We recognize that your data is very sensitive. We combine enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer data is
Gong conducts a variety of audits to ensure continuous compliance with industry-standard best practices:
- Gong is SOC2 Type II certified for security, availability and confidentiality. Documentation available upon request.
- Gong complies with the EU/Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries/Switzerland.
Data Center and Network Security
- Gong hosts all its software in Amazon Web Services (AWS) facilities in the USA. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 1-3 and ISO 27001. See Amazon’s compliance and security documents for more detailed information.
- All of Gong’s servers are located within Gong’s own virtual private cloud (VPC), protected by restricted security groups that allow only the minimal communication required to and between the servers.
- Gong conducts network vulnerability scans at least annually.
- All connections to Gong are encrypted using SSL, and any attempt to connect over HTTP is redirected to HTTPS. We maintain an A+ grade on the Qualys SSL Labs test.
- All customer data (including call recordings and transcripts) is encrypted at rest and in transit.
- System passwords are encrypted using AWS KMS with restricted access to specific production systems.
- We use industry-standard PostgreSQL, Elasticsearch and MongoDB data storage systems hosted at AWS and/or by the respective vendors.
- Data access and authorizations are provided on a need-to-know basis, and based on the principle of least privilege. Access to the AWS production system is restricted to authorized personnel, and is carried out using VPN with Active Directory authentication.
- Customers may configure a data retention duration, and customer data is purged from Gong systems after contract termination.
- Web application architecture and implementation follow OWASP guidelines; the application is built in Java with the Spring Security framework.
- In addition to Gong’s extensive testing program, Gong conducts application penetration testing by a third-party at least annually.
- Single sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials for your Gong instance. Gong’s native login can be disabled, and Gong supports SSO using Okta (SAML), Google Apps, Office 365, and Salesforce.
- Gong login requires strong passwords. User passwords are salted, irreversibly hashed, and stored in Gong’s database. Audit logging lets administrators see when users last logged in and when passwords were last changed.
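The salted, irreversible password storage described in the item above, shown as an added example that is not Gong’s code. It assumes PBKDF2-HMAC-SHA256 with a 600,000-iteration work factor and a self-describing `pbkdf2_sha256$iterations$salt$hash` record format; both are choices of this example, not details the page states. The verifier compares in constant time, and `needs_rehash` lets a login flow detect records stored under an older, weaker work factor so they can be re-hashed on the next successful login.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not stated on the page).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # current work factor; older records are detected by needs_rehash()
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Derive a one-way hash from the password and a per-user random salt.

    Returns a record of the form 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'
    so that the salt and work factor travel with the hash.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh, unpredictable salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    """Split a stored record into its fields; return None for anything malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and work factor, compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False                           # never accept an unparseable record
    iterations, salt, stored = parsed
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES
    )
    # compare_digest avoids leaking where the first mismatching byte is via timing
    return hmac.compare_digest(candidate, stored)


def needs_rehash(record: str) -> bool:
    """True when the record was stored with a weaker work factor than the current one."""
    parsed = _parse(record)
    if parsed is None:
        return True
    iterations, _, _ = parsed
    return iterations < ITERATIONS


if __name__ == "__main__":
    # Constructed sample: two users choosing the same password get different records.
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print(rec_a != rec_b)                                   # True: salts differ
    print(verify_password("correct horse battery staple", rec_a))  # True
    print(verify_password("wrong password", rec_a))        # False
    legacy = hash_password("correct horse battery staple", iterations=10_000)
    print(verify_password("correct horse battery staple", legacy), needs_rehash(legacy))  # True True
```

In a login handler the sequence is: look up the stored record, call `verify_password`, and on success call `needs_rehash`; if it returns true, store `hash_password(password)` so the account is silently migrated to the current work factor. The record format carries the iteration count so the count can be raised later without invalidating existing passwords.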
Application Monitoring and Incident Management
- All access to Gong applications is logged and audited. Logs are kept for at least one year.
- Gong maintains a formal incident response plan for major events.
Security Policies and Secure Development Life Cycle (SDLC)
- Gong maintains security policies that are documented, communicated, and approved by management so that everyone clearly knows their security responsibilities. Gong policies are audited annually as part of its SOC2 certification.
- Code development is done through a documented SDLC process. Design of all new product functionality is reviewed by its security team. Gong conducts mandatory code reviews for code changes and periodic in-depth security review of architecture and sensitive code. Gong development and testing environments are separate from its production environment.
- The employee hiring process includes background screening.
- At least annually, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Gong security controls.
- Access to customer data is through a password-protected web application over SSL. Only authorized members of a customer’s organization have access to that customer’s data.
- Gong maintains a publicly available system-status webpage which includes system availability details, scheduled maintenance, service incident history, and relevant security events.