GDPR Compliance

GroupBy is GDPR Ready

The General Data Protection Regulation (GDPR) is a European mandate that regulates the collection and processing of personal information (“PI”) of European residents. The GDPR became effective on May 25, 2018, and obligates organizations globally to protect this information.

This FAQ provides answers to questions from our customers about how the GroupBy platform is ready to meet GDPR compliance regulations.

What Personal Information ("PI") Data Does GroupBy Collect?

In accordance with GDPR, GroupBy only collects PI required to provide services for our platform. GroupBy believes in the importance of privacy and that end-user privacy should be protected. To that end, the only PI data GroupBy collects is end-user IP addresses using cookies placed on an end-user device, and only with consent provided by the end-user via the customer’s website privacy controls. The GroupBy platform never collects, accepts, processes or stores any direct PI (e.g. name, email) from end-users.

Data Security

GroupBy employs a wide range of security controls to protect customer data:

  • Data encryption (AES-256) at rest and in transit.

  • Secured service APIs and authenticated access.

  • Intrusion detection and resolution.

  • Access to systems is based on the principle of business need and requires approval.

  • Security is configured to grant the least amount of access required for functionality.

  • Watchdogs monitor system functionality and notify appropriate staff when operational issues are identified.

  • Full system logging on all systems and applications is enabled.

  • Physical data center controls include electronic access cards, vehicle access barriers, perimeter fencing, metal detectors, biometric access, and 24/7 monitoring of high-resolution interior and exterior cameras for intrusion detection.

Where Is Data Stored (Locality)?

For North American customers, data is stored in data centers in the U.S., with the primary data center located in Idaho. For European customers or subsidiaries, data is stored in a data center in Belgium.

Data Access

Customers can only access data associated with their specific account via user accounts and passwords managed by the customer in combination with a randomly generated security key. All data is encrypted at rest and in transit by default using AES-256.

Data Deletion and Data Retention

GroupBy permanently deletes all customer data within 180 days of the end of a contract, or at an earlier date upon customer request. Data is never retained beyond 180 days. Deleted data can never be recovered.

Third-Party Audits and Certifications

GroupBy completes annual audits for its Subscription Service for the following standards:

  • SOC 2 Type II (Security, Confidentiality, Availability, Processing Integrity, and Privacy)

The GroupBy Subscription Service operates on the Google Cloud Platform ("GCP"). Google undergoes independent audits regularly to provide assurances to customers on controls present in Google Cloud Platform data centers, infrastructure, and operations. Google has annual audits for the Google Cloud Platform for the following standards:

  • SSAE16 / ISAE 3402 Type II (SOC 1, SOC 2 and SOC 3)

  • ISO 27001

  • ISO 27017, Cloud Security

  • ISO 27018, Cloud Privacy

  • FedRAMP ATO for Google App Engine

Where can I obtain more information about Data Privacy at GroupBy?

Any questions or general comments can be directed to

Mailing address:

GroupBy Inc.

2 Berkeley Street, Suite 210

Toronto, Ontario M5A 4J5


ATTN: Privacy Officer