At Grovs, we take security very seriously, even though we’re a small team. We understand that protecting your data is important, so we make sure our systems are safe and secure.
General Security Practices
- We use strong two-factor authentication (2FA) to protect access to our servers, databases, source code, and third-party tools. Whenever possible, we prefer non-SMS 2FA.
- We always create strong, unique passwords that we never reuse.
- Every team member uses 2FA, and we require strong passwords, regardless of which method of 2FA is available. Our priority is using hardware keys, followed by TOTP (app-based), SMS, and email for 2FA.
- We make it easy for you to protect your account too, offering TOTP 2FA for all users.
- Since we’re a small team, contractors only get access to what they absolutely need to do their jobs.
- We use tools like GitHub Advanced Security to detect vulnerabilities in our code and quickly apply updates. Heroku handles our infrastructure security.
- We do regular vulnerability scans and security tests to stay on top of our security.
- We choose third-party tools that have strong privacy and security measures, which align with our values.
- We ensure our API code is thoroughly tested. If a bug or security issue is found, we write tests to make sure it doesn’t happen again.
- We never copy production data to personal devices or external storage.
Infrastructure
- Our servers are hosted by Heroku, which uses Amazon Web Services (AWS). This means our servers and data are managed securely through AWS’s powerful infrastructure. We also use Cloudflare for hosting distribution files. Both Cloudflare and AWS maintain top-tier security standards and undergo regular third-party audits.
- Our main servers are located in European data centers, but we also offer storage in US data centers if needed. We keep encrypted backups in different locations within Europe, and some distribution files are stored in the US region for some customers.
- Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:
  - ISO 27001
  - SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  - PCI Level 1
  - FISMA Moderate
  - Sarbanes-Oxley (SOX)
Authorization
- We operate a multi-tenant application using row-level multitenancy. We have extensive unit tests and multiple failsafes at the database- and application-level concerning data authorization and isolation.
- We use role-based access control (RBAC) for permissions. Each API access token has a role that limits what it can do, ensuring only authorized users can access or manage certain resources.
Encryption
- All communication between our service, your software, and our backend is protected by strong encryption (TLS). We use Automated Certificate Management provided by Cloudflare. User data is stored in Heroku PostgreSQL and details of their implementation can be found on the Security page at Heroku.
- We use 256-bit encryption at all levels of our systems. We enforce TLS (HTTPS) to protect sensitive data transmitted to and from applications, i.e. data in transit.
- All data is encrypted at rest with industry-standard AES-256 block-level storage encryption. Keys are securely managed by Amazon EBS. Highly sensitive data, such as private keys and secrets, is encrypted at-work using AES-256-GCM encryption.
Payments
- Credit card and bank information is encrypted, stored, and processed by Stripe with AES-256 encryption. We don’t store sensitive payment data on our servers. Stripe manages all the payment processing, and we store a temporary token to refer to the payment.
- All communication with Stripe is encrypted using TLS.
Backups and Recovery
- We rely on Heroku Postgres to back up our data continuously, using snapshots and backups stored securely on AWS S3.
- Fork, follower, and recovery databases are created by retrieving these backups and replaying them on a new Postgres installation. This secure storage allows for complete database recovery in case of hardware failures, data corruption, or significant service interruptions.
Crashes and Errors
- We monitor for crashes and errors closely and work to fix them quickly. We aim for 99.99% uptime and offer an SLA for enterprise customers.
FAQs
What user data do you collect?
We don’t make money from your data. We collect some basic information about how users interact with our system, like API requests and sign-ins, so we can improve the service and help you better. For more details, see our privacy policy.
How long is data kept, and can I have it removed?
We keep server logs for up to 30 days and account analytics for up to 90 days. You can ask us to delete your data at any time.
Do you fill out security questionnaires?
Since we’re a small team, we don’t fill out security questionnaires for customers on our Scale Up tiers. However, for Enterprise customers, we can make an exception. If you have a question that isn’t answered here, let us know.
Do you have security certifications like SOC 2 or ISO 27001?
We don’t have these certifications yet, but we hope to in the future. If you’re interested in working with us on them, feel free to reach out!
Is your system highly available?
Yes! We have automatic scaling, health checks, and failovers in place to ensure high availability.
How do I report a potential vulnerability or security concern?
If you find something, email us at [email protected], and we’ll address it as soon as possible.
Any other questions?
We’re happy to answer any questions. Just email us at [email protected], and we’ll update this page if needed.