Your data is our top priority!
Ordergroove constantly strives to deliver best-in-class services and security for all our customers. Ordergroove is compliant with the Payment Card Industry (PCI) and the General Data Protection Regulation (GDPR). Ordergroove stores data securely with Google Cloud Platform which holds a SOC 2 Type II attestation. Our data is encrypted both in transit (TLS 1.2+) and at rest (AES-256), and we integrate directly with your eCommerce platform so that we never receive or store any payment sensitive information.
Ordergroove holds a Level 1 compliance with the Payment Card Industry Data Security Standards (PCI DSS), commonly referred as “PCI compliance”, and undergoes an annual data security audit with a third party security assessor. To request the latest signed Attestation of Compliance, reach out to the Ordergroove Support team.
Ordergroove can provide a SOC 2 Type II report from our cloud provider upon request. Our services are hosted entirely on Google Cloud Platform and the report details the ways in which we leverage the massive investments that Google continues to make in security to the benefit of our merchants and your customers.
The General Data Protection Regulation (GDPR) is a data regulation enacted by the European Union to safeguard the rights of consumers in the European Union, superseding the 1995 Data Protection Directive and increasing requirements for data security and privacy beyond the Directive.
Ordergroove is GDPR Compliant.
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.
Ordergroove is CCPA Compliant.
Ordergroove production data is entirely processed and stored within Google Cloud Platform’s world-renowned data centers, which use state-of-the-art layered security model, alerting, and auditing measures, including:
Our data centers are all in the United States. Our primary data center is located in Iowa (us-central1) and our disaster recovery data center is located in South Carolina (us-east1). All of our data centers leverage Google Cloud Firewalls for high scalability and granular control of our firewall rules and policies.
All communications with Ordergroove UIs and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Ordergroove is fully secure during transit. Additionally, for email integrations, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.
All Personally Identifiable Information (PII) data along with data backups are encrypted at rest in Google Cloud Platform using AES-256 key encryption.
Our production network segments are logically isolated from other Corporate, Staging, QA, and Development segments.
We maintain strict governance and protection standards to ensure data is appropriately stored, processed, and handled by our people, systems, and technology.
All changes to our source code destined for production systems are subject to code review by a qualified engineering peer or manager. The code change also has to pass an extensive automated test suite. Code Reviews and Automated Tests include security, performance, and potential-for-abuse analysis. Our engineers are continuously trained for security analysis, including OWASP Top 10 security risks.
Prior to updating production services, all contributors to the updated software version are required to approve that their changes are working as intended on staging servers.
API Terms of Use for Ordergroove. These terms outline the responsibilities and obligations of both the merchant (“Customer”) and Ordergroove (“Service Provider”) regarding the use of our API. By accessing and using our API, you agree to comply with these terms. Please read them carefully.
Authorization: Ordergroove provides the Customer with access to our API, allowing them to create and manage keys through a self-service interface. The Customer agrees to use the API strictly in accordance with these terms.
Key Security: The Customer is solely responsible for the security and confidentiality of their API keys. They must take all necessary precautions to prevent unauthorized access or use of their keys. Any unauthorized use of API keys should be reported immediately to Ordergroove. Following are some of the best practices we recommend that will help keeping the key secure:
Prohibited Activities: The Customer agrees not to engage in any activities that may cause harm to Ordergroove or its systems. Prohibited activities include, but are not limited to:
Ownership: Ordergroove retains all intellectual property rights in and to the API, including any updates, modifications, or enhancements made to it.
License: Ordergroove grants the Customer a limited, non-exclusive, non-transferable license to use the API solely for the purpose of integrating it with their applications and accessing the services provided by Ordergroove.
Limitation of Liability
Service Availability: While Ordergroove strives to provide uninterrupted access to the API, we do not guarantee that it will be error-free or available at all times. Ordergroove reserves the right to perform maintenance or updates that may temporarily disrupt API availability.
Indirect Damages: Ordergroove shall not be liable for any indirect, incidental, consequential, or punitive damages arising out of or in connection with the use or inability to use the API, even if we have been advised of the possibility of such damages.
