Groupho Security Policy

EFFECTIVE DATE: APRIL 11, 2025

Overview

At Groupho, we take the protection of user data extremely seriously. This Security Policy describes the organizational and technical measures Groupho implements platform-wide, designed to prevent unauthorized access, use, alteration, or disclosure of user data. Groupho services are built with Next.js and run on Vercel and Supabase platforms. We recommend you also review our Terms of Service and Privacy Policy.

Security Team

Our team consists of developers with web application security experience who are dedicated to ensuring the security and reliability of our platform.

Best Practices

Incident Response Plan

  • We have implemented formal security incident handling procedures and trained all team members on our policies.
  • When security events are detected, they are promptly escalated, and our team is assembled to rapidly address the issue.
  • After resolving a security incident, we conduct a post-incident analysis.
  • Analysis results are reviewed within the team and include action items to improve detection and prevention of similar incidents in the future.
  • If a security breach affecting your data occurs, Groupho will notify you in writing promptly after the breach has been confirmed. The notification will describe what happened and the status of our investigation.

Build Process Automation

  • We use automated deployment processes to ensure safe and reliable updates to our application and platform in a timely manner.
  • Because deployments are automated and fast, security fixes can be shipped as soon as they are ready rather than waiting for a release cycle.

Authentication

  • We leverage Supabase's robust authentication system, supporting email/password login and Google OAuth login.
  • We implement strong password policies and industry-standard authentication flows.
  • Sensitive operations require users to re-authenticate.

Infrastructure

  • All our services run in the cloud. Groupho does not operate its own routers, load balancers, DNS servers, or physical servers.
  • Our application is hosted on Vercel and protected by Vercel's security measures.
  • Our data is hosted on Supabase and protected by Supabase's security measures, with underlying infrastructure provided by AWS.
  • Groupho services are designed with disaster recovery in mind. We back up all data stores containing user data.

Application Monitoring

  • All access to Groupho applications is logged.
  • Actions taken in production environments or the Groupho application are logged.

Data

  • Groupho data is hosted on Supabase, with underlying infrastructure provided by AWS in a US region.
  • User data is stored in multi-tenant data stores; we do not have individual data stores for each user. However, access controls in our application code scope every request to the authenticated user, so one user cannot read or modify another user's data (logical separation).
  • Each Groupho system used to process user data is properly configured and patched using industry-recognized system hardening standards.
  • Groupho uses specific third-party processors (including Vercel, Supabase, and AWS) to process user data.
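The logical separation described above depends on one rule: every query against a shared table is filtered by the identity of the authenticated user, taken from the verified session and never from a client-controlled parameter. The following is an added illustration of that rule, not Groupho's own code; the in-memory "notes" table, its rows, and the function and field names are constructed for the example. It shows the unscoped lookup that causes an insecure direct object reference alongside the scoped lookup a Next.js route handler should use.

```javascript
// Constructed multi-tenant table: one "notes" table shared by all users,
// with an owner_id column that records which user each row belongs to.
const NOTES = [
  { id: 'n1', owner_id: 'user-a', body: 'alice private note' },
  { id: 'n2', owner_id: 'user-b', body: 'bob private note' },
  { id: 'n3', owner_id: 'user-a', body: 'alice second note' },
];

// VULNERABLE: trusts the id from the request and never checks ownership.
// Any authenticated user who guesses or enumerates "n2" reads Bob's row
// (an insecure direct object reference).
function getNoteUnscoped(noteId) {
  return NOTES.find((n) => n.id === noteId) ?? null;
}

// HARDENED: the caller's identity comes from the verified session, and the
// predicate always includes owner_id. A row that exists but belongs to
// someone else is indistinguishable from a row that does not exist, so a
// caller cannot probe which ids are in use.
function getNoteForUser(sessionUserId, noteId) {
  if (typeof sessionUserId !== 'string' || sessionUserId.length === 0) {
    return null; // no verified session, no data
  }
  return (
    NOTES.find((n) => n.id === noteId && n.owner_id === sessionUserId) ?? null
  );
}

// Listing follows the same rule: the filter is derived from the session,
// never from a query string.
function listNotesForUser(sessionUserId) {
  return NOTES.filter((n) => n.owner_id === sessionUserId).map((n) => n.id);
}

// Sketch of a route handler (hypothetical shape). The only requirement is
// that session.userId was set by the server after verifying the login and
// that params.id is the sole value taken from the client.
function handleGetNote(session, params) {
  const note = getNoteForUser(session?.userId, params.id);
  return note ? { status: 200, body: note } : { status: 404, body: null };
}
```

When the data store is Postgres, the same predicate can be enforced in the database as well as in application code so that a forgotten filter in one handler does not become a cross-tenant leak; the application-level check shown here is the minimum the policy statement implies.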

Data Transfer

  • Groupho is served entirely over HTTPS.
  • All data sent to or from Groupho is encrypted in transit using TLS with 256-bit symmetric ciphers.
  • Our API and application endpoints accept TLS connections only.
  • We use industry-standard encryption algorithms to encrypt all sensitive data.

User Responsibilities

  • Managing your own user account on Groupho.
  • Protecting your account and credentials, including securing the email account you use to sign in to Groupho services.
  • Complying with the terms of service agreement with Groupho, including adherence to applicable laws.
  • Promptly notifying Groupho if your credentials have been compromised or if you suspect potentially suspicious activities that could negatively impact Groupho services or your account.
  • Not performing any security penetration tests or security assessment activities without Groupho's express prior written consent.