Overview
Growblocks takes data security, and ensuring the security and privacy of Growblocks customer data, seriously.
We are GDPR compliant, and minimise the use of and access to personal data across our data stack. Growblocks is currently working towards SOC2 and have ensured that all technical controls are in place and are working through our policy documentation.
Growblocks DPA is always available on our website: https://growblocks.com/dpa/
Some key principles:
- Strong authentication, including 2FA where possible, is used across our data stack and we have adopted the principle of least privilege with role based access for all employees.
- We constrain data processing to within Europe with our subprocessors all having their data hosting with the European Economic Area (EEA).
- Within our data stack data is encrypted at rest (AES-256) and in transit (TLS 1.2).
- Growblocks uses the best practices advised by our subprocessors, to ensure the configuration of our service is to the highest standard.
- We have adopted both Security and Privacy By Design principles and continue to review & improve our approach to both on an ongoing basis.
Growblocks Technical Architecture
Our technical stack comprises of Remix (development framework), Prefect, Snowflake and Fivetran - all hosted in the Google Cloud Platform. Prefect is hosted in Growblocks Google Cloud Platform, where Fivetran and Snowflake are cloud services which are hosted in their own instances of Google Cloud Platform.
Please contact the Growblocks team at support@growblocks.com if you require a technical architecture diagram.
Data Residency & Our Subprocessors
Please refer to our DPA, Appendix B for details on our subprocessors. All data is hosted in the EU. https://growblocks.com/dpa/
Growblocks Key Sub Processors
1. Snowflake: Data Warehouse
Security documentation: https://docs.snowflake.com/en/user-guide/admin-security.html
2. Data Pipelines: Fivetran
Security documentation: https://fivetran.com/docs/security
3. Data Hosting: Google Cloud Platform
Security Documentation:
Data protection
Data is stored in Snowflake. Snowflake encrypts data at rest using AES-256 encryption. See the header "Data Security" in the Snowflake security documentation for more details (https://docs.snowflake.com/en/user-guide/admin-security.html)
- All ingested data stored in Snowflake tables is encrypted using AES-256 strong encryption.
- All files stored in internal and external stages for data loading and unloading are automatically encrypted using AES-256 strong encryption.
- Periodic rekeying of encrypted data.
Data in transit is encrypted using TLS 1.2 or better with both Fivetran
(https://fivetran.com/docs/security#connectors) and Snowflake
Google also enforces encryption at rest (AES-256) and in transit (TLS 1.2 or higher) https://services.google.com/fh/files/misc/google-workspace-encryption-wp.pdf.
Audit Logging
Snowflake maintains a detailed query history, which can be used to verify if data has been accessed and by who: https://docs.snowflake.com/en/sql-reference/functions/query_history.html
It also maintains a login history:
Fivetran provides detailed logs on connector actions (e.g. connect, revoke, pause, changes to data schema etc.) and other user actions in the platform: https://fivetran.com/docs/logs
Google Workspace also provides a detailed change log and version history as part of the core functionality of the apps.
Anonymisation & Deletion
As required, Growblocks is able to anonymize personal data which we bring from the customer systems to our data stack. As per our DPA Growblocks will anonymize customer data 30 days after the completion of the contracted services.
Growblocks will only be able to access and pull the data that you, the customer, specify based on the access permissions you provide from your systems to the Growblocks Fivetran data loader.
If there are specific records, customer files etc., that you would like excluded then please talk to us so we can help you configure this correctly.
Password Management
Growblocks does not manage any user passwords. We provide a secure login either via Google SSO, Microsoft SSO or via an emailed magic link which provides a 1 time link for a registered user to login.
Role Based Access
We have developed our application to support role based access. Currently we only have 2 roles enabled:
- Customer User: Administrator
- Growblocks facing: CS Manager - used to provide support during Setup, Onboarding, and Support requests
Additional user roles with varying access rights will be enabled in the future. Rights are granted either by the CS Manager (during initial set up) or by the Administrator.
Software Development Lifecycle
We work in an agile manner with the following structures:
- Product Roadmap: 6 cycle rolling roadmap of prioritized features which is reviewed on a monthly basis. The review includes understanding user feedback and bringing in feature requests into the prioritization process
- 2 weeks cycles (also known as sprints): Scope of a cycle is guided by the Product Roadmap and broken down into detailed specifications during a refinement process
Cycle retrospective: reviewing the prior cycle with a focus of continuous improvement and customer feedback
- Continuous integration to PreProduction with automated regression testing
- Controlled releases to production - Production releases managed by the Lead Developers and Product managers.
- Separation of environments: Development, PreProduction, Production
- Enforced code reviews with at least two peers needing to review and approve any code changes prior to packing into a production release
Development tooling includes:
- Github: source control and release management
- Linear: Agile project management
- Notion: Documentation
Incident Management
We have a defined incident management process in place, which covers both security incidents and bugs. Issues can be reported to the Customer Success Manager either directly via email, or via Slack (if the customer has elected to set up a shared Slack channel). Additionally, the security team can always be contacted at security@growblocks.com