Where are your servers located?

GroupMap runs on Salesforce’s Heroku platform (www.heroku.com). We opted for Heroku for a variety of reasons, including trust, security and reliability. Heroku has a thorough security policy published at https://www.heroku.com/policy/security

GroupMap runs in the Heroku platform’s US region, which runs in Amazon Web Services (AWS)’s main data center located in Northern Virginia, United States of America.

Which third-party vendors do you use?

GroupMap makes use of a number of third- party vendors to enable a rich online brainstorming experience. These include:


Platform, database and backup provider
Privacy Policy – Security Policy – Service Status

Real-time map data synchronization
Privacy Policy – Service Status


Credit card processing and storage
Privacy Policy – Security Statement – Service Status


Profanity filtering (can be disabled per map)
Privacy Policy

ImgIX Image and file attachment resizing
Privacy Policy – Service Status

Image and URL attachment processing
Privacy Policy

Amazon Web Services (AWS)
S3 Storage

Image and file attachment storage
Privacy Policy – Security Statement – Service Status


Transactional emails, map activity emails
Privacy Policy – Security Statement – Service Status

Amazon Web Services (AWS)

LDAP sign on proxy (optional)
Privacy Policy – Security Statement – Service Status


OAuth2 sign on (optional)
Privacy Policy – Service Status


OAuth2 sign on (optional)
Privacy Policy – Security Statement – Service Status


OAuth2 sign on (optional)
Privacy Policy – Security Statement


OAuth2 sign on (optional)
Privacy Policy – Security Statement – Service Status

Windows Live OAuth2 sign on (optional)
Privacy Policy – Security Statement – Service Status


What security certifications do you or your vendors have?

Our platform vendor hosts services on Amazon Web Services (AWS), whose facilities are accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX). More information can be found at https://aws.amazon.com/security/

What security provisions and practices are in place at your data center(s)?

Our AWS data center facilities feature 24-hour manned security, biometric access control, video surveillance, and physical locks. All systems, networked devices, and circuits are constantly monitored. Heroku provides the following additional information regarding their data centers https://devcenter.heroku.com/articles/regions#data-center-locations

What security monitoring do you offer?

Information about our platform vulnerability assessment, reporting and management practices, as well as information on physical, network and data security, can be found on Heroku’s security page at https://www.heroku.com/policy/security

How is our data backed up?

GroupMap utilizes Heroku’s PG Backup service to store a full backup of all data daily.
GroupMap maintains daily backups for 90 days, at which point they are destroyed. More information about this service can be found here https://devcenter.heroku.com/articles/heroku-postgres-backups.

Is our data encrypted?

All communications with and between GroupMap servers is encrypted using industry-standard Transport Layer Security (TLS/SSL). GroupMap utilizes Heroku’s Premium Postgres tier, which automatically encrypts all data on-disk. More information can be found here https://devcenter.heroku.com/articles/heroku-postgres-plans

Does your hiring process require a full background check?

Yes. All prospective GroupMap employees are screened by a leading background checking service.

Does your company outsource any portion of your information security?

Yes. GroupMap relies on industry-leading vendors like Heroku, Google, Amazon and Dropbox to provide services like application hosting, corporate email security and corporate file security.

How is my credit card information protected?

GroupMap’s credit card processing vendor Braintree (a PayPal company) uses industry standard Transport Layer Security (TLS/SSL) technology for secure transactions. Braintree is certified as PCI Level 1 compliant, and listed as a Visa® Global Compliant Provider and MasterCard® Compliant Provider (SDP). Learn more about Braintree security at https://www.braintreepayments.com/products-and-features/data-security

How is my GroupMap password protected?

GroupMap passwords are stored hashed and salted using the state-of-the-art secure bcrypt algorithm. GroupMap enforces a minimum password complexity requirement using Dropbox’s  ZXCVBN library, ensuring GroupMap passwords are safely unguessable and unbreakable.

How are your systems hardened?

Server containerization
GroupMap uses OS containerization via Heroku to ensure that access to GroupMap data and code is properly restricted. All GroupMap services run on dedicated compute resources isolated in their own virtual network.

Server ephemeral filesystems
GroupMap servers operate on an ephemeral filesystem, restored to a fresh copy of the most recently deployed code at minimum once per day, or every time there is a GroupMap deployment.

