Security
At Grovs, we take security very seriously. We understand that protecting your data is important, so we make sure our systems are safe and secure.
General Security Practices
- We use strong two-factor authentication (2FA) to protect access to our servers, databases, source code, and third-party tools. Whenever possible, we prefer non-SMS 2FA.
- We always create strong, unique passwords that we never reuse.
- Every team member uses 2FA, and we require strong passwords, regardless of which method of 2FA is available. Our priority is using hardware keys, followed by TOTP (app-based), SMS, and email for 2FA.
- We make it easy for you to protect your account too, offering TOTP 2FA for all users.
- Since we're a small team, contractors only get access to what they absolutely need to do their jobs.
- We use tools like GitHub Advanced Security to detect vulnerabilities in our code and quickly apply updates.
- We do regular vulnerability scans and security tests to stay on top of our security.
- We choose third-party tools that have strong privacy and security measures, which align with our values.
- We ensure our API code is thoroughly tested. If a bug or security issue is found, we write tests to make sure it doesn't happen again.
- We never copy production data to personal devices or external storage.
Infrastructure
- Our servers are hosted by Hetzner, a leading European infrastructure provider. We also use Cloudflare for parts of our infrastructure. Both Hetzner and Cloudflare maintain top-tier security standards and undergo regular third-party audits.
- Our servers are located in European data centers (Nuremberg, Falkenstein, and Helsinki). We keep encrypted backups in different locations within Europe.
- Hetzner continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Hetzner's data center operations are certified under:
  - DIN ISO/IEC 27001:2022 (Information Security Management)
Authorization
- We operate a multi-tenant application using row-level multitenancy. We have extensive unit tests and multiple failsafes at both the database and application levels concerning data authorization and isolation.
- We use role-based access control (RBAC) for permissions. Each API access token has a role that limits what it can do, ensuring only authorized users can access or manage certain resources.
Encryption
- All communication between our service, your software, and our backend is protected by strong encryption (TLS).
- We use 256-bit encryption at all levels of our systems. We enforce TLS (HTTPS) to protect sensitive data transmitted to and from applications.
- All data is encrypted at rest with industry-standard AES-256 block-level storage encryption. Highly sensitive data, such as private keys and secrets, is encrypted at-work using AES-256-GCM encryption.
Payments
- Credit card and bank information is encrypted, stored, and processed by Stripe with AES-256 encryption. We don't store sensitive payment data on our servers. Stripe manages all payment processing, and we store a temporary token to refer to the payment.
- All communication with Stripe is encrypted using TLS.
Backups and Recovery
- We back up our data continuously using automated snapshots and backups stored securely on European servers.
- Recovery databases are created by retrieving these backups and replaying them on a new Postgres installation. This allows for complete database recovery in case of hardware failures, data corruption, or significant service interruptions.
Crashes and Errors
We monitor for crashes and errors closely and work to fix them quickly. We aim for 99.99% uptime and offer an SLA for enterprise customers.
FAQs
What user data do you collect?
We don't make money from your data. We collect some basic information about how users interact with our system, like API requests and sign-ins, so we can improve the service and help you better. For more details, see our privacy policy.
How long is data kept, and can I have it removed?
We keep server logs for up to 30 days and account analytics for up to 90 days. You can ask us to delete your data at any time.
Do you fill out security questionnaires?
Since we're a small team, we don't fill out security questionnaires for customers on our Scale Up tiers. However, for Enterprise customers, we can make an exception.
Do you have security certifications like SOC 2 or ISO 27001?
We don't have these certifications yet, but we hope to in the future. If you're interested in working with us on them, feel free to reach out.
Is your system highly available?
Yes. We have automatic scaling, health checks, and failovers in place to ensure high availability.
How do I report a potential vulnerability or security concern?
If you find something, email us at [email protected], and we'll address it as soon as possible.
Any other questions?
We're happy to answer any questions. Just email us at [email protected], and we'll update this page if needed.