// Trust & Security Report
Atlassian Corporation Plc (acquired Loom, Inc.)
Loom is a video messaging and asynchronous communication platform offering screen recording, video hosting, AI-powered transcription, and analytics. Key features include screen/camera recording, video editing, sharing/embedding, transcription in 50+ languages, and enterprise features like SSO, SCIM, custom data retention, and AI workflows (Jira integration, SOP generation).
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on atlassian.com“SOC2 Type II for Loom dated March 31, 2024. Available for download from Atlassian's trust portal.”
Verify on atlassian.com“Loom achieved SOC 2 Type I compliance (announced January 7, 2021, completed December 2020). Loom underwent an independent third-party audit and successfully implemented controls across infrastructure, HR operations, device management, incident response, vulnerability management, and third-party risk.”
Verify on atlassian.com“Loom is covered under Atlassian's ISO/IEC 27001:2022 certification. All Atlassian products listed including Loom operate under the Atlassian Trust Management System (ATMS), which defines how Atlassian manages security in accordance with ISO/IEC 27001:2022 standards.”
Verify on support.atlassian.com“Loom is GDPR-compliant for all users. Atlassian complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework.”
Verify on atlassian.com“Atlassian (parent company) complies with CCPA and CPRA commitments in the Data Processing Addendum, which applies to Loom. Atlassian does not sell or share personal information processed as a service provider. California residents have rights including data access, deletion, and opt-out requests.”
> Show 8 unconfirmed / not-held certifications
source: support.atlassian.comLoom currently is not able to sign Business Associate Agreements in support of customers' compliance with the Health Insurance Portability and Accountability Act (HIPAA). Do not send protected health information to Loom if doing so would breach HIPAA obligations.
No public evidence of PCI DSS certification found on vendor domain.
No public evidence of FedRAMP certification found on vendor domain.
No public evidence of ISO 27017 certification found on vendor domain.
No public evidence of ISO 27018 certification found on vendor domain.
No public evidence of ISO 27701 certification found on vendor domain.
No public evidence of ISO 42001 certification found on vendor domain.
No public evidence of CSA STAR certification found on vendor domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
AWS (primarily US/EU depending on account)
Atlassian may use de-identified and aggregated customer data to improve products, but commits to keeping such data in de-identified form and will not attempt to re-identify. OpenAI integration: OpenAI does not train on Loom transcripts; they retain transcripts for a maximum of 30 days. No evidence that Loom trains AI models on customer videos or personal data.
// Security controls
Encryption in Transit
All data uploaded over SSL-encrypted websocket. Videos are encrypted in transit.
support.loom.comEncryption at Rest
Text-based data including names, notifications, passwords, linked accounts, video names, comments, and transcripts stored on encrypted database at rest in AWS.
support.loom.comInfrastructure
Servers sit behind secure firewall. Encryption on all company-owned devices. Multiple security measures implemented.
loom.comAccess Controls & Authentication
SSO and SCIM support for enterprise deployments. Video privacy controls, custom privacy settings available.
loom.comPenetration Testing
Annual penetration testing on Cloud and Software Products. Proactive bug bounty programs for vulnerability detection and mitigation.
support.loom.comData Segregation
Customer data logically segregated from other customers' data. Multi-tenant architecture with isolation controls.
atlassian.comIncident Response
Comprehensive incident response program implemented. Security incident investigation and resolution processes in place.
atlassian.comData Retention
Custom data retention policies available for enterprise. Enterprise customers can set custom retention. Following termination, Atlassian deletes customer personal data per legal/backup requirements.
loom.com// Products & data scope
data: Personal use, basic features, 10 free videos per month
Basic screen recording, sharing, comments. Full GDPR compliance. No custom data retention.
data: Team use, advanced features, unlimited videos
Includes AI transcription, video library, custom branding, integrations (Slack, Google Workspace, Microsoft Teams). GDPR compliant. SOC 2 Type II, ISO 27001.
data: Organization-wide, governance features, custom integrations
SSO, SCIM, custom data retention policies, Loom HQ (video hosting), advanced security controls, dedicated support. SOC 2 Type II, ISO 27001. GDPR compliant. Not HIPAA compliant.
data: Programmatic video access via API
REST API for integrations. Subject to same security and compliance standards as main product.
// What to watch
- Loom is now acquired by Atlassian Corporation Plc (2023). Some certifications and compliance postures are shared with parent company; verify that you need Loom-specific compliance, not just Atlassian-wide.
- Loom.com domain redirects (308/302) to Atlassian.com for security, privacy, and DPA pages. All security/compliance pages are hosted on Atlassian domain.
- No standalone Loom trust center; Atlassian's trust center at https://customertrust.atlassian.com/ covers all products including Loom.
- HIPAA not supported: Loom cannot sign BAAs and should not be used for PHI. Explicitly communicated to customers.
- SOC 2 Type II report is dated March 31, 2024 — relatively current. Type I superseded by Type II.
- AI training posture: Atlassian uses only de-identified/aggregated data for product improvement. Customer videos and personal data are not used for model training.
- OpenAI integration for transcription: OpenAI does not train on Loom transcripts (30-day retention max).
// At a glance
Pricing model
Freemium (free tier with 10 videos/month) + subscription tiers: Business ($12-15/user/month), Enterprise (custom pricing)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Atlassian Corporation Plc (acquired Loom, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
atlassian.com