Trust
Security
Effective May 19, 2026.
groupr is a young product. We don't have SOC 2 certification yet. Here is what we do have, and how to talk to us if something looks wrong:
In transit
All traffic to groupr is served over TLS 1.2 or higher. We use HSTS to prevent protocol downgrade.
At rest
Customer data is stored in encrypted DigitalOcean managed Postgres and Spaces volumes (AES-256). Passwords are hashed with bcrypt (work factor 12). OAuth access tokens for integrations are held by Composio, our integrations broker (see sub-processors).
Authentication
Today, groupr supports password login with an email verification step on signup. Multi-factor authentication (TOTP and WebAuthn) and SSO (SAML 2.0 / SCIM 2.0) are on the roadmap for enterprise tiers — not shipped yet. If your organization needs SSO, write to [email protected] and tell us so we can prioritize.
AI content
We do not train AI models on your content. Your messages are sent to the LLM provider you've configured for a given agent (default: Anthropic Claude), and only when that agent is invoked. We use zero-retention configurations with the providers where they're offered. For channels where you'd rather not send any content to a model, you will be able to disable AI per channel; that's coming in Sprint 2 and will be reflected in the channel UI when shipped.
Compliance and certifications
groupr is not currently SOC 2, ISO 27001, or HIPAA-certified, and we do not offer a Business Associate Agreement. If you handle Protected Health Information, payment card data, or other regulated content, please don't put it into groupr today. We'll update this page when we earn certifications.
Reporting a vulnerability
If you find a security issue, please report it privately to [email protected] with the subject line "Security report." We'll respond within two business days. Please don't publicly disclose the issue until we've had a chance to investigate. We don't have a paid bug bounty yet, but we'll acknowledge contributors publicly with permission.
Incident response
If a security incident affects your data, we will notify you by email within 72 hours of confirming the incident, describe what we know, and tell you what we're doing about it.
Appmakey LLC · [email protected]