SOC 2

Groove undergoes its own annual SOC 2 Type 2 assessment, independently of AWS/Heroku, that validates the suitability of the design and operating effectiveness of our security controls. A copy of the report is available under NDA.

Data Security

Groove uses Heroku and Amazon Web Services (AWS) and does not host customer data on its premises. In addition to Groove's own annual SOC 2 Type 2 audit report, Amazon provides an extensive list of compliance and regulatory assurances. See Amazon compliance and security docs for more detailed information.

Additional security measures:

Your data is encrypted at rest and protected by TLS in transit.

Groove logically separates user data, and all access is authenticated using OAuth.

GDPR, CCPA, and Global Data Privacy Compliance

Groove complies with the GDPR, CCPA, and other global privacy laws and regulations. We are constantly monitoring charges to privacy laws and everything privacy regulations, and evaluating how they impact our platform and services. As a Data Processor under GDPR, and Service Provider Uber CCPA, we are committed to assisting our customers with their end-user requests and compliance efforts and are ready to sign DPAs as needed to address data transfer and provide assurance of appropriate controls.

Google API Services Data Compliance

Groove's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Responsible Disclosure

If you have a security-related concern or wish to disclose a vulnerability, please email security@groove.co and include the phrase “Security Vulnerability” in the subject line. Your reports should include a detailed description of your discovery with clear, concise, reproducible steps, or a working proof-of-concept (POC).