Security at Loomly is important as we value our users' data. You’ll find below an high-level overview of the security practices put in place to achieve that objective.
PCI-compliance
Payment transactions are outsourced to Stripe which is certified as a PCI Level 1 Service Provider.
Data Processing
As stated in our Privacy Policy, Loomly.com acts as the data processor (under GDPR) or service provider (under CCPA) with respect to the personal data processed by us in connection with your use of the Services.
Additionally, our DPA supplements our Terms of Service and Privacy Policy insofar as they relate to our processing of data subject to the GDPR and the CCPA.
Data Storage
Your credentials are encrypted through hashing, and all information uploaded to or transiting through our platform is encrypted through SSL Certificates ("https"). In addition, on top of the built-in security layer of our application, our engineering team performs constant software updates, protecting your information from bugs and vulnerabilities.
We do not store any credentials for social media accounts. Loomly allows you to connect social accounts to your calendars through an industry-standard process called OAuth, which was designed to avoid sharing credentials and limit access scope.
Those who have access to the social accounts can log in to Loomly where they are able to connect the social accounts to Loomly without ever providing Loomly (or anyone else) with the social account credentials.
Instead, what happens is Loomly redirects the user to the social network, where they can log in to their account and grant Loomly the necessary permissions before being redirected back to Loomly.
If the social account owner is not you, then the safest way to proceed is to invite that person to the calendar (for instance with a role of Editor). Once a member of the calendar, they can connect their social accounts to the calendar - this way, they will not need to share their credentials with you.
Retention policy
Loomly stores all your created content (media & posts created within Loomly) for as long as you need it, regardless of your plan and how long you've used Loomly.
However, for data such as analytics and interactions, Loomly will comply with the retention periods listed in the record retention schedule below.
1. Active calendars: a calendar is considered active if the owner has an active subscription or trial.
Interactions: Data will be stored for up to 182 days and we will actively delete Interactions data that is older than 182 days.
Analytics: Data will be stored for up to 24 months and we will actively delete Analytics data that is older than 24 months.
2. Inactive calendars: a calendar is considered inactive after the owner’s subscription or trial ends.
Interactions: Data will be stored for up to 182 days after the churn or expiration date. We will actively delete data that is older than 182 days.
Analytics: Data will be stored for up to 30 days after the churn or expiration date. We will actively delete data that is older than 30 days.
Penetration testing
Loomly’s platform is subjected to annual penetration testing performed by an independent third party.
Authentication
As best practices, we highly recommend never to reuse passwords when updating them.
Additionally, Loomly users can set up two-factor authentication to add an extra layer of security to your account. Loomly supports apps like Google Authenticator and others that implement the Time-based One-time Password Algorithm (TOTP).
If your question has not been answered in this article, please contact us here.