GDPR Compliance
How Grove protects your data and ensures compliance
Is Grove GDPR compliant?
Yes. Grove complies with UK GDPR and the Data Protection Act 2018. In GDPR terms, Grove is a data processor acting on behalf of your organisation, which is the data controller: you decide why and how employee data is processed, and Grove processes it only on your documented instructions. Our Data Protection Addendum (DPA), available at grove.hr/dpa, sets out those obligations and forms part of our terms of service.
Where is my data stored?
All customer data is stored on Hetzner Cloud servers in Helsinki, Finland (EU). We do not use AWS, Google Cloud, or any US-based infrastructure for primary data storage. "Primary data storage" is the precise claim: data that necessarily passes through one of our sub-processors (for example the recipient address and content of a transactional email, or payment details handled by Stripe) is processed wherever that sub-processor operates, as set out in our DPA.
How is my data encrypted?
We use TLS 1.3 for all data in transit and AES-256 encryption for data at rest, including database backups. Sensitive fields such as National Insurance numbers are additionally encrypted at the application level with dedicated field-level encryption keys, so their values are not readable by anyone who can query the database or read a backup without also holding the field keys.
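The paragraph above names the field-level layer but not how such a scheme is built. The following is an added example, not Grove's code, and assumes nothing about Grove's implementation beyond AES-256; it shows the shape a practitioner would expect: AES-256-GCM with a fresh random nonce per value, the employee ID and column name bound in as associated data so a ciphertext cannot be moved between rows or columns, and a key identifier stored with the ciphertext so keys can be rotated without re-encrypting everything at once. The names EncryptField, DecryptField, the key ID ni-2024-1 and the sample values emp-42 and QQ123456C are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// FieldKey is one AES-256 key plus the identifier stored alongside every
// ciphertext it produces, so rows encrypted before a rotation still decrypt.
type FieldKey struct {
	ID  string
	Key []byte // 32 bytes = AES-256
}

// fieldAAD is the associated data that GCM authenticates but does not encrypt.
// Binding the employee ID and column name means a ciphertext copied from one
// employee's ni_number column into another row or column fails to decrypt.
func fieldAAD(employeeID, field string) []byte {
	return []byte(employeeID + "\x00" + field)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("field key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField returns "<keyID>:" + base64(nonce || ciphertext || GCM tag).
func EncryptField(k FieldKey, employeeID, field, plaintext string) (string, error) {
	gcm, err := newGCM(k.Key)
	if err != nil {
		return "", err
	}
	// A fresh random nonce per value; reusing a nonce under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), fieldAAD(employeeID, field))
	return k.ID + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField looks up the key named in the stored value and verifies the tag
// against the expected employee and field before returning the plaintext.
func DecryptField(keys map[string]FieldKey, employeeID, field, stored string) (string, error) {
	parts := strings.SplitN(stored, ":", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed stored value")
	}
	k, ok := keys[parts[0]]
	if !ok {
		return "", fmt.Errorf("unknown key id %q", parts[0])
	}
	gcm, err := newGCM(k.Key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed stored value")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, fieldAAD(employeeID, field))
	if err != nil {
		// Wrong key, wrong row or column, and tampered bytes all look the same: reject.
		return "", errors.New("authentication failed")
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key. In production the key comes from a secrets manager or
	// KMS, is never stored next to the database, and rotation adds a new FieldKey
	// ID rather than overwriting this one.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	keys := map[string]FieldKey{"ni-2024-1": {ID: "ni-2024-1", Key: key}}

	// QQ123456C is a sample National Insurance number, not a real one.
	stored, err := EncryptField(keys["ni-2024-1"], "emp-42", "ni_number", "QQ123456C")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)

	pt, _ := DecryptField(keys, "emp-42", "ni_number", stored)
	fmt.Println("decrypted for emp-42:", pt)

	_, err = DecryptField(keys, "emp-43", "ni_number", stored) // same bytes, different row
	fmt.Println("replayed into emp-43:", err)
}
```

The associated data is what turns "encrypted at rest" into "encrypted per field": without it, an attacker with write access to the database could swap ciphertexts between employees and the application would happily decrypt the wrong person's number.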
Who are your sub-processors?
Our sub-processors are: Hetzner (cloud hosting, Finland), Resend (transactional email), Vercel (marketing website hosting), and Stripe (payment processing). A full list is maintained in our DPA at grove.hr/dpa. We notify customers before adding new sub-processors.
Can employees make data subject access requests (DSARs)?
Yes. Under UK GDPR an employee makes a subject access request to your organisation as the data controller, and you normally have one month to respond (Article 12(3)). As an admin, you can export an employee's full data record from their profile page (Profile > Actions > Export Data). This generates a JSON file with all stored personal data, leave records, and activity history. Review the export before releasing it: a DSAR covers the requester's own personal data, and anything in the file that identifies other people may need to be redacted first.
How do I delete an employee’s data?
You can permanently delete an employee from People > [Employee] > Actions > Permanently Delete. This removes all personal data, leave records, documents, and activity logs, and cannot be undone. Deactivate employees first and permanently delete only once your retention period for their records has expired: some employment and payroll records are subject to statutory minimum retention periods after an employee leaves, so deleting too early can destroy records you are still obliged to hold.
What is your data retention policy?
Grove retains active employee data for as long as your account is active. When an employee is deactivated, their data remains accessible to admins for audit and compliance purposes until you permanently delete it; as the controller, it is your responsibility to set a retention period and apply it rather than keep deactivated records indefinitely. If you permanently delete an employee, all their data is purged within 30 days. When an account is cancelled, all organisation data is deleted after 30 days, so export anything you are required to keep before the account is closed.
Do you conduct security audits?
Yes. We conduct regular security reviews of our infrastructure, application code, and access controls. Our codebase is version-controlled and all changes are reviewed before deployment. We use automated vulnerability scanning as part of our CI/CD pipeline.
How do I report a data breach?
If you suspect a data breach, email security@grove.hr immediately. Under our DPA, we commit to notifying affected customers within 72 hours of becoming aware of a personal data breach. Note how the UK GDPR deadlines fit together: Article 33(2) requires Grove, as processor, to notify you without undue delay; Article 33(1) then requires you, as controller, to report the breach to the ICO within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals; and Article 34 requires you to inform affected employees without undue delay where the risk is high. When you report to us, include what you observed, when, and which employees or records you believe are affected, so that both sides can start their clocks with the facts needed.
Where can I find your privacy policy and DPA?
Our privacy policy is at grove.hr/privacy, and our Data Protection Addendum (DPA) is at grove.hr/dpa. Both documents are kept up to date and form part of our terms of service.