Security is not a feature.
It's the architecture.

Loam was built for sensitive company data from day one. Every query passes through permission checks. Every byte is encrypted. Your data is never used to train AI models.

AES-256 Encryption
Tenant Isolation
Zero AI Training
GDPR Compliant
Audit Logging

Security principles

Built into every layer of the platform, not bolted on after the fact.

Encrypted Everywhere

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Credentials and secrets are stored in isolated vaults, never in application code.

Tenant Isolation

Each customer gets a fully isolated environment. Your data, memory, and AI context are never shared with other customers.

Zero Training on Your Data

We never use your company data to train AI models. Your data is used exclusively to serve your queries and is never shared with third parties.

Least-Privilege Access

Internal access follows strict least-privilege principles. Production data requires explicit approval with full audit logging.

Data Residency

Enterprise customers can choose where their data is stored. We support regional deployments to meet local data sovereignty requirements.

Audit Logging

Every data access, permission check, and AI query is logged. Full audit trails are available for compliance reviews and security investigations.

AI that respects your boundaries

Unlike tools that give AI unrestricted access to everything, Loam's permission engine sits between the user and every piece of data. The AI literally cannot surface information the user isn't authorised to see.

  • Permissions checked before data is accessed, not after
  • Blocked queries never reach the knowledge base or LLM
  • Role-based, department-scoped, and manager-hierarchy rules
  • Compensation data restricted to self, HR, exec, and direct managers
  • Client financials restricted to account teams
  • Every permission decision is audit-logged

What the AI can and cannot do

Read knowledge base: Permission-filtered
Generate reports: Allowed
Access user profiles: Role-dependent
Send external messages: Requires approval
Raw shell / filesystem: Always blocked
Bypass permissions: Architecturally impossible

Compliance & certifications

Meeting the standards your organisation requires.

SOC 2 Type II

In Progress

Independent audit of our security controls, availability, and confidentiality practices.

GDPR

Compliant

Full compliance with EU data protection regulations. DPA available on request.

Data Encryption

Active

AES-256 encryption at rest, TLS 1.3 in transit. No unencrypted data at any point.

SSO / SAML

Enterprise

Single sign-on via SAML 2.0 and OIDC for enterprise customers. Integrate with your identity provider.

SCIM Provisioning

Enterprise

Automated user provisioning and deprovisioning synced with your directory.

Zero Data Retention

Active

LLM providers receive no persistent copy of your data. Queries are processed and discarded.

Responsible AI

We believe powerful AI requires equally powerful guardrails.

Bounded Autonomy

The AI operates within admin-defined boundaries. Capabilities are curated, not unrestricted. The agent is powerful but controlled.

Grounded Responses

Every AI response is grounded in your company data, not hallucinated. Sources are traceable and answers are verifiable.

Human-in-the-Loop

Sensitive actions require human confirmation. The AI suggests, the human decides. No automated actions on external systems without approval.

Transparent Decision-Making

When the AI blocks a query or restricts access, it tells you why. Permission decisions are never opaque.

Questions about security?

We're happy to walk through our security architecture, share our DPA, or answer any compliance questions.