ISO 27001
Certified infrastructure
SOC 2 Compliant
Independently audited
AES-256 Encryption
At rest and in transit
Point-in-time backups
Continuous & restorable
Full audit log
Every action recorded
HIPAA-ready
BAA available

How it works

Three layers of
protection.

Security at Groundrise is built in layers: infrastructure, access controls, and governance. Each one is independently meaningful. Together they cover what the organizations we serve actually need.

Layer 01
Infrastructure & Encryption

All data is encrypted with AES-256, scrambled so it can't be read even if intercepted, both when it's stored and when it's moving across the network. Automatic point-in-time backups run continuously, so data can be restored to any moment. The underlying infrastructure is ISO 27001 certified and SOC 2 compliant, meaning it has been independently audited and verified to meet internationally recognized security standards.

ISO 27001: internationally recognized information security certification
SOC 2 compliant: independently audited data handling and controls
AES-256 encryption: data protected at rest and in transit
Point-in-time backups: continuous and restorable to any moment
U.S.-based storage: all data stored domestically
Layer 02
Access Controls

Every user sees only what they're permitted to see and that permission is enforced at the database level, not just the interface. A social service worker at one site cannot see clients or data from another site. One organization's data is completely isolated from every other organization on the platform. Role-based access is strict: admins, social service workers, and clients each have clearly defined and enforced boundaries.

Row-level security: access enforced in the database, not just the UI
Role-based permissions: admin, social service worker, and client tiers strictly enforced
Org data isolation: your organization's data never mingles with any other
Site-level scoping: workers see only the clients assigned to their sites
Layer 03
Governance & Audit

Every action taken in Groundrise is logged: who accessed a record, who changed what, when, and from where. Admins can review the full activity log at any time. Groundrise maintains a written Information Security and Data Protection Protocol, available to clients upon request. For organizations subject to compliance requirements, documentation is available to support procurement and legal review.

Full audit log: every login, record view, change, and export logged with timestamp
Admin-accessible activity log: reviewable directly in the platform
Written security protocol: available for review upon request
Procurement documentation: available for government and NGO requirements

Data ownership

Your data.
Always.

We have a simple position on data: it belongs to your organization, not to us. That's not a marketing line. It has real implications for how we operate.

You can export everything, anytime.

Full data export is available at any time, in a portable format. If you ever leave Groundrise, you leave with everything you brought in and everything you built. No data held hostage, no extraction fees.

We never sell or share your data.

Your client records are never sold to third parties, shared with advertisers, or used to train models. The only purpose your data serves is delivering the platform to your organization.

No lock-in by design.

Annual contracts include a 30-day data export window upon termination. We'd rather earn your continued business than make it painful to leave. That's the only accountability that matters.

HIPAA

For organizations handling health data.

Standard Groundrise is not a HIPAA-covered platform, and for most housing, workforce, and social service organizations, it doesn't need to be. But for organizations that work with mental health, substance use disorder, or other protected health information, HIPAA-compliant infrastructure is available as an add-on.

Activating the HIPAA add-on upgrades your environment and includes a signed Business Associate Agreement (the formal legal commitment required under HIPAA when a vendor handles protected health information on your behalf).

Who needs it

Mental health programs, substance use disorder services, wraparound care organizations, and any org that handles protected health information as defined under HIPAA.

What's included

HIPAA-compliant infrastructure upgrade, signed Business Associate Agreement, and encrypted SMS messaging for clinical communications.

How to activate

Available as an add-on to any tier. Activates upon signed BAA addendum. Discuss during your demo if this applies to your organization.

Security documentation

A written protocol,
not just a checkbox.

Groundrise maintains a formal Information Security and Data Protection Protocol covering 12 areas, from access controls and encryption to incident response and vendor management. It's available to clients and prospects upon request, and is designed to support procurement review for government agencies and large nonprofits.

If your organization requires security documentation as part of a procurement process, contact us and we'll provide what you need.

Information Security & Data Protection Protocol
Groundrise Corporation · v1.0
01
Information Security Policy
02
Data Classification & Handling
03
Access Control & Authentication
04
Encryption Standards
05
Audit Logging & Monitoring
06
Incident Response
07
Vendor & Third-Party Management
08
Data Retention & Deletion
09
Business Continuity & Backup
10
HIPAA Readiness
11
Staff Security Training
12
Compliance Roadmap

Questions about
security or compliance?

We're happy to provide documentation, answer procurement questions, or walk through our security posture on a call.