
Ordergroove Security

Your data is our top priority!

Ordergroove constantly strives to deliver best-in-class services and security for all our customers. Ordergroove is compliant with the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR). Ordergroove stores data securely on Google Cloud Platform, which holds a SOC 2 Type II attestation. Our data is encrypted both in transit (TLS 1.2+) and at rest (AES-256), and we integrate directly with your eCommerce platform so that we never receive or store any payment-sensitive information.

  • Compliance & Certifications
  • Physical Security
  • Data Protection
  • Software Security
  • API Terms of Use
  • Operational Security
  • Vulnerability Testing

Compliance & Certifications

PCI Compliance – Level 1

Ordergroove holds Level 1 compliance with the Payment Card Industry Data Security Standard (PCI DSS), commonly referred to as “PCI compliance”, and undergoes an annual data security audit by a third-party security assessor. To request the latest signed Attestation of Compliance, contact the Ordergroove Support team.

SOC 2 Type II

Ordergroove can provide a SOC 2 Type II report from our cloud provider upon request. Our services are hosted entirely on Google Cloud Platform and the report details the ways in which we leverage the massive investments that Google continues to make in security to the benefit of our merchants and your customers.

GDPR Compliance

The General Data Protection Regulation (GDPR) is a data regulation enacted by the European Union to safeguard the rights of consumers in the European Union, superseding the 1995 Data Protection Directive and increasing requirements for data security and privacy beyond the Directive.

Ordergroove is GDPR Compliant.

CCPA Compliance

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.

Ordergroove is CCPA Compliant.

Physical Security

Ordergroove production data is entirely processed and stored within Google Cloud Platform’s world-renowned data centers, which use a state-of-the-art layered security model with alerting and auditing measures, including:

  • custom-designed electronic access cards
  • vehicle access barriers
  • perimeter fencing
  • metal detectors
  • biometric checks
  • laser beam intrusion detection
  • 24/7 monitoring by high-resolution interior and exterior cameras and trained security guards
  • redundant power systems

Our data centers are all in the United States. Our primary data center is located in Iowa (us-central1) and our disaster recovery data center is located in South Carolina (us-east1). All of our data centers leverage Google Cloud Firewalls for high scalability and granular control of our firewall rules and policies.

Data Protection

Encryption in Transit

All communications with Ordergroove UIs and APIs are encrypted over public networks using industry-standard HTTPS/TLS (TLS 1.2 or higher), so all traffic between you and Ordergroove is encrypted in transit. Additionally, for email integrations, our product uses opportunistic TLS by default: Transport Layer Security (TLS) encrypts email between mail servers, mitigating eavesdropping, wherever the peer mail server supports the protocol (opportunistic TLS falls back to unencrypted delivery when the peer does not).

Encryption at Rest

All Personally Identifiable Information (PII) and all data backups are encrypted at rest in Google Cloud Platform using AES-256.

Isolated Environments

Our production network segments are logically isolated from other Corporate, Staging, QA, and Development segments.

Data Policy

We maintain strict governance and protection standards to ensure data is appropriately stored, processed, and handled by our people, systems, and technology.

Software Security

Software Delivery Life Cycle (SDLC)

All changes to our source code destined for production systems are subject to code review by a qualified engineering peer or manager, and every change must also pass an extensive automated test suite. Code reviews and automated tests include security, performance, and potential-for-abuse analysis. Our engineers are continuously trained in security analysis, including the OWASP Top 10 security risks.

Prior to updating production services, all contributors to the updated software version are required to approve that their changes are working as intended on staging servers.

API Terms of Use

These API Terms of Use outline the responsibilities and obligations of both the merchant (“Customer”) and Ordergroove (“Service Provider”) regarding the use of our API. By accessing and using our API, you agree to comply with these terms. Please read them carefully.

API Access and Usage

Authorization: Ordergroove provides the Customer with access to our API, allowing them to create and manage keys through a self-service interface. The Customer agrees to use the API strictly in accordance with these terms.

Key Security: The Customer is solely responsible for the security and confidentiality of their API keys. They must take all necessary precautions to prevent unauthorized access to or use of their keys. Any unauthorized use of API keys should be reported immediately to Ordergroove. The following are some of the best practices we recommend to help keep the key secure:

  • DO NOT embed API keys directly in code. API keys that are embedded in code can be accidentally exposed to the public. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application’s source code.
  • DO NOT store API keys in files inside your application’s source tree. If you store API keys in files, keep the files outside your application’s source tree to help ensure your keys do not end up in your source code control system. This is particularly important if you use a public source code management system such as GitHub or Bitbucket.
  • DO NOT store or expose your API keys on the client side.
    • If you are developing a web app, always store your API keys on a backend server that orchestrates the calls to the Ordergroove API. DO NOT expose the key to any browser.
    • If you are developing a mobile app, it’s equally important NOT to store your API keys in the mobile app.
    • If you need to make a call from the front end, create a proxy endpoint in your backend and make the calls to the Ordergroove API from there.
      • Tools exist today that allow a malicious actor to reverse engineer your app and retrieve API keys. Additionally, if you ever need to rotate your API keys, you will have to rely on your users to update your app, without which your app will stop working. Instead, we recommend storing third-party API keys such as the ones issued by Ordergroove on a backend server you own.
  • Review your code before public release to ensure it does not contain API keys or any other private information. Ensuring your code is peer reviewed will strengthen code quality and shared responsibility.
  • Do not share the key with anyone unless they absolutely need that access to run your applications.
  • Never share the key through web-based communication (email, instant messenger, print, screenshare, picture, screenshots). If you must share the key with someone, use a vault or password manager.
  • Do not reuse the same API key across multiple applications. Generate a separate API key for each application.
  • If your API key is compromised, immediately contact Ordergroove to revoke the API key and generate a new one.
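The following is an added example (not Ordergroove's code) of the pattern the list above describes: a backend that reads the key from an environment variable, proxies a front-end call to the upstream API with the key attached server-side, restricts the proxy to an allowlist of upstream paths, redacts the key if the upstream ever echoes it back, and includes a small pre-release lint for key literals in source. The environment variable name `OG_API_KEY`, the upstream base URL and the endpoint paths are assumptions, not documented Ordergroove values.

```python
"""Backend-held API key with a proxy endpoint (added example, not Ordergroove's code).

Assumptions (hypothetical): the key lives in the OG_API_KEY environment variable,
UPSTREAM_BASE is a placeholder for the real API host, and ALLOWED_PATHS lists the
only upstream endpoints the front end may reach through this proxy.
"""
import json
import os
import re
import urllib.request

UPSTREAM_BASE = "https://api.example.invalid"  # placeholder, not a real endpoint
# Allowlist: a front end can only drive these calls, not arbitrary ones with our key.
ALLOWED_PATHS = {"/v1/subscriptions", "/v1/subscriptions/pause"}


def load_api_key(env=None):
    """Read the key from the environment; fail loudly instead of falling back to a literal."""
    if env is None:
        env = os.environ
    key = env.get("OG_API_KEY", "").strip()
    if not key:
        raise RuntimeError("OG_API_KEY is not set; refusing to start without a key")
    return key


def urllib_transport(url, headers, body):
    """Real transport for production use: POST body to url with the given headers."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


def make_recording_transport(status, body):
    """Offline transport for tests: records what would be sent, returns a canned reply."""
    calls = []

    def transport(url, headers, data):
        calls.append({"url": url, "headers": headers, "body": data})
        return status, body

    return transport, calls


def proxy_request(path, payload, api_key, transport=urllib_transport):
    """Forward a front-end request upstream, adding the key server-side.

    Returns (status, body) for the front end. The key is never part of the
    returned body: if the upstream echoes it (e.g. in an error), it is redacted.
    """
    if path not in ALLOWED_PATHS:
        return 403, json.dumps({"error": "endpoint not permitted via proxy"})
    headers = {
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
    }
    body = json.dumps(payload).encode("utf-8")
    status, text = transport(UPSTREAM_BASE + path, headers, body)
    return status, text.replace(api_key, "[REDACTED]")


# Pre-release check: a name containing "api key" assigned a quoted literal of 8+ chars.
_KEY_ASSIGNMENT = re.compile(r"""(?i)\b\w*api[_-]?key\w*\s*[=:]\s*["'][^"']{8,}["']""")


def find_embedded_keys(source):
    """Return 1-based line numbers where a string literal is assigned to an API-key-like name."""
    return [n for n, line in enumerate(source.splitlines(), 1) if _KEY_ASSIGNMENT.search(line)]


if __name__ == "__main__":
    transport, calls = make_recording_transport(200, '{"ok": true}')
    print(proxy_request("/v1/subscriptions", {"id": 1}, "constructed-test-key", transport))
    print(find_embedded_keys('API_KEY = "sk-constructed-literal"\nkey = os.environ["OG_API_KEY"]\n'))
```

The recording transport is only there so the proxy can be exercised offline; in production the default `urllib_transport` (or your HTTP client of choice) is used. Note that `load_api_key` has no fallback literal on purpose: a missing key should stop the service from starting rather than silently run with a hard-coded one.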

Prohibited Activities: The Customer agrees not to engage in any activities that may cause harm to Ordergroove or its systems. Prohibited activities include, but are not limited to:

  • Initiating Distributed Denial of Service (DDoS) attacks against Ordergroove or any other system.
  • Overloading or flooding Ordergroove’s systems or infrastructure with excessive concurrent API requests.
  • Using APIs to fetch program-wide data when offline processes are available to do the same.
  • Attempting to access, retrieve, or modify data or resources beyond the scope of the permissions granted by the API.
  • Engaging in any malicious or fraudulent activities that may compromise the integrity or security of the API or Ordergroove systems.

Intellectual Property

Ownership: Ordergroove retains all intellectual property rights in and to the API, including any updates, modifications, or enhancements made to it.

License: Ordergroove grants the Customer a limited, non-exclusive, non-transferable license to use the API solely for the purpose of integrating it with their applications and accessing the services provided by Ordergroove.

Limitation of Liability

Service Availability: While Ordergroove strives to provide uninterrupted access to the API, we do not guarantee that it will be error-free or available at all times. Ordergroove reserves the right to perform maintenance or updates that may temporarily disrupt API availability.

Indirect Damages: Ordergroove shall not be liable for any indirect, incidental, consequential, or punitive damages arising out of or in connection with the use or inability to use the API, even if we have been advised of the possibility of such damages.

Maximum Liability: In any event, the total liability of Ordergroove for any claims related to the API shall not exceed the total fees paid by the Customer to Ordergroove in the preceding twelve (12) months.

Updates

Our APIs may evolve and change over time. While we do our best to notify developers of major changes in advance, we reserve the right to modify our APIs, cease to offer support for our APIs, or require you to use our APIs in a different manner at any time without notice.

We may update these API Terms from time to time by posting an updated version to our website and any such updates will be effective upon posting. When we update these API Terms, the “Updated” date above will be updated to reflect the date of the most recent version. Your continued use of our APIs constitutes your acceptance of the modified API Terms. We encourage you to review these API Terms regularly.

Confidentiality

You may be given access to certain non-public information, software, and specifications relating to our APIs (“Confidential Information“), which may include your credentials as well as any materials, communications or other information that is marked confidential or that would reasonably be considered confidential under the circumstances. You may use Confidential Information only as necessary in exercising your rights granted under these API Terms. You may not disclose any Confidential Information to any third party without our prior written consent. You agree that you will protect any Confidential Information from unauthorized use, access, or disclosure in the same manner that you would use to protect your own confidential and proprietary information.

Termination

Termination by Customer: The Customer may terminate their access to the API at any time by providing written notice to Ordergroove. Upon termination, the Customer’s API keys will be deactivated, and they will no longer have access to the API.

Termination by Ordergroove: Ordergroove reserves the right to suspend or terminate the Customer’s access to the API immediately, without prior notice, if the Customer violates these terms or engages in any unauthorized or prohibited activities.

Termination by Ordergroove: Ordergroove reserves the right to suspend or terminate the Customer’s access to the API immediately, without prior notice, if the Customer violates these terms or engages in any unauthorized or prohibited activities.

General

Modification: Ordergroove reserves the right to modify these API Terms of Use at any time. Any changes will be communicated to the Customer through the API documentation or by other means.

Governing Law: These terms shall be governed by and construed in accordance with the laws of [Your Jurisdiction]. Any disputes arising out of or in connection with these terms shall be subject to the exclusive jurisdiction of the courts of [Your Jurisdiction].

Entire Agreement: These API Terms of Use constitute the entire agreement between the Customer and Ordergroove regarding the use of the API and supersede any prior agreements or understandings, whether written or oral.

If you have any questions or concerns about these terms, please contact Ordergroove at support@ordergroove.com

By using our API, you acknowledge that you have read, understood, and agree to be bound by these API Terms of Use.

Operational Security

Customer Payment Information

Integrating with Ordergroove means that you get the best security settings out of the box:

  • We do not have access to your customers’ Primary Account Number (PAN) or credit card numbers
  • We receive a token ID as a payment identifier during enrollment that we send back to your platform for processing recurring orders
  • For the best customer experience in the Subscription Management Interface (SMI) and easier management of expired credit cards, we can display information like the last four digits of the credit card and the expiration date
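As an added example (not Ordergroove's code) of enforcing the model above on the receiving side, the following gate accepts a payment identifier only as a token plus the display fields the list mentions (last four digits and expiry), and rejects any payload in which a field carries a raw card number. The field names are assumptions; the card-number test uses a 13-19 digit run that passes the Luhn checksum.

```python
"""Reject PAN-like data in an enrollment payload (added example, not Ordergroove's code).

Assumed field names: payment_token, last_four, exp_month, exp_year.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")
ALLOWED_FIELDS = {"payment_token", "last_four", "exp_month", "exp_year"}


def luhn_valid(digits):
    """Luhn checksum used by card numbers; a passing digit run is treated as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value):
    """True if any digit run in value has card-number length and a valid Luhn checksum."""
    for match in _DIGIT_RUN.finditer(value):
        if luhn_valid(re.sub(r"[ -]", "", match.group())):
            return True
    return False


def validate_enrollment_payment(payment):
    """Return a list of problems; an empty list means the payload is acceptable."""
    problems = []
    for name in payment:
        if name not in ALLOWED_FIELDS:
            problems.append(f"unexpected field: {name}")
    if "payment_token" not in payment:
        problems.append("missing payment_token")
    last_four = str(payment.get("last_four", ""))
    if last_four and not re.fullmatch(r"\d{4}", last_four):
        problems.append("last_four must be exactly four digits")
    # Check every value, including the token, so a PAN cannot hide in an allowed field.
    for name, value in payment.items():
        if looks_like_pan(str(value)):
            problems.append(f"field {name} contains a card-number-like value")
    return problems


if __name__ == "__main__":
    good = {"payment_token": "tok_constructed_1a2b3c", "last_four": "1111",
            "exp_month": 12, "exp_year": 2030}
    bad = {"payment_token": "4111 1111 1111 1111", "last_four": "1111"}  # test number, not real
    print(validate_enrollment_payment(good))  # expected: []
    print(validate_enrollment_payment(bad))
```

A gate like this belongs at the boundary where the platform hands over the token: it turns an accidental PAN in the wrong field into a rejected request rather than stored cardholder data.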

Access Management

Access to our systems and your data is restricted to those who need it in order to provide you high-quality support, following the principle of least privilege. We use Google account infrastructure to verify employee account identity and require physical security keys and/or two-factor authentication for all internal applications, without exception. Additionally, all elevated permissions require the use of our corporate virtual private network (VPN).

Our dashboard password policy follows NIST guidelines, requiring a minimum length, use of complex passwords, password rotation every 90 days, and account lockout after multiple consecutive failed login attempts.

We also have all the “people security” elements you’d expect to see:

  • Background checks for our employees
  • A process to maintain our information security policy
  • Annual Security Awareness Training for all employees
  • Termination/access removal processes

Activity Monitoring

Our systems gather extensive logs from all network devices and host systems. Our intrusion detection system then alerts the Security team on correlated events for investigation and response. All our logs are immutable and are retained for one year.

Additionally, service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems generate alerts when event counts or metric values exceed predetermined thresholds.
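To make the threshold-based alerting described above concrete, here is an added example (not Ordergroove's monitoring code) that parses constructed ingress log lines in an assumed format, buckets them per client into fixed 60-second windows, and raises an alert when a client's request count or its run of 401/403 responses exceeds a threshold. Log format, client identifiers, paths and thresholds are all constructed for the example.

```python
"""Threshold alerts over ingress logs (added example, not Ordergroove's code).

Log line format (assumed): "<ISO-8601 UTC> client=<id> path=<path> status=<code>".
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: key_A bursts, key_C collects repeated 403s, key_B is quiet.
SAMPLE_LOG = """\
2025-01-15T10:00:01Z client=key_A path=/v1/subscriptions status=200
2025-01-15T10:00:05Z client=key_A path=/v1/subscriptions status=200
2025-01-15T10:00:09Z client=key_B path=/v1/subscriptions status=200
2025-01-15T10:00:12Z client=key_A path=/v1/subscriptions status=200
2025-01-15T10:00:20Z client=key_C path=/v1/admin status=403
2025-01-15T10:00:25Z client=key_A path=/v1/subscriptions status=200
2025-01-15T10:00:31Z client=key_C path=/v1/admin status=403
2025-01-15T10:00:40Z client=key_A path=/v1/subscriptions status=200
2025-01-15T10:00:44Z client=key_C path=/v1/export status=403
2025-01-15T10:00:50Z client=key_A path=/v1/subscriptions status=200
2025-01-15T10:01:02Z client=key_B path=/v1/subscriptions status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)


def parse_log(text):
    """Parse log text into (timestamp, client, path, status) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["client"], m["path"], int(m["status"])))
    return events


def detect_threshold_breaches(events, window_seconds=60, max_requests=5, max_denied=3):
    """Fixed per-client windows; alert on request volume or repeated 401/403 responses.

    Returns (client, window_start_iso, kind, count) tuples, volume alerts first.
    """
    requests = Counter()
    denied = Counter()
    for ts, client, _path, status in events:
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        requests[(client, bucket)] += 1
        if status in (401, 403):
            denied[(client, bucket)] += 1

    def iso(bucket):
        return datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    alerts = []
    for (client, bucket), n in sorted(requests.items()):
        if n > max_requests:
            alerts.append((client, iso(bucket), "request_volume", n))
    for (client, bucket), n in sorted(denied.items()):
        if n >= max_denied:
            alerts.append((client, iso(bucket), "repeated_denials", n))
    return alerts


if __name__ == "__main__":
    for alert in detect_threshold_breaches(parse_log(SAMPLE_LOG)):
        print(alert)
```

Fixed windows are simpler than sliding ones and good enough for a first alert; the repeated-denials rule is the one that catches a client probing paths beyond its permissions, which is the case the Prohibited Activities list above names.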

Business Continuity

Our high-availability platform architecture, resiliency practices, and the requirements built into our development and operational processes enable billions of global transactions every year. The infrastructure follows scalability best practices for reliable uptime, including the use of multiple data center regions and multiple availability zones, auto-scaling, load balancing, task queues, and rolling deployments.

We take daily automated full backups of our databases and test the backup restores at least annually. All backups are encrypted at rest.

Outages, service degradation, and maintenance windows are communicated via our Status Page. Subscribe to our status page to receive direct email or text updates.

Vulnerability Testing

Network Security Scanning

Recurring network security scanning and vulnerability scanning give us deep insight for quickly identifying out-of-compliance or potentially vulnerable systems.

Vulnerability Patching

All servers and containers that run Ordergroove software in production are continuously patched Linux systems.

Penetration Tests

Once a year or upon major infrastructure changes, Ordergroove goes through penetration testing using a third-party security vendor. The vendor runs external and internal penetration tests and also goes through our code to identify any potential security vulnerabilities.

Vulnerability Disclosure

If you would like to report a security concern or are aware of an incident, please email security@ordergroove.com or contact our support team.

© 2025 Ordergroove. All rights reserved.