Information Security & Data Protection Addendum
Last Updated: March 2025
This Information Security and Data Protection Addendum (this “Addendum”) forms part of the applicable Master Services Agreement (the “Agreement”) between Customer and Loopio Inc. (“Loopio”) and outlines the terms and conditions regarding Loopio’s information security and data protection program in compliance with applicable data protection laws.
In the event of any conflict between this Addendum and the Agreement, this Addendum shall prevail to the extent of any inconsistency. Capitalized terms used in this Addendum, and not otherwise defined herein, shall have the meaning set out in the Agreement.
- Data Privacy. As set out in the Agreement, Loopio’s collection, use, storage, and sharing of Customer’s Personal Data will be treated in accordance with Loopio’s Privacy Policy, available at: https://loopio.com/privacy/ (as may be updated from time to time) or an applicable Data Processing Agreement (“DPA”).
- Subprocessing. Loopio will ensure all subprocessors are a party to a DPA which complies with the same data protection obligations as set out in this Addendum. A list of Loopio’s approved subprocessors is available upon request from Loopio.
- Security Measures. Loopio will implement and maintain the following technical and organizational security measures to protect all of Customer’s Confidential Information, which includes Personal Data and Customer Content, against unauthorised access, loss, alteration, disclosure, or destruction.
- Security Policies & Procedures. Loopio will maintain a documented approach to information security, referred to as an Information Security Management System (“ISMS”). The ISMS includes a comprehensive set of policies, standards, procedures, training and other operational controls designed to implement and maintain the necessary safeguards required to protect Confidential Information in compliance with Applicable Law.
- Segregation of Duties. Loopio will ensure the segregation of conflicting duties and areas of responsibility to minimize the risk of any unauthorized or unintentional modification or misuse of Confidential Information. Where segregation is not feasible, alternative mitigating controls – such as monitoring of activities, audit trails and management supervision – will be implemented.
- Background Checks. Loopio will conduct background checks on all employees assigned to the Customer under the Agreement, as permitted by Applicable Law. These background checks will include (i) a criminal background investigation, including to identify any unpardoned criminal convictions, (ii) verification of educational credentials, and (iii) verification of employment background.
- Acceptable Use of Assets. Loopio will maintain policies governing the acceptable use of company assets that store Confidential Information.
- Security Breach. A “Security Breach” means a breach of security leading to the unauthorized, accidental, or unlawful processing of Confidential Information, including but not limited to any unauthorized access, acquisition, use, disclosure, loss or modification of Confidential Information, or any other event that constitutes a “Breach” or “Personal Data Breach” or other similar term as defined under applicable data protection law. Loopio will provide Customer notice within 48 hours of a Security Breach relating to the Services that impacts Confidential Information. The Customer acknowledges that Loopio may have separate notification obligations under Applicable Law or its contractual obligations.
- Intrusion Prevention. Loopio will ensure that its security infrastructure is consistent with industry standards for malware protection, firewalls, and intrusion prevention technologies to prevent any unauthorized access to, or compromise of, Loopio’s network, systems, servers, and applications.
- Security Awareness Training. Loopio will implement and maintain appropriate awareness education and training, including regular updates to organizational policies and procedures, as relevant for Loopio employees’ job functions, regarding the handling and securing of Customer’s Confidential Information. Security awareness and training will be conducted pursuant to and in accordance with Applicable Laws, including but not limited to the recent Digital Operational Resilience Act (DORA).
- Physical Access Controls. If applicable, Loopio will implement and maintain physical controls at its corporate offices to restrict access to information systems and facilities, ensuring that access is reasonably limited to authorized individuals.
- Logical Access Controls. Loopio will restrict and monitor access to Confidential Information, granting access only to personnel whose roles require it to perform the Services, in accordance with the principles of ‘Need to Know’ and ‘Least Privilege’. Loopio will implement and maintain logging and monitoring technologies to detect and prevent unauthorized access attempts to Loopio’s networks and production systems. Loopio will conduct periodic reviews to assess changes affecting authentication, authorization, auditing processes, and privileged access to production systems. Upon termination of any personnel, Loopio will immediately revoke the individual’s access to all Loopio systems, including but not limited to those which grant access to Confidential Information.
- Vulnerability Management. Loopio will perform annual penetration testing of the Loopio Services. The tests are performed externally by a reputable third-party organization. Automated vulnerability scans of the Loopio Services are performed periodically to identify, mitigate and remediate any vulnerabilities.
- Information Backup. Loopio will back up Confidential Information daily to a separate online data center. All data is encrypted using PGP keys (RSA 4096) and transmitted over HTTPS. Additionally, customer administrators can back up and export content from the Services. Administrators can set an automatic backup cycle for the library at a preferred frequency or perform manual backups at any time.
- Encryption. In accordance with its Encryption Management Policy, Loopio will use strong encryption measures to encrypt Confidential Information while at rest within Loopio data processing facilities and while in transit across public networks.
- Business Continuity & Disaster Recovery. Loopio will maintain a business continuity plan (BCP) and disaster recovery plan (DRP) in accordance with industry best standards. Each plan is tested at least annually. The adequacy of Loopio’s BCP and DRP documentation and procedures is reviewed and validated by independent third-party auditors as part of Loopio’s SOC 2 Audit and ISO 27001 and ISO 9001 certifications.
- Audit Standards. Loopio will periodically evaluate its administrative, technical and physical safeguards for Confidential Information. At least annually, Loopio conducts comprehensive assessments to ensure compliance with (i) Standards for Reporting on Controls at a Service Organization (SOC 2) published by the American Institute of CPAs (AICPA), (ii) ISO 27001 and (iii) ISO 9001. A copy of Loopio’s most recent SOC 2 Report is available upon Customer’s request.
- Third-Party Vendor Management. All third-party vendors engaged by Loopio to handle Confidential Information undergo a comprehensive Vendor Request Assessment. Vendor assessments include but are not limited to (i) assessing the scope of the vendor’s data processing activities, (ii) assessing the vendor’s information security program and ensuring the vendor is audited against applicable standards (e.g. SOC 2, ISO 27001), and (iii) assessing the vendor’s terms and conditions to ensure compliance with all applicable data protection standards and legal requirements.
- Loopio reserves the right to update this Addendum as necessary to reflect changes in our security practices, technology, and regulatory requirements. Any update by Loopio will not materially decrease the protections afforded to the Customer in the then-current version of the Addendum. The updated copy is available at https://loopio.com/legal/infosec-addendum/. The updated Addendum will become binding and effective on the next business day after it is posted. Customer’s continued use of or access to Loopio Services after the effective date of the updated Addendum constitutes acceptance of the updated terms. If the Customer objects to any revisions, written notice must be sent to Loopio’s Legal Team at legal@loopio.com within thirty (30) days of the effective date.
- Governing Law. This Addendum shall be governed by and construed in accordance with the laws set out in the Agreement.
- Questions. For questions or concerns regarding this Addendum, please contact Loopio’s Legal Team at legal@loopio.com.