Security
From housing records to behavioral health data, Groundrise is built with the security posture that nonprofits, government agencies, and their clients deserve.
How it works
Security at Groundrise is built in layers: infrastructure, access controls, and governance. Each one is independently meaningful. Together they cover what the organizations we serve actually need.
All data is encrypted with AES-256, scrambled so it can't be read even if intercepted, both when it's stored and when it's moving across the network. Automatic point-in-time backups run continuously, so data can be restored to any moment. The underlying infrastructure is ISO 27001 certified and SOC 2 compliant, meaning it has been independently audited and verified to meet internationally recognized security standards.
Every user sees only what they're permitted to see and that permission is enforced at the database level, not just the interface. A social service worker at one site cannot see clients or data from another site. One organization's data is completely isolated from every other organization on the platform. Role-based access is strict: admins, social service workers, and clients each have clearly defined and enforced boundaries.
Every action taken in Groundrise is logged: who accessed a record, who changed what, when, and from where. Admins can review the full activity log at any time. Groundrise maintains a written Information Security and Data Protection Protocol, available to clients upon request. For organizations subject to compliance requirements, documentation is available to support procurement and legal review.
Data ownership
We have a simple position on data: it belongs to your organization, not to us. That's not a marketing line. It has real implications for how we operate.
Full data export is available at any time, in a portable format. If you ever leave Groundrise, you leave with everything you brought in and everything you built. No data held hostage, no extraction fees.
Your client records are never sold to third parties, shared with advertisers, or used to train models. The only purpose your data serves is delivering the platform to your organization.
Annual contracts include a 30-day data export window upon termination. We'd rather earn your continued business than make it painful to leave. That's the only accountability that matters.
HIPAA
Standard Groundrise is not a HIPAA-covered platform, and for most housing, workforce, and social service organizations, it doesn't need to be. But for organizations that work with mental health, substance use disorder, or other protected health information, HIPAA-compliant infrastructure is available as an add-on.
Activating the HIPAA add-on upgrades your environment and includes a signed Business Associate Agreement (the formal legal commitment required under HIPAA when a vendor handles protected health information on your behalf).
Mental health programs, substance use disorder services, wraparound care organizations, and any org that handles protected health information as defined under HIPAA.
HIPAA-compliant infrastructure upgrade, signed Business Associate Agreement, and encrypted SMS messaging for clinical communications.
Available as an add-on to any tier. Activates upon signed BAA addendum. Discuss during your demo if this applies to your organization.
Security documentation
Groundrise maintains a formal Information Security and Data Protection Protocol covering 12 areas, from access controls and encryption to incident response and vendor management. It's available to clients and prospects upon request, and is designed to support procurement review for government agencies and large nonprofits.
If your organization requires security documentation as part of a procurement process, contact us and we'll provide what you need.
We're happy to provide documentation, answer procurement questions, or walk through our security posture on a call.