Everyone using our service trusts us to keep their data secure and confidential. We take security seriously and work constantly to ensure that trust is well-founded.
GroupMap is hosted on Amazon Web Services (AWS) infrastructure. The AWS data centers that host it feature 24-hour manned security, biometric access control, video surveillance, and physical locks. All systems, networked devices, and circuits are constantly monitored. All AWS data-center facilities are accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX). Learn more about AWS security.
USA or EU hosted – your choice
By default, our customers are served from data centers and data sub-processors in the United States of America, with our primary services hosted in Northern Virginia. Enterprise customers are offered the option of an EU-hosted environment with our primary services and data sub-processors located exclusively in EU member-state countries.
All communication with and between GroupMap servers is encrypted using the industry-standard Transport Layer Security (TLS) protocol, version 1.2 or 1.3. Your data is additionally protected by AES-256 encryption while at rest, so it is encrypted both in transit and in storage. Our services have received an A+ rating from Qualys SSL Labs.
We aren't in the business of handling or storing credit card numbers – your card details are captured and stored directly by Braintree (a PayPal company), our payments provider. Braintree is certified as PCI Level 1 compliant and listed as a Visa® Global Compliant Provider and MasterCard® Compliant Provider (SDP). Learn more about Braintree security and compliance.
Application security monitoring
- We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.
- We use tooling to monitor exceptions and logs and to detect anomalies in our applications.
- We collect and store comprehensive logs to provide an audit trail of our applications' activity. Our logs are frequently reviewed by our security team to identify anomalies.
- Security events are logged and notifications are sent in case of critical attacks to allow for fast remediation.
Application security protection
- We use AWS Web Application Firewall (AWS WAF) to protect our users from a wide variety of vulnerabilities. AWS WAF integrates protections against the most critical attack categories, such as SQL injection and cross-site scripting. It blocks attacks in real time and warns us when attackers start stressing our applications.
- We set HTTP security headers to protect our users from browser-side attacks. Our services have received an A grade from SecurityHeaders.io.
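The page says security headers are set but does not list them. The following is an added example, not GroupMap's own code, of the kind of check a reviewer would run against a response: it audits a header map against a commonly recommended baseline and flags weak values (short HSTS max-age, a CSP that permits inline or wildcard scripts, a permissive X-Frame-Options). The required set, thresholds and both sample responses are assumptions constructed for the example.

```python
"""
Audit an HTTP response's security headers against a baseline.

Added example, not GroupMap's own code. The header set and thresholds are
this example's assumptions, based on the commonly recommended baseline;
the two sample responses at the bottom are constructed, not captured.
"""
import re
from typing import Dict, List

# Header names are case-insensitive in HTTP, so keys are lower-cased on input.
REQUIRED = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
}
ONE_YEAR = 31536000  # seconds; the usual HSTS preload threshold


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    h = _normalize(headers)
    findings = [f"missing: {name}" for name in sorted(REQUIRED) if name not in h]

    # HSTS: require a max-age of at least one year and includeSubDomains.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("weak: strict-transport-security max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("weak: strict-transport-security lacks includeSubDomains")

    # CSP: scripts must be governed by script-src (or default-src as fallback)
    # and that source list must not allow inline, eval or wildcard sources.
    csp = h.get("content-security-policy")
    if csp is not None:
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
        script_src = directives.get("script-src") or directives.get("default-src")
        if script_src is None:
            findings.append("weak: content-security-policy sets neither script-src nor default-src")
        else:
            for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                if bad in script_src:
                    findings.append(f"weak: content-security-policy allows {bad} for scripts")

    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("weak: x-content-type-options is not 'nosniff'")

    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("weak: x-frame-options is not DENY or SAMEORIGIN")
    return findings


# Constructed sample responses (assumed values, not captured from any server).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_security_headers(resp) or ["ok"])
```

The weak response produces eight findings (three missing headers, two HSTS weaknesses, two CSP script-source problems and a bad X-Frame-Options value); the hardened one produces none. Note that a CSP with `frame-ancestors` makes X-Frame-Options redundant in modern browsers, but keeping both costs nothing and covers older clients.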
Suspected security incidents, including any logical and physical security breaches, are ticketed, tracked, and resolved following our incident response policy and procedures.
If you have any questions or suspect an incident may have occurred, please contact email@example.com
Service status updates are tweeted from @groupmapapp, though this is rarely necessary. Enterprise customers can elect to be notified of any problems via email. Our deployment platform usually obviates the need for downtime when we make changes to GroupMap. However, we will notify customers by email at least 24 hours in advance of any planned downtime.
Your privacy, protected
Data retention and removal
Business continuity and disaster recovery
We back up all our critical assets and regularly test restoring from backup to guarantee a fast recovery in case of disaster. We capture a full backup of customer data every 12 hours. Backups are securely encrypted and stored for 30 days, at which point they are securely destroyed. We have established Business Continuity and Disaster Recovery plans and review them annually.
Single sign-on (SSO) via your SAML Identity Provider (IdP) is available for all GroupMap customers.
Passwords – protected
GroupMap passwords are stored salted and cryptographically hashed using the bcrypt algorithm. GroupMap enforces a minimum password strength requirement using Dropbox's ZXCVBN library, so that weak or easily guessed passwords are rejected at the time they are set.
Users are required to verify their ownership of an email address via a link provided in an automated e-mail prior to using it for a GroupMap account. All users must be authenticated prior to gaining access to customer data.
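As an added example of the two controls described above (this is not GroupMap's code): salted, tunable-cost password hashing with constant-time verification, plus a strength gate applied before a password is accepted. The page names bcrypt and zxcvbn; neither ships with the Python standard library, so this example substitutes `hashlib.scrypt` (also a salted password hash with an adjustable cost) and a small dictionary-plus-character-class check written here as a stand-in for zxcvbn. The cost parameters, length thresholds and the deny-list are assumptions of the example.

```python
"""
Salted password hashing plus a minimum-strength gate.

Added example, not GroupMap's code. The page says GroupMap uses bcrypt and
Dropbox's zxcvbn; neither is in the Python standard library, so this example
substitutes hashlib.scrypt and a small strength check as a stand-in for
zxcvbn. Cost parameters, thresholds and the deny-list are assumed values.
"""
import base64
import hashlib
import hmac
import os
import re

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost; about 16 MiB per hash
SALT_BYTES = 16
DK_LEN = 32
MIN_LENGTH = 12
PASSPHRASE_LENGTH = 20   # long passphrases need not mix character classes

# Stand-in for zxcvbn's dictionary matching: a handful of common passwords.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou", "admin"}
_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


def password_is_acceptable(password: str) -> bool:
    """Reject short passwords, dictionary words even with a numeric or symbol
    suffix such as 'Password123!', and short single-character-class passwords."""
    if len(password) < MIN_LENGTH:
        return False
    lowered = password.lower()
    stem = re.sub(r"[\d\W_]+$", "", lowered)   # strip trailing digits/symbols
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        return False
    if len(password) >= PASSPHRASE_LENGTH:
        return True
    classes = sum(1 for p in _CLASSES if re.search(p, password))
    return classes >= 2


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record, scrypt$N$r$p$<salt>$<hash>, so the cost
    can be raised later without invalidating records hashed at the old cost."""
    salt = os.urandom(SALT_BYTES)   # fresh random salt per password
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_b64, hash_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False   # malformed record never verifies
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    for candidate in ("Password123!", "correct horse battery staple", "Tr0ub4dor&3x"):
        print(f"{candidate!r}: acceptable={password_is_acceptable(candidate)}")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong guess", record))
```

Two points carry over to a bcrypt deployment unchanged: the salt is generated per password and stored with the hash, and the stored record names its own parameters so the work factor can be raised as hardware improves. Real zxcvbn scores patterns, keyboard walks and l33t substitutions as well as dictionary words, which the stand-in above does not attempt.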
Account takeover protection
We protect user accounts by monitoring for and blocking brute-force login attempts.
We support two-factor authentication via Google or your own SAML Identity Provider to protect against account takeover attacks.
Role-based access control
Advanced role-based access control (RBAC) is offered on all accounts.
Our developers are required to follow our formally documented Application Security Policy, and follow security best practices and frameworks (OWASP Top 10, SANS Top 25). We use the following best practices to ensure the highest level of security in our software:
- Developers participate in regular security training to learn about common vulnerabilities and threats
- We review our code for security vulnerabilities
- We regularly update our dependencies and make sure none of them has known vulnerabilities
- We use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase
- We use Dynamic Application Security Testing (DAST) to scan our applications
- We are also alerted when dependencies with known vulnerabilities are in use in production.
GroupMap is scanned on a monthly basis, and after significant releases, by intruder.io to identify potential infrastructure, platform and application vulnerabilities. Any identified vulnerabilities are triaged and mitigated in accordance with our application security policies.
We periodically commission independent penetration testing, validating the security of the GroupMap platform. We fix all high or critical issues within a maximum of 7 days.
An annual risk assessment is conducted to identify threats and vulnerabilities for all GroupMap systems. Mitigation strategies are developed based on the results of the risk assessment.
SERVER CONTAINERIZATION – GroupMap uses OS containerization via AWS Fargate to ensure that access to GroupMap data and code is properly restricted. All GroupMap services run on dedicated compute resources isolated in their own virtual network.
SERVER EPHEMERAL FILESYSTEMS – GroupMap servers operate on an ephemeral filesystem, restored to a fresh copy of the most recently deployed code at minimum once per day, or every time a new version is deployed.
SYSTEM PATCHING – Platform-level patching (operating system, system libraries, and services) of GroupMap application and database servers is performed on an ongoing basis.
APPLICATION PATCHING – Application patching (application libraries etc) is performed by GroupMap on an ongoing basis.
COMPUTERS – All team assets (such as development laptops and desktops) utilize encrypted storage and are protected by up-to-date anti-virus software.
We maintain comprehensive logs of every transaction on the system, with specific logging for login attempts. Our logs are frequently reviewed by our security team to identify attempted unauthorized access.
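The account takeover section above says brute-force attempts are monitored and blocked, and this paragraph says login attempts are logged and reviewed for unauthorized access; neither gives a log format or thresholds. As an added example, not GroupMap's own tooling, here is detection logic of the kind that review would run: a sliding window over failed logins per source IP (classic brute force), per account (targeted guessing), and distinct accounts per source (password spraying, which per-account counters miss), plus a flag on any success that follows a block. The line format, window, thresholds and the sample log are constructed assumptions of the example.

```python
"""
Detect brute-force and password-spraying patterns in login logs.

Added example, not GroupMap's own tooling. The line format, window and
thresholds are assumptions of this example, and the sample log below is
constructed (RFC 5737 documentation addresses), not captured traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO-8601 timestamp> login <ok|fail> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

WINDOW = timedelta(minutes=5)
MAX_FAILS_PER_IP = 10    # one source hammering any accounts
MAX_FAILS_PER_USER = 5   # one account under targeted guessing
MAX_USERS_PER_IP = 5     # spraying: one source, a try or two per account


def _trim(dq, now):
    """Drop timestamps that have fallen out of the sliding window."""
    while dq and now - dq[0] > WINDOW:
        dq.popleft()


def analyze(lines):
    """Return verdicts: IPs to block, accounts to protect, spraying IPs, and
    successful logins that followed a block (possible compromise)."""
    fails_by_ip = defaultdict(deque)
    fails_by_user = defaultdict(deque)
    last_fail = defaultdict(dict)          # ip -> {user: time of last failure}
    verdict = {"block_ip": set(), "lock_user": set(),
               "spray_ip": set(), "suspicious_success": set()}

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable; a real pipeline should count and alert on these
        ts = datetime.fromisoformat(m["ts"])
        user, ip = m["user"], m["ip"]

        if m["result"] == "ok":
            # A success from a source or on an account already flagged is the
            # event an incident responder most wants surfaced.
            if ip in verdict["block_ip"] or user in verdict["lock_user"]:
                verdict["suspicious_success"].add((user, ip))
            continue

        fails_by_ip[ip].append(ts)
        _trim(fails_by_ip[ip], ts)
        fails_by_user[user].append(ts)
        _trim(fails_by_user[user], ts)
        last_fail[ip][user] = ts
        recent_users = {u for u, t in last_fail[ip].items() if ts - t <= WINDOW}

        if len(fails_by_ip[ip]) >= MAX_FAILS_PER_IP:
            verdict["block_ip"].add(ip)
        if len(fails_by_user[user]) >= MAX_FAILS_PER_USER:
            verdict["lock_user"].add(user)
        if len(recent_users) >= MAX_USERS_PER_IP:
            verdict["spray_ip"].add(ip)
    return verdict


# Constructed sample log (assumed events, not real traffic).
SAMPLE_LOG = (
    # 12 failures against one account from one IP within 33 seconds, then a success
    [f"2024-05-01T10:00:{s:02d} login fail user=alice ip=203.0.113.7"
     for s in range(0, 36, 3)]
    + ["2024-05-01T10:00:40 login ok user=alice ip=203.0.113.7"]
    # one failure each against six different accounts from a second IP
    + [f"2024-05-01T10:05:{i * 10:02d} login fail user=user{i} ip=198.51.100.9"
       for i in range(6)]
    # an ordinary user mistyping twice, then logging in
    + ["2024-05-01T10:10:00 login fail user=bob ip=192.0.2.4",
       "2024-05-01T10:10:05 login fail user=bob ip=192.0.2.4",
       "2024-05-01T10:10:10 login ok user=bob ip=192.0.2.4",
       "this line is not a login event"]
)

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {sorted(value)}")
```

On the sample, 203.0.113.7 is blocked and alice's account flagged, the later success for alice from that IP is reported as suspicious, 198.51.100.9 is flagged for spraying without ever tripping the per-IP failure limit, and bob's two typos produce nothing. One caveat for the "lock_user" verdict: a hard per-account lockout hands an attacker a denial-of-service lever against any user whose email they know, so it is better paired with throttling or step-up authentication than with an outright lock.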
Our team’s access
- Our employees and contractors sign a Non-Disclosure and Confidentiality Agreement to protect our customers' sensitive information.
- Our employees and contractors are screened by a leading background checking service.
- The access level of each of our employees is determined by need, periodically reviewed, and revoked if no longer necessary. We enforce multi-factor authentication for all critical GroupMap systems.
- Two-factor authentication is required for administration access.
We encourage everyone who practices responsible disclosure and complies with our policies and terms of service to participate in our bug bounty program. Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them. Rewards are granted at our discretion depending on the criticality of the vulnerability reported. Learn more about the GroupMap responsible disclosure program
Third Party Vendors
- Application and database hosting
- Credit card processing and storage
- OAuth2 sign on (optional)
- OAuth2 sign on (optional)
- Image and URL attachment processing
- OAuth2 sign on (optional)
- Real-time map data synchronization
- Transactional emails, map activity emails
- Profanity filtering (optional)