Grove holds patient information on behalf of independent practices across four jurisdictions. This page is our complete posture — what we comply with, how we protect data, and what we'll do when something goes wrong.
What Grove complies with, jurisdiction by jurisdiction, with the documentation you'll need for your own audits. "Compliant" against a privacy law is a self-assessment, since none of HIPAA, PIPEDA, UK GDPR or the Australian Privacy Act has an official certification scheme; SOC 2 and HITRUST are the independent third-party attestations that back it up.
| Standard | Status | Documentation |
|---|---|---|
| HIPAA (United States) | Compliant | BAA signed automatically at signup · Available on request |
| PIPEDA (Canada) | Compliant | Privacy Policy · Provincial health act mappings · DPA on request |
| UK GDPR (United Kingdom) | Compliant | DPA available · Right of erasure · UK IDTA or UK Addendum to the EU SCCs for transfers to US sub-processors |
| Australian Privacy Act 1988 (APPs) | Compliant | APP-compliant Privacy Policy · My Health Records Act mapping |
| SOC 2 Type 1 | In progress · Q4 2026 | Auditor engaged · Letter of intent available on request |
| SOC 2 Type 2 | In progress · Q2 2027 | Will follow Type 1 completion · 6-month observation period |
| HITRUST CSF | Evaluating · 2027 | Reviewing certification path post-SOC 2 |
| Penetration testing | Annual + on major releases | Executive summary available under NDA |
The technical and operational safeguards behind every Grove account.
All data is encrypted at rest with AES-256 and in transit with TLS 1.3. Database backups are encrypted with separate keys. Encryption keys are rotated automatically and stored in AWS KMS.
Role-based access control on every record. Reading or changing a patient's record requires both an appropriate role and an explicit assignment to that patient; a role alone is not enough. Multi-factor authentication on every Grove staff account. Audit logs are immutable and retained for 7 years.
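To make "role plus explicit assignment" concrete, here is one way that model can be enforced in the database itself, as Postgres row-level security. This is an added illustration, not Grove's schema or policies: the tables (`staff_roles`, `patients`, `care_team`), the role names and the helper `can_access_patient` are assumptions, and `auth.uid()` is the Supabase function that returns the calling user's id from their JWT.

```sql
-- Illustrative schema. Table, column and role names are assumptions,
-- not Grove's real data model. auth.uid() is Supabase's helper that
-- returns the calling user's id from the request JWT.
create table staff_roles (
  user_id uuid primary key,
  role    text not null check (role in ('clinician', 'front_desk', 'admin'))
);

create table patients (
  id          uuid primary key default gen_random_uuid(),
  practice_id uuid not null,
  record      jsonb not null
);

-- Explicit assignment: a staff member can only see patients listed here.
create table care_team (
  patient_id uuid not null references patients (id) on delete cascade,
  user_id    uuid not null references staff_roles (user_id) on delete cascade,
  primary key (patient_id, user_id)
);

-- One predicate for every policy: the caller must hold a clinical role
-- AND be on the patient's care team. security definer lets it read the
-- two lookup tables even though they are themselves locked down below.
create function can_access_patient(p_patient uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from staff_roles r
    join care_team ct on ct.user_id = r.user_id
    where r.user_id = auth.uid()
      and r.role in ('clinician', 'admin')
      and ct.patient_id = p_patient
  );
$$;

alter table patients enable row level security;
alter table patients force row level security;  -- binds the table owner too

create policy patients_select on patients for select
  using (can_access_patient(id));

create policy patients_update on patients for update
  using (can_access_patient(id))
  with check (can_access_patient(id));  -- the row must still be yours after the change

-- Lock the assignment table too, or a clinician could add themselves to any care team.
alter table care_team enable row level security;
alter table care_team force row level security;

create policy care_team_admin_only on care_team for all
  using (exists (select 1 from staff_roles r
                 where r.user_id = auth.uid() and r.role = 'admin'))
  with check (exists (select 1 from staff_roles r
                      where r.user_id = auth.uid() and r.role = 'admin'));

-- Staff may read only their own role row; no policy grants writes, so only
-- the admin path (outside this sketch) can change roles.
alter table staff_roles enable row level security;
alter table staff_roles force row level security;

create policy staff_roles_self on staff_roles for select
  using (user_id = auth.uid());
```

Two details matter because they are where such models usually leak: the assignment table is itself locked down (otherwise any clinician could add themselves to any care team), and `force row level security` makes the policies bind even the table owner. Supabase's service-role key bypasses RLS entirely, so server-side code holding it needs its own authorization checks. A clinician who is not on a patient's care team gets zero rows back, not an error, and that is the behaviour to verify in tests.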
Email + password with optional TOTP (Google Authenticator, 1Password, etc.). Magic-link sign-in available. SSO via SAML available on Enterprise plans. Passwords stored as bcrypt hashes with a high cost factor.
Continuous database replication with point-in-time recovery for the previous 7 days. Daily encrypted snapshots retained 90 days. Cross-region replication, confined to the customer's own jurisdiction so that the data residency commitment below holds for replicas and backups as well as the primary. Quarterly disaster recovery drills, documented.
Hosted on AWS via Supabase. WAF in front of all customer-facing endpoints. DDoS protection via Cloudflare. Internal services on private subnets with no public ingress. VPC isolation per region.
Continuous dependency scanning via GitHub Dependabot. External penetration testing annually and on major releases. Annual full-scope security audit. Critical vulnerabilities patched within 24 hours; high within 7 days.
Your patient data is stored in your country. Always. No exceptions.
The third-party services Grove uses to deliver our platform. All are HIPAA-eligible or covered by appropriate data processing agreements.
| Sub-processor | Purpose | Data type | Region |
|---|---|---|---|
| Supabase (AWS) | Database, authentication, file storage | All customer data | Customer's region |
| Stripe | Payment processing | Billing info only · No PHI | Global · PCI DSS Level 1 |
| Netlify | Web hosting, edge functions | Application code, public assets | Global edge · No PHI stored |
| Postmark * | Transactional email | Email metadata · Encrypted content for PHI | USA · BAA signed |
| Cloudflare | DDoS, WAF, DNS | Request metadata · As a TLS-terminating proxy it inspects request content to apply WAF rules but retains no PHI | Global edge |
| Anthropic | Grove Intelligence (AI features) | Practitioner queries · Configurable PHI handling | USA · Zero retention enabled |
| Sentry | Error monitoring | Error metadata · PHI scrubbed at SDK | USA · DPA in place |
* Currently using Resend for pre-launch (non-PHI emails only). Production patient-facing email migrating to Postmark with signed BAA prior to first practice going live.
If something goes wrong, here's exactly what happens — and when.
24/7 automated security monitoring across all systems. Suspicious activity triggers immediate alerts to the on-call engineering team. Confirmed incidents are escalated to the founder within 15 minutes.
Incident response playbook executed within 1 hour of confirmation. Affected systems isolated, credentials rotated, forensic snapshots captured. External security counsel engaged.
Affected practices notified within 24 hours, even before full forensics are complete. We share what we know, what we don't, and what we're doing about it. No spin.
Regulatory notifications follow each jurisdiction's rules. In the US, Grove is a business associate, so its obligation under 45 CFR §164.410 is to notify the affected practice (the covered entity) without unreasonable delay and no later than 60 days after discovery; the practice's notifications to HHS OCR and to affected individuals follow from that, and the 24-hour commitment above is set well inside that window. In Canada, the Office of the Privacy Commissioner is notified as soon as feasible for breaches posing a real risk of significant harm under PIPEDA, and provincial commissioners where provincial health privacy acts apply. In the UK, the practice is the controller: Grove notifies it without undue delay so the practice can meet its 72-hour ICO deadline under UK GDPR Article 33. In Australia, eligible data breaches are handled under the OAIC Notifiable Data Breaches scheme. Every notification is documented and made public.
What you and your patients can do with the data Grove holds.
One-click export of all your practice data — patient records, appointments, messages, billing — in standard formats (CSV, JSON, FHIR). No fee, no limit, no waiting period.
Permanent account deletion on request. We don't hold your data hostage. Confirmation within 30 days, full deletion within 90 days. Audit logs are the one exception: they are retained for the 7-year period stated above (HIPAA requires 6), then destroyed.
Patients can request their complete record via your practice or directly through Grove. We provide it within HIPAA's 30-day requirement, in machine-readable form.
What Grove will never do:

- Sell aggregated data to advertisers.
- Use your patient data to train AI without explicit consent.
- Share data with insurers, employers, or law enforcement without legal compulsion.

See all our promises →
Request our BAA, DPA, SOC 2 progress letter, penetration test executive summary, or anything else your compliance team needs.
Request documentation →