by gfragin 2490 days ago
All - thank you for submitting your comments. A couple of points:
1. As per our privacy policy, which I will make sure is live asap, we do not share data with any third party and we do all the processing in house.
2. The Google privacy requirements are quite rigorous and we just went through a re-approval process under their new guidelines.
3. Thank you for identifying the typos... thought that was fixed.
4. Regarding formalizing the request process, our experience is that it's difficult to mandate that a third party only use a certain channel, and even if you do, things slip through the cracks.

I would be delighted to continue this conversation with any and all. Thanks for your input.


On the third party front, it's _you_ who is the third party. My security team would have kittens if I were to link Slack/email/anything to y'all. I think that's what's at issue, not whether you then pass data outward (which, to be clear, would also be unacceptable).
Thanks miker64. Our experience has actually not been that - and once security teams have had a chance to review, there has been terrific acceptance. We are only interacting with information that is already on a cloud platform, and our protections, policies and structure look to build on that security, not subvert it. The common fear is that we would aggregate information and sell it to third parties, and that is dealt with in our privacy policy: https://loophq.com/privacypolicy
I'm sure that will be the case for certain companies. For companies who routinely deal with PII, PCI, or other regulated data, the security teams are likely to be much more worried about the potential for sensitive data to be inadvertently shared outside of the company. Even if it is communiqués about only business-sensitive matters (e.g., iPhone 12 XXL release), that is not something very security-conscious companies will be happy having in the hands of a third party without an appropriate security review.

Having run a security program at such a company, at the minimum I would expect a SOC 2 or ISO 27001 audit of your company before I would allow my company to utilize your services, as it is tightly integrated with our internal communication platforms.

This isn't to say you need that now, but you should understand there are segments of the potential customer base that will not work with you without your being able to pass that level of scrutiny.

Absolutely right. That is already on our radar given the types of customers we are currently talking to. We are also seeing increased scrutiny from the API providers, who are insisting on their own security audits before allowing API access.