Growee is built and operated in the European Union. Customer data stays on EU infrastructure, protected under GDPR, with a Data Processing Agreement available to every customer on request. This page documents the security controls we actually run, so your security review can start (and often finish) right here.
Growee is developed and operated by an EU company based in Cluj-Napoca, Romania. GDPR is not a bolt-on for us: it is the regulation we are directly subject to, and the platform is designed around it.
EU data residency. Customer data is stored and processed on AWS infrastructure located in the European Union.
DPA available on request. We sign a Data Processing Agreement covering GDPR Article 28 obligations, our subprocessor list, and Standard Contractual Clauses where a subprocessor is outside the EU. Email security@growee.ai.
Data subject rights. Access, rectification, portability, restriction and erasure are supported in-product or via support. Details are in our GDPR overview and Privacy Policy.
Data minimization. We collect only the data needed to provide the service, and sensitive employee fields (salary, contracts) are optional and role-restricted.
We do not currently hold a SOC 2 or ISO 27001 certification and we will never imply otherwise. The controls on this page describe what we actually operate today; for most European buyers, GDPR compliance with EU residency and a signed DPA covers the security review.
Infrastructure & hosting
Growee runs on Amazon Web Services in the European Union, inheriting AWS's physical security, network protection and compliance certifications (ISO 27001, SOC 1/2/3, and more) for the underlying infrastructure.
Tenant isolation. Every company gets a dedicated subdomain, and every database query is automatically scoped to your company. Cross-tenant access is prevented at the framework level, not by convention.
Segregated environments. Production is separated from development and staging, and production access is limited to authorized personnel with individual credentials.
Inherited compliance. Payments run exclusively through Stripe (PCI DSS Service Provider Level 1); Growee never stores or transmits card data.
Encryption in transit & at rest
In transit. All connections to Growee are encrypted with TLS. Plain HTTP is not served.
At rest. Databases and file storage are encrypted at rest on AWS.
Application-level encryption. High-sensitivity values, such as OAuth tokens and connected integration credentials, are additionally encrypted at the application level before they reach the database.
Passwords. User passwords are hashed with bcrypt. They are never stored or logged in plain text, and staff cannot read them.
Access control & authentication
Role-based access control. Built-in roles (Admin, HR, Manager, Employee, Collaborator) plus fully custom roles with granular, per-feature permissions. Sensitive data such as salaries, contracts, evaluations and invoices is restricted to authorized roles, enforced server-side on every request.
Authentication options. Email and password, or sign-in with Google and Microsoft (OAuth 2.0). Two-factor authentication via email verification codes can be enabled for your company.
API access. The REST API uses scoped bearer tokens (Laravel Sanctum) that can be revoked at any time. API requests respect the same role and tenant boundaries as the UI.
Internal access. Growee staff access to production data is limited to named engineers, used only for support and operations, and our team is trained on data handling and confidentiality.
Data retention, export & deletion
Retention. We keep your data for as long as your account is active. We do not retain it for unrelated purposes, and we do not sell it or use it to train AI models.
Export. Administrators can export company data (employees, documents, time and leave records) as downloadable archives at any time, at no cost. There is no lock-in and no long-term contract.
Deletion. Account deletion is self-serve and protected by an email confirmation code. It permanently removes your company's data, including uploaded files, from production systems. Residual copies in encrypted backups expire as backups rotate.
Subprocessors
We use a small set of vetted service providers to run Growee. Each is bound by a data processing agreement, and transfers outside the EU are covered by Standard Contractual Clauses. The Products column shows which Growee modules (Core HR, CRM, Knowledge Base, Hiring) rely on each provider, so you only need to review the ones for products you actually use. This list is kept current on this page and referenced in our DPA.
AI features: receipt scanning, CV parsing, lead enrichment, article search, Ask AIEngaged only when you use AI features. API data is not used for model training.
Hosting and CDN for the public website (growee.ai)Serves the marketing website only, not application data.
