At Groove, our commitment to data security goes beyond established protocols and industry compliance - it’s built into the foundation of our platform.
The only enterprise-level sales engagement platform built natively on Salesforce, Groove’s unique architecture eliminates risks introduced by syncing with third-party databases.
Groove only processes the data it needs.
We start protecting customer data before we even have it – by only processing the small amount that we need.
End-to-end encryption protects data in transit.
All stored data is further protected by securely separating it from other customers and encrypting it at rest.
Strict data retention protocols limit storage to current customers.
In addition to the security features of our platform, Groove is compliant with GDPR, CCPA, and other global privacy laws. In short, keeping our customers’ data secure is core to our business.
SOC2 Type 2
Groove undergoes an annual SOC2 Type 2 assessment that covers all industry standard trust principles (Security, Confidentiality, Availability) and validates the suitability of the design and operating effectiveness of our security controls. We regularly review the compliance of critical vendors, including AWS/Heroku. Our latest SOC2 report is available upon request and under NDA.
Groove’s data security governance is designed to be fully aligned with ISO 27001. While Groove is not an ISO 27001 certified organization, we push past basic compliance requirements to provide our customers with best-in-class information security.
Groove’s security controls for data protection meet or exceed the Payment Card Industry Data Security Standard (PCI-DSS). Groove does not handle credit card data, but we’ve committed to this standard to ensure that our customers’ data is protected according to well-established, industry-standard data protection principles.
Data Security Features
Database Security: Groove uses Heroku and Amazon Web Services (AWS) and does not host customer data on its premises. See Amazon compliance and security docs for more detailed information.
Customer Data Segregation: Data is logically segregated using a tenant identifier with strong, validated access controls. Customer data in Groove belongs to a specific organization, and users can only query records for their own organization ID. Groove logically separates user data, and all access is authenticated using OAuth.
Encryption: Customer data is encrypted at rest and protected by TLS in transit. All encryption in use meets or exceeds industry standards (AES-256, TLS 1.2+, etc.).
Groove integrates directly with Salesforce and Google Workspace or Office 365 for access to email, calendar, and CRM data.
Groove uses these connections to help users log emails to Salesforce, synchronize calendar events, and detect engagement stats such as email replies.
Authentication to Groove uses Google/O365 and Salesforce OAuth exclusively. SSO is fully supported as part of that auth flow.
Groove uses the user’s own Salesforce and Google or Microsoft Graph tokens for all user-level API access. Existing access controls in those systems are honored by default.
Groove will never mine or otherwise access your data for advertising purposes.
Customer data is only used when necessary to deliver our services. Account data is never viewed without permission.
Groove’s customers maintain ownership of their data at all times. Customer data is never deleted without ample prior notification.
Partner and Industry Compliance
Google API Services Data Compliance: Groove’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
GDPR, CCPA, and Global Data Privacy Compliance: Groove complies with the GDPR, CCPA, and other global privacy laws and regulations. We are constantly monitoring changes to privacy laws and regulations, and evaluating how they impact our platform and services. As a Data Processor under GDPR, and Service Provider under CCPA, we are committed to assisting our customers with their end-user requests and compliance efforts and are ready to sign DPAs as needed to address data transfer and provide assurance of appropriate controls.
Deletion Request Compliance: Groove’s platform synchronizes with customer databases so that data subject actions are reconciled with the platform, ensuring that deletion requests are carried out automatically once the data is removed from the original database. Groove does not store additional personal data or data associated with identified individuals beyond the originating database source, so it is not necessary to query the platform for DSAR events.
If you have a security-related concern or wish to disclose a vulnerability, please email email@example.com and include the phrase “Security Vulnerability” in the subject line. Your reports should include a detailed description of your discovery with clear, concise, reproducible steps, or a working proof-of-concept (POC).