Trust scope

HIPAA and PCI-DSS scope statement

Gruv orchestrates payment instructions, compliance evidence, and workflow automation over licensed partners. PHI and raw cardholder data are permanently out of scope.

Security review packet diagram showing launch scope inputs, data handling notes, processor boundaries, and approval trail.

No HIPAA BAA available

Gruv does not execute Business Associate Agreements. Never transmit protected health information through Gruv workflows.

Cardholder data excluded

The platform never collects, stores, or processes full primary account numbers, CVVs, or magnetic-stripe data. Keep cardholder data inside your PCI-certified payment processor.

Route regulated workflows through trust review

Workflows involving healthcare, benefits, insurance claims, or payment-card artifacts require trust review before data onboarding.

Do not send

  • Protected health information (PHI)
  • Clinical notes, claims, treatment records, diagnoses, or patient identifiers
  • Full PANs, CVV/CVC values, magnetic-stripe data, or PIN blocks
  • Screenshots, PDFs, exports, or support tickets that contain any of the above

Safe review context

  • High-level workflow descriptions for procurement evaluation
  • Vendor questionnaires describing regulated-data boundaries (no regulated records attached)
  • Payment-provider tokens, status events, and masked metadata from approved processors
  • Fully redacted examples with all PHI and cardholder data stripped before upload