FAQs for Security, Privacy and Compliance

Where can I find your privacy-related documents?

What type of personal data does Gong process?

This depends on your use case, what you connect with, and what you determine that Gong should ingest. At a high level, we collect video calls, phone conversations, email correspondence, meetings and calendar events, CRM data, and digital interaction data.

Gong may process personal data to provide services to customers. The types of personal data typically processed may include:

  • The name and business contact details of users and participants

  • Gong usage data and other technical data concerning the user’s usage, device and connectivity to Gong

  • Recorded communications which primarily concern the purchase or use of the company’s services

  • The analyses and insights generated based on such communications.

How does Gong uphold GDPR, CCPA, and other data protection regulations?

We satisfy GDPR/CCPA compliance through updated SCCs in our Data Processing Addendum. Gong takes a holistic approach to compliance and privacy in order to help customers comply with GDPR/CCPA. With the right workflows, it is possible to record sales conversations compliantly.

Gong offers three features designed to help businesses comply with privacy regulations: the Gong consent page, API and application tools to enforce the right to be forgotten, and permission profiles. Gong also uses these tools internally to ensure we adhere to privacy regulations and to our internal privacy program, which we maintain to ensure compliance with privacy regulations. We are ISO 27701 and ISO 27018 certified.

How is data used in Gong?

Your organization owns the data ("controller" in GDPR parlance), and Gong processes it ("processor" in GDPR parlance) to provide the service.

Where is our data stored?

Data is stored in the United States.

Where is our data processed?

Gong has offices in the United States, Israel, and Ireland, where data may be processed. In addition, Gong engages with sub-processors located in the United States, the UK, and EMEA.

How is our data protected?

Gong is SOC2 Type II compliant and provides a third-party attestation report covering security, availability, confidentiality, privacy, and HIPAA compliance (Mapping of HIPAA Security Requirements). Gong is certified for compliance with ISO 27001, ISO 27017, ISO 27018, and ISO 27701. Gong is included in the Cloud Security Alliance’s (CSA’s) Security, Trust, Assurance, and Risk (STAR) Registry.

Gong’s compliance with this internationally-recognized standard and code of practice is evidence of our commitment to information security at every level of our organization. Our security program is in accordance with industry-leading best practices.

For more information on Gong’s security practices, please visit the Summary of security features section of Gong’s Help Center.

Is our data deleted upon contract termination?

Yes. Customer data is deleted within 30 days of contract termination or expiration.

Are you DPF certified?

Yes, Gong is certified with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Our public DPF profile is available here.

