Security
At Loomly, we are committed to protecting the confidentiality, integrity and availability of our information systems and our customers' data. We are constantly improving our security controls and analyzing their effectiveness to give you confidence in our solution.
Here we provide an overview of some of the security controls in place to protect your data.
You can reach our security team at security@loomly.com.
Cloud Security
Data Center Physical Security
Facilities
Loomly uses infrastructure from AWS for data center hosting. Our provider's data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, SOC 1, SOC 2 and SOC 3 compliant. Learn more about AWS certifications and compliance standards at AWS Compliance offerings.
Our providers employ robust controls to ensure the availability and security of their systems. This includes measures such as backup power, fire detection and suppression equipment, and secure device destruction, amongst others.
On-Site Security
AWS implements layered physical security controls to ensure on-site security, including vetted security guards, fencing, video monitoring, intrusion detection technology and more. Learn more about AWS Physical Security.
Network Security
In-house Security Team
Loomly has a dedicated and passionate security team to respond to security alerts and events, continuously improve the security posture of the product and organization, and perform periodic internal security assessments.
Third-party Penetration Tests
Third-party penetration tests are conducted against the application and supporting infrastructure at least annually. Any findings as a result of tests are tracked for remediation.
Threat Detection
Loomly leverages threat detection services within AWS to continuously monitor for malicious and unauthorized activity.
Vulnerability Scanning
We perform regular internal vulnerability scans. Where issues are identified, these are tracked until remediation. These activities cover all aspects of our organization, including the code we write, dependencies and infrastructure.
DDoS Mitigation and Defense at the Edge
Loomly uses a number of DDoS protection strategies and tools layered to mitigate DDoS threats. We utilize AWS’s CDN and its DDoS protection as well as other native AWS tools and application-specific mitigation techniques. We monitor and block common types of attacks at the edge, aiming to prevent malicious traffic from reaching our servers at all.
Access Control
We follow the principle of least privilege by granting our staff the minimum permissions needed to carry out their jobs. In addition, access is granted for a limited time and is scoped to the minimum number of services needed. Permissions are subject to frequent internal assessment, technical enforcement, and monitoring to ensure compliance. 2FA is required for all production systems.
Encryption
In Transit
Loomly forces HTTPS for all services using TLS (SSL). Encryption is managed by AWS through our CDN.
At Rest
Loomly data is encrypted at rest with industry-standard encryption algorithms managed by AWS, like AES. Sensitive data like credentials is never stored in plain text inside our databases, as we store secure hashes only.
Availability & Continuity
Uptime
Loomly is deployed on public cloud infrastructure. Services are deployed to multiple availability zones for availability and are configured to scale dynamically in response to measured and expected load.
Recovery
In the event of a major region outage, Loomly has the ability to deploy our application to a new hosting region. We have proper monitoring and dedicated engineers to spot downtime and promptly react to recover from any kind of disaster.
Application Security
Quality Assurance
Loomly’s Quality Assurance function reviews and tests changes to our code base. The security team has resources to investigate and recommend remediation of security vulnerabilities within code. Regular syncs, training, and security resources are provided to support QA.
Environment Segregation
Testing and production environments are logically separated from one another. No customer data is used in any development or test environment.
Authentication
As a best practice, we recommend never reusing passwords when updating them.
Additionally, Loomly users can set up two-factor authentication to add an extra layer of security to their account. Loomly supports Google Authenticator and other apps that implement the Time-based One-Time Password algorithm (TOTP).
For enhanced convenience and security, Loomly also supports Google single sign-on (SSO). By using Google SSO, users can seamlessly and securely log into their Loomly accounts with their existing Google credentials, eliminating the need to remember multiple passwords and reducing the risk of unauthorized access.
Credentials
We do not store any credentials for social media accounts. Loomly allows you to connect social accounts to your calendars through an industry-standard process called OAuth, which was designed to avoid sharing credentials and limit access scope.
Those who have access to the social accounts can log in to Loomly where they are able to connect the social accounts to Loomly without ever providing Loomly (or anyone else) with the social account credentials.
Personal Security
Security Awareness
Loomly delivers a robust Security Awareness Training program, which new hires complete within 30 days of joining and all employees repeat annually.
Information Security Program
Loomly has a set of information security policies covering a range of topics. These are delivered to all employees and contractors right after hiring.
Access Controls
Access to systems and network devices is based upon a well-defined request process. Logical access to platform servers and management systems requires two-factor authentication. Access is further restricted by system permissions using the least privilege methodology and all permissions require documented need. User access is revoked upon termination of employment or change of job role.
Third-party Security
Vendor Management
Loomly understands the risks associated with improper vendor management. We evaluate all of our vendors before the engagement to ensure their security is to a suitable standard. If they do not meet our requirements, we do not move forward with them.
PCI-DSS
As a card-not-present merchant, Loomly outsources our cardholder functions to Stripe, a PCI-DSS Level 1 service provider.
Subprocessors
Loomly uses subprocessors to provide core infrastructure and services that support the application. Before engaging any third party, Loomly evaluates a vendor’s security as described above.
Vendor | Location | Service Provided
Amazon Web Services, Inc. | US | Cloud hosting services
Google, LLC | US | Cloud hosting services
HubSpot, Inc. | US | Cloud hosting services
Intercom, Inc. | US | Customer Support platform
Bending Spoons S.p.A. and its affiliates | Italy | As the parent company of Loomly, Bending Spoons S.p.A., together with its affiliates, supports Loomly in providing the service
Responsible Disclosure
At Loomly, the security of our users and our platform comes first. Please visit our dedicated page for more information on vulnerability disclosures.