Maximum Liability: In any event, the total liability of Ordergroove for any claims related to the API shall not exceed the total fees paid by the Customer to Ordergroove in the preceding twelve (12) months.
Our APIs may evolve and change over time. While we do our best to notify developers of major changes in advance, we reserve the right to modify our APIs, cease to offer support for our APIs, or require you to use our APIs in a different manner at any time without notice.
We may update these API Terms from time to time by posting an updated version to our website and any such updates will be effective upon posting. When we update these API Terms, the “Updated” date above will be updated to reflect the date of the most recent version. Your continued use of our APIs constitutes your acceptance of the modified API Terms. We encourage you to review these API Terms regularly.
You may be given access to certain non-public information, software, and specifications relating to our APIs (“Confidential Information“), which may include your credentials as well as any materials, communications or other information that is marked confidential or that would reasonably be considered confidential under the circumstances. You may use Confidential Information only as necessary in exercising your rights granted under these API Terms. You may not disclose any Confidential Information to any third party without our prior written consent. You agree that you will protect any Confidential Information from unauthorized use, access, or disclosure in the same manner that you would use to protect your own confidential and proprietary information.
Termination by Customer: The Customer may terminate their access to the API at any time by providing written notice to Ordergroove. Upon termination, the Customer’s API keys will be deactivated, and they will no longer have access to the API.
Termination by Ordergroove: Ordergroove reserves the right to suspend or terminate the Customer’s access to the API immediately, without prior notice, if the Customer violates these terms or engages in any unauthorized or prohibited activities.
Termination by Ordergroove: Ordergroove reserves the right to suspend or terminate the Customer’s access to the API immediately, without prior notice, if the Customer violates these terms or engages in any unauthorized or prohibited activities.
Modification: Ordergroove reserves the right to modify these API Terms of Use at any time. Any changes will be communicated to the Customer through the API documentation or by other means.
Governing Law: These terms shall be governed by and construed in accordance with the laws of [Your Jurisdiction]. Any disputes arising out of or in connection with these terms shall be subject to the exclusive jurisdiction of the courts of [Your Jurisdiction].
Entire Agreement: These API Terms of Use constitute the entire agreement between the Customer and Ordergroove regarding the use of the API and supersede any prior agreements or understandings, whether written or oral.
If you have any questions or concerns about these terms, please contact Ordergroove at support@ordergroove.com
By using our API, you acknowledge that you have read, understood, and agree to be bound by these API Terms of Use.
Integrating with Ordergroove means that you get the best security settings out of the box:
Access to our systems and your data is restricted only to those who need access in order to provide you high-quality support, following the Principle of Least Privilege. We use Google account infrastructure to verify employee account identity and require physical security keys and/or two-factor authentication for all internal applications without exception. Additionally, all elevated permissions require the use of our corporate virtual private network (VPN).
Our dashboard password policy follows the NIST guidelines requiring a minimum length, usage of complex password, password rotation every 90 days, and account lockout after multiple consecutive failed login attempts.
We also have all the “people security” elements you’d expect to see:
Our systems gather extensive logs from all network devices and host systems. Our Intrusion Detection System will then alert on triggers that will notify the Security team based on correlated events for investigation and response. All our logs are entirely immutable and are available for one year.
Additionally, service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds.
Our high-availability platform architecture, resiliency practices, and requirements built into our development and operational processes enable billions of global transactions every year. The infrastructure utilizes scalability best practices for increasingly reliable uptime, including the use of multiple data centers regions and multiple availability zones, auto-scaling, load balancing, task queues, and rolling deployments.
We take daily automated full backups of our databases and test the backup restores at least annually. All backups are encrypted at rest.
Outages, service degradation, and maintenances are communicated via our Status Page. Feel free to subscribe to our status page to get direct email or text updates.
Recurring Network Security Scanning and Vulnerability Scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
All servers and containers that run Ordergroove software in production are continuously patched Linux systems.
Once a year or upon major infrastructure changes, Ordergroove goes through penetration testing using a third-party security vendor. The vendor runs external and internal penetration tests and also goes through our code to identify any potential security vulnerabilities.
If you would like to report a security concern or are aware of an incident, please send us an email to security@ordergroove.com or our support team.