Security & data handling

How we protect the data you bring to Groundskeeper

Groundskeeper is a project-management platform built for consultants, fractional leaders, and advisory firms running complex client work. The data you bring in — engagement notes, client context, decisions, and plans — is sensitive. This overview explains how we protect it, where it lives, and how long we keep it.

Last updated: June 30, 2026

Encrypted in transit & at rest
TLS everywhere, plus app-layer encryption on sensitive fields.

Isolated per workspace
Row-level security enforced at the data layer, not just in code.

Never used to train models
Customer content is not used to train or improve any AI model.

Infrastructure & vendors

A small, deliberately chosen foundation

Groundskeeper runs on a short list of enterprise infrastructure providers. Each holds an independently audited SOC 2 Type II report, so the foundation our service runs on is held to a recognized security and operational standard.

| Provider | Role | Assurance |
| --- | --- | --- |
| Supabase | Application database, authentication, file storage | SOC 2 II |
| Vercel | Application hosting | SOC 2 II |
| Anthropic | AI processing for in-app assistance and document understanding | SOC 2 II |
| Stripe | Subscription billing — no card data touches our systems | SOC 2 II |
| Resend | Transactional and notification email | SOC 2 II |
| Google Workspace / Microsoft 365 | Identity / single sign-on | SOC 2 II |

We maintain a current subprocessor list and keep a data-processing agreement (DPA) on file with each provider. An updated subprocessor list is available to customers on request.

Encryption

Protected end to end

In transit

All traffic to and within Groundskeeper is protected with industry-standard TLS encryption.

At rest

Data is encrypted at the storage layer by our database provider. Sensitive fields receive an additional application-layer encryption step before they are written, so they are protected independently of the underlying infrastructure.

Tenant isolation & access

Least privilege by default

Workspace isolation

Every customer's data lives behind row-level security — access is scoped to the owning workspace and enforced at the data layer, not merely in application code.

Role-based access

Internal and external users receive least-privilege access for their role. External collaborators see only the engagements they are assigned to, and production access is limited to authorized personnel.

Data retention & AI processing

How AI processing is handled

Groundskeeper uses AI to help your team capture, organize, and surface project work. That processing is performed by Anthropic, a SOC 2 Type II provider, under a commercial agreement that includes a data-processing agreement.

No model training

Under our agreement with Anthropic, customer content is never used to train or improve any model.

30-day retention

Content processed by our AI provider is retained for up to 30 days, then handled per the provider's standard policy.

This retention window is integral to how Groundskeeper works — the assistant relies on durable, stateful project context to do its job, so it is a functional requirement of the product rather than an optional setting. We have evaluated zero-retention configurations and they are incompatible with this core functionality. Customers may request deletion of their workspace data, including AI session history and stored project context; we action these requests manually and confirm completion.

Audit trail

Every change, with a reason

Status-changing actions — closing, approving, rejecting, or completing items — require an accompanying note, so the record shows not just what changed but why.

Availability & backups

Managed and backed up

Groundskeeper runs on managed cloud infrastructure with automated database backups. Hosting and database providers each operate to a SOC 2 Type II standard for availability.

Privacy

Yours to control

We maintain a privacy policy and, for customers acting as data controllers, are prepared to enter into a DPA as your processor.

Vulnerability disclosure

Reporting a security issue

If you believe you've found a security vulnerability, email security@groundskeeperpm.com. We welcome good-faith research, acknowledge reports we receive, and ask that you give us a reasonable opportunity to investigate and remediate before any public disclosure. Please don't access or modify data that isn't yours while testing.

Questions

Security teams are welcome to reach out — we'll walk through our architecture, share the current subprocessor list, or complete a vendor security questionnaire.

security@groundskeeperpm.com

This overview reflects Groundskeeper's practices as of the date of publication and is provided for informational purposes. It does not constitute a certification or a contractual commitment except where incorporated into a signed agreement.