Security

Loom uses enterprise-grade security practices to keep your data safe.

Our security commitment

Loom is committed to the security of our customers and their data. As a cloud-based company entrusted with some of our customers' most valuable data, we are focused on keeping you and your data safe. Loom undergoes periodic penetration testing, is designed to be GDPR-compliant, and encrypts data at rest and in transit. Our customers entrust sensitive data to our care, and keeping that data safe is our priority.

Secure and reliable infrastructure

Loom uses Amazon Web Services (AWS) for secure and resilient hosting of staging and production environments. Loom leverages multiple availability zones to redundantly store customer data. AWS data centers are monitored by 24×7 security staff, biometric scanning and video surveillance, and are continuously certified across a variety of global security and compliance frameworks.

World-Class Application Security

Data encryption

Data is encrypted in transit using TLS 1.2+ and at rest using the industry-standard AES-256 encryption algorithm.

Single Sign-On (SSO)

SSO allows you to authenticate users in your own systems without requiring them to enter additional login credentials.

Data permission and authentication

Access to customer data is limited to authorized employees who require it for their job, and all data access is logged.

Incident response

Our incident response program addresses events that disrupt the quality of our service. It includes defined escalation paths and engages the appropriate teams to investigate, communicate and remediate each incident.

Software Development Lifecycle (SDLC) Security

Loom implements human review processes to ensure consistent quality in our software development practices.

Vulnerability management

Loom regularly scans production infrastructure, applications and networks with off-the-shelf vulnerability scanners to identify weaknesses that could impact our systems.

Corporate security

Loom's internal services require TLS for network access and authenticate each user individually through a central identity provider, with two-factor authentication enforced wherever possible.

Loom personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles; all employees are required to help secure our customer data and company assets.

Bug bounty

We partner with HackerOne to run a private bug bounty program to help surface and resolve security vulnerabilities before they can be exploited. We welcome your contributions by submitting reports using this form. Our Security Team will investigate, triage and respond to your report via the HackerOne platform.

Please read through our bug bounty policy and rules before submitting bugs. To remain compliant with our bug bounty policy and to be adequately compensated, we ask that you refrain from publicly disclosing any of your findings until we have triaged and fixed the vulnerability. We appreciate your time and effort in helping us keep Loom secure.

Enterprise-grade compliance

GDPR

General Data Protection Regulation (GDPR)

At Loom, we have worked to enhance our products, processes, and procedures to ensure our practices are GDPR-compliant.

CCPA

California Consumer Privacy Act (CCPA)

Loom acts as a service provider to customers under the California Consumer Privacy Act (CCPA), and we support our customers' compliance with the CCPA.

AICPA SOC

SOC 2 Type 1

Our SOC 2 Type 1 report attests to the controls we have in place governing the security of customer data, as they map to the Trust Services Principles (TSPs) established by the American Institute of Certified Public Accountants (AICPA).