Security overview

Keeping customer data safe and secure is a huge responsibility and a top priority for us. Here’s how we make it happen.

Practices we have at Loomio

  • We never have and never will sell customer data.
  • We don’t run ads for other services in our products.
  • We limit the data we collect: if we don’t need it, we don’t ask for it.
  • We put a lot of security measures into place including in-transit encryption and encryption at-rest.
  • We do not access customer data unless granted permission by customer to support resolution of a problem, or if necessary to maintain the service.

Trustworthy staff

Employee and contractor agreements for people working at Loomio include confidentiality clauses to protect Loomio and customer confidential information. We treat all customer information and data as confidential, except for situations where a customer has explicitly made the information publicly accessible.

Loomio Limited is a for-profit social enterprise owned by worker-owned Loomio Cooperative. Loomio staff are either cooperative members or on a path to cooperative membership, and share the values and responsibilities of Loomio as business co-owners. You can read about us here.

Access to data is tightly controlled and protected internally within Loomio.

We protect your data

All data are written to multiple disks instantly, backed up daily, and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.

Loomio is open source software

This means the code is open to view, but your data is not. There are many benefits including that many people have read our code and review changes as they go in. We've got nothing to hide - there are no backdoors in Loomio. We do not hold your data to ransom, you can export your data at any time and run your own Loomio server.

Loomio software is licensed under the GNU Affero General Public License v3.0

Hosted Services

Loomio Limited operate services using Loomio software goverened by our Terms of Service.

LOOMIO.ORG

loomio.org is our most widely used service and available globally. Loomio.org is hosted on servers based in the USA operated by Heroku.

Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout the world. Heroku’s platform provides infrastructure management, scaling, security, monitoring and backups.

Heroku applies security best practices and manages platform security, protecting customers from threats. Heroku applies security controls at every layer from physical to application, isolating applications and data, and rapidly deploys security updates without customer interaction or service interruption.

More information can be found at Heroku’s security policy.

Heroku utilises ISO 27001 and FISMA certified data centres managed by Amazon. You can read about security at Amazon data centres at AWS Cloud Security.

Backup data and Recovery

Loomio.org backup and data recovery is managed by Heroku. The software and data is automatically backed up as part of the deployment process on secure, access controlled, and redundant storage. Heroku use these backups to deploy Loomio software and data across the platform and automatically bring the application back online in the event of an outage.

More information can be found at Heroku’s security policy.

Regional Services

LOOMIO.NZ

loomio.nz is a service running on Amazon Web Services (AWS) datacenters in Sydney, Australia.

This service is available only on request and approved for use for New Zealand Government data processing.

The service holds a Tier 3 security status. For more information read New Zealand Government cloud services Security Risk and Assurance.

LOOMIO.EU

Contact us to request further information.

Private host and Self-host Services

Loomio operates private hosted services for organizations around the world. A private database (non-shared) that is set up on a server and location of customer choice, configured to customer brand, logo and color palette, under customer domain name.

Loomio offers direct support for customers self-hosting Loomio. Contact us for more information.

Private and Self-host services ensure the highest level of security, configuration and flexibility for your organization.

Over 9 years in business.

We’ve been operating loomio.org since 2013. Security isn’t just about technology, it’s about trust. We’ve worked hard to earn the trust of hundreds of thousands of people world wide in tens of thousands Loomio groups. We’ll continue to work hard every day to maintain that trust. Longevity and stability is core to our mission at Loomio.