Our Security Story

At Groove, our commitment to data security goes beyond established protocols and industry compliance - it’s built into the foundation of our platform.

Third-Party Policies & Certifications

AICPA SOC 2

Groove undergoes an annual SOC 2 (Service Organization Control 2) Type 2 assessment covering the industry-standard trust services principles of Security, Confidentiality, and Availability, which validates the suitability of the design and the operating effectiveness of our security controls. We regularly review the compliance of our critical vendors, including AWS/Heroku. A copy of our latest SOC 2 report is available upon request and under NDA.

ISO 27001

Groove’s data security governance is designed to be fully aligned with ISO 27001. While Groove is not an ISO 27001 certified organization, we push past basic compliance requirements to provide our customers with best-in-class information security.

PCI DSS

Groove’s security controls for data protection meet or exceed the Payment Card Industry Data Security Standard (PCI-DSS). Groove does not handle credit card data, but we’ve committed to this standard to ensure that our customers’ data is protected according to well-established, industry-standard data protection principles.

Data Security Features

Database Security

Groove uses Heroku and Amazon Web Services (AWS) and does not host customer data on its premises. See Amazon compliance and security docs for more detailed information.

Customer Data Segregation

Data is logically segregated using a tenant identifier with strong, validated access controls. Customer data in Groove belongs to a specific organization, and users can only query records for their own organization ID. Groove logically separates user data, and all access is authenticated using OAuth.
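The paragraph above describes the pattern the platform relies on: every record carries a tenant identifier, and the organization ID used to filter queries comes from the authenticated identity rather than from the request. The following is an added illustration of that pattern in Python and is not Groove's code; the in-memory store, the record layout, and the names `Principal`, `Record`, `ScopedRepository` and `TenantViolation` are assumptions made for the example. It contrasts an unscoped lookup (the defect a tenant-isolation review looks for) with lookups that the repository itself binds to the caller's organization.

```python
"""Tenant-scoped data access: reads and writes are bound to the caller's org_id.

Added example, not Groove's implementation. Store, record layout and class
names are assumptions; the sample rows below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


class TenantViolation(PermissionError):
    """Raised when a request tries to act on a different organization."""


@dataclass(frozen=True)
class Principal:
    """Authenticated caller. org_id comes from the identity provider session,
    never from a query string or JSON body the client controls."""
    user_id: str
    org_id: str


@dataclass(frozen=True)
class Record:
    record_id: str
    org_id: str      # tenant identifier stored on every row
    subject: str


class ScopedRepository:
    """Repository whose public methods all require a Principal; the tenant
    filter is applied here, so no caller can forget it."""

    def __init__(self, rows: Iterable[Record]):
        self._rows = list(rows)

    # --- anti-pattern kept only to show what a tenant-isolation review flags ---
    def _unscoped_get(self, record_id: str) -> Optional[Record]:
        # Looks up by record_id alone: a guessed ID from another tenant resolves.
        for r in self._rows:
            if r.record_id == record_id:
                return r
        return None

    # --- scoped API ---
    def list_records(self, principal: Principal) -> list[Record]:
        return [r for r in self._rows if r.org_id == principal.org_id]

    def get_record(self, principal: Principal, record_id: str) -> Optional[Record]:
        # Key is (org_id, record_id). A record from another org is simply
        # "not found", so the response does not confirm it exists.
        for r in self._rows:
            if r.record_id == record_id and r.org_id == principal.org_id:
                return r
        return None

    def create_record(self, principal: Principal, record_id: str,
                      subject: str, requested_org_id: Optional[str] = None) -> Record:
        # Validate, do not trust: if the client named an org, it must match
        # the authenticated one; the stored org_id is always the principal's.
        if requested_org_id is not None and requested_org_id != principal.org_id:
            raise TenantViolation(
                f"user {principal.user_id} may not write to org {requested_org_id}")
        rec = Record(record_id=record_id, org_id=principal.org_id, subject=subject)
        self._rows.append(rec)
        return rec


# Constructed sample data: two tenants sharing one table.
SAMPLE_ROWS = [
    Record("r1", "org-a", "Renewal follow-up"),
    Record("r2", "org-b", "Pricing question"),
    Record("r3", "org-a", "Demo recap"),
]


def demo() -> dict:
    """Exercise the scoped and unscoped paths and return the observed results."""
    repo = ScopedRepository(SAMPLE_ROWS)
    alice = Principal("alice", "org-a")
    bob = Principal("bob", "org-b")
    return {
        "alice_sees": [r.record_id for r in repo.list_records(alice)],
        "bob_sees": [r.record_id for r in repo.list_records(bob)],
        "bob_reads_r1_scoped": repo.get_record(bob, "r1"),        # None: isolated
        "bob_reads_r1_unscoped": repo._unscoped_get("r1"),        # leaks org-a data
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The design choice worth copying is that `Principal` is the only way to reach the data: the filter lives inside the repository, so a handler that forgets to add `WHERE org_id = ?` is not possible in the first place, and a client-supplied organization value can only be compared against the session, never used as the scope.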

Encryption

Customer data is encrypted at rest and protected by TLS in transit. All encryption in use meets or exceeds industry standards (AES-256, TLS 1.2+, etc.).

Integrated Services

Groove integrates directly with Salesforce and G Suite or Office 365 for access to email, calendar, and CRM data.

Groove uses these connections to help users log emails to Salesforce, synchronize calendar events, and detect engagement stats such as email replies.

Authentication to Groove uses Google/O365 and Salesforce OAuth exclusively. SSO is fully supported as part of that auth flow.

Groove uses the user’s own Salesforce and Google or Microsoft Graph tokens for all user-level API access. Existing access controls in those systems are honored by default.

Data Usage

Groove doesn’t mine or access your data for advertising purposes.

Data Privacy

Customer data is only used when necessary to deliver our services. Account data is never viewed without permission.

Data Ownership

Groove’s customers maintain ownership of their data at all times. We never delete customer account data without first notifying the customer and providing sufficient time for export.


Partner and Industry Compliance

Google API Services Data Compliance

Groove's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

GDPR, CCPA, and Global Data Privacy Compliance

Groove complies with the GDPR, CCPA, and other global privacy laws and regulations. We are constantly monitoring changes to privacy laws and regulations, and evaluating how they impact our platform and services. As a Data Processor under GDPR, and Service Provider under CCPA, we are committed to assisting our customers with their end-user requests and compliance efforts and are ready to sign DPAs as needed to address data transfer and provide assurance of appropriate controls.


Groove’s platform synchronizes with customer databases so that data subject actions are reconciled with the platform: once a record is removed in the original database, the corresponding deletion is carried out automatically. Groove does not store additional personal data, or data associated with identified individuals, beyond what comes from the originating database, so it is not necessary to query the platform separately for DSAR events.

Responsible Disclosure

If you have a security-related concern or wish to disclose a vulnerability, please email security@groove.co and include the phrase “Security Vulnerability” in the subject line. Your reports should include a detailed description of your discovery with clear, concise, reproducible steps, or a working proof-of-concept (POC).