Loop takes the security and privacy of your data very seriously, with robust policies, controls, and systems in place to keep your information safe and secure.
Loop offers multiple integration options for organizations, including Loop's cloud platform (hosted on Amazon Web Services in the United States) and, where required, dedicated deployments. The security and privacy white paper below describes an integration with Loop's cloud platform.
Loop HQ Inc. maintains an independent SOC 2 Type II attestation (AICPA Trust Services Criteria for Security). A summary of Loop's current assurance status appears under Compliance and Certifications below.
All Loop employees are required to understand and follow strict internal security policies and standards. Employees are trained on security topics including device security, malware and phishing prevention, physical security, data privacy, account management, and incident reporting. Access to systems and data follows the principle of least privilege and is granted based on role and business need.
The Loop development team follows secure development best practices. All code is version controlled and goes through peer review and continuous integration testing to screen for potential security issues. The application is built and deployed as containerized workloads through an automated CI/CD pipeline, so each release produces a fresh, versioned image rather than patching long-running servers in place. Changes to the production environment are logged and the team is notified of every release. A web application firewall, security groups, and a load balancer sit in front of all application traffic, and production systems are not directly exposed to the public internet.
Loop users connect third-party applications (e.g. Google Workspace, Microsoft 365, Slack, WhatsApp) using OAuth 2.0, an industry standard for authorizing secure access to external apps. Loop does not receive or store user passwords at any time. Single sign-on (SSO) with Google Workspace and Microsoft 365 is supported, and authorization is enforced at the application layer through role-based access controls that the customer manages. Users may revoke Loop's access at any time and may request that their data be deleted.
Access to production infrastructure is governed by AWS IAM under a least-privilege model with role-based access control. Permissions are segmented across administrators, developers, and automated service accounts, and elevated access is granted only on a business-need basis subject to auditing and review. Multi-factor authentication (MFA) is required for all human accounts with production access, and IAM password policies require strong, non-reused credentials. Administrative access is permitted only from approved networks and IP ranges via VPN or corporate-controlled infrastructure — never from arbitrary or public networks — and, where possible, is further restricted to managed, trusted devices. All administrative actions are logged and monitored.
All data in transit between users, Loop, and third-party services is encrypted using TLS 1.3. Inbound events from connected providers are delivered as signed webhooks that are verified before processing. No data is transmitted over unencrypted or legacy protocols. These protocols are reviewed as new threats and vulnerabilities are identified.
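As an added illustration of the signed-webhook check described above (example code, not Loop's implementation): it assumes a common HMAC-SHA256 design in which the provider signs a version string, a timestamp and the raw request body, delivered in hypothetical X-Event-Timestamp and X-Event-Signature headers, and it rejects stale events to limit replay.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Assumed scheme (not Loop's documented one): the provider signs
# "<version>:<timestamp>:<raw body>" with HMAC-SHA256 under a shared
# secret and sends "<version>=<hex digest>" in a signature header.
SIGNATURE_VERSION = "v0"
MAX_SKEW_SECONDS = 300  # events older than five minutes are treated as replays


def sign_event(secret: bytes, timestamp: int, body: bytes) -> str:
    """Compute the signature a provider would attach to an outbound event."""
    base = b"%s:%d:%s" % (SIGNATURE_VERSION.encode(), timestamp, body)
    digest = hmac.new(secret, base, hashlib.sha256).hexdigest()
    return f"{SIGNATURE_VERSION}={digest}"


def verify_event(secret: bytes, headers: Dict[str, str], body: bytes,
                 now: Optional[int] = None) -> bool:
    """Return True only if the event is fresh and its signature matches.

    Runs on the raw bytes before any JSON parsing, so unverified input
    never reaches application code.
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Event-Timestamp"])   # hypothetical header name
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False                              # stale or far-future timestamp
    presented = headers.get("X-Event-Signature", "")  # hypothetical header name
    expected = sign_event(secret, ts, body)
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(presented.encode(), expected.encode())


def demo() -> Dict[str, bool]:
    """Constructed sample event: one valid delivery, one tampered body, one replay."""
    secret = b"constructed-shared-secret"
    body = b'{"type":"message","text":"hello"}'
    ts = 1_700_000_000
    headers = {"X-Event-Timestamp": str(ts),
               "X-Event-Signature": sign_event(secret, ts, body)}
    return {
        "valid": verify_event(secret, headers, body, now=ts + 10),
        "tampered_body": verify_event(secret, headers, body + b" ", now=ts + 10),
        "replayed_later": verify_event(secret, headers, body, now=ts + 600),
    }
```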
Loop divides its systems into separate, logically isolated networks within AWS using virtual private clouds (VPCs). Systems supporting testing and development are hosted separately from systems supporting Loop's production services. Customer data exists only within Loop's production network. Network access to the production environment is restricted; only protocols essential to delivering the service are open at the perimeter, and access between production hosts is restricted by security groups to authorized services only.
A managed AWS Web Application Firewall (WAF) operates in enforcement (blocking) mode, actively blocking malicious requests using managed rule sets that cover known malicious IPs and botnets, malformed requests and common exploit patterns, and operating-system-level attack patterns. Additional edge protections include DDoS mitigation, rate limiting, and a global content delivery network.