Summary of security features
  • 6 minute read
  • Contributors

    Summary of security features

      Article summary




      Learn more

      Security Validations

      ISO 27701 Certificate

      ISO 27701 is a globally recognized, privacy-based certification that builds upon security requirements outlined in ISO 27001 with emphasis on an organization’s Privacy Information Management System (PIMS).

      Download our ISO certificate

      Trust Center.

      ISO 27001 Certificate

      ISO 27001 is a globally recognized, standards-based approach to security that outlines requirements for an organization’s Information Security Management System (ISMS).

      Download our ISO certificate

      from our Trust Center.

      ISO 27017 Certificate

      This standard provides guidelines on how we implement information security controls for the provision and use of cloud services.

      Download our ISO certificate

      from our Trust Center.

      ISO 27018 Certificate

      This standard protects personally identifiable information (PII) in public clouds that act as PII processors. This further extends our ability to safeguard the personal and customer data we collect, process, and manage on your behalf.

      Download our ISO certificate

      from our Trust Center.

      DPF Certification

      Gong is certified with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

      Our public DPF profile is available here

      CSA’s STAR Registry

      We documented our cloud security controls at Gong for the CSA’s STAR Registry.

      STAR registry

      Download our completed CAIQ questionnaire from our Trust Center

      SOC 2 Type II Report

      Gong maintains our own SOC 2 Type II report with scope that spans Gong operations. The independent assessment affirms our commitment to customer data security, availability, confidentiality, and privacy. Gong’s report also includes a mapping to Health Insurance Portability and Accountability Act (HIPAA) security requirements.

      Download our SOC 2

      report from our Trust Center.

      PCI-DSS Report

      Gong has created the mechanisms that ingest and process calls from external telephony systems in a way that is PCI-DSS compliant. Gong maintains a specific scope for PCI DSS that analyzes the calls, identifies the PCI-related data, and redacts digits set forth by customer business rules. The SAQ refers to these components and attests to the needed measures that have been taken to ensure it is compliant with PCI-DSS.

      Download our SAQ-D

      from our Trust Center.

      Penetration Test Executive Summary

      Gong obtains independent validation security with independent penetration testing.

      Download our pen test summary

      from our Trust Center.

      Data Security

      Data Encryption

      Customer data is encrypted in transit using TLS 1.2 and at rest using AES-256.


      Key Management

      Gong uses AWS Key Management Services (KMS) for key management. Customers can encrypt their own data using bring your own key (BYOK).

      Learn more

      Data Segregation

      Data is logically separated within Gong’s multi-tenant environment. Gong segregates our customer data separately through this approach, which is commonly utilized in SaaS architectures.


      Data Retention

      Data retention is determined by the customer and can be configured at any time.

      Learn more

      Data Redaction

      An optional feature is the ability to redact sequences of digits to minimize the risk of personal numbers appearing within plain text of transcripts. Redaction is available in English calls only.

      We can redact numbers equal to and above the minimum number of digits Customers select. These numbers are replaced with (REDACTED) in the call's transcript.

      Learn more

      Data Deletion

      Gong provides multiple ways of deleting data from the tenant environment and provides tools for the customer to meet DSAR requests.

      Learn more

      Identity Management and Access Controls

      Automatic and Manual Provisioning

      Gong supports a system for single or cross-domain Identity Management (SCIM) provisioning systems.

      Learn more

      Single Sign On - Federated Identity

      Gong supports authentication through common Identity Providers, such as Google, Microsoft (Azure Active Directory and Office 365), and Salesforce. 

      Gong also supports SAML 2.0-based SSO, OAuth 2.0 authorization, and OpenID Connect, including Okta, OneLogin, Rippling, and custom providers.

      Learn more

      Password Policy

      Our preference is for our customers to use their Single Sign On (SSO) to inherit the rules associated with their password policy. For non-SSO users, Gong supports authentication, which enforces the following password requirements:

      • Minimum of eight characters

      • At least one number

      • At least one special character

      • Cannot contain part of the username

      • Cannot reuse the last four passwords

      Learn more

      Session Management

      Gong supports session management for inactivity. This is set by your Identity Management provider. Most providers have a default of 30 minutes that can be configured.


