protected by TLS in transit. All encryption in use meets or exceeds industry standards (AES-256, TLS 1.2+, etc).

Integrated Services

Groove integrates directly with Salesforce and Google Workspace or Office 365 for access to email, calendar, and CRM data.
Groove uses these connections to help users log emails to Salesforce, synchronize calendar events, and detect engagement stats such as email replies.
Authentication to Groove uses Google/O365 and Salesforce OAuth exclusively. SSO is fully supported as part of that auth flow.
Groove uses the user’s own Salesforce and Google or Microsoft Graph tokens for all user-level API access. Existing access controls in those systems are honored by default.

Data Usage

Groove will never mine or otherwise access your data for advertising purposes.

Data Privacy

Customer data is only used when necessary to deliver our services. Account data is never viewed without permission.

Data Ownership

Groove’s customers maintain ownership of their data at all times. Customer data is never deleted without ample prior notification.

Partner and Industry Compliance

Google API Services Data Compliance
Groove’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
GDPR, CCPA, and Global Data Privacy Compliance
Groove complies with the GDPR, CCPA, and other global privacy laws and regulations. We are constantly monitoring changes to privacy laws and regulations, and evaluating how they impact our platform and services. As a Data Processor under GDPR, and Service Provider under CCPA, we are committed to assisting our customers with their end-user requests and compliance efforts and are ready to sign DPAs as needed to address data transfer and provide assurance of appropriate controls.
Deletion Request Compliance
Groove’s platform synchronizes with customer databases so that data subject actions are reconciled with the platform and ensure that deletion requests are carried out automatically once removed in the original database. Groove does not store additional personal data or data associated with identified individuals beyond the originating database source, so that it is not necessary to query the platform for DSAR events.

Responsible Disclosure

If you have a security-related concern or wish to disclose a vulnerability, please email security@groove.co and include the phrase “Security Vulnerability” in the subject line. Your reports should include a detailed description of your discovery with clear, concise, reproducible steps, or a working proof-of-concept (POC).

Ready to experience consistently great sales execution?

Request a Demo