System patching
Platform-level patching (operating system, system libraries and services) of the GroupMap application and database servers is performed on an ongoing basis by our platform provider – Heroku. Further information about Heroku’s security practices can be found at https://www.heroku.com/policy/security.

Application patching
Application patching (application libraries etc) is performed by the GroupMap team on an ongoing basis.

All GroupMap assets (such as development laptops and desktops) are protected by up-to-date anti-virus software.

How is access to my map data controlled?

Map data is logically segregated between customers. In order to join a GroupMap map, a user must either:

  • be invited to join a map via email, with access to the 24-character (base-52) unique invitation key.
    • As a facilitator you can specify whether an invitation is single-use only
    • As a facilitator you can revoke an invitation at any time

  • be invited to join via a Map ID, a 9 digit unique code (XXX-XXX-XXX) and URL (https://join.groupmap.com/XXX-XXX-XXX).
    • Map IDs automatically expire within 6 months of map creation
    • As a facilitator you can cancel or reset Map ID expiration
    • As a facilitator you can revoke Map IDs at any point in time
    • As a facilitator you can generate new Map IDs at any point in time

  • or be the creator of the map


For subsequent access to map data, a user must:

  • own or have previously joined the map, and authenticated with GroupMap via:
    • GroupMap email + password
    • Social Login (Facebook, Google, Twitter, LinkedIn, Windows Live OAUTH2)
    • LDAP or SAML integration

  • or have access to the 24-character (base-52) participant key emailed to them after they joined the map
Do you have a privacy policy?

Yes. GroupMap’s privacy policy can be found at https://www.groupmap.com/privacy

Where will our data be stored?

GroupMap runs in the Heroku US region, hosted in Amazon Web Services (AWS’s) main data center in Northern Virginia, United States of America.

Who owns our data?

Your map content is owned by you, and only you choose with whom to share your maps.
Maps are owned by the map creator and and managed by the map creator or nominated map facilitators.

Who has access to our data?

Only GroupMap administrators and customer/technical support managers have access to your map data. Our staff will not access your map data, grant access to third parties or otherwise disseminate your map data. If there is a request for support, the person assigned to the request may, with your permission, log into your account for the purpose of troubleshooting and correcting the reported issue or performing the requested task.


In the following limited situations, we may disclose information that we collect or that you provide to us:

  • To our contractors, service providers and other third parties we use to support our business and who are obligated to keep personal information confidential and use it only for the purposes for which we disclose it to them.
  • In an aggregated or anonymized format where no individual can be identified or linked to any part of the information.
  • To comply with any court order, law or legal process, including responding to a governmental or regulatory request.
  • To enforce our rights arising from any contracts entered into between you and us and for billing and collection.
  • To a buyer or other successor in the event of a merger, sale or transfer of some or all of GroupMap Technology Pty. Ltd. assets.
  • With your consent.


We only use information that we collect about or from map participants, including personal information, to:

  • Improve our services and resolve technical issues.
  • Provide customer support.
  • Fulfill any other purpose for which you provide it.
Will our data be used for test purposes?

No. Production data is never used in test environments.

Do you guarantee full erasure of data?

Deleting your maps may not immediately remove the content you have published from our systems, because of caching, backups, or other references to your account. GroupMap guarantees full erasure of deleted data within 90-days of deletion.

Will my data kept separate from other customers’ data?

Yes. GroupMap’s application security architecture ensures full logical segregation of customer data.

What practices and controls are in place to maximize uptime?

GroupMap runs in facilities powered by redundant power, each with UPS and backup generators. Heroku’s application deployment model minimizes the risk that changes to the GroupMap application will significantly disrupt service.

What is your uptime?

GroupMap’s availability over the most recent 12-month period was above 99.9%.
The Heroku platform has exceeded 99.9% uptime in each of the most recent 12 months.

How do you communicate when there is a problem?

We tweet from @groupmapapp, though this is rarely necessary.
Enterprise customers can elect to be notified of any problems via email.
Heroku publishes their uptime here: https://status.heroku.com/uptime

How is downtime scheduled?

Our deployment platform usually obviates the need for downtime when we make changes to GroupMap. However, we will notify customers by email at least 24 hours in advance of any planned downtime.

GroupMap security is fully reviewed on an annual basis to ensure we continue to meet industry standards.

Still have a question? Just write to us and we’ll be happy to answer it.