Ordergroove Security

Your data is our top priority!

Ordergroove constantly strives to deliver best-in-class services and security for all our customers. Ordergroove is compliant with the Payment Card Industry (PCI) and the General Data Protection Regulation (GDPR), holds a SOC 2 Type II attestation, and stores data securely with Google Cloud Platform. Our data is encrypted both in transit (TLS 1.2+) and at rest (AES-256), and we integrate directly with your eCommerce platform so that we never receive or store any payment sensitive information.

Compliance & Certifications

PCI Compliance – Level 1

Ordergroove holds a Level 1 compliance with the Payment Card Industry Data Security Standards (PCI DSS), commonly referred as “PCI compliance”, and undergoes an annual data security audit with a third party security assessor. To request the latest signed Attestation of Compliance, reach out to the Ordergroove Support team.

SOC 2 Type II

Ordergroove can provide a SOC 2 Type II report from our cloud provider upon request. Our services are hosted entirely on Google Cloud Platform and the report details the ways in which we leverage the massive investments that Google continues to make in security to the benefit of our merchants and your customers.

GDPR Compliance

The General Data Protection Regulation (GDPR) is a data regulation enacted by the European Union to safeguard the rights of consumers in the European Union, superseding the 1995 Data Protection Directive and increasing requirements for data security and privacy beyond the Directive.

Ordergroove is GDPR Compliant.

CCPA Compliance

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.

Ordergroove is CCPA Compliant.

Physical Security

Ordergroove production data is entirely processed and stored within Google Cloud Platform’s world-renowned data centers, which use state-of-the-art layered security model, alerting, and auditing measures, including:

  • custom-designed electronic access cards
  • vehicle access barriers
  • perimeter fencing
  • metal detectors
  • biometric checks
  • laser beam intrusion detection
  • monitored 24/7 by high-resolution interior and exterior cameras and trained security guards
  • redundant power systems

Our data centers are all in the United States. Our primary data center is located in Iowa (us-central1) and our disaster recovery data center is located in South Carolina (us-east1). All of our data centers leverage Google Cloud Firewalls for high scalability and granular control of our firewall rules and policies.

Data Protection

Encryption in Transit

All communications with Ordergroove UIs and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Ordergroove is fully secure during transit. Additionally, for email integrations, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.

Encryption at Rest

All Personally Identifiable Information (PII) data along with data backups are encrypted at rest in Google Cloud Platform using AES-256 key encryption.

Isolated Environments

Our production network segments are logically isolated from other Corporate, Staging, QA, and Development segments.

Data Policy

We maintain strict governance and protection standards to ensure data is appropriately stored, processed, and handled by our people, systems, and technology.

Software Security

Software Delivery Life Cycle (SDLC)

All changes to our source code destined for production systems are subject to code review by a qualified engineering peer or manager. The code change also has to pass an extensive automated test suite. Code Reviews and Automated Tests include security, performance, and potential-for-abuse analysis. Our engineers are continuously trained for security analysis, including OWASP Top 10 security risks.

Prior to updating production services, all contributors to the updated software version are required to approve that their changes are working as intended on staging servers.

API Authentication

Ordergroove relies on HMAC signatures for API Authentication. More information about our Authentication can be found inside our Developer Documentation.

Operational Security

Customer Payment Information

Integrating with Ordergroove means that you get the best security settings out of the box:

  • We do not have access to your customers’ Primary Account Number (PAN) or credit card numbers
  • We receive a token ID as a payment identifier during enrollment that we send back to your platform for processing recurring orders
  • For the best customer experience in the Subscription Management Interface (SMI) and easier management of expired credit cards, we can display information like the last four digits of the credit card and the expiration date

Access Management

Access to our systems and your data is restricted only to those who need access in order to provide you high-quality support, following the Principle of Least Privilege. We use Google account infrastructure to verify employee account identity and require physical security keys and/or two-factor authentication for all internal applications without exception. Additionally, all elevated permissions require the use of our corporate virtual private network (VPN).

Our dashboard password policy follows the NIST guidelines requiring a minimum length, usage of complex password, password rotation every 90 days, and account lockout after multiple consecutive failed login attempts.

We also have all the “people security” elements you’d expect to see:

  • Background checks for our employees
  • A process to maintain our information security policy
  • Annual Security Awareness Training for all employees
  • Termination/access removal processes

Activity Monitoring

Our systems gather extensive logs from all network devices and host systems. Our Intrusion Detection System will then alert on triggers that will notify the Security team based on correlated events for investigation and response. All our logs are entirely immutable and are available for one year.

Additionally, service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds.

Business Continuity

Our high-availability platform architecture, resiliency practices, and requirements built into our development and operational processes enable billions of global transactions every year. The infrastructure utilizes scalability best practices for increasingly reliable uptime, including the use of multiple data centers regions and multiple availability zones, auto-scaling, load balancing, task queues, and rolling deployments.

We take daily automated full backups of our databases and test the backup restores at least annually. All backups are encrypted at rest.

Outages, service degradation, and maintenances are communicated via our Status Page. Feel free to subscribe to our status page to get direct email or text updates.

Vulnerability Testing

Network Security Scanning

Recurring Network Security Scanning and Vulnerability Scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

Vulnerability Patching

All servers and containers that run Ordergroove software in production are continuously patched Linux systems.

Penetration Tests

Once a year or upon major infrastructure changes, Ordergroove goes through penetration testing using a third-party security vendor. The vendor runs external and internal penetration tests and also goes through our code to identify any potential security vulnerabilities.

Vulnerability Disclosure

If you would like to report a security concern or are aware of an incident, please send us an email to security@ordergroove.com or our support team.