// Trust & Security Report

    Bending Spoons S.p.A. logo

    Bending Spoons S.p.A.

    Loomly is an AI-powered social media management platform for content planning, creation, scheduling, collaboration, and analytics across 30+ social channels (Facebook, Instagram, LinkedIn, TikTok, YouTube, Pinterest, etc.).

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR Compliance
    HELD

    This Privacy Policy applies in accordance with Regulation (EU) 2016/679 – General Data Protection Regulation ('GDPR'). The DPA explicitly incorporates GDPR requirements and uses Standard Contractual Clauses for international transfers.

    Verify on loomly.com
    > Show 6 unconfirmed / not-held certifications
    SOC 2 (Type 1 or 2)
    NOT CONFIRMED

    No public evidence. Loomly's security page references AWS infrastructure certifications but does not claim independent SOC 2 audit. Nudge Security lists this unverified.

    source: loomly.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. AWS data centers hold ISO 27001, but Loomly itself does not claim this certification. Nudge Security lists this unverified.

    source: loomly.com
    HIPAA
    NOT CONFIRMED

    No public evidence. Loomly is a social media management tool (not a healthcare product); HIPAA compliance is out of scope. Nudge Security lists this unverified.

    source: loomly.com
    PCI DSS
    NOT CONFIRMED

    Stripe (PCI DSS Level 1) handles payment processing, but this is the payment processor's certification, not Loomly's. Loomly does not hold independent PCI DSS certification.

    source: loomly.com
    FedRamp
    NOT CONFIRMED

    No public evidence. Not mentioned on Loomly or Bending Spoons sites. Nudge Security lists this unverified.

    source: loomly.com
    CSA STAR
    NOT CONFIRMED

    No public evidence. Not mentioned on Loomly or Bending Spoons sites. Nudge Security lists this unverified.

    source: loomly.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Not specified. International transfers use EU Adequacy Decisions or Standard Contractual Clauses per DPA. No data residency options documented.

    Loomly explicitly states: 'Your data is used temporarily to generate outputs and is not used to train or improve AI models.' No shared datasets are created across users. 'Initial Content Analysis' is performed when users connect accounts to tailor AI outputs, but this is not used for training or sold.

    // Security controls

    Encryption in Transit

    HTTPS/TLS enforced for all services

    loomly.com

    Encryption at Rest

    Industry-standard encryption algorithms (AES)

    loomly.com

    Social Credential Handling

    OAuth protocol used; credentials never stored by Loomly

    loomly.com

    Authentication

    Two-factor authentication (2FA) support; Google SSO integration; 2FA required for production systems

    loomly.com

    Penetration Testing

    Annual third-party penetration testing; continuous vulnerability scanning

    loomly.com

    Threat Detection

    AWS threat detection services; DDoS mitigation and edge protection

    loomly.com

    Access Control

    Least privilege principle enforced; personnel receive security training; multi-availability zone deployment

    loomly.com

    Development/Production Segregation

    Environment segregation enforced; no customer data in development

    loomly.com

    Infrastructure Provider

    AWS with ISO 27001, SOC 1/2/3, PCI DSS Level 1 certifications (provider certs, not Loomly's own)

    loomly.com

    Payment Processing

    Stripe (PCI DSS Level 1 compliant) - processor certification, not Loomly's

    loomly.com

    // Products & data scope

    Loomly Social Media Management PlatformSocial Media Management / AI Content Creation

    data: Social media content, scheduling data, analytics, user account information, connected social media credentials (via OAuth, not stored)

    Includes AI assistant for post generation, social listening, engagement management, collaboration workflows, and performance analytics. Available via web and mobile apps. Not a healthcare product; HIPAA out of scope.

    // What to watch

    • Identity verification: Loomly is owned by Bending Spoons S.p.A. (Milan, Italy) as of January 2025 acquisition. Previously owned by Traject (acquired 2021). Originally founded 2016.
    • Infrastructure vs. Vendor Certs: Security page references AWS certifications (ISO 27001, SOC 1/2/3, PCI DSS) - these are AWS infrastructure provider certs, NOT Loomly's own certifications.
    • Unverified claims on Nudge Security: Nudge Security lists Loomly as SOC 2, ISO 27001, HIPAA, FedRamp, CSA STAR Level 1 compliant - but these claims have empty source links and are NOT documented on Loomly or Bending Spoons official sites.
    • No public trust center: Unlike enterprise-grade vendors, Loomly/Bending Spoons do not maintain a published trust center or security audit portal.
    • DPA accessibility: Privacy Policy and DPA both initially returned 404 errors but are accessible via search; consider improving discoverability.
    • Data residency: No residency options offered; may be a concern for enterprises requiring specific data localization (e.g., GDPR right to localization is not explicitly addressed).
    • HIPAA: Not applicable. Loomly is a social media management tool, not a healthcare product. Nudge Security listing is irrelevant.
    • New ownership (Jan 2025): Recent acquisition by Bending Spoons may affect certification roadmap and compliance posture; recommend re-verification in 12 months.

    // At a glance

    Pricing model

    Freemium with paid tiers (free trial available; specific pricing tiers not documented in assessment)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Bending Spoons S.p.A.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    loomly.com

    > Browse all vendor trust reports