Data Processing Addendum

Last updated: May 21, 2019.

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Terms of Service“) between Inc. and its Affiliates (“Gong”) and the Customer whose details are indicated in the order form (“Customer”). This DPA reflects the parties’ agreement with regard to the Processing of Personal Data and supersedes any conflicting terms under the Terms of Service. All capitalized terms not defined herein will have the meaning set forth in the Terms of Service.

This DPA is supplemental to the Terms of Service and sets out the terms that apply when Personal Data (defined below) is Processed (defined below) by Gong under the Terms of Service. The purpose of the DPA is to ensure such Processing is conducted in accordance with applicable laws, including Data Protection Laws and Regulations (defined below), and with due respect for the rights and freedoms of individuals whose Personal Data are Processed.


In the course of providing Gong’s Service to Customer pursuant to the Terms of Service, Gong may Process Personal Data on behalf of Customer. The parties agree to comply with the following provisions with respect to Personal Data Processed by Gong as part of the Service for Customer.


1.1. “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Terms of Service.

1.2. “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.3. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

1.4. “Personal Data” means any information relating to a Data Subject.

1.5. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

1.6. “Personnel” means persons authorized by Gong to Process Customer’s Personal Data.

1.7. “Privacy Shield” means the EU-US Privacy Shield Framework, as administered by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016.

1.8. “Privacy Shield Principles” mean the Privacy Shield Principles, as supplemented by the Supplemental Principles and contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016, as may be amended, superseded or replaced.

1.9. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.


2.1. Scope and Roles. This DPA applies when Personal Data is Processed by Gong as part of’s provision of the Service. In this context and for the purposes of the GDPR, Customer is the data controller and is the data processor.

2.2. Subject Matter, Duration, Nature and Purpose of Processing. processes Customer’s Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the Terms of Service.

2.3. Type of Personal Data and Categories of Data Subjects. Customer and users authorized by Customer determine the identity of the persons which are part of the conversations analyzed by the Service. has no control over the identity of the data subjects whose Personal Data is processed on behalf of Customer and over the types of Personal Data Processed.

2.4. Instructions for Gong’s Processing of Personal Data. will only Process Personal Data on behalf of and in accordance with Customer’s instructions. Customer instructs to Process Personal Data for the following purposes: (i) Processing related to the Service in accordance with the Terms of Service; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the Terms of Service. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data and shall indemnify, defend and hold harmless any claim, damages or fine against Gong arising from any failure to acquire or use the Personal Data with legal consent or legitimate business purpose or in violation of any data protection legal requirement. Gong will inform Customer, if in Gong’s opinion an instruction infringes any provision under the GDPR and will be under no obligation to follow such instruction, until the matter is resolved in good-faith between the parties. Customer will provide all necessary notices to relevant Data Subjects, including a description of the Service and secure all necessary permissions and consents, or other applicable lawful grounds for Processing Personal Data pursuant to this DPA.


3.1. Taking into account the nature of the Processing, Gong will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subjects’ rights under the GDPR. Gong will further assist Customer in ensuring compliance with Customer’s obligations in connection with the security of Processing, notification of a Personal Data Breach to supervisory authorities and affected Data Subjects, Customer’s data protection impact assessments and Customer’s prior consultation with supervisory authorities, in relation to Gong’s Processing of Personal Data under this DPA. Except for negligible costs, Customer will promptly reimburse Gong with costs and expenses incurred by Gong in connection with the provision of assistance Customer under this DPA.


4.1. Limitation of Access. Gong will ensure that Gong’s access to Personal Data is limited to those personnel who require such access to perform the Terms of Service.

4.2. Confidentiality. Gong will impose appropriate contractual obligations upon its personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Gong will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Gong will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.


5.1. Gong may engage third-party service providers to process Personal Data on behalf of Customer (“Other Processors“). Customer hereby provides Gong with a general authorization to engage the Other Processors listed in Schedule A. All Other Processors have entered into written agreements with Gong that bind them by the substantially same data protection obligations under this DPA. Where an Other Processor fails to fulfil its data protection obligations in connection with the Processing of Personal Data under this DPA, Gong will remain fully liable to Customer for the performance of that Other Processor’s obligations.

5.2. Gong may engage with a new Other Processor (“New Processor“) to Process Customer Personal Data on Customer’s behalf. Customer may object to the Processing of Customer’s Personal Data by the New Processor, for reasonable and explained grounds, within five (5) business days following Gong’s written notice to Customer of the intended engagement with the New Processor. If Customer timely sends Gong a written objection notice, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Gong will make commercially reasonable efforts to provide Customer with the same level of Service, without using the New Processor to Process Customer’s Personal Data.


6.1. Gong Ltd., Gong’s parent company, is established in Israel. Transfer of Personal Data related to EU Individuals to Israel is made in accordance the EU Commission decision 2011/61/EU of January 31, 2011, on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data. Gong self-certifies to the Privacy Shield and will maintain its self-certification to and compliance with the Privacy Shield throughout the term of Terms of Service.

6.2. All Gong third-party service providers to whom Gong transfers Personal Data to provide the Service – (i) are certified to the Privacy Shield, or (ii) undertook to provide at least the same level of protection for the Personal Data as is required by the Privacy Shield Principles, or (iii) have executed or undertook to comply with such other binding instruments, certifications or self-certifications for the lawful transfer of Customer’s Personal Data related to Data Subjects within the EU to other territories, as required and available under the GDPR, or (iv) The EU Commission acknowledged the state where the service provider is established as providing adequate protection to Personal Data.

