Data Security
At Loops, ensuring the security of your data is a top priority. We adhere to security best practices throughout every phase of product development and implementation, all while maintaining SOC 2 compliance.
Encryption
At rest, all data is encrypted using AES-256. Internal communication in the system is encrypted with SSL/TLS.
Communication encryption between the client's data warehouse and Loops’ cloud depends on the client's data warehouse (e.g. with BigQuery we force TLS 1.3, and with Snowflake it depends on the client’s cluster configuration).
Authentication
All access to sensitive data is restricted via authentication. Loops currently supports authentication with a local user, an OAuth2 Google Gsuite / Azure Entra account, or full SSO.
Local passwords must contain 10 characters with a mix of letters, numbers and special characters. Two-factor authentication is enforced for all users.
Production systems
All Loops servers run on a managed Kubernetes cluster on Google Cloud Platform (GCP).
Loops audits all changes to our Kubernetes cluster and keeps an extensive log. All internal communication is TLS-encrypted, and we do not permit direct access to any of our machines or services except through a GCP load balancer for our web interface. Deployment to production is limited to automated CI/CD processes and is monitored closely.
Data collection
Loops does not collect or store any data from the client side. We connect to the data warehouse of the client, run Loops analyses in-memory, and save only aggregated results (no raw or user-level data). In addition, Loops does not access any Personally Identifiable Information (PII) to run analyses. For more details, see our Privacy Policy.
To better understand how our product is being used and make improvements, Loops collects behavioral data about users when they are using the Loops platform. We do not collect data about our clients’ users.
Secure coding (SDLC)
We implement an agile Software Development Lifecycle (SDLC), and all code goes through a security review by a cybersecurity expert before being released. We also use Snyk to ensure all dependencies are up to date and without known vulnerabilities. We routinely update all dependencies and images. Our system regularly goes through penetration testing conducted by a third party, and no critical findings have been detected.
Every new R&D engineer undergoes secure coding training. The principle of least privilege is used throughout our services and in the permissions given to employees. Administrator privileges are kept to a minimum and are monitored. A process is in place to remove permissions when employees leave Loops.
Disaster recovery plan
A DRP is in place and can be shared upon request.
Loops Assistance
Loops Assistance is a conversational interface for interacting with Loops. It allows you to ask questions about the Loops product, view graphs and results from analyses run in Loops (including insights), and receive recommendations on which analyses to run to answer your product-related questions.
Loops uses a third-party language model (via the OpenAI API) to interpret requests and determine the best response. OpenAI decides which actions to take, such as generating charts, retrieving results from previous analyses, or searching the Loops Help Center to construct an answer.
Loops sends the conversation history between you and Loops Assistance to the OpenAI API.
OpenAI does not train its models on your data and does not have access to it.
You can opt out of Loops Assistance at any time by contacting support.
Information Security Policy
As part of Loops’ information security policy, we developed the following policies in order to monitor, identify and eradicate all suspected security issues:
- Risk Assessment Policy
- Encryption Policy
- Remote Access Policy
- Data Center Security Policy
- Software Development Lifecycle Policy
- Security Incident Response Policy
- Disaster Recovery Policy
- Availability Policy
Policies and procedures are in place and can be shared upon request.
Loops is SOC 2 Type II compliant, with auditing performed by Ernst & Young. The certification report, as well as our annual penetration testing report, can be shared upon request.
Have any questions? We’ll be happy to answer them. Send an email to support@getloops.ai.