Our Security Story
At Groove, our commitment to data security goes beyond established protocols and industry compliance - it’s built into the foundation of our platform.

As the only enterprise-level sales engagement platform built natively on Salesforce, Groove’s unique architecture eliminates the risks introduced by syncing with a third-party database.
We start protecting each customer’s data before we even have it - by only processing the small amount that we need. We continue protecting that data in transit by maintaining end-to-end encryption. All stored data is further protected by securely separating it from other organizations and encrypting it at rest. Finally, strict data retention protocols limit storage to current customers only.
In addition to the security features of our platform, Groove is compliant with GDPR, CCPA, and other global privacy laws. In short, keeping our customers’ data secure is core to our business.
Groove undergoes an annual SOC2 (Services Organization Control 2) Type 2 assessment covering all industry-standard trust principles (Security, Confidentiality, and Availability) that validates the suitability of the design and operating effectiveness of our security controls. We regularly review the compliance of our critical vendors, including AWS/Heroku. A copy of our latest SOC2 report is available upon request and under NDA.
Groove’s data security governance is designed to be fully aligned with ISO 27001. While Groove is not an ISO 27001 certified organization, we push past basic compliance requirements to provide our customers with best-in-class information security.
Groove’s security controls for data protection meet or exceed the Payment Card Industry Data Security Standard (PCI-DSS). Groove does not handle credit card data, but we’ve committed to this standard to ensure that our customers’ data is protected according to well-established, industry-standard data protection principles.
Groove uses Heroku and Amazon Web Services (AWS) and does not host customer data on its premises. See Amazon compliance and security docs for more detailed information.
Data is logically segregated using a tenant identifier with strong, validated access controls. Customer data in Groove belongs to a specific organization, and users can only query records for their own organization ID. Groove logically separates user data, and all access is authenticated using OAuth.
Customer data is encrypted at rest and protected by TLS in transit. All encryption in use meets or exceeds industry standards (AES-256, TLS 1.2+, etc.).
Groove integrates directly with Salesforce and G Suite or Office 365 for access to email, calendar, and CRM data.
Groove uses these connections to help users log emails to Salesforce, synchronize calendar events, and detect engagement stats such as email replies.
Authentication to Groove uses Google/O365 and Salesforce OAuth exclusively. SSO is fully supported as part of that auth flow.
Groove uses the user’s own Salesforce and Google or Microsoft Graph tokens for all user-level API access. Existing access controls in those systems are honored by default.
Groove doesn’t mine or access your data for advertising purposes.
Customer data is only used when necessary to deliver our services. Account data is never viewed without permission.
Groove’s customers maintain ownership of their data at all times. We never delete customer account data without first notifying the customer and providing sufficient time for export.
Groove's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Groove complies with the GDPR, CCPA, and other global privacy laws and regulations. We are constantly monitoring changes to privacy laws and regulations, and evaluating how they impact our platform and services. As a Data Processor under GDPR, and Service Provider under CCPA, we are committed to assisting our customers with their end-user requests and compliance efforts and are ready to sign DPAs as needed to address data transfer and provide assurance of appropriate controls.
Groove’s platform synchronizes with customer databases so that data subject actions are reconciled with the platform and deletion requests are carried out automatically once the data is removed in the original database. Groove does not store additional personal data or data associated with identified individuals beyond the originating database source, so it is not necessary to query the platform for DSAR events.
If you have a security-related concern or wish to disclose a vulnerability, please email security@groove.co and include the phrase “Security Vulnerability” in the subject line. Your reports should include a detailed description of your discovery with clear, concise, reproducible steps, or a working proof-of-concept (POC).