6.3. If the Privacy Shield is invalidated, or if Gong or any of its third-party service providers are no longer able to continue complying with the Privacy Shield, or provide the same level of protection as under the Privacy Shield Principles, then Gong will take such measures as required under the GDPR to continue facilitating the lawful Processing in the US of Customer’s Personal Data related to Data Subjects within the EU by Gong and its Other Processors.


7.1. Controls. Gong will implement and maintain administrative, physical and technical safeguards designed for the protection of the security, confidentiality and integrity of Customer’s Personal Data, pursuant to the Gong Information Security Policy. Gong regularly monitors compliance with these safeguards. Gong will not materially decrease the overall security of the Service during the term of the Terms of Service.

7.2. Policies, Certifications and Audit Reports. Gong uses external auditors to verify the adequacy of its security measures. The internal controls of the Service are subject to periodic testing by such auditors and are based on the Statement on Standards for Attestation Engagements (SSAE) No. 16 Service Organisation Control (SOC2) report. Upon Customer’s written request at reasonable intervals and subject to confidentiality limitations, Gong will make available to Customer that is not a Gong competitor (or to a third party auditor on Customer’s behalf, that is not a Gong competitor and subject to the auditor’s execution of Gong’s non-disclosure agreement), the then most recent version of the Gong Information Security Policy summaries of third-party audit or certification reports commonly made available to Gong Customers.


8.1. Gong will maintain security incident management policies and procedures and will notify Customer without undue delay after becoming aware of a Personal Data Breach related to Customer’s Personal Data which Gong, or any of Gong’s Other Processors, Process. Gong’s notice will at least: (a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) communicate the name and contact details of the Gong’s data protection team, which will be available to provide any additional available information about the Personal Data Breach; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by Gong to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

8.2. Gong will work diligently, pursuant to its incident management policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will inform Customer accordingly.

8.3. Gong’s liability for a Personal Data Breach toward Customer and any third party is subject to the following limitations: (a) the Personal Data Breach is a result of a breach of Gong’s information security obligations under this DPA; and (b) the Personal Data Breach is not caused by: (i) acts or omissions of Customer, or any person acting on behalf of or jointly with Customer (collectively “Customer Representatives“); (ii) Customer Representatives’ instructions to Gong; (iii) a willful, deliberate or malicious conduct by a third party; or (iv) acts of God or force major, including, without limitation, acts of war, terror, state-supported attacks, acts of state or governmental action prohibiting or impeding Gong from performing its information security obligations and natural and man-made disasters.


9.1. Gong will make available to Customer all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 to the GDPR in relation to the Processing of Personal Data under this DPA by Gong and its Other Processors.

9.2. Gong will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in relation to Gong’s obligations under this DPA. Gong may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third party auditors. Audits by Customer are subject to the following terms: (i) the audit will be pre-scheduled in writing with Gong, at least forty-five (45) days in advance and will be performed not more than once a year (except for an audit following a Personal Data Breach); (ii) the auditor will execute a non-disclosure and non-competition undertaking toward Gong; (iii) the auditor will not have access to non-Customer data (iv) Customer will make sure that the audit will not interfere with or damage Gong’s business activities and information and network systems; (v) Customer will bear all costs and assume responsibility and liability for the audit; and (vi) Customer will receive only the auditor’s report, without any Gong ‘raw data’ materials, will keep the audit results in strict confidentiality and will use them solely for the specific purposes of the audit under this section; (vii) at the request of Gong, Customer will provide it with a copy of the auditor’s report; and (viii) As soon as the purpose of the audit is completed, Customer will permanently dispose of the audit report.


10.1. At the choice of Customer, Gong will delete or return all Customer’s Personal Data to Customer after the end of the provision of Services relating to Processing of Customer’s Personal Data, and delete existing copies unless a law of the European Union or an EU member state requires the storage of the Personal Data.


11.1. may process data based on extracts of Personal Data on an aggregated and non-identifiable forms, for Gong’s legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at Gong’s discretion.


12.1. The GDPR is a recently enacted legislation and the parties envisage that they may have different views about the proper manner to implement relevant provisions thereof. Therefore, the parties agree to communicate regularly about any open issues or process problems that require resolution. The parties will attempt in good faith to resolve any dispute related to this DPA as a precondition to commencing legal proceedings, first by direct communications between the persons responsible for administering this DPA and next by negotiation between executives with authority to settle the controversy. Either party may give the other party a written notice of any dispute not resolved in the normal course of business. Within five (5) business days after delivery of the notice, the receiving party will submit to the other party a written response. The notice and the response will include a statement of each party’s position and a summary of arguments supporting that position and the name and title of the executive who will represent that party. Within five (5) business days after delivery of the disputing party’s notice, the executives of both parties will meet at a mutually acceptable time and place, including by phone, and thereafter as often as they reasonably deem necessary, to resolve the dispute. All reasonable requests for information made by one party to the other will be honored. All negotiations pursuant to this clause are confidential and will be treated as compromise and settlement negotiations for purposes of applicable rules of evidence.

Schedule A
Other processors

Entity NamePurposeLocation LtdProviding the Gong serviceIsrael
Amazon Web Services, Inc.Cloud data storageUSA
MongoDB, Inc.Data storage and queryingUSA
Logz.ioLog storage and queryingUSA, Israel
Mailgun Technologies, Inc.Transactional emailUSA
Mandrill (by The Rocket Science Group LLC)Backup transactional emailUSA
ElasticCloud (ElasticSearch Global BV)Data storage and queryingUSA
Cloud ElementsIntegrating data with HubSpot on behalf of joint customers with HubSpotUSA

Last updated: May 21, 2019.