Atlassian acts as the data controller for account and usage data but acts as a data processor for content that enterprise customers upload or generate, meaning your employer (not Atlassian) may be the party legally responsible for certain decisions about your data.
This analysis describes what Loom's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
In enterprise Loom deployments, your employer controls key data decisions, which means your individual rights requests may need to go to your employer first rather than directly to Atlassian.
Interpretive note: The controller/processor distinction language could not be directly extracted from the truncated HTML; this provision is inferred from Atlassian's known enterprise privacy and DPA framework as applicable to Loom.
If you use Loom through your employer, your organization may be the data controller for your video recordings and workspace data, affecting where and how you can exercise deletion or access rights; individual employees should contact their IT or legal team to understand how Loom data is governed within their organization.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
Loom has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
1) REGULATORY LANDSCAPE: The controller/processor distinction is foundational to GDPR compliance under Articles 4, 24, and 28. Where Atlassian acts as processor, the enterprise customer bears Article 24 controller responsibilities including ensuring a lawful basis for processing, honoring data subject rights, and maintaining records of processing activities. UK GDPR mirrors these obligations for UK-based organizations. 2) GOVERNANCE EXPOSURE: High. The dual-role structure creates compliance complexity for enterprise customers who may not have fully mapped their Loom deployment as a data processing activity under their own records of processing activities (Article 30). Organizations that deploy Loom for customer-facing recordings face particular exposure as the controller responsible for obtaining consent from third parties who appear in recordings. 3) JURISDICTION FLAGS: EU/EEA enterprise customers must have a valid DPA with Atlassian under GDPR Article 28 before using Loom for personal data processing. UK organizations require an equivalent arrangement under UK GDPR. California enterprise customers should confirm CCPA service provider agreement terms are in place to prevent Atlassian from using customer data outside the service scope. 4) CONTRACT AND VENDOR IMPLICATIONS: The DPA is the key contractual instrument governing the processor relationship. Enterprise teams should confirm the DPA explicitly covers Loom as a covered service, specifies data retention and deletion obligations, addresses AI feature data use, and includes provisions for data subject rights assistance. The DPA should also address sub-processor change notification timelines. 5) COMPLIANCE CONSIDERATIONS: Enterprise compliance teams should update their data processing inventories to reflect Loom as a processing activity, document the lawful basis for any employee monitoring or recording use cases, and ensure their privacy notices to employees and customers adequately describe Loom data collection. Organizations in regulated sectors should assess whether the processor arrangement satisfies sector-specific requirements (e.g., financial services record-keeping, healthcare confidentiality).
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
In enterprise Loom deployments, your employer controls key data decisions, which means your individual rights requests may need to go to your employer first rather than directly to Atlassian.
If you use Loom through your employer, your organization may be the data controller for your video recordings and workspace data, affecting where and how you can exercise deletion or access rights; individual employees should contact their IT or legal team to understand how Loom data is governed within their organization.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Loom.