Website
Customer-controlled integrations
Separately from subprocessors, you can choose to connect Growee to third-party tools. Data flows to these services only if you or your administrator connects them, and you can disconnect at any time: Google (sign-in, Google Calendar, Gmail), Microsoft (sign-in, Microsoft 365 email), Slack (notifications), Atlassian Jira (timesheet sync), ANAF e-Factura (Romanian e-invoicing).
Backups, monitoring & incident response
Backups. Databases are backed up automatically every day, and backups are stored encrypted. Restores are part of our operational procedures.
Monitoring. Application errors, background jobs and system health are continuously monitored, with alerting to the engineering team.
Incident response. We have established procedures to identify, contain and mitigate security incidents. If an incident affects your data, we notify you and, where required, the supervisory authority within GDPR's 72-hour window.
Application security practices
Independent penetration testing. Growee has been penetration tested by Cyber Threat Defence, an independent cybersecurity firm, and received their Certificate of Trust. Findings are remediated and re-verified.
Secure development. Every change goes through code review and a CI pipeline with automated tests and static analysis before it can reach production.
Dependency management. Third-party dependencies are reviewed and updated regularly, and security advisories for our stack are tracked and patched.
Vendor due diligence. Before engaging any third-party provider we review its security posture and data protection compliance, and we bind it with a data processing agreement.
Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability in Growee, email security@growee.ai with enough detail for us to reproduce the issue (affected URL or endpoint, steps, impact).
What we commit to
Acknowledge your report within 3 business days
Keep you informed while we investigate and remediate
Fix confirmed vulnerabilities as a priority
Credit you for the discovery if you would like (no formal bounty program at this time)
What we ask of you
Test only against accounts you own or have permission to use
Do not access, modify or delete other customers' data
No denial-of-service, spam, or social engineering of our staff or customers
Give us reasonable time to fix the issue before public disclosure
Safe harbor: we will not pursue legal action against researchers who act in good faith, follow this policy, and avoid privacy violations or service disruption.
Last updated: July 2026
Security reviewer FAQ
Direct answers to the questions we see most often in security questionnaires. Anything missing? Email security@growee.ai.
Where is my data stored?
All customer data is stored and processed on Amazon Web Services infrastructure located in the European Union. Growee is built and operated by an EU company based in Cluj-Napoca, Romania.
Are you SOC 2 or ISO 27001 certified?
No. Growee does not currently hold a SOC 2 or ISO 27001 certification, and we will not claim otherwise. What we do have: full GDPR compliance as an EU company with EU data residency, an independent penetration test by Cyber Threat Defence, and the concrete controls documented on this page. For most European buyers this, together with a signed DPA, covers the security review. If your procurement process requires something more, contact us at security@growee.ai and we will work through your questionnaire with you.
Can I get a Data Processing Agreement (DPA)?
Yes. A DPA covering GDPR Article 28 requirements, including our subprocessor list and Standard Contractual Clauses where relevant, is available to all customers on request. Email security@growee.ai and we will send you a copy for signature.
Do AI features send my data to third parties?
AI features (receipt scanning, CV parsing, Ask AI, AI employees) call OpenAI and Anthropic APIs to process the specific content you submit. Both providers contractually commit not to train models on API data. AI features are optional: if you do not use them, no data is sent to AI providers.
Do you store credit card details?
No. All payments are processed by Stripe, which is certified as a PCI DSS Service Provider Level 1. Card details are entered directly into Stripe-hosted fields and never reach Growee servers.
How do I report a security vulnerability?
Email security@growee.ai with the details. We acknowledge reports within 3 business days and keep you informed while we investigate and fix confirmed issues. See our responsible disclosure policy above for scope and safe harbor.
What happens to my data if I cancel?
You can export all your data as archives before you leave, at any time and at no cost. Account deletion is self-serve with an email confirmation code and permanently removes your company's data from our production systems. Residual copies in encrypted backups expire as backups rotate.
Still have security questions?
Our engineers answer security questionnaires directly. Reach us at security@growee.ai and we will get back to you within 3 business days.