Data Security

At Loops, ensuring the security of your data is a top priority. We adhere to security best practices throughout every phase of product development and implementation, all while maintaining SOC 2 compliance.

Encryption

At rest, all data is encrypted using AES-256. Internal communication in the system is encrypted with SSL/TLS.

Communication encryption between the client's data warehouse and Loops’ cloud depends on the client's data warehouse (e.g. with BigQuery we force TLS 1.3, and with Snowflake it depends on the client’s cluster configuration).

Authentication

All access to sensitive data is restricted via authentication. Loops currently supports two authentication methods, using either a local user or Google account (preferred).

Local passwords must contain 10 characters, with a mix of letters, numbers and special characters. Two-factor authentication is enforced for all users.

Production systems

All Loops servers run on a managed Kubernetes cluster on Google Cloud Platform (GCP).

Loops audits all changes to our Kubernetes cluster and keeps an extensive log. All internal communication is TLS-encrypted, and we do not permit direct access to any of our machines or services except through a GCP load balancer for our web interface. Deployment to production is limited to automated CI/CD processes and is monitored closely.

Data collection

Loops does not collect or store any data from the client side. We connect to the data warehouse of the client, run Loops analyses in-memory, and save only aggregated results (no raw or user-level data). In addition, Loops does not access any Personally Identifiable Information (PII) to run analyses. For more details, see our Privacy Policy.

To better understand how our product is being used and make improvements, Loops collects behavioral data about users when they are using the Loops platform. We do not collect data about our clients’ users.

Secure coding (SDLC)

We implement an agile Software Development Lifecycle (SDLC), and all code goes through a security review by a cybersecurity expert before being released. We also use Snyk to ensure all dependencies are up to date and without known vulnerabilities. We routinely update all dependencies and images. Our system regularly goes through penetration testing conducted by a third party, and no critical findings have been detected.

Every new R&D engineer undergoes secure coding training. The principle of least privilege is used throughout our services and in the permissions given to employees. Administrator privileges are kept to a minimum and are monitored. A process is in place to remove permissions when employees leave Loops.

Disaster recovery plan

A DRP is in place and can be shared upon request.

Information Security Policy

As part of Loops’ information security policy, we developed the following policies in order to monitor, identify and eradicate all suspected security issues:

  • Risk Assessment Policy
  • Encryption Policy
  • Remote Access Policy
  • Data Center Security Policy
  • Software Development Lifecycle Policy
  • Security Incident Response Policy
  • Disaster Recovery Policy
  • Availability Policy

Policies and procedures are in place and can be shared upon request.

Loops is SOC 2 Type II compliant, with auditing performed by Ernst & Young. The certification report, as well as our annual penetration testing report, can be shared upon request.

Have any questions? We’ll be happy to answer them. Send an email to support@getloops.ai.
