
Security

Loom uses enterprise-grade security practices to keep your data safe. Learn about Loom's security and bug bounty programs.

Our security commitment

Loom is committed to the security of our customers and their data. As a cloud-based company entrusted with some of our customers’ most valuable data, we focus on keeping you and that data safe: Loom undergoes periodic penetration testing, is designed to be GDPR-compliant, and encrypts data at rest and in transit. Keeping customer data safe is our priority.

Our Shared Security Responsibility Model

Loom operates a Software-as-a-Service (SaaS) model in which security is a shared responsibility among Amazon Web Services (AWS), Loom, and our customers. Loom uses AWS as its cloud infrastructure provider to deliver a service that is highly available, scalable, and secure. AWS is responsible for the security of its physical facilities, hardware, networking, and virtualization platform. Loom's responsibilities include, but are not limited to, customer data encryption, application-level security, security event logging and monitoring, and service uptime monitoring.

Customers are responsible for using the Loom service appropriately and configuring its security features. Examples of customer responsibilities include providing complete and accurate information to Loom, securing the devices used to access the service, setting up user authentication appropriately, managing access to the service and to videos shared with users, reporting security issues to Loom, securing their own data, and managing the security of any other applications or integrations used in the customer's environment, including third-party apps and plugins installed in their organization.

Secure and reliable infrastructure

Loom uses Amazon Web Services (AWS) for secure and resilient hosting of staging and production environments. Loom leverages multiple availability zones to redundantly store customer data. AWS data centers are monitored by 24×7 security, biometric scanning, video surveillance and are continuously certified across a variety of global security and compliance frameworks.

World Class Application Security

  • Data encryption

    Data is encrypted in-transit using TLS 1.2+ and at-rest using an industry standard AES-256 encryption algorithm.

  • Single Sign-On (SSO)

    SSO allows you to authenticate users in your own systems without requiring them to enter additional login credentials.

  • Data permission and authentication

    Customers control who can authenticate to their workspace and who can view each video they share; see the customer responsibilities under the shared security responsibility model above.

  • Incident response

    Our incident response program addresses events that disrupt the quality of our service. It includes defined escalation paths and engages the appropriate teams to investigate, communicate and remediate each incident.

  • Software Development Lifecycle (SDLC) Security

    Loom's software development practices include human review of changes to ensure consistent quality.

  • Vulnerability management

    Loom regularly scans its production infrastructure, applications and networks with off-the-shelf vulnerability scanners to identify weaknesses that could impact our systems.

Corporate security

Loom's internal services require TLS for network access, authenticate each user individually through a central identity provider, and use two-factor authentication wherever possible.

Loom personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles; all employees are required to participate in helping secure our customer data and company assets.

Bug bounty

We partner with HackerOne to run a private bug bounty program to help surface and resolve security vulnerabilities before they can be exploited. We welcome your contributions by submitting reports using this form. Our Security Team will investigate, triage and respond to your report via the HackerOne platform.

Please read through our bug bounty policy and rules before submitting bugs. In order to remain compliant with our bug bounty policy and adequately compensate you, we ask you to refrain from publicly disclosing any of your findings until we have triaged and fixed the vulnerability. We appreciate your time and effort in helping us keep Loom secure.

Security questions or issues?

Reach out to security@loom.com

Enterprise-grade compliance

General Data Protection Regulation (GDPR)

At Loom, we have worked to enhance our products, processes, and procedures to ensure our practices are GDPR-compliant.

California Consumer Privacy Act (CCPA)

Loom acts as a service provider to customers under the California Consumer Privacy Act (CCPA), and we support our customers’ compliance with the CCPA.

SOC 2 Type 2

Our SOC 2 Type 2 report attests to the controls we have in place governing the security of customer data, as they map to the Trust Services Criteria (formerly Trust Services Principles) established by the American Institute of Certified Public Accountants (AICPA). View a copy here.

SOC 3

Our SOC 3 report is a general-use executive summary of the SOC 2 report and includes the independent third-party auditor’s opinion on the design and operating effectiveness of our controls.

View report (552KB, PDF)