Loom uses enterprise-grade security practices to keep your data safe. Learn about Loom's security and bug bounty programs.
Our security commitment
Loom is committed to the security of our customers and their data. As a cloud-based company entrusted with some of our customers’ most valuable data, we are focused on keeping you and your data safe. Loom undergoes periodic penetration testing, is designed to be GDPR-compliant, and encrypts data at rest and in-transit. Our customers entrust sensitive data to our care. Keeping customer data safe is our priority.
Secure and reliable infrastructure
Loom uses Amazon Web Services (AWS) for secure and resilient hosting of staging and production environments. Loom leverages multiple availability zones to redundantly store customer data. AWS data centers are monitored by 24×7 security, biometric scanning, video surveillance and are continuously certified across a variety of global security and compliance frameworks.
World Class Application Security
Data is encrypted in-transit using TLS 1.2+ and at-rest using an industry standard AES-256 encryption algorithm.
Single Sign-On (SSO)
SSO allows you to authenticate users in your own systems without requiring them to enter additional login credentials.
Data permission and authentication
Access to customer data is limited to authorized employees who require it for their job and data access is logged.
Our incident response program addresses events which cause disruptions to the quality of our service. This includes defined escalation paths and engaging the appropriate teams to investigate, communicate and remediate the incident.
Software Development Lifecycle (SDLC) Security
Loom implements human review processes in order to ensure consistent quality in our software development practices.
Loom regularly scans production infrastructure, applications and networks for vulnerabilities using off-the-shelf tools to identify potential vulnerabilities that could impact our systems.
Loom leverages internal services which require TLS for network access and individually authenticate users by way of a central identity provider and leveraging two factor authentication wherever possible.
Loom personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles; all employees are required to participate in helping secure our customer data and company assets.
We partner with HackerOne to run a private bug bounty program to help surface and resolve security vulnerabilities before they can be exploited. We welcome your contributions by submitting reports using this form. Our Security Team will investigate, triage and respond to your report via the HackerOne platform.
Please read through our bug bounty policy and rules before submitting bugs. In order to remain compliant with our bug bounty policy and adequately compensate you, we ask you to refrain from publicly disclosing any of your findings until we have triaged and fixed the vulnerability. We appreciate your time and effort in helping us keep Loom secure.
General Data Protection Regulation (GDPR)
At Loom, we have worked to enhance our products, processes, and procedures to ensure our practices are GDPR-compliant.
California Consumer Privacy Act (CCPA)
Loom acts as a service provider to customers under the California Consumer Privacy Act (CCPA), and we support our customers’ compliance with the CCPA.
SOC 2 Type 2
Our SOC 2 Type 2 report attests to the controls we have in place governing the security of customer data as they map to Trust Service Principles (TSPs) established by the American Institute of Certified Public Accountants (AICPA).