Security and Data Handling
Running a vendor security review? This page answers the questions your team usually asks. For formal documentation (NDA, DPA, AI usage statement, SOC2 letters), email hello@grovedeck.com directly. Certified Cornerstone Experts respond, not a form.
How access works
You provision our access. You define the scope. You revoke it in a click.
- Least-privilege access only, scoped to what the work requires.
- No standing admin access beyond active engagement scope, and no production credentials kept between engagements.
- Access is provisioned and deprovisioned through your own Cornerstone tenant controls.
- We work within whatever access review cadence your security team runs.
- Nothing requires us to bypass Cornerstone’s own access controls. We operate inside them.
Data handling
Your learner records, configurations, and reports stay in your Cornerstone tenant. The engine reads what it needs in the moment. It doesn’t replicate your data to external storage or export learner records outside your environment.
The AI we use to assist with your work does not train external models on your data. Tenant data (learner records, completion histories, org structures, anything the engine accesses) is never training input.
Compliance posture
- NDA and Data Processing Agreement signed before access is provisioned.
- GDPR-aligned handling for UK and EU clients, including data residency awareness.
- Awareness of CCPA and state privacy laws for US clients.
- Cornerstone’s own data controls remain authoritative. We don’t override tenant-level privacy settings.
- Subprocessor list available on request.
AI governance
The AI the engine uses operates inside the guardrails your security and HR teams have already set. We don’t route around your organization’s AI policy.
If you have a formal AI use policy for third-party vendors, we can review it before engagement and confirm in writing how our tooling aligns. Healthcare, government, and financial services clients should ask about this upfront.
Common questions
Do you copy our data outside of our Cornerstone tenant?
No. The engine reads from your tenant in the moment it needs it. It doesn’t replicate learner records, org configurations, or completion histories to external storage.
Does your AI train on our tenant data?
No. When we use AI tools in your environment, your data is not training input for any external model. We can provide this in writing if procurement requires it.
What happens to our access when the engagement ends?
You deprovision it through your own Cornerstone tenant controls. We don’t hold credentials, and we confirm in writing that no standing access remains.
Will you sign our NDA, DPA, or data processing addendum?
Yes, both are standard pre-engagement documents. If you have a vendor-specific template, send it to hello@grovedeck.com and we’ll review it.
Ready to start, or still have procurement questions? Get in touch.