Security best practices for the Gong Revenue AI OS

Jack Leidecker
Chief Information Security Officer at Gong
Published on: January 22, 2026

Customer data is your revenue team’s most valuable asset, but only if it’s protected.
There’s a common belief that you have to choose between moving fast and staying secure. With the Gong Revenue AI OS, you don’t have to compromise. We ensure that rigor and revenue growth go hand in hand by complying with global security standards. That includes SOC 2 (Type 2) and numerous ISO standards, as well as adherence to critical data privacy regulations, including GDPR and CCPA.
Gong goes beyond basic compliance and certifications. We offer the configurability and transparency you need to maintain control of your data and manage your revenue team’s Gong experience.
Every business is different, so we provide granular controls to suit your needs. With the Gong Revenue AI OS, you can manage your own retention policies, authentication methods, and data collection practices. That makes it easy to scale your revenue engine without compromising your security.
So let’s talk about all the capabilities you can use today to secure the Gong experience and help your team succeed while using secure revenue AI technology.
We’ve organized our best practices into two categories: managing access to data and best practices for data protection.
Managing access to data
Enable authentication
Safeguard your data by authenticating users through your company’s enterprise identity and access management system before they access the system. You can set up authentication through your existing identity providers like Google, Microsoft, Salesforce, or Okta. Once that’s enabled, we recommend disabling the option to log in with a standard email address and password.
Create permission profiles
Customize your access and configure Gong so your users have the right permissions and visibility to meet your internal controls. Determine who has access to specific calls and emails by creating and assigning custom profiles. You can define granular permission profiles by role, team, or geography, or create your own based on your organizational structure. When you build a new profile, you can determine which calls, emails, libraries, and pages in the system a user can access.
To maintain full transparency, the Gong Revenue AI OS also provides detailed audit logs. These allow admins to track profile changes and access history across the platform. You can also easily set controls for viewing insights stats, sharing calls, downloading call media, and deleting calls.
Provision team members
After creating permission profiles, assign users to these profiles.
Do this manually, or create assignments using sources like Okta, Salesforce, or Rippling. For example, if you assign teams by location in Salesforce, you can mirror those permissions in Gong.
You can also control whether Gong records and imports calls for users in these groups, even if they are only a meeting attendee (not the meeting host) or CC’d on an email.
Best practices for data protection
The need for transparent data retention and "human-in-the-loop" governance has become a critical security benchmark. Protocols like the ones we’ve mentioned, as well as the 2024 NIST AI Risk Management Framework (AI RMF 1.0), can help you mitigate risks around data privacy and algorithmic bias.
One of the most effective ways to align with today’s standards is to ensure you are only capturing the data you truly need. You can achieve this by using the following controls:
Get consent from call attendees
Global businesses need to stay compliant with the legal requirements in their jurisdictions. That includes making sure call attendees understand and consent to call recordings. Gong recommends setting up a consent page to ensure you capture active consent before a participant joins a meeting.
The Gong Revenue AI OS supports customizable pre-call consent workflows, so you can send branded emails and consent pages in more than 70 languages. You can link these to your privacy policy or add text to the page.
If you enable the Gong recording consent page and allow users to opt out, the meeting will proceed as scheduled, but it will not be recorded.
Bring your own key
Take control of which information enters and stays in the Gong system.
The Gong Revenue AI OS uses AWS Key Management Service (KMS) for standard encryption. However, we also offer bring your own key (BYOK) capabilities. This allows you to encrypt your own data using keys you manage directly.
Exclude calls and emails
If you want to exclude calls, you can easily identify which calls you don’t want recorded, set custom retention policies, and adhere to customer recording preferences. You even have the option of setting up an automated rule to make calls private if a particular topic is mentioned. And given that internal meetings are rarely the focus of revenue growth, you can also exclude them from your repository. Within the admin center, you can create a list of internal domains to exclude from recording.
You can also turn off recording for specific external calls. Just enter a customer’s domain or email address, or search for words in the meeting title, like “401k” or “sensitive.” This is useful if your customers don’t want to be recorded or if you work in an industry that requires a high level of confidentiality. Additionally, we support PHI redaction, PCI DSS compliance, and custom redaction for organizations operating in regulated industries like healthcare and financial services.
Set your call recording availability policy
Determine how long you want calls to be available for, both internally and externally.
It’s a best practice for reps to share call recordings with their client after a conversation ends, but you shouldn’t keep calls forever. You have the option to restrict the access period to a certain number of days or years (we recommend three years or more).
That said, remember that Gong outputs are only as good as the inputs into the system, so it’s best to err on the side of caution when considering jettisoning data.
Delete data from the system
Gong provides customers with the ability to delete data individually or in bulk. Bulk deletion can be performed easily for Data Subjects upon request.
If you receive a request to delete an individual customer’s data from Gong, remember that the Gong Revenue AI OS is a downstream data processor, meaning that if the data exists at the source (CRM or web conference recording provider), it will continue to sync with Gong. While data can be deleted from Gong for Data Subject requests, it will need to be filtered out or removed from the source system to prevent future synchronization with Gong. You can do this in Gong using exclusion lists. Once that’s done, you can use an email address or telephone number to remove all calls, emails, and other personal data from the system.
Generate revenue insights and keep your data safe
Security is essential to maintaining customers’ trust and brand viability for any growing enterprise operating at scale. And because every business has unique needs, the Gong Revenue AI OS offers the flexible configurability required to protect your data throughout day-to-day operations. Our operating system equips you with the security options you need to safeguard your data, so you can focus on revenue generation.
If you’d like more information on implementing or adapting the security best practices in this post, visit the Gong Trust Center, or reach out to your CSM.

Jack Leidecker is the Chief Information Security Officer at Gong, where he leads the company’s security and compliance efforts on its cutting-edge Revenue Intelligence platform. With over 20 years of experience in information security, Jack has built world-class security programs across multiple industries, including tech and finance. Before Gong, he held leadership roles at Teradata and Digital Realty, focusing on security engineering and operations. A passionate advocate for diversity, Jack mentors young professionals in the Hispanic community and holds numerous industry certifications, including CISSP and CISM.