Gong Security

We recognize that your data is very sensitive. We combine enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure customer data is protected.



Gong conducts a variety of audits to ensure continuous
compliance with industry-standard best practices:

  • Gong is SOC2 Type II certified for security, availability
    and confidentiality. Documentation available upon request.
  • Gong complies with the EU/Swiss-U.S. Privacy Shield
    as set forth by the U.S. Department of Commerce
    regarding the collection, use, and retention of personal
    information from European Union member countries/Switzerland.
  • Gong has implemented a GDPR (General Data Protection
    Regulation) readiness program and has been audited by E&Y to
    ensure adherence. This includes appointing a Data Protection
    Officer (DPO), putting measures in place to identify and delete
    private data, ensuring all subcontractors are compliant, and updating Terms and Conditions, Privacy Policy, and
    Data Processing Addendum (DPA).

Data Center and Network Security

  • Gong hosts all its software in Amazon Web Services (AWS)
    facilities in the USA. Amazon provides an extensive list of
    compliance and regulatory assurances, including SOC 1-3, and
    ISO 27001. See Amazon's compliance and security documents
    for more detailed information.
  • All of Gong's servers are located within Gong's own virtual
    private cloud (VPC), protected by restricted security groups
    allowing only the minimal required communication to and
    between the servers.
  • Gong conducts third-party network vulnerability scans at least annually.

Data Security

  • All connections to Gong are encrypted using SSL, and any
    attempt to connect over HTTP is redirected to HTTPS. We
    maintain an A+ grade for Qualys/SSL Labs.
  • All customer data (including call recordings and transcripts) is
    encrypted at rest and in transit.
  • System passwords are encrypted using AWS KMS with restricted
    access to specific production systems.
  • We use industry-standard PostgreSQL, Elasticsearch
    and MongoDB data storage systems hosted at AWS and/or by the
    respective vendors.
  • Data access and authorizations are provided on a need-to-know
    basis, and based on the principle of least privilege. Access
    to the AWS production system is restricted to authorized
    personnel, and is carried out using VPN with Active Directory
  • Gong Customers may configure a data retention duration, and Customer data is purged from Gong systems subsequent to contract termination.


  • Web application architecture and implementation follow
    OWASP guidelines and are built in Java with the Spring Security
  • In addition to Gong's extensive testing program, Gong
    conducts application penetration testing by a third party at
    least annually.
  • Single sign-on (SSO) allows you to authenticate users in your
    own systems without requiring them to enter additional login
    credentials for your Gong instance. Login using Gong can be
    disabled, and Gong supports SSO using Okta (SAML), Google
    Apps, Office 365, and Salesforce.
  • Gong login requires strong passwords. User passwords
    are salted, irreversibly hashed, and stored in Gong's database.
    Audit logging lets administrators see when users last logged
    in and when passwords were last changed.


  • All access to Gong applications is logged and audited.
    Logs are kept for at least one year.
  • Gong maintains a formal incident response plan for major events.


  • Gong maintains a publicly available system-status
    which includes system availability details,
    scheduled maintenance, service incident history, and
    relevant security events.

Security Policies and Secure Development Life Cycle (SDLC)

  • Gong has security policies that are maintained,
    communicated, and approved by management to ensure
    everyone clearly knows their security responsibilities.
    Gong policies are audited annually as part of its SOC2
  • Code development is done through a documented SDLC
    process. Design of all new product functionality is
    reviewed by its security team. Gong conducts mandatory
    code reviews for code changes and periodic in-depth
    security review of architecture and sensitive code. Gong
    development and testing environments are separate from
    its production environment.
  • Employee hiring process includes background screening.
  • At least annually, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Gong security controls.

