Loom Terms & Policies
Legal & Privacy FAQ
Last updated: October 14, 2022
This page contains an overview of Loom’s customer terms and privacy practices to address frequently asked questions and provide more information about our service and use of customer data. This document is (a) for informational purposes only; (b) represents Loom’s current product offerings and practices, which are subject to change and (c) does not create any commitments or assurances from Loom or its suppliers or licensors. This document is not part of, nor does it modify, any agreement between Loom and its customers.
Loom is a video messaging tool that helps its customers communicate through instantly shareable videos. Our service is available through our web, mobile, and desktop apps, browser extensions, and SDKs. We have dedicated Support and Customer Success teams to help our customers adopt and use Loom within their organization.
As a SaaS business, we do not:
- Provide tangible items, such as computer hardware.
- Provide on-premise software or hosting.
- Provide professional or consulting services, work product, or customized software.
- Access our customer’s computer systems or physical premises.
Loom’s online Terms of Service located at loom.com/terms serves as the contract between our Starter and Business customers and Loom. We also have an offline Services Agreement that serves as the contract between our Enterprise customers and Loom and overrides our online Terms of Service.
Customers may sign an order form in connection with their Loom purchase. The Order Form references both our Terms of Service and our Services Agreement and notes that if a customer has signed a Services Agreement with Loom, that agreement will govern instead of the Terms of Service. Below we’ll refer to both of these contracts as our “Services Agreement.”
Additional legal information and documentation is available at loom.com/legal.
Services Agreement FAQ
Will Loom sign a customer’s vendor agreement?
Generally, no. Our Services Agreement is tailored for the type of service we provide. Customer vendor contracts tend to be one-size-fits-all agreements that are written broadly in order to cover a wide range of vendors and they probably do not have the right terms for our us and our service. For that reason, the negotiation process for customer agreements will take much longer on customer paper, and our redlines to the agreement will be significant. It will save everyone time (and therefore money!) to use Loom’s Services Agreement.
Will Loom negotiate its Services Agreement?
Loom will only negotiate its Services Agreement for purchases that exceed a certain amount in annual recurring revenue (ARR). Loom has a very small legal team and we are only able to allocate legal resources to negotiate customer Services Agreements over a certain amount of ARR. Please check with your Loom representative to see if your purchase qualifies.
Does Loom have a Data Processing Addendum (DPA)?
Yes, our DPA is incorporated by reference into our Services Agreement. It is also available online at loom.com/dpa.
Does Loom have a Security Exhibit?
Yes, our Security Measures at loom.com/security-measures are incorporated by reference into our Services Agreement.
Will Loom agree to a customer’s security requirements and policies?
Our Security Measures at loom.com/security-measures are incorporated into our Services Agreement automatically and provide a comprehensive overview of our security practices. Please review that page as well as our SOC 2, Type 2 report (available at trust.loom.com) to see if they meet your needs. If there are missing or additional security requirements not covered by those resources, we can review requested modifications to our security terms for customers that meet our ARR threshold for negotiation (see above). We cannot agree to comply with customer policies generally because these can be changed at any time, and we do not have the resources to continuously monitor customer policies to ensure compliance.
Does Loom have a Service Level Agreement (SLA)?
Yes, but we only provide our SLA to certain Enterprise customers. Please ask your Loom representative if you qualify.
Will Loom accept changes to its SLA?
Our SLA contains our commitment to availability for our service and your remedies in the unlikely event that we do not meet our commitment. The SLA is drafted to reflect our team’s methodology for calculating availability for all SLA customers across the board. For these reasons, we are unable to negotiate our SLA.
Does Loom have Standard Contractual Clauses (SCCs) for data transfers out of Europe, Switzerland, and the United Kingdom?
Yes, our Standard Contractual Clauses (SCCs) (sometimes called Model Contractual Clauses or MCCs) are incorporated into our DPA at loom.com/dpa. Loom’s DPA contains Controller-to-Processor SCCs for customers that operate as controllers and Processor-to-Processor SCCs for customers that operate as processors. These are the latest SCCs from the European Commission, dated June 4, 2021.
Does Loom have a UK Addendum data transfers out of the United Kingdom?
Yes, our UK Addendum incorporated into our DPA at loom.com/dpa. This is the UK Addendum from the Information Commissioner’s Office, in force as of March 21, 2022.
Can Customer affiliates sign up for Loom’s Service under the same agreement?
