Privacy Hub

If you're an organization based in the United Kingdom or the European Economic Area (EU Member States + Norway, Iceland & Liechtenstein), we thought that you may be interested to know the steps We take to comply with data protection laws in the UK and the EEA and how We help you to comply with those, here you go!

1. Controller & Processor

Loop Works as your processor.   We are a SaaS technology company, so most of the time We'll be acting as your processor and you (or your customer, where you resell Our products & services) will be the controller of personal data you share with Us.
As you would expect, We have a standard data processor agreement which is aligned with Article 28, GDPR and which sets out Our obligations as your processor including:

ObligationsGDPR RequirementDPA Clause
Sub-processors are used with the controller's consent (general authorisation) – see our list of sub-processors in section #[8] below.Art.28(2)TBC
Processing of personal data only on the controller's documented instructionsArt.28(3)(a)TBC
Our staff who process your personal data are subject to a duty of confidentialityArt.28(3)(b)TBC
We will implement appropriate technical & organisational measures to ensure an appropriate level of securityArt.28(3)(c)TBC
Will engage sub-processors with your general authorisation & impose the same processor terms on sub-processorsArt.28(3)(d)TBC
Assist you in dealing with rights/requests of data subjectsArt.28(3)(e)TBC
Assist you in complying with your obligations to maintain appropriate technical & organisational measures; breach notifications; data protection impact assessments & associated consultations with supervisory authorities.Art.28(3)(f)TBC
Delete or return your personal data after the end of our provision of services to youArt.28(3)(g)TBC
Make available to you information necessary and contribute to audits to demonstrate compliance with Art.28 GDPRArt.28(3)(h)TBC
We will inform you if we believe an instruction breaches GDPR or other EU laws.Art28(3)(h)TBC
We will flow-down the same terms to our sub-processors and we are liable for breaches by our sub-processorsArt.28(4)TBC

A copy of our DPA can be requested via email to

Loop Works as controller.   We do collect some personal data for our own purposes, and when we do this, we act as the controller of that personal data and you can read more about this in our privacy notice.

2. Processing Personal Data Outside the EEA

We are global.   Loop Works is a global company with staff and operations in the [United Kingdom] and the USA. Personal data will be processed by staff and systems in the USA [+ other non-EEA countries including the United Kingdom by the Loop Works group of companies and Our Authorised Sub-Processors.]

Our customers are global.   For customers who are controllers of personal data in the UK and EEA, when we process personal data outside the UK and EEA our processing is subject to European Commission approved Standard Contractual Clauses in line with Article 44 & 46, GDPR.

SCCs.   We know that the current Standard Contractual Clauses are being overhauled and are due to be replaced in 2021 – once the new Standard Contractual Clauses are approved by the European Commission, rest assured that we will be introducing the new Standard Contractual Clauses for non-EEA processing.

EU/US Privacy Shield.   We also remain an active participant in the EU/US Privacy Shield programme operated by the US Department of Commerce. We know about Schrems2 (more on that later!) and we know that the EU/US Privacy Shield programme is no longer a valid mechanism for non-EEA processing of personal data…..but the comfort and assurance that the EU/US Privacy Shield programme provides to our UK and EEA customers remains in place for your peace of mind.

3. Security

We maintain the following technical and organisation measures in respect of personal data which we process:

  • ISO27001
  • All Our staff receive data protection training + confidentiality which is refreshed on an annual basis
  • All Our staff agree to an express duty of confidentiality
  • All customer data is backed-up in cloud infrastructure across multiple locations
  • We have a series of internal policies in place which Our staff are required to comply with including data protection, confidentiality, security, incident management etc.
  • We carry out extensive due diligence and ongoing audits on our sub-processors.
4. How Our Products Help Support Your Data Protection Compliance

Our SaaS platform provides:

  • State-of-the-art security
  • Highly resilient hosting platforms and disaster recovery and back-up solutions
  • A 24/7/365 self-service platform which puts you in control of your data – if you need to view personal data, provide portable copies of personal data or erase personal data to comply with data subject requests under GDPR, our online self-service SaaS platform helps support your compliance
5. Data Protection Officer

[Note: please confirm if you have a data protection officer – see Article 37, GDPR]]

6. EU Appointed Representative

[Note: please confirm if you have a Rep – see Article 27, GDPR (if you're not established in the UK e.g. through a subsidiary or branch, but you provide services to UK/EU customers and process a lot of personal data about UK/EU data subjects, you may trigger the requirement to appoint a UK/EU Rep)]]

7. Authorised Sub Processors

When you use our SaaS services, we will use the following service providers to process your personal data as our sub-processors:

NameProcessingProcessing Locations
Microsoft AzureProvides the cloud infrastructure which hosts and processes all customer information/personal data[US]
Members of the Loop Works Group of Companies including Loop Works LLC & mResource LLCTBC e.g. support services/helpddeskTBC

In line with our DPA, we may change our sub-processors and when we do this, we will update the information in the table above.

8. Schrems2

We are aware of the decision of the European Court of Justice in the Schrems2 case. Like many SaaS vendors, we use Standard Contractual Clauses for non-EEA processing of personal data and we note that whilst the ECJ judgment in Schrems2 invalidated the EU/US Privacy Shield programme for non-EEA processing, it upheld the use of Standard Contractual Clauses for non-EEA processing.

Loop Works maintains a range of supplemental measures relating to its processing of personal data including:

  • encryption of personal data in transit and at rest;
  • a policy to manage requests for access to personal data from law enforcement and government agencies
9. Brexit

The UK is no longer an EU Member State, but UK data protection law remains based on the EU GDPR and the UK ICO has approved the use of Standard Contractual Clauses for non-UK/EEA processing of personal data. We will keep a watching brief on the development of UK data protection law post-Brexit, but if you're a UK customer, we're confident that we have appropriate measures in place for you to share personal data with us.

10. Cookies & Online Tracking Technology

We know that UK and EEA privacy laws don't start and end with the General Data Protection Regulation 2016/679 or the UK Data Protection 2018.

Our website uses cookies and you can find more information on the cookies we use in our [cookie notice], in line with the requirements of the ePrivacy Directive.

11. Any Questions?

If you have any questions that aren't answered in our Privacy Hub or if there are other things that you would like to see covered in our Privacy Hub, please get in touch and let us know! You can contact us