This document provides a general overview of Groove's commitment to protecting the security and privacy of entrusted data as well as how we help customers comply with global privacy regulations such as the GDPR, CCPA/CPRA, and LGPD.

For more information outside the scope of this overview, please contact Groove at support@groove.co.

Privacy on the Groove Platform

Purpose and Approach

Groove’s privacy program is designed to support our global customers and the various regions where they may operate as a Data Processor, Service Provider, or other similar definition for companies processing data at the written instructions of their customers. Groove’s privacy program meets the most rigorous privacy regulations (such as the GDPR, CCPA/CPRA, LGPD, PIPA, PIPEDA, etc.) and applies relevant standards across our entire platform for customer end-user data. Groove also adheres to privacy regulations in handling the personal data of individuals using our platform in regions where we market our platform and offer our services as a Data Controller or Organization. We never sell Personal Data or Personal Information to third parties.

Roles (Privacy Notice vs DPA)

Groove’s collection and processing of Personal Data directly collected from individuals who visit our website or are in our marketing database is governed by our Privacy Policy. Groove’s handling of Personal Data sent from customers to our platform as part of our service is governed by our Data Protection Addendum to the MSA or Terms of Service.

For the purpose of providing our platform to our customers, Groove is always a Data Processor under the GDPR and a Service Provider under the CCPA/CPRA.

Groove and the GDPR

On May 25, 2018, the European Union began enforcing the General Data Protection Regulation (GDPR) to strengthen the security and protection of the personal data of EU residents.

Groove is committed to protecting the security and privacy of entrusted data as well as helping our customers comply with regulations such as the GDPR. Groove offers numerous product capabilities and design paradigms to help its customers comply with the GDPR.

The July 2020 Schrems II case ruling by the Court of Justice of the European Union (CJEU) has prompted organizations to revisit their approach for handling Personal Data transfers outside of the European Union (EU)/European Economic Area (EEA), and to reassess their transfer mechanisms for ensuring compliance with the GDPR.

Though the decision provides that the (updated) controller-to-processor (SCCs) are a viable mechanism for data transfers from the EU/EEA to third countries, it identified further conditions that need to be considered when implementing them to address the requirement to provide ‘adequate protection’ to such transfers. Groove has committed to meeting a higher bar for Personal Data protection through enhanced processes and controls to ensure an adequate level of protection appropriate for the type of data we process on behalf of our customers. A detailed control list is available as part of our DPA.

Our Commitments as a Data Processor

  • Data Protection Supervision: Groove has appointed an individual to oversee Privacy aspects in the organization. Privacy questions can be directed to privacy@groove.co.

  • Secure Data Transfer and Storage Outside the EU: Transfers of personal data outside the European Economic Area (EEA) are permitted as long as certain safeguards are in place. Our customer DPA relies on the recent EU Model Clauses, updated in June 2021, which ensures that Personal Data can be sent to Groove's platform in compliance with European data protection regulations. This means that Groove's platform can afford equivalent protections for Personal Data originating from the EEA and process the data in line with European data protection laws and regulations.

Technical and Organizational Measures (TOMs):

  • Encryption: All data is encrypted in transit and at rest.

  • Corporate Data Security Program: Groove has deployed a corporate data security program, which is based on ISO 27001 information security standards.

  • SOC 2: Groove has obtained a SOC 2 Type 2 report, which provides an attestation from an independent assessor that our controls are designed, implemented, and operating effectively to align with the trust services principles and criteria defined by the AICPA. The program is audited and endorsed by a 3rd party auditor on an annual basis.

  • Processing According to Controller Instructions: Groove's platform processes data only with the written instruction of our customers. Our platform is deeply integrated with Salesforce, and customers can determine the data they want to send to Groove's platform for processing.

  • Prompt Breach Notifications: In line with our current policies, Groove will promptly inform its customers of any incidents involving or affecting Personal Data Groove processes on their behalf.

Helping You Achieve Compliance

If you collect data about EU residents, you are likely considered a data controller under the GDPR. One of the biggest challenges you will face as a controller will be managing individuals’ requests to exercise their rights as defined by the regulation.

With regards to the additional rights defined in the GDPR, Groove enables you to comply in case EU residents exercise the following rights:

Right to Access and Portability

Since Groove is deeply integrated into Salesforce, it is implied that Groove won't have any PII data about individuals that differs from what you already have in Salesforce.

Any activities that are carried out via Groove (i.e. with a Groove Flow) will be saved to the activity history of the related Lead or Contact record in Salesforce. Data that might reflect an individual's engagement data (e.g. email opens or link clicks) is synced back to Salesforce. These three paradigms enable you to build a complete picture of all the data you have related to an EU resident by solely pulling data from Salesforce - Groove doesn’t store any data beyond that.

Right to Rectify

The GDPR also empowers individuals to correct any personal data that is deemed inaccurate or incomplete. When you update data in Salesforce, Groove's data will automatically be updated if applicable. This single-source-of truth paradigm eliminates the need to maintain two separate data repositories.

Right to Erasure

Groove allows you to honor requests to delete an individual's data. After you have deleted the related records in Salesforce, you can send us a request to erase the data, and we will do so immediately.

Groove and GDPR Compliance

If you have any questions about the GDPR or want to learn how Groove can help you be compliant, please contact support@groove.co.

Did this answer your question?