Security

Security at Grove

Patient health data is among the most sensitive information that exists. We treat it that way. Security is not a feature — it is the foundation everything is built on.

Compliance and controls: PIPEDA compliant, HIPAA ready, UK GDPR, AES-256 encryption, TLS 1.2+, Canadian data residency, BAA at signup, immutable audit logs.

Encryption: Data encrypted everywhere
All data is encrypted in transit using TLS 1.2 or higher. All data at rest is encrypted using AES-256. Encryption keys are managed separately from the data they protect.

Access Control: Role-based permissions
Owner, Provider, Staff, and Patient roles have distinct access levels. Patients can only see their own released records. Staff cannot access billing. Every rule is enforced at the database layer.

Audit Trail: Every action logged
An immutable audit log records who accessed what, when, and from which device. Result releases, patient notifications, and record edits are permanently timestamped. This record is required for medico-legal protection.

Infrastructure: Canadian data residency
All patient data is stored in Canada (ca-central-1, Montreal) on Supabase infrastructure. Data does not leave Canada, except that non-health information may be processed outside Canada where the core service requires it.

Authentication: Secure login
Email and password authentication with bcrypt password hashing. Magic link (passwordless) login is available. MFA is available on request. Sessions expire automatically after a period of inactivity.

Business Associate: BAA signed at signup
A Business Associate Agreement is executed automatically at signup for all plans. This satisfies the HIPAA requirement for covered entities and business associates. A copy is available in your dashboard.
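What "enforced at the database layer" and "immutable audit log" can look like on the PostgreSQL that Supabase runs, as an added illustration and not Grove's own schema: the tables, columns and the app_role() helper are assumptions, and auth.uid() is Supabase's function returning the authenticated user's JWT subject.

```sql
-- Constructed illustration, not Grove's schema. Supabase runs PostgreSQL, so
-- "enforced at the database layer" can be expressed as row-level security.
-- Table and column names are assumptions; auth.uid() is Supabase's JWT subject.
create table clinic_users (
  user_id uuid primary key,
  role text not null check (role in ('owner', 'provider', 'staff', 'patient'))
);
create table records (
  id bigserial primary key,
  patient_id uuid not null references clinic_users (user_id),
  released boolean not null default false
);
create table invoices (
  id bigserial primary key,
  patient_id uuid not null references clinic_users (user_id),
  amount_cents integer not null
);
-- Role of the caller. security definer lets it read clinic_users even when
-- that table is itself protected by RLS; search_path is pinned for safety.
create function app_role() returns text
language sql stable security definer set search_path = public as $$
  select role from clinic_users where user_id = auth.uid()
$$;
-- Deny by default: once RLS is enabled, rows with no matching policy are invisible.
alter table records enable row level security;
alter table invoices enable row level security;
-- Patients read only their own released records; clinical roles read all.
create policy records_read on records for select using (
  app_role() in ('owner', 'provider', 'staff')
  or (app_role() = 'patient' and patient_id = auth.uid() and released)
);
-- Staff get no invoices policy, so staff queries on billing return no rows.
create policy invoices_read on invoices for select using (
  app_role() in ('owner', 'provider')
  or (app_role() = 'patient' and patient_id = auth.uid())
);
-- Immutable audit trail: inserts allowed, updates and deletes rejected.
create table audit_log (
  id bigserial primary key,
  actor uuid, action text not null, target text,
  occurred_at timestamptz not null default now()
);
create function audit_log_readonly() returns trigger language plpgsql as $$
begin raise exception 'audit_log is append-only'; end $$;
create trigger audit_log_no_change
  before update or delete on audit_log
  for each row execute function audit_log_readonly();
```

The trigger stops edits made through the application's database role; the table owner can still drop it, so the application should connect as a role without DDL privileges and the policies should be checked by querying as each role, since RLS does not apply to table owners unless it is forced.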

Vulnerability Disclosure

If you discover a security vulnerability in Grove, please report it responsibly to security@getgrovemd.com. We will acknowledge your report within 24 hours and work to resolve confirmed vulnerabilities as quickly as possible. We do not pursue legal action against good-faith security researchers.

Incident Response

In the event of a security incident affecting patient data, Grove will notify affected practices within 72 hours as required by PIPEDA, HIPAA, and other applicable regulations. We maintain an incident response plan that is reviewed and tested regularly.

Questions

Security questions: security@getgrovemd.com
General: hello@getgrovemd.com