Groove and the GDPR

On May 25, 2018, the European Union began enforcing the General Data Protection Regulation (GDPR), in an effort to strengthen the security and protection of the personal data of EU residents.

Groove is committed to protecting the security and privacy of entrusted data as well as helping our customers comply with regulations such as the GDPR. Product capabilities and design paradigms help your company be GDPR compliant.

Our Commitments as a Data Processor

As a Salesforce customer, you are likely a data controller under the GDPR. This is the case if you supply goods or services to EU residents - or if you track or monitor EU residents and decide why and how data is collected and processed - e.g. in Salesforce. One of your requirements as a data controller is to only work with compliant data processors

Data processors are vendors or businesses that process data on behalf of data controllers. As a sales engagement platform, Groove is considered a data processor, just like Salesforce is. We will be ready for the GDPR when acting as a data processor on your behalf.

Here are measures Groove is committed to as one of your data processors:

  • Data Protection Supervision: Groove has appointed an individual to oversee Privacy aspects in the organization. Privacy questions can be directed to

  • Secure data transfer and storage outside the EU: Transfers of personal data outside the European Economic Area (EEA) are permitted as long as certain safeguards apply. Our customer DPA contains the EU Model Clauses, which are industry standard for data safety. This means that Groove agrees to protect any data originating from the EEA in line with European data protection standards. 

  • Technical and organizational security measures:

  • All data is encrypted in transit and at rest.

  • Groove has deployed a corporate data security program, which is controlled by ISO 27001-complaint procedures.

  • Groove has obtained a SOC-2 certificate, which provides an attestation from an independent assessor that our controls are designed, implemented and operating effectively to align with the trust services principles and criteria defined by the AICPA. The program is audited and endorsed by a 3rd party auditor on an annual basis.

  • Processing according to controller instructions: Groove is deeply integrated with Salesforce, giving you full control over how data is utilized in Groove.

  • Prompt breach notifications: In line with our current policies, Groove will promptly inform you of any incidents involving your users’ personal data. 

Helping You Achieve Compliance

If you collect data about EU residents, you are likely considered a data controller under the GDPR. One of the biggest challenges you will face as a controller will be managing individuals’ requests to exercise their rights as defined by the regulation.

With regards to the additional rights defined in the GDPR, Groove enables you to comply in case EU residents exercise the following rights:

Right to Access and Portability

Since Groove is deeply integrated into Salesforce, it is implied that Groove won't have any PII data about individuals that differs from what you already have in Salesforce. Any activities that are carried out via Groove (i.e. Groove Flow) will be saved to the activity history of the related lead or contact in Salesforce. Data that might reflect an individual's engagement data (such as email opens or link clicks) is synced back to Salesforce. These three paradigms enable you to build a complete picture of all the data you have related to an EU resident by solely pulling data from Salesforce - Groove won't store any data beyond that.

Right to Rectify

The GDPR also empowers individuals to correct any personal data that is deemed inaccurate or incomplete. When you update data in Salesforce, Groove's data will automatically be updated if applicable. This single-source-of-truth paradigm avoids you having to maintain two separate data repositories.

Right to Erasure

Groove allows you to honor requests to delete an individual's data. After you have deleted the related records in Salesforce, you can send us a request to erase the data and we will do so immediately.

If you have any questions about the GDPR or want to learn how Groove can help you be compliant, please contact!

Did this answer your question?