- DarkLight
Gong's privacy documents can be found on their website. Personal data processed by Gong includes video calls, phone conversations, emails, CRM data, and more. Gong upholds GDPR and CCPA compliance through updated SCCs. Data is stored and processed in the US, Israel, and Ireland. Gong is SOC2 Type II compliant, ISO certified, and follows industry best practices for security. Customer data is deleted within 30 days of contract termination. Gong is DPF certified and committed to information security at all levels. Gong offers features to help businesses comply with privacy regulations.
Where can I find your privacy-related documents?
Here’s where you can find our:
What type of personal data does Gong process?
This depends on your use case, what you connect with, and what you determine that Gong should ingest. At a high level, we collect video calls, phone conversations, email correspondence, meetings and calendar events, CRM data, and digital interaction data.
Gong may process personal data to provide services to customers. The types of personal data typically processed may include:
The name and business contact details of users and participants
Gong usage data and other technical data concerning the user’s usage, device and connectivity to Gong
Recorded communications which primarily concern the purchase or use of the company’s services
The analyses and insights generated based on such communications.
How does Gong uphold GDPR, CCPA, and other data protection regulations?
We satisfy GDPR/CCPA compliance through updated SCCs in our Data Processing Addendum. Gong takes a holistic approach to compliance and privacy in order to help customers comply with GDPR/CCPA. It's possible to record sales conversations in compliance with the right workflows.
Gong offers three features designed to help businesses comply with privacy regulations, including the Gong consent page, API and application tools to enforce the right to be forgotten, and permission profiles. These tools are also used internally by Gong to ensure we adhere to privacy regulations and our internal privacy program. Internally, Gong maintains a privacy program to ensure compliance with privacy regulations, and we are ISO 27701 and ISO 27018 certified.
How is data used in Gong?
Your organization owns the data ("controller" in GDPR parlance), and Gong processes it ("processor" in GDPR parlance) to provide the service.
Where is our data stored?
Data is stored in the United States.
Where is our data processed?
Gong holds offices in the United States, Israel, and Ireland, where data may be processed. In addition, Gong engages with sub-processors located in the United States, the UK, and EMEA.
How is our data protected?
Gong is SOC2 Type II compliant and provides a third-party attestation report covering security, availability, confidentiality, privacy, and HIPAA compliance (Mapping of HIPAA Security Requirements). Gong has a certification for compliance with ISO 27001, ISO 27017, ISO 27018, and ISO 27701. Gong is included in the Cloud Security Alliance’s (CSA’s) Security, Trust, Assurance, and Risk (STAR) Registry.
Gong’s compliance with this internationally-recognized standard and code of practice is evidence of our commitment to information security at every level of our organization. Our security program is in accordance with industry-leading best practices.
For more information on Gong’s security practices, please visit the Summary of security features section of Gong’s Help Center.
Is our data deleted upon contract termination?
Yes. Customer data is deleted within 30 days of contract termination or expiration.
Are you DPF certified?
Yes, Gong is certified with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Our public DPF profile is available here.