Security at Ground

Security is core to Ground. We design the Services so you can connect repositories, documentation, and packages with clear authentication boundaries, rate limits, and operational monitoring. This page summarizes our approach at a high level—it is not an exhaustive description of our architecture or controls.

Customer Content you index is processed to build search and retrieval artifacts (for example, chunks and embeddings) stored in infrastructure we operate or lease. Access to production systems is restricted on a least-privilege basis. Administrative access is logged and reviewed according to operational policy.

For details on categories of personal data and legal bases where applicable, see our Privacy Policy.

Data in transit is protected using TLS for our web applications and APIs. Sensitive credentials such as API keys are not stored in plaintext where hashing or secret-management patterns are appropriate. Encryption settings for data at rest depend on the cloud provider and storage layer we use for your tier and region.

We support dashboard authentication (including session and OAuth flows where configured) and programmatic access via API keys. Keys should be treated as secrets: store them in a secure secret manager, rotate them periodically, and revoke compromised keys immediately from your dashboard.

We monitor the Services for availability and anomalies, and we use structured logging to investigate incidents. We strive to minimize downtime and to communicate transparently during significant disruptions. Exact targets may vary by plan and are described in applicable agreements or status communications.

When we become aware of a security issue that materially affects customers, we work to contain, remediate, and notify impacted parties consistent with our obligations and the nature of the incident. Customers can reach us at ali@trygroundai.com for security-related reports.

If you believe you have found a vulnerability in Ground’s Services, please email ali@trygroundai.com with a clear description, reproduction steps, and impact. Do not access or exfiltrate customer data. We appreciate coordinated disclosure and will work with you to understand and address valid findings.

• Rotate API keys and review access after team changes.
• Scope connected sources to the minimum necessary, and avoid indexing secrets or regulated payloads unless your compliance program permits it.
• Keep dependencies and local environments patched when integrating our SDKs or examples.
• For organizational requirements (DPA, SSO, IP allowlists, or custom reviews), contact our team via Contact.

Specific certifications, attestations, and available questionnaires depend on your plan and contractual arrangements. Ask your Ground account contact or email ali@trygroundai.com for the latest information.