Information Security & Data Protection Addendum

Last Updated: December 2023

This Information Security and Data Protection Addendum (this “Addendum”) is governed by and is incorporated by reference into the existing Master Services Agreement, as the case may be (the “Agreement”) between Customer and Loopio Inc. (“Loopio”). In the event of any conflict between this Addendum and the Agreement, this Addendum shall prevail to the extent of any inconsistency.

  1. Loopio shall maintain and implement the following specific security measures in dealing with Customer data in order to protect against unauthorised or accidental access, loss, alteration, disclosure, or destruction of such data and against all other unlawful forms of processing:
    1. Security Policies and Procedures: Loopio shall maintain a documented approach to information security, referred to as an Information Security Management System (ISMS). The ISMS consists of policies, standards, procedures, training and other controls that operationalize the safeguards necessary to protect Customer’s Confidential Information and Personal Information in accordance with Applicable Laws.
    2. Segregation of Duties: Loopio shall ensure that conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of Customer’s Confidential Information and Personal Information. Whenever it is not possible to segregate, other mitigating controls such as monitoring of activities, audit trails and management supervision shall be implemented.
    3. Background Checks: Loopio shall conduct background checks on all of its employees assigned to Customer under this Agreement as permitted by applicable law. Background checks are comprised of a criminal background investigation, including a search for an indication of the existence of criminal convictions for which a pardon has not been granted, and education verification.
    4. Acceptable Use of Assets: Loopio shall maintain policies for the acceptable use of assets storing Customer’s Confidential Information and Personal Information including associated information processing facilities.
    5. Security Breach: Loopio shall provide Customer notice within 48 hours of any Security Breach relating to the Loopio Solution which impacts Customer’s Confidential Information or Personal Information. Customer acknowledges that Loopio may have separate notification duties under Applicable Law. A Security Breach shall mean any incident of unauthorized or accidental disclosure of or access to any Personal Information by any of its staff, sub-processors, or any other identified or unidentified third party.
    6. Intrusion Prevention: Loopio shall ensure that its security infrastructure is consistent with industry standards for malware protection, firewalls, and intrusion prevention technologies to prevent any unauthorized access to, or compromise of, Loopio’s network, systems, servers, and applications.
    7. Security Awareness Training: Loopio shall implement and maintain appropriate awareness education and training, with regular updates on organizational policies and procedures as relevant to each person’s job function, regarding the handling and securing of Confidential Information and Customer’s Personal Information consistent with Applicable Law.
    8. Physical Access Controls: With respect to its general office premises, Loopio shall establish limits on physical access to information systems and facilities using physical controls that provide reasonable assurance that access is limited to authorized individuals.
    9. Logical Access Controls: Loopio shall restrict and track access to Customer’s Confidential Information and Personal Information to only those personnel whose access is necessary to perform the services under the Agreement, in accordance with the principles of ‘Need to Know’ and ‘Least Privilege’. Loopio shall implement and maintain logging and monitoring technology to help detect and prevent unauthorized access attempts to networks and production systems. Loopio shall conduct periodic reviews of changes affecting systems handling authentication, authorization, and auditing, and of privileged access to production systems. Loopio shall ensure that upon termination of any personnel, the terminated individual’s access to any of Customer’s Confidential Information and Personal Information on Loopio’s systems will be immediately revoked.
    10. Vulnerability Management: Penetration testing of the Loopio Solution is performed at least annually. The tests are performed externally by a reputable external organization. Automated vulnerability scans of the Loopio Solution are performed periodically to identify, mitigate and remediate any vulnerabilities.
    11. Information Backup: Loopio shall backup Customer’s Confidential Information and Personal Information in a periodic and timely manner.
    12. Encryption: Loopio shall use strong encryption measures to encrypt Customer’s Confidential Information and Personal Information while at-rest within Loopio data processing facilities and while in-transit across public networks.
    13. Business Continuity and Disaster Recovery: Loopio shall maintain a business continuity plan (BCP) and disaster recovery plan (DRP) in accordance with industry standards, and shall test each plan at least once per year.
    14. Audit Standards: Loopio shall periodically assess the administrative, technical and physical information safeguards for Confidential Information and Personal Information at least once per year during the term of the Agreement under the standards for Reporting on Controls at a Service Organization (SOC 2) published by the American Institute of CPAs (AICPA). A copy of Loopio’s most recent SOC 2 report will be made available to Customer upon written request.
  2. We may update this Addendum by posting a revised copy at https://loopio.com/legal/infosec-addendum/. The revised version will become binding and effective on the next business day after it is posted. Loopio will provide Customer with notice of the revision by email or in-app notification. Customer’s continued use of or access to the products, services or features governed by this Addendum after the date the updated Addendum becomes binding and effective will constitute Customer’s acceptance of those terms. If Customer objects to the revisions, notice must be provided to Loopio at legal@loopio.com within thirty (30) days after the revised Addendum becomes binding and effective. If Customer provides such notice, then Customer’s subscription will continue to be governed by the Addendum in place prior to modification until Customer’s next renewal date, after which the revised version shall govern.