Yes. Customer affiliates can be bound by the main Services Agreement. Affiliates may either independently sign their own order forms, or be provisioned licenses by a customer signing up for Loom under the customer’s order form.
Does Loom allow termination for convenience?
No. As a subscription business, termination for convenience clauses cause revenue recognition and accounting issues for us, so we do not allow these types of clauses.
Will Loom delete customer data upon termination?
Our customers have the ability to delete their data from our service at any time, including on termination. After a customer deletes data, Loom permanently deletes that data from its systems within 30 days. If a customer does not delete its data or account upon termination, the customer’s account will turn into a free account and Loom’s online Terms of Service and Data Processing Addendum will apply. Loom will not proactively delete customer data upon termination.
Can Loom agree to store data only in the EU or U.S.?
We currently only store data, including personal data and videos recorded with Loom, at rest in the U.S. and we do not plan to store data anywhere outside of the U.S. We cannot promise that this will always be the case, but if we decide to move customer data outside of the U.S., we will provide prior written notice.
What kind of indemnification does Loom provide?
Loom will indemnify our customers for third-party claims that our customer’s use of our service has infringed on a valid U.S. intellectual property right.
Will Loom accept unlimited liability for things like indemnity, data breach, or breaches of confidentiality?
No. Loom does not accept unlimited liability. Under our contracts, both our and our customers’ liability is limited to 12 months’ fees paid. As a customer’s spend scales with Loom, our liability will increase proportionately.
Can Loom notify a customer of a data breach within a specific time frame?
Loom will notify customers "without undue delay" (as is required by GDPR), but we generally can't commit to a specific timeframe. In the event of a security incident, Loom will prioritize fixing the issue first and notifying affected customers. Data breaches usually affect multiple customers, so we have one breach analysis and notification process that we apply to all customers so we can notify all affected customers as soon as possible. For these reasons, we cannot commit to a specific timeframe for notifying any one customer.
Can Loom send notices to a specific address and/or email alias?
Loom can send legal notices to a specific address and/or email alias. However, all product and security related notices, including security incident notifications, must be sent to the email of the administrator of the customer’s account.
What types of personal data does Loom process?
- Name, email address, and other account data;
- Video, audio, transcript data, and comments containing personal data;
- Transaction logs for transactions conducted by users using the Loom service;
- Information about the hardware and software used to access the Loom service;
- Information and analytics about use of the Loom service;
- Employee authentication information, such as user ID and department information; and
- Other personal data voluntarily uploaded or submitted by our customers to Loom.
Is Loom a controller or processor under GDPR?
Loom is a processor of personal data under GDPR and a service provider under CCPA for the videos and content uploaded to Loom by customers. Loom offers a Data Processing Addendum, which is incorporated by reference into our Services Agreement and is available online at http://www.loom.com/dpa to allow us to process personal data on behalf of customers.
Where is data hosted and stored?
All data is hosted and stored at rest within an AWS US region.
Does Loom have backdoor data sharing with government entities?
No. Loom does not provide backdoor data sharing with government entities. As a U.S. company, Loom must comply with U.S. laws and respond to law enforcement requests when legally required to do so. However, Loom only responds to valid legal process (i.e., court order, warrant or subpoena). We scrutinize all government requests for consistency with applicable law and challenge any deficiencies.
How does Loom use aggregated data?
We use aggregated and anonymized data to debug issues, and to provide, protect, promote, and improve our service for our customers.
How long does Loom keep or retain data once a user deletes it?
When you sign up for an account with Loom, we’ll retain data you store on our service for as long as your account exists or as long as we need it to provide you our service. If you delete your account, we will delete your data, including your videos, within 30 days, except we may retain some information as necessary to comply with our legal obligations, resolve disputes, or enforce our agreements.
Does Loom use the actual content of videos for advertising?
No. Loom does not use video content for advertising purposes. We store encrypted video files in our own AWS instance. Where can I find a list of Loom's subprocessors?
Our subprocessors are listed on our Privacy for Humans page at loom.com/privacy.
Will Loom notify me of updates to its subprocessor list?
Loom provides a RSS feed URL at loom.com/privacy for customers to be notified of updates made to that page, which contains our list of subprocessors. When we update our list of subprocessors, customers can receive notice of the update through the RSS feed.
For information about our security practices and compliance certifications, please see our Trust Center at trust.loom.com. There you can request a copy of our SOC 2 report, penetration testing report, security whitepaper, and other security materials.