// Trust & Security Report
Bending Spoons S.p.A.
Loomly is an AI-powered social media management platform for content planning, creation, scheduling, collaboration, and analytics across 30+ social channels (Facebook, Instagram, LinkedIn, TikTok, YouTube, Pinterest, etc.).
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on loomly.com“This Privacy Policy applies in accordance with Regulation (EU) 2016/679 – General Data Protection Regulation ('GDPR'). The DPA explicitly incorporates GDPR requirements and uses Standard Contractual Clauses for international transfers.”
> Show 6 unconfirmed / not-held certifications
source: loomly.comNo public evidence. Loomly's security page references AWS infrastructure certifications but does not claim independent SOC 2 audit. Nudge Security lists this unverified.
source: loomly.comNo public evidence. AWS data centers hold ISO 27001, but Loomly itself does not claim this certification. Nudge Security lists this unverified.
source: loomly.comNo public evidence. Loomly is a social media management tool (not a healthcare product); HIPAA compliance is out of scope. Nudge Security lists this unverified.
source: loomly.comStripe (PCI DSS Level 1) handles payment processing, but this is the payment processor's certification, not Loomly's. Loomly does not hold independent PCI DSS certification.
source: loomly.comNo public evidence. Not mentioned on Loomly or Bending Spoons sites. Nudge Security lists this unverified.
source: loomly.comNo public evidence. Not mentioned on Loomly or Bending Spoons sites. Nudge Security lists this unverified.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Not specified. International transfers use EU Adequacy Decisions or Standard Contractual Clauses per DPA. No data residency options documented.
Loomly explicitly states: 'Your data is used temporarily to generate outputs and is not used to train or improve AI models.' No shared datasets are created across users. 'Initial Content Analysis' is performed when users connect accounts to tailor AI outputs, but this is not used for training or sold.
// Security controls
Authentication
Two-factor authentication (2FA) support; Google SSO integration; 2FA required for production systems
loomly.comPenetration Testing
Annual third-party penetration testing; continuous vulnerability scanning
loomly.comAccess Control
Least privilege principle enforced; personnel receive security training; multi-availability zone deployment
loomly.comDevelopment/Production Segregation
Environment segregation enforced; no customer data in development
loomly.comInfrastructure Provider
AWS with ISO 27001, SOC 1/2/3, PCI DSS Level 1 certifications (provider certs, not Loomly's own)
loomly.comPayment Processing
Stripe (PCI DSS Level 1 compliant) - processor certification, not Loomly's
loomly.com// Products & data scope
data: Social media content, scheduling data, analytics, user account information, connected social media credentials (via OAuth, not stored)
Includes AI assistant for post generation, social listening, engagement management, collaboration workflows, and performance analytics. Available via web and mobile apps. Not a healthcare product; HIPAA out of scope.
// What to watch
- Identity verification: Loomly is owned by Bending Spoons S.p.A. (Milan, Italy) as of January 2025 acquisition. Previously owned by Traject (acquired 2021). Originally founded 2016.
- Infrastructure vs. Vendor Certs: Security page references AWS certifications (ISO 27001, SOC 1/2/3, PCI DSS) - these are AWS infrastructure provider certs, NOT Loomly's own certifications.
- Unverified claims on Nudge Security: Nudge Security lists Loomly as SOC 2, ISO 27001, HIPAA, FedRamp, CSA STAR Level 1 compliant - but these claims have empty source links and are NOT documented on Loomly or Bending Spoons official sites.
- No public trust center: Unlike enterprise-grade vendors, Loomly/Bending Spoons do not maintain a published trust center or security audit portal.
- DPA accessibility: Privacy Policy and DPA both initially returned 404 errors but are accessible via search; consider improving discoverability.
- Data residency: No residency options offered; may be a concern for enterprises requiring specific data localization (e.g., GDPR right to localization is not explicitly addressed).
- HIPAA: Not applicable. Loomly is a social media management tool, not a healthcare product. Nudge Security listing is irrelevant.
- New ownership (Jan 2025): Recent acquisition by Bending Spoons may affect certification roadmap and compliance posture; recommend re-verification in 12 months.
// At a glance
Pricing model
Freemium with paid tiers (free trial available; specific pricing tiers not documented in assessment)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Bending Spoons S.p.A.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
loomly.com