      Gong API Authentication

      There are two ways to retrieve credentials to the Gong Public API: 

      1. Basic Authorization, which requires manually obtaining an Access Key and Access Key Secret 

      2. OAuth, which generates a Bearer Token

      Learn more

      Creating Workspaces

      You can set up workspaces in Gong to segment your Gong instance to match your business needs. This feature helps enforce principles of least privilege within your business users. 

      This is useful if you have separate business units or geographic regions (such offices in the United States and in EMEA), where you may want to apply different business settings, permissioning, or retention policies. Creating separate workspaces allows you to easily manage different settings between distinct business groups.

      Learn more

      Least Privilege - User and Group Roles

      Gong provides four out-of-the-box user roles that can be configured for granular permissioning:

      1. Collaborator

      2. Standard user

      3. Business administrator

      4. Technical administrator

      Learn more

      Role Based Access Control (RBAC) / Granular Permission Profiles

      In addition to standard user roles, Gong supports granular permission profiles.

      Create granular permission profiles to restrict access and actions related to: 

      • Calls, emails

      • call libraries

      • deals

      • coaching and stats pages

      • forecast

      • CRM

      • exporting

      Access can be restricted on an individual, team, or custom basis.

      Note: This is separate from consent profiles.

      Learn more

      Managing Access to Calls

      Gong provides multiple options to manage access to calls.

      Through granular permission profiles, a technical admin can restrict access to calls, such as:

      • Determining whether users can download call media

      • Restricting whether calls can be shared with customers

      • Allowing users to set calls as private

      • Letting users delete calls

      • Restrict whether users can export reports on calls

      Learn more

      Access to Customer Data

      Gong restricts and limits access to customer data to authorized personnel on a need-to-know basis. Access of customer data by Gong personnel through the Gong platform can be audited in the Audit API. Please see the Auditing section under Logging and Monitoring for more details.


      Logging and Monitoring


      All Gong customers may audit both the use of the platform by their personnel as well as access of the platform by Gong personnel for troubleshooting or customer support. The Gong Audit API can be used to generate this data in standard JSON format, which can be used to feed your existing security monitoring tools.

      Learn more

      Data Backup and Recovery Policy

      Cloud Hosting

      Gong is a SaaS application that is hosted on AWS.


      Data Center

      Physical access to Gong data centers, where customer data is hosted, is limited to authorized personnel only. Physical security measures for Gong’s data centers include on-premise security guards, closed-circuit video monitoring, man traps, and additional intrusion protection measures.

      Please see the AWS documentation for additional information on their security controls.



      Gong conducts regular daily backups of customer data. The backups are applied to keep the Gong environment resilient to outages or cases where we needed to recover customer data.


      Privacy and Compliance

      Data Processing Addendum (DPA)

      Gong’s DPA sets out the terms that apply with regard to the Processing of Personal Data by Gong on behalf of Customers, in the course of providing the Gong Service to Customers under the Agreement.

      Learn more

      Privacy Policy

      You can find our privacy policy at

      Learn more

      List of Sub-Processors

      You can find our list of sub-processors at We recommend subscribing to stay up to date on any changes that may occur.

      Learn more

      Right to be forgotten, Deleting Subject Access Requests

      Gong is compliant with GDPR and CCPA’s  “right to be forgotten” requirement and provides the mechanism to delete personal data upon request.

      Learn more

      Consent Profiles

      You can create different consent profiles for different teams. Consent profiles are separate from permission profiles, and enable you to enforce multiple streams of consent based on different geographic or state privacy regulations.

      Learn more

      Managing Voice Identification

      Voice identification can be enabled to identify licensed Gong users in mono telephony calls. This function is disabled by default. 

      Technical administrators can enable this function for licensed Gong users, who must also consent to the function.

      Learn more

      Vulnerability Management

      Vulnerability Remediation and Patch Management

      Gong has a robust vulnerability management program that is validated as part of our SOC 2 and ISO certifications.


      Application Security

      Bug Bounty Program

      Gong runs an ongoing bug bounty program, as well as a Vulnerability Disclosure Program. You can submit vulnerabilities through

      Learn more


      Security FAQs

      Frequently asked questions are available in our Security FAQ section.

      Learn more

      Was this article helpful?


      Eddy AI, a genAI helper, will scrub our help center to give you an answer that summarizes our content. Ask a question in plain language and let me do the rest.