Ordergroove Security Overview

Your data is our top priority at Ordergroove

Ordergroove constantly strives to deliver best-in-class service, reliability and security for all our customers. Ordergroove is validated at Level 1 under the Payment Card Industry Data Security Standard (PCI DSS), is compliant with the General Data Protection Regulation (GDPR), can provide its cloud provider's SOC 2 Type II report on request, and stores data securely on Google Cloud Platform. Your data is encrypted both in transit (TLS 1.2 or higher) and at rest (AES-256), and we integrate directly with your eCommerce platform so that we never receive or store sensitive payment data such as card numbers.


Compliance & Certifications

PCI Compliance - Level 1

Ordergroove is validated at Level 1 under the Payment Card Industry Data Security Standard (PCI DSS), commonly referred to as "PCI compliance", and undergoes an annual assessment by a third-party Qualified Security Assessor (QSA). To request the latest signed Attestation of Compliance (AOC), please reach out to the Ordergroove Support team.

SOC 2 Type II

Ordergroove can provide the SOC 2 Type II report of our cloud provider upon request. Our services are hosted entirely on Google Cloud Platform, and the report covers the infrastructure, physical and operational controls that Google maintains for that platform, from which our merchants and your customers benefit. Note that a provider's report attests to the provider's controls, not to Ordergroove's own application and operational controls; the remaining sections of this page describe those. To request the latest SOC 2 report, please reach out to the Ordergroove Support team.

GDPR Compliance

The General Data Protection Regulation (GDPR) is a data protection regulation enacted by the European Union to safeguard the rights of individuals in the EU. It supersedes the 1995 Data Protection Directive and raises the requirements for data security and privacy beyond those of the Directive. The GDPR became enforceable on May 25, 2018.

Ordergroove is GDPR compliant. Please refer to this document in order to submit Data Subject Access Requests (DSARs) to Ordergroove.

CCPA Compliance

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law.

Ordergroove is CCPA compliant. Please refer to this document in order to submit Data Subject Access Requests (DSARs) to Ordergroove.


Physical Security

Ordergroove production data is processed and stored entirely within Google Cloud Platform's data centers, which use a state-of-the-art layered physical security model with alerting and auditing measures, including:

  • Custom-designed electronic access cards
  • Vehicle access barriers
  • Perimeter fencing
  • Metal detectors
  • Biometric checks
  • Laser beam intrusion detection
  • Monitored 24/7 by high-resolution interior and exterior cameras and trained security guards
  • Redundant power systems

All of our data centers are in the United States. Our primary region is Iowa (us-central1) and our disaster recovery region is South Carolina (us-east1). In every region we use Google Cloud VPC firewall rules for scalable, granular control of our network policies.


Data Protection

Encryption in Transit

All communications with Ordergroove UIs and APIs over public networks are encrypted with industry-standard HTTPS/TLS (TLS 1.2 or higher), which protects traffic between you and Ordergroove from eavesdropping and tampering in transit. For email integrations, our product uses opportunistic TLS by default: mail is delivered over an encrypted connection whenever the receiving mail server supports STARTTLS, which mitigates eavesdropping between mail servers. Because this protection is opportunistic, delivery falls back to plaintext if the peer does not offer TLS, so email should never be used to transmit secrets.

Encryption at Rest

All Personally Identifiable Information (PII) and all data backups are encrypted at rest in Google Cloud Platform using AES-256.

Isolated Environments

Our production network segments are logically isolated from other Corporate, Staging, QA, and Development segments.

Data Policy

We maintain strict governance and protection standards to ensure data is appropriately stored, processed, and handled by our people, systems, and technology.


Software Security

Software Delivery Life Cycle (SDLC)

Every change to source code destined for production is reviewed by a qualified engineering peer or manager and must pass an extensive automated test suite. Code review and automated tests cover security, performance, and potential-for-abuse analysis. Our engineers receive ongoing security training, including the OWASP Top 10 security risks.

Before a new software version is deployed to production, every contributor to that version must confirm that their changes work as intended on the staging servers.

Responsibility for using API keys

Today an API key grants access to every API endpoint exposed in the public docs; a key cannot yet be scoped to specific endpoints. We plan to let merchants restrict a key's permissions to particular endpoints in the future. Until then, the merchant is responsible for safeguarding each key and for any use of that key to access or act on data in the Ordergroove system, since a leaked key grants full API access.

The following are some of the best practices that you should follow:

  • DO NOT embed API keys directly in code. Keys embedded in code are easily exposed, for example when the code is pushed to a repository or shipped in a build artifact. Store them in environment variables or in files outside your application's source code.
  • DO NOT store API keys in files inside your application's source tree. If you keep keys in files, keep those files outside the source tree so they do not end up in your source code control system. This is particularly important if you use a hosted source code management system such as GitHub or Bitbucket.
  • DO NOT store or expose your API keys on the client side.
    • If you are developing a web app, keep the key on a backend server that orchestrates the calls to the Ordergroove API. Never send the key to a browser.
    • If you are developing a mobile app, do not ship the key inside the app either. Tools exist that let a malicious actor reverse-engineer your app and extract embedded keys, and if you ever need to rotate a key you would depend on every user updating the app before it stops working.
    • If you need to make a call from the front end, create a proxy endpoint in your backend and call the Ordergroove API from there, so that third-party keys such as the ones issued by Ordergroove stay on a server you own.
  • Review your code before public release to ensure it does not contain API keys or any other secrets. Peer review strengthens code quality and shared responsibility.
  • Do not share a key with anyone who does not absolutely need it to run your applications.
  • Never share a key through email, instant messaging, screen sharing, screenshots, photos, or printouts. If you must share a key with someone, use a vault or password manager.
  • Do not reuse the same API key across multiple applications. Generate a separate key for each application, so that a compromise is contained and one key can be revoked without breaking the others.
  • If an API key is compromised, immediately contact Ordergroove to revoke it and issue a new one.
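The backend proxy pattern recommended above, written out as an added example (this is illustrative code, not Ordergroove's own). It assumes, hypothetically, that the key is read from an environment variable named ORDERGROOVE_API_KEY, that the upstream base URL comes from UPSTREAM_BASE_URL, that the upstream expects the key in an "Authorization: Bearer" header, and that the two allowlisted endpoint shapes stand in for whatever endpoints your front end genuinely needs. Two points the bullets do not spell out: the proxy must itself require a logged-in session, otherwise the key is effectively public, and it must allowlist the upstream surface, otherwise an attacker can use your key for any call the docs expose.

```python
"""Backend proxy that keeps a third-party API key server-side.

Added example, not Ordergroove code.  Hypothetical assumptions: the key lives
in ORDERGROOVE_API_KEY, the upstream base URL in UPSTREAM_BASE_URL, the
upstream wants "Authorization: Bearer <key>", and the allowlisted paths below
are placeholders for the endpoints your front end actually needs.
"""
import os
import re

JSON = {"Content-Type": "application/json"}

# Only these (method, path) shapes may be reached through the proxy.  The tight
# character class rules out query strings, "..", and extra path segments, so the
# browser cannot turn the proxy into an open relay for the whole API.
ALLOWED = {
    "GET": [re.compile(r"/v1/subscriptions/[0-9a-f-]{1,64}")],
    "POST": [re.compile(r"/v1/subscriptions/[0-9a-f-]{1,64}/skip")],
}

# Upstream response headers that are safe to relay back to the browser.
PASSTHROUGH_RESPONSE_HEADERS = {"Content-Type", "Cache-Control"}


def path_allowed(method, path):
    """True only if method and path fully match an allowlisted endpoint shape."""
    return any(rx.fullmatch(path) for rx in ALLOWED.get(method, []))


def load_api_key(env):
    """Read the key from the environment; never from source code or the client."""
    key = env.get("ORDERGROOVE_API_KEY", "")
    if not key:
        raise RuntimeError("ORDERGROOVE_API_KEY is not configured")
    return key


def handle_proxy(method, path, client_headers, body, send, session_user, env=None):
    """Handle one front-end request and forward it upstream with the server-side key.

    send(method, url, headers, body) performs the real HTTP call and returns
    (status, headers, body); it is injected so the handler can be exercised
    offline.  session_user is whatever your session layer resolved for the
    caller (None means not logged in).  Returns (status, headers, body).
    """
    env = os.environ if env is None else env

    # 1. The proxy itself must be authenticated, or the key is effectively public.
    if session_user is None:
        return 401, dict(JSON), b'{"error":"login required"}'

    # 2. Allowlist the upstream surface the front end may reach.  A real
    #    deployment also checks that session_user owns the referenced resource.
    if not path_allowed(method, path):
        return 403, dict(JSON), b'{"error":"endpoint not allowed"}'

    # 3. Build the upstream request from scratch: client headers are not
    #    forwarded, so a browser-supplied Authorization header never reaches
    #    upstream; only the Content-Type of a POST body is copied.
    upstream_headers = {
        "Authorization": "Bearer " + load_api_key(env),  # assumed header format
        "Accept": "application/json",
    }
    if method == "POST":
        upstream_headers["Content-Type"] = client_headers.get(
            "Content-Type", "application/json")

    url = env["UPSTREAM_BASE_URL"].rstrip("/") + path
    status, resp_headers, resp_body = send(method, url, upstream_headers, body)

    # 4. Relay only an allowlisted subset of response headers so upstream
    #    diagnostics (request ids, rate-limit internals) stay server-side.
    safe_headers = {k: v for k, v in resp_headers.items()
                    if k in PASSTHROUGH_RESPONSE_HEADERS}
    return status, safe_headers, resp_body


if __name__ == "__main__":
    # Offline demo with a constructed environment and a fake upstream.
    demo_env = {"ORDERGROOVE_API_KEY": "sk_constructed_example",
                "UPSTREAM_BASE_URL": "https://api.example.invalid/"}

    def fake_send(method, url, headers, body):
        print("upstream saw:", method, url, headers["Authorization"])
        return 200, {"Content-Type": "application/json"}, b'{"ok":true}'

    print(handle_proxy("GET", "/v1/subscriptions/0a1b2c",
                       {"Authorization": "Bearer from-browser"}, b"",
                       fake_send, "merchant-user-1", env=demo_env))
    print(handle_proxy("GET", "/v1/subscriptions/0a1b2c?x=1", {}, b"",
                       fake_send, "merchant-user-1", env=demo_env))
```

Because the key is injected only at step 3 from the server's environment, rotating it is a configuration change on the backend with no client update; the browser and mobile app only ever see your own session cookie or token.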

Operational Security

Customer Payment Information

Integrating with Ordergroove means that you get the best security settings out of the box:

  • We do not have access to your customers’ Primary Account Number (PAN) or credit card numbers
  • We receive a token ID as a payment identifier during enrollment that we send back to your platform for processing recurring orders
  • For the best customer experience in the Subscription Manager and easier management of expired credit cards, we can display information like the last four digits of the credit card and the expiration date
  • We require two-factor authentication for data exports that contain a customer's Personally Identifiable Information (PII).

Access Management

Access to our systems and your data is restricted to those who need it in order to provide you high-quality support, following the Principle of Least Privilege. We use Google account infrastructure to verify employee identity and require physical security keys and/or two-factor authentication for all internal applications, without exception. All elevated permissions additionally require a connection through our corporate virtual private network (VPN).

Our dashboard password policy requires a minimum length and a complex password, rotates passwords every 90 days, and locks the account after multiple consecutive failed login attempts. Note that the current NIST guidance (SP 800-63B) favours length and screening against known-breached passwords over composition rules and discourages forced periodic rotation, so the rotation and complexity requirements here are stricter than what NIST recommends rather than derived from it.

We also have all the “people security” elements you’d expect to see:

  • Background checks for our employees
  • A process to maintain our information security policy
  • Annual Security Awareness Training for all employees
  • Termination/access removal processes

Activity Monitoring

Our systems gather extensive logs from all network devices and host systems. Our intrusion detection system correlates these events and alerts the Security team on matching triggers for investigation and response. All logs are stored immutably and retained for one year.

Additionally, service ingress and egress points are instrumented and monitored to detect anomalous behaviour. These systems generate alerts when monitored values exceed predetermined thresholds.

Business Continuity

Our high-availability platform architecture, resiliency practices, and the requirements built into our development and operational processes enable billions of global transactions every year. The infrastructure follows scalability best practices for reliable uptime, including the use of multiple data center regions and multiple availability zones, auto-scaling, load balancing, task queues, and rolling deployments.

We take automated full backups of our databases every 12 hours (a recovery point of at most 12 hours) and test restores from backup at least annually. All backups are encrypted at rest.

Outages, service degradation, and maintenance windows are communicated via our Status Page. Subscribe to the status page to receive email or text updates directly.


Vulnerability Testing

Network Security Scanning

Recurring network security scanning and vulnerability scanning give us deep insight for quickly identifying out-of-compliance or potentially vulnerable systems.

Vulnerability Patching

All servers and containers that run Ordergroove software in production are continuously patched Linux systems.

Penetration Tests

Once a year, and after major infrastructure changes, Ordergroove undergoes penetration testing by a third-party security vendor. The vendor runs external and internal penetration tests and also reviews our code to identify potential security vulnerabilities.

Vulnerability Disclosure

If you would like to report a security concern or are aware of an incident, please email us at security@ordergroove.com or contact our support team.

The same content is also publicly available if you navigate to https://www.ordergroove.com/security/