Security

Every group using our service trusts us to keep their data secure and confidential.
We take security seriously and work constantly to ensure that trust is well-founded.

Secure platform

GroupMap is hosted on Salesforce’s Heroku platform. We opted for Heroku for a variety of reasons, including their industry-leading security and reliability. Heroku provides advanced network and operational security protections that are periodically reviewed as part of our vendor management processes. Learn more about Heroku security.

Secure infrastructure

GroupMap is hosted on Amazon Web Services (AWS) infrastructure. Our datacenters feature 24-hour manned security, biometric access control, video surveillance, and physical locks. All systems, networked devices, and circuits are constantly monitored. All AWS data-center facilities are accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX). Learn more about AWS security.

Hosted in the USA

GroupMap exclusively uses datacenters located in the United States, with our primary datacenter in Northern Virginia. All third-party services that support the GroupMap experience (Pusher, SendGrid, Braintree, ImgIX) are also based in the United States.

High availability

All our facilities are powered by redundant power, each with UPS and backup generators. The GroupMap platform maintains a backup environment in a secondary datacenter – always ready to take over if there are infrastructure issues with our primary datacenter – to guarantee business continuity.

Securely backed up

GroupMap captures a full backup of customer data every 12 hours. Backups are maintained for 30 days, at which point they are securely destroyed. All backups are stored encrypted.

Always encrypted

All communication with and between GroupMap servers is encrypted using the industry-standard Transport Layer Security (TLS) version 1.2. Additionally, your data is protected by AES256 encryption while at rest. Whether it’s on the move or not – your data won’t fall into the wrong hands.

Secure payments

We aren’t in the business of handling or storing credit card numbers – your card details are directly captured and stored securely by Braintree (a PayPal company), our payments provider. Braintree is certified as PCI Level 1 compliant, and listed as a Visa® Global Compliant Provider and MasterCard® Compliant Provider (SDP). Learn more about Braintree security and compliance.

Account verification

Users are required to verify their ownership of an email address via a link provided in an automated e-mail prior to using a GroupMap account. All users must be authenticated prior to gaining access to customer data.

Passwords – protected

GroupMap passwords are stored salted and cryptographically hashed using the state-of-the-art bcrypt algorithm. GroupMap enforces a minimum password complexity requirement using Dropbox’s ZXCVBN library, ensuring passwords are safely unguessable and unbreakable.

Your privacy

Your maps and workspaces remain owned by you, and are only accessible to those with whom you choose to share them. GroupMap may only access your data in limited circumstances such as when required by law or to provide technical support. Full details can be found in the GroupMap Privacy Policy.

Security Practices

Secure coding

Our developers are required to follow our formally documented Application Security Policy, as well as OWASP secure coding practices. All code is reviewed by a member of the engineering lead team.

Penetration testing

We periodically commission independent penetration testing, validating the security of the GroupMap platform. We fix all high or critical issues within a maximum of 7 days.

Risk assessments

An annual risk assessment is conducted to identify threats and vulnerabilities for all GroupMap systems. Mitigation strategies are developed based on the results of the risk assessment.

System hardening

SERVER CONTAINERIZATION

GroupMap uses OS containerization via Heroku to ensure that access to GroupMap data and code is properly restricted. All GroupMap services run on dedicated compute resources isolated in their own virtual network.

SERVER EPHEMERAL FILESYSTEMS

GroupMap servers operate on an ephemeral filesystem, restored to a fresh copy of the most recently deployed code at minimum once per day, or every time a new version is deployed.

SYSTEM PATCHING

Platform-level patching (operating system, system libraries and services) of GroupMap application and database servers is performed on an ongoing basis by Heroku. Further information.

APPLICATION PATCHING

Application patching (application libraries etc) is performed by GroupMap on an ongoing basis.

COMPUTERS

All team assets (such as development laptops and desktops) utilize encrypted storage and are protected by up-to-date anti-virus software.

Comprehensive logging

We maintain comprehensive logs of every transaction on the system, with specific logging for login attempts. Our logs are frequently reviewed by our security team to identify attempted unauthorized access.

Our team

We screen all prospective GroupMap Technology Pty. Ltd. employees with access to GroupMap systems or who may come in contact with customer information through a leading background checking service. All employees are covered by non-disclosure agreements.

Our team’s access

The access level of each of our employees is determined by need, periodically reviewed and revoked if no longer necessary. We enforce multi-factor authentication for all critical GroupMap systems.

Downtime reporting

We tweet from @groupmapapp, though this is rarely necessary. Enterprise customers can elect to be notified of any problems via email. Our deployment platform usually obviates the need for downtime when we make changes to GroupMap. However, we will notify customers by email at least 24 hours in advance of any planned downtime.

Incident management

Suspected security incidents, including logical and physical security breaches and other concerns, should be immediately addressed to security@groupmap.com and will be ticketed, tracked and resolved following our incident response policy.

Third Party Vendors

GroupMap makes use of a number of third-party vendors to enable a rich online experience.

Heroku: Platform, database and backup provider. Privacy Policy – Security Policy – Service Status
Pusher: Real-time map data synchronization. Privacy Policy – Service Status
Braintree: Credit card processing and storage. Privacy Policy – Security Statement – Service Status
WebPurify: Profanity filtering (optional). Privacy Policy
ImgIX: Image and file attachment resizing. Privacy Policy – Service Status
IFrame.ly: Image and URL attachment processing. Privacy Policy
Amazon Web Services (AWS) S3 Storage: Image and file attachment storage. Privacy Policy – Security Statement – Service Status
Amazon Web Services (AWS) EC2: LDAP sign on proxy (optional). Privacy Policy – Security Statement – Service Status
SendGrid: Transactional emails, map activity emails. Privacy Policy – Security Statement – Service Status
Facebook: OAuth2 sign on (optional). Privacy Policy – Service Status
Google: OAuth2 sign on (optional). Privacy Policy – Security Statement – Service Status
LinkedIn: OAuth2 sign on (optional). Privacy Policy – Security Statement