Atlassian acts as the data controller for account and usage data but acts as a data processor for content that enterprise customers upload or generate, meaning your employer (not Atlassian) may be the party legally responsible for certain decisions about your data.
This analysis describes what Loom's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
In enterprise Loom deployments, your employer controls key data decisions, which means your individual rights requests may need to go to your employer first rather than directly to Atlassian.
Interpretive note: The controller/processor distinction language could not be directly extracted from the truncated HTML; this provision is inferred from Atlassian's known enterprise privacy and DPA framework as applicable to Loom.
If you use Loom through your employer, your organization may be the data controller for your video recordings and workspace data, affecting where and how you can exercise deletion or access rights; individual employees should contact their IT or legal team to understand how Loom data is governed within their organization.
How other platforms handle this
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.
Docusign may be a 'data controller' or a 'data processor' (or both) depending on the type of personal information and the context in which it is processed. When Docusign determines the purpose and means of processing personal information, we act as a data controller. When Docusign processes personal...
Monitoring
Loom has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
1) REGULATORY LANDSCAPE: The controller/processor distinction is foundational to GDPR compliance under Articles 4, 24, and 28. Where Atlassian acts as processor, the enterprise customer bears Article 24 controller responsibilities including ensuring a lawful basis for processing, honoring data subject rights, and maintaining records of processing activities. UK GDPR mirrors these obligations for UK-based organizations. 2) GOVERNANCE EXPOSURE: High. The dual-role structure creates compliance complexity for enterprise customers who may not have fully mapped their Loom deployment as a data processing activity under their own records of processing activities (Article 30). Organizations that deploy Loom for customer-facing recordings face particular exposure as the controller responsible for obtaining consent from third parties who appear in recordings. 3) JURISDICTION FLAGS: EU/EEA enterprise customers must have a valid DPA with Atlassian under GDPR Article 28 before using Loom for personal data processing. UK organizations require an equivalent arrangement under UK GDPR. California enterprise customers should confirm CCPA service provider agreement terms are in place to prevent Atlassian from using customer data outside the service scope. 4) CONTRACT AND VENDOR IMPLICATIONS: The DPA is the key contractual instrument governing the processor relationship. Enterprise teams should confirm the DPA explicitly covers Loom as a covered service, specifies data retention and deletion obligations, addresses AI feature data use, and includes provisions for data subject rights assistance. The DPA should also address sub-processor change notification timelines. 5) COMPLIANCE CONSIDERATIONS: Enterprise compliance teams should update their data processing inventories to reflect Loom as a processing activity, document the lawful basis for any employee monitoring or recording use cases, and ensure their privacy notices to employees and customers adequately describe Loom data collection. Organizations in regulated sectors should assess whether the processor arrangement satisfies sector-specific requirements (e.g., financial services record-keeping, healthcare confidentiality).
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
In enterprise Loom deployments, your employer controls key data decisions, which means your individual rights requests may need to go to your employer first rather than directly to Atlassian.
If you use Loom through your employer, your organization may be the data controller for your video recordings and workspace data, affecting where and how you can exercise deletion or access rights; individual employees should contact their IT or legal team to understand how Loom data is governed within their organization.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Loom.