Loom Terms & Policies
Loom uses commercially reasonable efforts to implement and maintain the security measures listed below. Loom may update or modify these Security Measures from time to time provided that the updates and modifications will not result in any material degradation of the overall security of Loom's Services.
- Background Checks. Loom conducts background checks for employees and contractors with systems access to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
- Confidentiality. Loom personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Loom's internal policies.
- Security Education and Awareness Training. Loom personnel are required to attend security and privacy training upon hire and annually thereafter.
- Access Controls. Loom implements access provisioning based on the principle of least privilege and access removal controls promptly upon termination.
- Multi-factor Authentication (MFA). Loom employs multi-factor authentication for access across our production environment and internal systems containing Customer Data.
- Passwords. Loom requires and enforces password complexity requirements where passwords are employed for authentication (e.g., login to workstations). These requirements include restrictions on password reuse and sufficient password strength.
- Anti-Virus and Malware. Loom employs an anti-virus and malware solution with daily signature updates for end user devices.
- Endpoint Security. Loom-issued devices are configured by Loom's endpoint management solutions which include inactivity screensaver timeouts, full disk encryption, remote data wipe and lock capabilities, and regular patching.
- Information Security. Loom personnel are required to acknowledge and comply with Loom Information Security policies and standards. Noncompliance is subject to disciplinary action, up to and including termination of employment.
- Monitoring and Incident Response. Loom maintains incident detection capabilities and a documented incident response program. In the event of an incident, Loom will promptly take reasonable steps to minimize harm and secure Customer Data.
- Industry Standard Encryption. Data in transit is encrypted using TLS 1.2+, and data at rest is encrypted using AES-256. Loom hashes user passwords with bcrypt before storing them in an encrypted database.
- Retention and Deletion. Loom maintains backup data for up to 30 days after a video has been permanently deleted by an end user. Video data is then permanently deleted.
- Secure Destruction. Loom's primary hosting provider complies with Department of Defense standards for secure erasure and secure decommissioning of storage media.
- Storage. Loom stores data in a multi-tenant environment hosted on AWS servers and logically isolates Customer Data.
- Firewalls. Loom configures firewalls according to industry best practices and unnecessary ports and protocols are blocked by configuring AWS Security Groups and NACL (Network Access Control Lists). Configurations are regularly monitored using automated cloud security posture management tools.
- Monitoring, Logging, and Alerting. Loom logs application logs to monitor for any suspicious activity. This is done using an SIEM (Security Incident and Event Management) tool. All alerts are triaged by Loom's Security Team and a security incident is raised after log introspection.
- AWS WAF (Web Application Firewall). Loom uses AWS WAF for rate-limiting endpoints to prevent brute-force and DoS (Denial of Service) attacks. WAF is also used to configure ingress IP addresses for specific endpoints and to help Loom comply with U.S. export control laws and regulations.
- Vulnerability Scanning. Loom has a robust vulnerability management program which is used to define security risk scores, severity ratings and SLAs. This program helps prioritize security fixes and identify compensating controls.
- Dependency Management. Loom ensures both application level dependencies and OS level packages are updated regularly to patch security issues. Github Dependabot is used for application level libraries and AWS ECR (Elastic Container Registry) and Trivy (OSS) are used for OS level packages.
- Static Application Security Testing (SAST). Loom utilizes SAST to identify security vulnerabilities in our source code. This is integrated as a pull request level check in Github which preemptively identifies security issues before a branch is merged to Loom's main branch.
- RBAC (Role Based Access Control). Loom uses IAM (Identity and Access Management) policies to enforce strict access controls for employees to access customer personal data, videos and screenshots. All user activity is logged and monitored for anomalies.
- Zero Trust. Internal applications used by Loom personnel are secured using AWS Application Load Balancer's native integration with our identity provider. This is done using OpenID Connect which acts as an authentication layer over the OAuth 2.0 protocol. All access, permissions and scopes are defined centrally within our identity provider to manage and scale requests.
- Data Centers. Loom hosts data on Amazon Web Services (AWS), which maintains internationally recognized world-class compliance certifications and reports. AWS maintains industry-leading security practices, offers state-of-the art environmental and physical protection for the services and infrastructure that comprise Loom's operating environment.
- Backups. Loom conducts periodic database backups. Backups are retained for 30 days during the normal course of operations.
- Replication. Loom also replicates databases and database backups in alternate availability zones. We perform regular backups and restoration testing.
- Redundancy. Loom's infrastructure has been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. This design allows Loom to perform maintenance and improvements of the infrastructure with minimal impact on the production systems.
- Business Continuity. Loom replicates data across multiple systems to help protect against accidental destruction or loss.
- Due Diligence. Loom conducts security reviews for vendors prior to onboarding to ensure adequate level of security, compliance, and privacy for the scope of services provided.
- Confidentiality. Loom takes appropriate steps to ensure our security posture is maintained by establishing agreements that require subprocessors and service organizations to adhere to confidentiality commitments.
Security Certifications and Reports
- Security Compliance. Loom works with an independent third party firm to ensure our security practices consistently meet industry best practices by performing regular SOC 2 audits in compliance with the 2017 Trust Services Criteria.
- Penetration Testing. Loom engages with independent third party firms to conduct application-level and network-level penetration tests at least annually. Results of these tests are shared with senior management, triaged, prioritized, and remediated in a timely manner.