We know how important data security is to our customers and for the video messages they create with Loom, which is why we are happy to announce that Loom is now SOC 2 Type 1 compliant. 🎉 🔓 Meeting SOC 2 compliance is a key part of Loom’s ongoing commitment to our existing and future customers, who can be confident about the security of their data with Loom.
A SOC 2 Type 1 report is granted after a company undergoes an auditing process administered by an independent, third-party audit firm. Successfully completing the SOC 2 examination signifies Loom has voluntarily developed and implemented a system of controls and operational processes to meet a renowned security standard of excellence.
What is SOC 2 and why does compliance matter?
A SOC 2 report is for service organizations that hold, store, or process the information of their users. When recording and creating with Loom, you have the option to store videos and screenshots that can contain sensitive information, including but not limited to people’s names, faces, locations, confidential or proprietary company work, and other personal details. Because of this, our customers’ data privacy is paramount — you should never worry that the looms you create and the information they contain are available to anyone but the intended recipients.
System and Organization Controls (SOC) are regulations established by the American Institute of Certified Public Accountants (AICPA). While the concepts of SOC 2 may seem abstract, here’s how to differentiate between the two types of SOC 2 reports:
SOC 2 Type 1: The Type 1 report describes a service provider’s systems and whether the system is suitably designed to meet relevant trust principles.
SOC 2 Type 2: The Type 2 report details the operational effectiveness of those systems and includes a historical element that shows how controls were managed by a business over a period of time.
The purpose of a SOC 2 report is to evaluate an organization's information systems that are relevant to security controls, availability, data processing integrity, confidentiality, or privacy. These reports provide valuable information that users need to assess and address the potential security risks associated with utilizing a service provider.
Some basic questions you should ask when evaluating a company’s adherence to data security compliance standards include:
What type of personal data will be shared?
Does the company have any security or compliance certifications and reports that are available?
How is the data encrypted — is it encrypted both in transit and at rest?
Where is the data stored?
How and when will customers be notified if an incident occurs?
Does the company have internal policies and procedures in place?
How is access to sensitive systems delegated?
The questions above show that SOC 2 compliance is an ongoing activity, which is how we approach it at Loom.
Announcing SOC 2 and data security at Loom
We recognize that we are in an era where more people are working remotely than ever before — where almost everything can be stored in the cloud. As a SaaS company, we are continuously ensuring our product and features are geared toward abiding by the highest standards of SOC 2 compliance.
To help us reach this milestone, we partnered with Vanta to help automate many of the processes associated with maintaining SOC 2 compliance. Vanta adds another layer of continuous monitoring on items such as encrypted data stores, timely disabling of access, vulnerability identification, and policy management. They integrate with our third-party systems to recommend SOC 2 industry best practices, aggregate audit evidence, and provide ongoing monitoring and support.
Our SOC 2 Type 1 report covers important processes across the organization related to infrastructure, HR operations and policies, device management, incident response, vulnerability management, and third-party risk management.
Security and compliance can be seen in our day-to-day operations across teams at Loom and for every Loommate in the following ways:
Enabling screensaver timeouts and device management: All company-owned devices have automated IT security measures installed, such as anti-virus software on computers.
Ensuring devices are encrypted: Our customers want to know the video content they create and store in the cloud is properly encrypted. We take security precautions of enabling encryption on all company-owned devices to ensure both Loom company data and our customers’ data are secure.
Tracking and documenting access requests and ensuring no unauthorized access: We use Okta to manage access to applications at Loom. Not everyone at Loom should be able to access customer videos; Loom employees from our Engineering and Customer Support teams, for example, only have access when necessary.
Strengthening our code review and development process: When engineers make changes to the Loom UI, there are checks and balances in place to prevent code errors.
Implementing an incident response program that involves cross-functional collaboration: We proactively alert customers in the case of a data breach or when other cybersecurity incidents occur. We use a combination of AWS GuardDuty, GitHub Dependabot, and Vanta for vulnerability scanning, which report to alerting systems that notify our Engineering team of any issues. In addition, periodic independent third-party penetration testing (by security researchers) is part of this program.
What’s next for compliance at Loom?
A SOC 2 Type 1 compliance certification is a major data security milestone for Loom. Our next step is to pursue a SOC 2 Type 2 audit, which builds on what we have already achieved with Type 1 but will validate the effectiveness of these controls over a period of time. In the future, Loom will continue to work with our auditors to complete SOC 2 Type 2 evaluations on a regular basis so our users can be confident that their data is secure.