We recognize that your data is very sensitive. We combine enterprise-grade security features with comprehensive audits of our applications, systems, and networks to ensure customer data is protected.
Gong conducts a variety of audits to ensure continuous
compliance with industry standard best practices:
- Gong is SOC2 Type II compliant and provides a third-party attestation report covering security, availability, confidentiality and privacy, as well as HIPAA compliance.
- Gong has a certification for compliance with ISO/IEC 27001:2013. An independent body has audited our compliance with this standard and issued our ISO 27001:2013 certificate. Gong’s compliance with this internationally-recognized standard and code of practice is evidence of our commitment to information security at every level of our organization, and that our security program is in accordance with industry leading best practices.
- Gong complies with the EU/Swiss-U.S. Privacy Shield
Framework as set forth by the U.S. Department of Commerce
regarding the collection, use, and retention of personal
information from European Union member countries/Switzerland.
- We know that maintaining GDPR & privacy compliance is a top priority for your business. That’s why Gong takes a holistic and personalized approach to compliance, maintaining GDPR compliance ourselves, and enabling your business to set its own compliance preferences, as a controller.
- Gong employs data protection and privacy by design, combining enterprise-grade security features with comprehensive audits of our policies, applications, systems, and networks. Our certifications include SOC 2 Type II, ISO 27001, and EU/Swiss-US Privacy Shield, to name a few.
Data Center and
- Gong hosts all its software in Amazon Web Services (AWS)
facilities in the USA. Amazon provides an extensive list of
compliance and regulatory assurances, including SOC 13, and
ISO 27001. See Amazon’s compliance and security documents
for more detailed information.
- All of Gong servers are located within Gong’s own virtual
private cloud (VPC), protected by restricted security groups
allowing only the minimal required communication to and
between the servers.
- Gong conducts third-party network vulnerability scans at least annually.
- Web application architecture and implementation follow
OWASP guidelines and built in Java with the Spring Security
- In addition to Gong’s extensive testing program, Gong
conducts application penetration testing by a third-party at
- Single sign-on (SSO) allows you to authenticate users without requiring them to enter login credentials for your Gong instance. Login using Gong can be disabled, and Gong supports SSO using SAML (Okta, OneLogin, Rippling), G-Suite, Office 365, and Salesforce.
- Gong login requires strong passwords. User passwords
are salted, irreversibly hashed, and stored in Gong’s database.
Audit logging lets administrators see when users last logged
in and when passwords were last changed.
- All connections to Gong are encrypted using SSL, and any
attempt to connect over HTTP is redirected to HTTPS. We
maintain an A+ grade for Qualys/SSL Labs.
- All customer data (including call recordings and transcripts) is
encrypted at rest and in transit.
- System passwords are encrypted using AWS KMS with restricted
access to specific production systems.
- We use industry-standard PostgreSQL, Elastic Search
and Mongo DB data storage systems hosted at AWS and/or by the
- Data access and authorizations are provided on a need-to-know
basis, and based on the principle of least privilege. Access
to the AWS production system is restricted to authorized
personnel, and is carried out using VPN with Active Directory
- Gong Customers may configure a data retention duration, and Customer data is purged from Gong systems subsequent to contract termination.
- Gong maintains security policies that are maintained,
communicated, and approved by management to ensure
everyone clearly knows their security responsibilities.
Gong policies are audited annually as part of its SOC2
- Code development is done through a documented SDLC
process. Design of all new product functionality is
reviewed by its security team. Gong conducts mandatory
code reviews for code changes and periodic in-depth
security review of architecture and sensitive code. Gong
development and testing environments are separate from
its production environment.
- Employee hiring process includes background screening.
- At least annually, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Gong security controls.
- Vulnerability Disclosure Process – Gong considers privacy and security to be core functions of our platform. Earning and keeping the trust of our customers is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security or privacy issue that you believe we should know about, we would love to hear from you. Please reach out to us at firstname.lastname@example.org or at (917) 512-2629 and let us know.
- All access to Gong applications is logged and audited.
Logs are kept for at least one year.
- Gong maintains a formal incident response plan for major events.
- Gong maintains a publicly available system-status
webpage which includes system availability details,
scheduled maintenance, service incident history, and
relevant security events.