Loop is on a mission to revolutionize how companies use feedback from their customers to make smarter, faster business decisions. To do so, we need to make sure your data is secure; protecting it is one of our most important responsibilities. Loop takes its commitment to safeguard this data seriously, making it a top priority in product design, system architecture, and internal processes. We’re committed to being transparent about our security practices and helping our customers feel confident that their businesses and customers are safeguarded.
All Loop employees are required to understand and follow internal policies and standards. Security training is mandated as part of the onboarding process, including device security, data privacy, account management, and incident reporting/escalation.
Standard best practices are used throughout our software development cycle from design to implementation, testing, and deployment. All code is checked into a permanent version-controlled repository. All changes released into production are logged and archived, and alerts are sent to the engineering team automatically. Access to Loop source code repositories requires strong credentials and two-factor authentication.
Members of the Loop team have substantial experience working with and building secure technology systems. We leverage industry best practices to prevent Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Clickjacking and other code injection attacks resulting from the execution of malicious content in the trusted web page context.
Loop requires users to create strong passwords. We use secure one-way hashes and other best practices to prevent brute force attacks. We encrypt data in transit and at rest.
Data Center & Network Security
Loop leverages Google Cloud data centers for all production systems and customer data. Google Cloud data centers meet the highest standards for cloud security. Google data center facilities maintain redundant power supplies and a strict physical security policy, permitting access only by authorized employees, under surveillance, with incident-specific approval for each physical access.
Loop divides its systems into separate networks using logically isolated Virtual Private Clouds in Google Cloud data centers. This setup protects sensitive data by providing isolation between machines in different trust zones. Systems supporting testing and development activities are hosted in a separate network from systems supporting Loop’s production website. Customer data only exists and is only permitted to exist in Loop’s production network, its most tightly controlled network. Network access to Loop’s production environment from open, public networks (the Internet) is significantly restricted. Only network protocols essential for making Loop’s service work are open at Loop’s perimeter. All network access between production hosts is restricted using security groups to only allow authorized services to interact in the production network. Our infrastructure and applications are monitored using standard health checks and log watchers. This helps detect systems that are malfunctioning as well as potential intrusions. Our on-call engineering team is responsible for investigating and addressing issues as they emerge.
Servers deployed to production are hardened by disabling unnecessary and potentially insecure services, removing default passwords, and applying Loop’s custom configuration settings before use.
All Production Network systems, networked devices, and circuits are constantly monitored by both Loop staff and automated incident detection systems. Infrastructure errors are monitored by Google and alert our engineering team.
To protect data in transit between Loop’s applications and our servers, Loop uses TLS during data transfer, creating a secure tunnel protected by 256-bit or higher Advanced Encryption Standard (AES) encryption. TLS is further used to encrypt the traffic between Loop servers and Loop databases within the same datacenter. In our web application, we flag all authentication cookies as Secure. All data at rest in Loop’s production network is encrypted using 256-bit Advanced Encryption Standard (AES).
Loop does not use conversational data for any purposes other than providing services to our customers. Users can further revoke access from Loop at any time and request all their data in Loop to be deleted.
No customer data persists on Loop employee laptops. We apply the principle of least privilege in all operations to ensure confidentiality and integrity of customer data. All access to systems and customer data within the production network is limited to those employees with a specific business need. A best effort is made to troubleshoot issues without accessing customer data; however, if such access is necessary, all actions taken by the authorized employee are logged. Upon termination of work at Loop, all access to Loop systems is immediately revoked.
Loop vets all third-party integration services and configures them to meet or exceed our own security standards. We leverage standard partner APIs so you can securely integrate your feedback data into Loop in a few simple steps. All Loop integrations use OAuth, or Open Authorization Standard 2.0, to securely retrieve your private data. OAuth is widely considered the standard for authorizing third parties to access data in an account (like Salesforce), because it allows signed-in users to securely grant access to a third party with control over the access level they would like to give them.
As a data processor, we aim to help our customers easily meet all requirements posed by their own regulatory and customer environments. For customers facing GDPR, CCPA, or LGPD requests, we will promptly produce records of stored information and respond to requests for data deletion with minimum disruption to ongoing services.
Disaster Recovery and Business Continuity
Loop customer data is regularly backed up each day to guard against data loss scenarios. All backups are encrypted both in transit and at rest using strong industry encryption techniques. All backups are also geographically distributed to maintain redundancy in the event of a natural disaster or a location-specific failure. Loop uses third-party monitoring services to track availability, with engineers on call to address any outages.