Security at Groove

We care about data security and customer trust at Groove. Groove has deployed a corporate data security program, which aligns with ISO 27001.


Groove undergoes an annual SOC 2 Type 2 assessment, validating the suitability of the design and operating effectiveness of our security controls. A copy of the report is available under NDA.

Data Security

Groove uses Heroku and Amazon Web Services and does not host customer data on its premises. In addition to Groove's own SOC2 type 2 audit report, Amazon provides as extensive list of compliance and regulatory assurances, including SOC 1, 2, and 3, and ISO27001. See Amazon compliance and security docs for more detailed information.

Your data is encrypted at rest and protected by TLS in transit.

Groove logically separates user data, and all access is authenticated using OAuth.

GDPR and Data Privacy Compliance

Groove complies with the GDPR and all applicable privacy laws and regulations. As a Data Processor under the GDPR, we are committed to assisting our customers with their end-user requests and compliance efforts and are ready to sign a DPA as needed to address data transfer and provide assurance of appropriate controls.

Vulnerability Disclosure

If you have a security-related concern or wish to disclose a vulnerability, please email and include the phrase “Security Vulnerability” in the subject line. Your reports should include a detailed description of your discovery with clear, concise, reproducible steps, or a working proof-of-concept (POC).