Trust scope

HIPAA and PCI-DSS scope statement

Gruv is built for money movement operations, compliance review, and workflow evidence. It is not a system for protected health information or raw payment-card data.

Security review packet diagram showing launch scope inputs, data handling notes, processor boundaries, and approval trail.

HIPAA BAAs are not offered

Gruv does not offer Business Associate Agreements. Do not use Gruv workflows to transmit protected health information.

Cardholder data is out of scope

Gruv does not ask customers to enter, store, or attach full cardholder data in the platform. Payment-card data should stay inside approved payment-provider checkout surfaces.

Review before rollout

If your workflow may involve healthcare, benefits, insurance, claims, or payment-card artifacts, route it through trust review before onboarding data.

Do not send

  • Protected health information
  • Clinical notes, claims, treatment, diagnosis, or patient identifiers
  • Full payment-card primary account numbers, CVV/CVC values, magnetic-stripe data, or PIN data
  • Screenshots, PDFs, exports, or support tickets containing the data above

Safe review context

  • High-level workflow descriptions for procurement review
  • Vendor questionnaires that describe regulated-data boundaries without including regulated records
  • Payment-provider references, tokens, status events, and masked metadata generated by approved processors
  • Redacted examples that remove PHI and cardholder data before upload or sharing