This page is for the conversation your champion has with their IT and procurement team after they like the demo. Plain English. No legal-ese, no security-marketing fog. The formal posture lives on the trust page; the legal text is the privacy policy. This is the narrative that gets HeyLoopy through procurement without surprises in week six.
Every byte of customer training content and end-user response data lives in AWS us-east-1. We do not have a Europe region, a Mumbai region, or a Tokyo region. We have no plans to add one in the near term. If your IT or procurement policy requires data residency in your home jurisdiction, we are not the right vendor for you today, and we would rather tell you that on page one than on call six.
For most non-US mid-market buyers this is workable. The data we process is training content (SOPs, policies, procedures) and drill-answer records (employee names, role, mastery scores). It is not financial transaction data, not PHI, not biometric. Cross-border transfer with Standard Contractual Clauses is the same legal mechanism most of your existing SaaS stack uses (Slack, Notion, HubSpot, GitHub). The path is known. We will name it explicitly when we have the formal DPA template (see § 04 below).
The full policy lives in our privacy policy § 6 (Artificial intelligence). The legal text governs; this page exists to give your champion the plain-English version to forward to IT.
The careful distinction here matters. The infrastructure HeyLoopy runs on — AWS RDS, S3, ElastiCache, ALB, ACM — is SOC 2 Type II-certified by AWS. The controls we operate against those services (encryption, network segmentation, IAM, backups, monitoring) are SOC 2-aligned. HeyLoopy as an organization is not currently SOC 2 certified. We do not pretend otherwise. The certification workstream is real and tracked; it lands later in 2026.
AES-256 at rest across all customer data stores. Primary database uses SSE-KMS with a dedicated customer-managed AWS KMS key. Object storage protected by AWS-managed SSE-S3. TLS for all customer-facing traffic, with auto-renewing ACM certificates and HTTP-to-HTTPS redirects.
Production and staging run in separate AWS accounts with independent IAM, KMS, and state. Application services deploy across multiple availability zones within us-east-1. Administrative access is key-based and gated by a bastion host. Least-privilege IAM roles per service.
HeyLoopy is out of PCI DSS scope by design. Card numbers are collected and held by Stripe (PCI DSS Level 1 service provider). We never store, transmit, or process payment card data.
HeyLoopy processes SOPs and procedural training content, not Protected Health Information. A Business Associate Agreement is not offered. Clinical customers use HeyLoopy for procedural recall (the sepsis bundle, the protocol, the WHO Five Moments); patient data stays in your EHR.
Full posture, including backup retention, logging surfaces, and disaster recovery roadmap, on the trust page. Security review under NDA available on request to support@heyloopy.com.
If any of these are hard-blocking requirements for your procurement, we are the wrong vendor for you today. The list is short and named on purpose.
The audit workstream is underway. We expect the Type I report in late 2026 and the Type II window to begin shortly after. Until then, we operate against SOC 2-aligned controls on SOC 2 Type II-certified AWS, and we complete SIG Lite / CAIQ / custom security questionnaires on request, typically within five business days.
A standardized Data Processing Addendum incorporating EU Standard Contractual Clauses will be put in place before we begin selling in the EU or UK. We do not yet have customers in those markets, and we would rather build the DPA against a real first deal than ship a template that has never been negotiated. Existing customers who need data-processing terms today: contact us directly and we will write the agreement against your actual data shape.
The EU-US Data Privacy Framework certification is a cheap, EU-procurement-friendly adequacy signal. We pursue it alongside the DPA build, on the same timeline (gated on first EU pipeline). Annual renewal once active; recourse mechanism: EU Data Protection Authorities (free option, slower complaint resolution, standard for B2B SaaS at our scale).
Fixed at AWS us-east-1 for the foreseeable future. If India residency, EU residency, or any other in-region requirement is non-negotiable for your IT policy, we are not the right fit today and we would rather you know now. The infrastructure constraint is not a near-term roadmap item.
HeyLoopy processes procedural training content, not Protected Health Information. We do not offer a Business Associate Agreement. Clinical customers use HeyLoopy for SOPs (the bundle, the protocol, the procedure) and keep PHI in their EHR. If your use case requires PHI processing, the architecture is not designed for it.
Standard vendor security questionnaires (SIG Lite, CAIQ) are returned within five business days. Custom questionnaires follow the same timeline, provided the format is parseable.
For evaluating customers: a more detailed security overview describing the AWS architecture, control map, and operational practices. Under NDA, by request.
Customer-data subprocessors are listed in the privacy policy. Internal-operations vendors (transactional email, internal team comms, error routing) are kept in a separate inventory, available on request.
Affected customers are notified without undue delay and, where feasible, within 72 hours of our becoming aware of a personal-data breach. This is a standard contractual commitment.
Customer data deleted from active systems within 30 days of account termination, with backup-aged-out windows documented in the privacy policy § 7.
For procurement questions that need a human conversation: support@heyloopy.com. The founder reads and answers, in writing, in any language. Real-time calls in English only for now.
Your regulator — FFIEC, OSHA, the Joint Commission, FinCEN, the FCA, the ICO, BIS, CNBV, BaFin, whichever — has its own evidence requirements. We do not pretend to be experts in all of them. What we do is generate evidence in a generic, exportable shape (per person, per skill, per source-document version, per drill answer) that maps to most regulator expectations. You verify the fit for yours.
For the regulated-industry walkthroughs see compliance, regulated audit, financial compliance, and clinical training. For the export specifics see audit evidence export.
That's what it's for. For anything this page doesn't cover, or the questions that need a real conversation, the founder reads and answers — same day, in writing, in any language.