| Category | Capability | Description | Learn more |
|---|---|---|---|
| Security Validations | ISO 27701 Certificate | ISO 27701 is a globally recognized, privacy-based certification that builds upon the security requirements outlined in ISO 27001, with emphasis on an organization's Privacy Information Management System (PIMS). | Download our ISO certificate. |
| | ISO 27001 Certificate | ISO 27001 is a globally recognized, standards-based approach to security that outlines requirements for an organization's Information Security Management System (ISMS). | Download our ISO certificate from our Trust Center. |
| | ISO 27017 Certificate | This standard provides guidelines on how we implement information security controls for the provision and use of cloud services. | Download our ISO certificate from our Trust Center. |
| | ISO 27018 Certificate | This standard protects personally identifiable information (PII) in public clouds that act as PII processors. It further extends our ability to safeguard the personal and customer data we collect, process, and manage on your behalf. | Download our ISO certificate from our Trust Center. |
| | DPF Certification | Gong is certified with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). | Our public DPF profile is available here. |
| | CSA's STAR Registry | We documented Gong's cloud security controls for the CSA's STAR Registry. | Download our completed CAIQ questionnaire from our Trust Center. |
| | SOC 2 Type II Report | Gong maintains its own SOC 2 Type II report with a scope that spans Gong operations. The independent assessment affirms our commitment to customer data security, availability, confidentiality, and privacy. Gong's report also includes a mapping to Health Insurance Portability and Accountability Act (HIPAA) security requirements. | Download our SOC 2 report from our Trust Center. |
| | PCI-DSS Report | Gong has built the mechanisms that ingest and process calls from external telephony systems in a PCI-DSS compliant way. Gong maintains a specific PCI DSS scope that analyzes the calls, identifies PCI-related data, and redacts digits according to customer business rules. The SAQ refers to these components and attests that the required measures have been taken to ensure PCI-DSS compliance. | Download our SAQ-D from our Trust Center. |
| | Penetration Test Executive Summary | Gong obtains independent security validation through independent penetration testing. | Download our pen test summary from our Trust Center. |
| Data Security | Data Encryption | Customer data is encrypted in transit using TLS 1.2 and at rest using AES-256. | |
| | Key Management | Gong uses AWS Key Management Service (KMS) for key management. Customers can encrypt their own data using bring your own key (BYOK). | |
| | Data Segregation | Customer data is logically separated within Gong's multi-tenant environment, an approach commonly used in SaaS architectures. | |
| | Data Retention | Data retention is determined by the customer and can be configured at any time. | |
| | Data Redaction | Optionally, sequences of digits can be redacted to minimize the risk of personal numbers appearing in plain text in transcripts. Redaction is available for English calls only. Numbers with at least the minimum number of digits selected by the customer are redacted and replaced with (REDACTED) in the call's transcript. | |
| | Data Deletion | Gong provides multiple ways of deleting data from the tenant environment and provides tools for the customer to meet DSAR requests. | |
| Identity Management and Access Controls | Automatic and Manual Provisioning | Gong supports user provisioning via the System for Cross-domain Identity Management (SCIM). | |
| | Single Sign On - Federated Identity | Gong supports authentication through common Identity Providers, such as Google, Microsoft (Azure Active Directory and Office 365), and Salesforce. Gong also supports SAML 2.0-based SSO, OAuth 2.0 authorization, and OpenID Connect, including Okta, OneLogin, Rippling, and custom providers. | |
| | Password Policy | Our preference is for customers to use their Single Sign On (SSO) so that the rules of their own password policy are inherited. For non-SSO users, Gong supports authentication that enforces the following password requirements: | |
| | Session Management | Gong supports session management for inactivity. This is set by your Identity Management provider. Most providers have a default of 30 minutes that can be configured. | |
| | Gong API Authentication | There are two ways to retrieve credentials for the Gong Public API: | |
| | Creating Workspaces | You can set up workspaces in Gong to segment your Gong instance to match your business needs. This feature helps enforce the principle of least privilege among your business users. It is useful if you have separate business units or geographic regions (such as offices in the United States and in EMEA) where you want to apply different business settings, permissions, or retention policies. Separate workspaces let you easily manage different settings for distinct business groups. | |
| | Least Privilege - User and Group Roles | Gong provides four out-of-the-box user roles that can be configured for granular permissioning: | |
| | Role Based Access Control (RBAC) / Granular Permission Profiles | In addition to the standard user roles, Gong supports granular permission profiles. Create granular permission profiles to restrict access and actions related to: Access can be restricted on an individual, team, or custom basis. Note: this is separate from consent profiles. | |
| | Managing Access to Calls | Gong provides multiple options to manage access to calls. Through granular permission profiles, a technical admin can restrict access to calls, such as: | |
| | Access to Customer Data | Gong restricts access to customer data to authorized personnel on a need-to-know basis. Access to customer data by Gong personnel through the Gong platform can be audited via the Audit API. See the Auditing entry under Logging and Monitoring for more details. | |
| Logging and Monitoring | Auditing | All Gong customers may audit both the use of the platform by their own personnel and access to the platform by Gong personnel for troubleshooting or customer support. The Gong Audit API can generate this data in standard JSON format, which can be fed into your existing security monitoring tools. | |
| Data Backup and Recovery Policy | Cloud Hosting | Gong is a SaaS application hosted on AWS. | |
| | Data Center | Physical access to the data centers where customer data is hosted is limited to authorized personnel only. Physical security measures for these data centers include on-premise security guards, closed-circuit video monitoring, mantraps, and additional intrusion protection measures. See the AWS documentation for additional information on their security controls. | |
| | Backups | Gong conducts regular daily backups of customer data. The backups keep the Gong environment resilient to outages and to cases where customer data needs to be recovered. | |
| Privacy and Compliance | Data Processing Addendum (DPA) | Gong's DPA sets out the terms that apply to the Processing of Personal Data by Gong on behalf of Customers in the course of providing the Gong Service to Customers under the Agreement. | |
| | Privacy Policy | You can find our privacy policy at gong.io/privacy-policy. | |
| | List of Sub-Processors | You can find our list of sub-processors at gong.io/sub-processors. We recommend subscribing to stay up to date on any changes. | |
| | Right to be Forgotten, Data Subject Access Requests | Gong is compliant with the GDPR and CCPA "right to be forgotten" requirement and provides the mechanism to delete personal data upon request. | |
| | Consent Profiles | You can create different consent profiles for different teams. Consent profiles are separate from permission profiles and enable you to enforce multiple streams of consent based on different geographic or state privacy regulations. | |
| | Managing Voice Identification | Voice identification can be enabled to identify licensed Gong users in mono telephony calls. This function is disabled by default. Technical administrators can enable it for licensed Gong users, who must also consent to the function. | |
| Vulnerability Management | Vulnerability Remediation and Patch Management | Gong has a robust vulnerability management program that is validated as part of our SOC 2 and ISO certifications. | |
| Application Security | Bug Bounty Program | Gong runs an ongoing bug bounty program as well as a Vulnerability Disclosure Program. You can submit vulnerabilities through https://vdp.gong.io/p/Welcome. | |
| FAQ | Security FAQs | Frequently asked questions are available in our Security FAQ section. | |
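The Data Redaction row above describes replacing digit sequences at or above a customer-selected minimum length with (REDACTED) in a transcript. The Python below is an added illustration of that rule, not Gong's code; it assumes only what the row states, and its `join_separated` option (treating digit groups split by spaces, dashes or dots as one number, so a formatted card number is not missed) is an assumption beyond the page.

```python
import re

REDACTED = "(REDACTED)"

# Strict form: a contiguous run of digits, as the row describes.
_CONTIGUOUS_RE = re.compile(r"\d+")
# Generalised form (assumption, not on the page): digit groups joined by a
# single space, dash or dot count as one number, e.g. "4111 1111 1111 1111".
_SEPARATED_RE = re.compile(r"\d+(?:[ .-]\d+)*")


def redact_digits(transcript: str, min_digits: int, join_separated: bool = False) -> str:
    """Replace every number with at least `min_digits` digits by (REDACTED).

    Numbers shorter than the threshold (room numbers, times, small counts)
    are left in place so the transcript stays readable.
    """
    if min_digits < 1:
        raise ValueError("min_digits must be at least 1")
    pattern = _SEPARATED_RE if join_separated else _CONTIGUOUS_RE

    def _replace(match: re.Match) -> str:
        text = match.group(0)
        # Count digits only; separators do not count towards the threshold.
        digit_count = sum(ch.isdigit() for ch in text)
        return REDACTED if digit_count >= min_digits else text

    return pattern.sub(_replace, transcript)


def redact_transcript(lines: list[str], min_digits: int, join_separated: bool = False) -> list[str]:
    """Apply redact_digits to each line of a transcript."""
    return [redact_digits(line, min_digits, join_separated) for line in lines]


if __name__ == "__main__":
    # Constructed sample transcript lines, not a real call.
    sample = [
        "Agent: Can I get the card number?",
        "Customer: Sure, it is 4111 1111 1111 1111, and my PIN is 1234.",
        "Agent: Thanks. Your appointment is at 3 pm in room 42.",
    ]
    for line in redact_transcript(sample, min_digits=4, join_separated=True):
        print(line)
```

With a minimum of 4 digits the card number and PIN are redacted while "3" and "42" remain, showing why the threshold the customer selects matters: a low setting also catches dates and similar short numbers.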