GroupMap runs on Salesforce’s Heroku platform (www.heroku.com). We opted for Heroku for a variety of reasons, including trust, security and reliability. Heroku has a thorough security policy published at https://www.heroku.com/policy/security
GroupMap runs in the Heroku platform’s US region, which runs in the main Amazon Web Services (AWS) data center located in Northern Virginia, United States of America.
GroupMap makes use of a number of third-party vendors to enable a rich online brainstorming experience. These include:
|Platform, database and backup provider
Profanity filtering (can be disabled per map)
|ImgIX||Image and file attachment resizing
Image and URL attachment processing
|Amazon Web Services (AWS)
|Amazon Web Services (AWS)
|Windows Live||OAuth2 sign on (optional)
Our platform vendor hosts services on Amazon Web Services (AWS), whose facilities are accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX). More information can be found at https://aws.amazon.com/security/
Our AWS data center facilities feature 24-hour manned security, biometric access control, video surveillance, and physical locks. All systems, networked devices, and circuits are constantly monitored. Heroku provides the following additional information regarding their data centers: https://devcenter.heroku.com/articles/regions#data-center-locations
Information about our platform vulnerability assessment, reporting and management practices, as well as information on physical, network and data security, can be found on Heroku’s security page at https://www.heroku.com/policy/security
GroupMap utilizes Heroku’s PG Backup service to store a full backup of all data daily.
GroupMap maintains daily backups for 90 days, at which point they are destroyed. More information about this service can be found here https://devcenter.heroku.com/articles/heroku-postgres-backups.
All communications with and between GroupMap servers are encrypted using industry-standard Transport Layer Security (TLS/SSL). GroupMap utilizes Heroku’s Premium Postgres tier, which automatically encrypts all data on-disk. More information can be found here https://devcenter.heroku.com/articles/heroku-postgres-plans
Yes. All prospective GroupMap employees are screened by a leading background checking service.
Yes. GroupMap relies on industry-leading vendors like Heroku, Google, Amazon and Dropbox to provide services like application hosting, corporate email security and corporate file security.
GroupMap’s credit card processing vendor Braintree (a PayPal company) uses industry-standard Transport Layer Security (TLS/SSL) technology for secure transactions. Braintree is certified as PCI Level 1 compliant, and listed as a Visa® Global Compliant Provider and MasterCard® Compliant Provider (SDP). Learn more about Braintree security at https://www.braintreepayments.com/products-and-features/data-security
GroupMap uses OS containerization via Heroku to ensure that access to GroupMap data and code is properly restricted. All GroupMap services run on dedicated compute resources isolated in their own virtual network.
Server ephemeral filesystems
GroupMap servers operate on an ephemeral filesystem, restored to a fresh copy of the most recently deployed code at minimum once per day, or every time there is a GroupMap deployment.
Platform-level patching (operating system, system libraries and services) of the GroupMap application and database servers is performed on an ongoing basis by our platform provider – Heroku. Further information about Heroku’s security practices can be found at https://www.heroku.com/policy/security.
Application patching (application libraries etc) is performed by the GroupMap team on an ongoing basis.
All GroupMap assets (such as development laptops and desktops) are protected by up-to-date anti-virus software.
Map data is logically segregated between customers. In order to join a GroupMap map, a user must either:
- be invited to join a map via email, with access to the 24-character (base-52) unique invitation key.
  - As a facilitator you can specify whether an invitation is single-use only
  - As a facilitator you can revoke an invitation at any time
- be invited to join via a Map ID, a 9-digit unique code (XXX-XXX-XXX) and URL (https://join.groupmap.com/XXX-XXX-XXX).
  - Map IDs automatically expire within 6 months of map creation
  - As a facilitator you can cancel or reset Map ID expiration
  - As a facilitator you can revoke Map IDs at any point in time
  - As a facilitator you can generate new Map IDs at any point in time
- or be the creator of the map
For subsequent access to map data, a user must:
- own or have previously joined the map, and authenticated with GroupMap via:
  - GroupMap email + password
  - Social Login (Facebook, Google, Twitter, LinkedIn, Windows Live OAuth2)
  - LDAP or SAML integration
- or have access to the 24-character (base-52) participant key emailed to them after they joined the map
GroupMap runs in the Heroku US region, hosted in the main Amazon Web Services (AWS) data center in Northern Virginia, United States of America.
Your map content is owned by you, and only you choose with whom to share your maps.
Maps are owned by the map creator and managed by the map creator or nominated map facilitators.
Only GroupMap administrators and customer/technical support managers have access to your map data. Our staff will not access your map data, grant access to third parties or otherwise disseminate your map data. If there is a request for support, the person assigned to the request may, with your permission, log into your account for the purpose of troubleshooting and correcting the reported issue or performing the requested task.
In the following limited situations, we may disclose information that we collect or that you provide to us:
- To our contractors, service providers and other third parties we use to support our business and who are obligated to keep personal information confidential and use it only for the purposes for which we disclose it to them.
- In an aggregated or anonymized format where no individual can be identified or linked to any part of the information.
- To comply with any court order, law or legal process, including responding to a governmental or regulatory request.
- To enforce our rights arising from any contracts entered into between you and us and for billing and collection.
- To a buyer or other successor in the event of a merger, sale or transfer of some or all of GroupMap Technology Pty. Ltd. assets.
- With your consent.
We only use information that we collect about or from map participants, including personal information, to:
- Improve our services and resolve technical issues.
- Provide customer support.
- Fulfill any other purpose for which you provide it.
No. Production data is never used in test environments.
Deleting your maps may not immediately remove the content you have published from our systems, because of caching, backups, or other references to your account. GroupMap guarantees full erasure of deleted data within 90 days of deletion.
Yes. GroupMap’s application security architecture ensures full logical segregation of customer data.
GroupMap runs in facilities powered by redundant power, each with UPS and backup generators. Heroku’s application deployment model minimizes the risk that changes to the GroupMap application will significantly disrupt service.
GroupMap’s availability over the most recent 12-month period was above 99.9%.
The Heroku platform has exceeded 99.9% uptime in each of the most recent 12 months.
We tweet from @groupmapapp, though this is rarely necessary.
Enterprise customers can elect to be notified of any problems via email.
Heroku publishes their uptime here: https://status.heroku.com/uptime
Our deployment platform usually obviates the need for downtime when we make changes to GroupMap. However, we will notify customers by email at least 24 hours in advance of any planned downtime.
GroupMap security is fully reviewed on an annual basis to ensure we continue to meet industry standards.
Still have a question? Just write to us and we’ll be happy to answer it.