// Trust & Security Report

    Atlassian Corporation Plc (acquired Loom, Inc.) logo

    Atlassian Corporation Plc (acquired Loom, Inc.)

    Loom is a video messaging and asynchronous communication platform offering screen recording, video hosting, AI-powered transcription, and analytics. Key features include screen/camera recording, video editing, sharing/embedding, transcription in 50+ languages, and enterprise features like SSO, SCIM, custom data retention, and AI workflows (Jira integration, SOP generation).

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC2 Type II for Loom dated March 31, 2024. Available for download from Atlassian's trust portal.

    Verify on atlassian.com
    SOC 2 Type I
    HELD

    Loom achieved SOC 2 Type I compliance (announced January 7, 2021, completed December 2020). Loom underwent an independent third-party audit and successfully implemented controls across infrastructure, HR operations, device management, incident response, vulnerability management, and third-party risk.

    Verify on atlassian.com
    ISO 27001:2022
    HELD

    Loom is covered under Atlassian's ISO/IEC 27001:2022 certification. All Atlassian products listed including Loom operate under the Atlassian Trust Management System (ATMS), which defines how Atlassian manages security in accordance with ISO/IEC 27001:2022 standards.

    Verify on atlassian.com
    GDPR
    HELD

    Loom is GDPR-compliant for all users. Atlassian complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework.

    Verify on support.atlassian.com
    CCPA/CPRA
    HELD

    Atlassian (parent company) complies with CCPA and CPRA commitments in the Data Processing Addendum, which applies to Loom. Atlassian does not sell or share personal information processed as a service provider. California residents have rights including data access, deletion, and opt-out requests.

    Verify on atlassian.com
    > Show 8 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    Loom currently is not able to sign Business Associate Agreements in support of customers' compliance with the Health Insurance Portability and Accountability Act (HIPAA). Do not send protected health information to Loom if doing so would breach HIPAA obligations.

    source: support.atlassian.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on vendor domain.

    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP certification found on vendor domain.

    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found on vendor domain.

    ISO 27018 (PII Protection)
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found on vendor domain.

    ISO 27701 (Privacy Management)
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found on vendor domain.

    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification found on vendor domain.

    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification found on vendor domain.

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    AWS (primarily US/EU depending on account)

    Atlassian may use de-identified and aggregated customer data to improve products, but commits to keeping such data in de-identified form and will not attempt to re-identify. OpenAI integration: OpenAI does not train on Loom transcripts; they retain transcripts for a maximum of 30 days. No evidence that Loom trains AI models on customer videos or personal data.

    // Security controls

    Encryption in Transit

    All data uploaded over SSL-encrypted websocket. Videos are encrypted in transit.

    support.loom.com

    Encryption at Rest

    Text-based data including names, notifications, passwords, linked accounts, video names, comments, and transcripts stored on encrypted database at rest in AWS.

    support.loom.com

    Infrastructure

    Servers sit behind secure firewall. Encryption on all company-owned devices. Multiple security measures implemented.

    loom.com

    Access Controls & Authentication

    SSO and SCIM support for enterprise deployments. Video privacy controls, custom privacy settings available.

    loom.com

    Penetration Testing

    Annual penetration testing on Cloud and Software Products. Proactive bug bounty programs for vulnerability detection and mitigation.

    support.loom.com

    Data Segregation

    Customer data logically segregated from other customers' data. Multi-tenant architecture with isolation controls.

    atlassian.com

    Incident Response

    Comprehensive incident response program implemented. Security incident investigation and resolution processes in place.

    atlassian.com

    Data Retention

    Custom data retention policies available for enterprise. Enterprise customers can set custom retention. Following termination, Atlassian deletes customer personal data per legal/backup requirements.

    loom.com

    // Products & data scope

    Loom FreeVideo Messaging - Consumer

    data: Personal use, basic features, 10 free videos per month

    Basic screen recording, sharing, comments. Full GDPR compliance. No custom data retention.

    Loom BusinessVideo Messaging - SMB

    data: Team use, advanced features, unlimited videos

    Includes AI transcription, video library, custom branding, integrations (Slack, Google Workspace, Microsoft Teams). GDPR compliant. SOC 2 Type II, ISO 27001.

    Loom EnterpriseVideo Messaging - Enterprise

    data: Organization-wide, governance features, custom integrations

    SSO, SCIM, custom data retention policies, Loom HQ (video hosting), advanced security controls, dedicated support. SOC 2 Type II, ISO 27001. GDPR compliant. Not HIPAA compliant.

    Loom APIVideo Messaging - Embedded

    data: Programmatic video access via API

    REST API for integrations. Subject to same security and compliance standards as main product.

    // What to watch

    • Loom is now acquired by Atlassian Corporation Plc (2023). Some certifications and compliance postures are shared with parent company; verify that you need Loom-specific compliance, not just Atlassian-wide.
    • Loom.com domain redirects (308/302) to Atlassian.com for security, privacy, and DPA pages. All security/compliance pages are hosted on Atlassian domain.
    • No standalone Loom trust center; Atlassian's trust center at https://customertrust.atlassian.com/ covers all products including Loom.
    • HIPAA not supported: Loom cannot sign BAAs and should not be used for PHI. Explicitly communicated to customers.
    • SOC 2 Type II report is dated March 31, 2024 — relatively current. Type I superseded by Type II.
    • AI training posture: Atlassian uses only de-identified/aggregated data for product improvement. Customer videos and personal data are not used for model training.
    • OpenAI integration for transcription: OpenAI does not train on Loom transcripts (30-day retention max).

    // At a glance

    Pricing model

    Freemium (free tier with 10 videos/month) + subscription tiers: Business ($12-15/user/month), Enterprise (custom pricing)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Atlassian Corporation Plc (acquired Loom, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    atlassian.com

    > Browse all vendor trust reports