Summary of security features

Security Validations

ISO 27701 Certificate

ISO 27701 is a globally recognized, privacy-based certification that builds upon security requirements outlined in ISO 27001 with emphasis on an organization’s Privacy Information Management System (PIMS).

Download our ISO certificate from our Trust Center.

ISO 27001 Certificate

ISO 27001 is a globally recognized, standards-based approach to security that outlines requirements for an organization’s Information Security Management System (ISMS).

Download our ISO certificate from our Trust Center.

ISO 27017 Certificate

This standard provides guidelines on how we implement information security controls for the provision and use of cloud services.

Download our ISO certificate from our Trust Center.

ISO 27018 Certificate

This standard protects personally identifiable information (PII) in public clouds that act as PII processors. This further extends our ability to safeguard the personal and customer data we collect, process, and manage on your behalf.

Download our ISO certificate from our Trust Center.

DPF Certification

Gong is certified with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Our public DPF profile is available here

CSA’s STAR Registry

We documented our cloud security controls at Gong for the CSA’s STAR Registry.

STAR registry

Download our completed CAIQ questionnaire from our Trust Center

SOC 2 Type II Report

Gong maintains our own SOC 2 Type II report with scope that spans Gong operations. The independent assessment affirms our commitment to customer data security, availability, confidentiality, and privacy. Gong’s report also includes a mapping to Health Insurance Portability and Accountability Act (HIPAA) security requirements.

Download our SOC 2 report from our Trust Center.

PCI-DSS Report

Gong has built the mechanisms that ingest and process calls from external telephony systems in a PCI-DSS compliant way. Gong maintains a specific PCI DSS scope covering the components that analyze calls, identify PCI-related data, and redact digits according to customer-defined business rules. The SAQ covers these components and attests to the measures taken to keep them compliant with PCI-DSS.

Download our SAQ-D from our Trust Center.

Penetration Test Executive Summary

Gong obtains independent validation of its security through third-party penetration testing.

Download our pen test summary from our Trust Center.

Data Security

Data Encryption

Customer data is encrypted in transit using TLS 1.2 and at rest using AES-256.

Key Management

Gong uses AWS Key Management Service (KMS) for key management. Customers can encrypt their own data using bring your own key (BYOK).

Learn more

Data Segregation

Data is logically separated within Gong’s multi-tenant environment. This logical-segregation approach, which is commonly used in SaaS architectures, keeps each customer’s data separate from that of other tenants.

Data Retention

Data retention is determined by the customer and can be configured at any time.

Learn more

Data Redaction

An optional feature redacts sequences of digits to minimize the risk of personal numbers appearing in the plain text of transcripts. Redaction is available for English calls only.

Gong redacts any sequence of digits whose length is equal to or greater than the minimum number of digits the customer selects. Redacted sequences are replaced with (REDACTED) in the call's transcript.

Learn more
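The rule described above (redact every digit sequence at least as long as a customer-chosen minimum, substituting the literal (REDACTED) marker) is simple enough to show end to end. The following is an added example written for this article, not Gong's own redaction code; it generalizes slightly by treating digits separated by single spaces, hyphens or dots as one sequence, which is an assumption of this example rather than something the article states. The transcript lines are constructed sample input.

```python
import re
from typing import List

REDACTED = "(REDACTED)"

# A run of digits, optionally separated by single spaces, hyphens or dots, is
# treated as one sequence, so "4111 1111 1111 1111" and "415-555-0100" each
# count as a single number. Assumption of this example: the article only
# says "sequences of digits"; grouping across separators is a generalization.
_DIGIT_RUN = re.compile(r"\d(?:[ .-]?\d)*")


def redact_digits(text: str, min_digits: int) -> str:
    """Replace every digit sequence containing at least min_digits digits
    with the (REDACTED) marker; shorter sequences are left untouched."""
    if min_digits < 1:
        raise ValueError("min_digits must be at least 1")

    def _replace(match):
        run = match.group(0)
        # Count only digits, so separators do not inflate the length.
        digit_count = sum(ch.isdigit() for ch in run)
        return REDACTED if digit_count >= min_digits else run

    return _DIGIT_RUN.sub(_replace, text)


def redact_transcript(lines: List[str], min_digits: int) -> List[str]:
    """Apply redact_digits to every line of a transcript."""
    return [redact_digits(line, min_digits) for line in lines]


def count_redactions(original: List[str], redacted: List[str]) -> int:
    """Number of sequences removed. Useful for an audit record that notes
    redaction ran and how often, without recording the digits themselves."""
    after = sum(line.count(REDACTED) for line in redacted)
    before = sum(line.count(REDACTED) for line in original)
    return after - before


# Constructed sample transcript lines (not real call data).
SAMPLE_TRANSCRIPT = [
    "Sure, my card number is 4111 1111 1111 1111, expiry 09/27.",
    "You can reach me on 415-555-0100 after 3pm.",
    "The order was for 12 seats at 80 dollars each.",
]

if __name__ == "__main__":
    redacted = redact_transcript(SAMPLE_TRANSCRIPT, min_digits=6)
    for line in redacted:
        print(line)
    print("sequences redacted:", count_redactions(SAMPLE_TRANSCRIPT, redacted))
```

With a minimum of six digits the card number and the phone number are replaced while the seat count, price and expiry fragments survive; lowering the minimum to two removes those as well, which is the trade-off the customer-selected threshold controls.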

Data Deletion

Gong provides multiple ways of deleting data from the tenant environment and provides tools for the customer to meet data subject access requests (DSARs).

Learn more

Identity Management and Access Controls

Automatic and Manual Provisioning

Gong supports user provisioning through the System for Cross-domain Identity Management (SCIM).

Learn more

Single Sign On - Federated Identity

Gong supports authentication through common Identity Providers, such as Google, Microsoft (Azure Active Directory and Office 365), and Salesforce.

Gong also supports SAML 2.0-based SSO, OAuth 2.0 authorization, and OpenID Connect, with providers including Okta, OneLogin, Rippling, and custom providers.

Learn more

Password Policy

Our preference is for our customers to use their Single Sign On (SSO) so that Gong inherits the rules of their existing password policy. For non-SSO users, Gong’s own authentication enforces the following password requirements:

  • Minimum of eight characters

  • At least one number

  • At least one special character

  • Cannot contain part of the username

  • Cannot reuse the last four passwords

Learn more
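The five requirements listed above can be expressed as a single validator. The following is an added example written for this article, not Gong's own authentication code. It assumes two things the article does not specify: "part of the username" means the local part of an e-mail style username or any alphanumeric token of it that is three or more characters long (case-insensitive), and previous passwords are kept only as salted PBKDF2-HMAC-SHA256 digests so the reuse check never needs old passwords in clear.

```python
import hashlib
import hmac
import os
import re
from typing import List, Tuple

MIN_LENGTH = 8          # minimum of eight characters
HISTORY_DEPTH = 4       # cannot reuse the last four passwords
MIN_USERNAME_PART = 3   # assumption: fragments this long count as "part of the username"

# A stored password entry: (salt, PBKDF2-HMAC-SHA256 digest).
PasswordRecord = Tuple[bytes, bytes]


def hash_password(password: str, salt: bytes) -> bytes:
    # 100,000 iterations is an assumption chosen for this example, not a Gong setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def remember_password(password: str, history: List[PasswordRecord]) -> List[PasswordRecord]:
    """Return a new history with this password prepended (newest first)."""
    salt = os.urandom(16)
    return [(salt, hash_password(password, salt))] + history


def _username_fragments(username: str) -> List[str]:
    """Case-folded fragments of the username: the local part of an e-mail style
    username plus each alphanumeric token of MIN_USERNAME_PART or more characters."""
    local = username.split("@", 1)[0].casefold()
    tokens = re.split(r"[^a-z0-9]+", local)
    return [f for f in [local] + tokens if len(f) >= MIN_USERNAME_PART]


def password_violations(password: str, username: str, history: List[PasswordRecord]) -> List[str]:
    """Return every policy rule the candidate password violates; an empty list
    means the password is accepted. history is ordered newest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("minimum of eight characters")
    if not re.search(r"\d", password):
        problems.append("at least one number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("at least one special character")
    folded = password.casefold()
    if any(fragment in folded for fragment in _username_fragments(username)):
        problems.append("cannot contain part of the username")
    # Only the most recent HISTORY_DEPTH entries are compared; constant-time
    # comparison avoids leaking which digest matched through timing.
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("cannot reuse the last four passwords")
            break
    return problems


def is_accepted(password: str, username: str, history: List[PasswordRecord]) -> bool:
    return not password_violations(password, username, history)


if __name__ == "__main__":
    # Constructed sample user and password history (not real credentials).
    user = "jane.doe@example.com"
    history = remember_password("Winter2024!", [])
    for candidate in ["Winter2024!", "janedoe1!", "short1!", "Sp4rrow-Nest!"]:
        print(candidate, "->", password_violations(candidate, user, history) or "accepted")
```

Returning the full list of violations rather than a single boolean lets the sign-up form tell the user every rule they missed in one round trip, and keeping the reuse window at exactly four entries means the fifth-most-recent password is accepted again, which is the behaviour the policy states.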

Session Management

Gong supports inactivity-based session timeouts. The timeout is set by your Identity Management provider; most providers default to 30 minutes, and the value can be configured.

Gong API Authentication

There are two ways to retrieve credentials for the Gong Public API:

  1. Basic Authorization, which requires manually obtaining an Access Key and Access Key Secret

  2. OAuth, which generates a Bearer Token

Learn more

Creating Workspaces

You can set up workspaces in Gong to segment your Gong instance to match your business needs. This feature helps enforce the principle of least privilege among your business users.

This is useful if you have separate business units or geographic regions (such as offices in the United States and in EMEA) where you want to apply different business settings, permissioning, or retention policies. Creating separate workspaces allows you to easily manage different settings for distinct business groups.

Learn more

Least Privilege - User and Group Roles

Gong provides four out-of-the-box user roles that can be configured for granular permissioning:

  1. Collaborator

  2. Standard user

  3. Business administrator

  4. Technical administrator

Learn more

Role Based Access Control (RBAC) / Granular Permission Profiles

In addition to standard user roles, Gong supports granular permission profiles.

Create granular permission profiles to restrict access and actions related to:

  • Calls and emails

  • Call libraries

  • Deals

  • Coaching and stats pages

  • Forecast

  • CRM

  • Exporting

Access can be restricted on an individual, team, or custom basis.

Note: This is separate from consent profiles.

Learn more

Managing Access to Calls

Gong provides multiple options to manage access to calls.

Through granular permission profiles, a technical admin can control how calls are accessed, for example by:

  • Determining whether users can download call media

  • Restricting whether calls can be shared with customers

  • Allowing users to set calls as private

  • Letting users delete calls

  • Restricting whether users can export reports on calls

Learn more

Access to Customer Data

Gong restricts and limits access to customer data to authorized personnel on a need-to-know basis. Access to customer data by Gong personnel through the Gong platform can be audited in the Audit API. Please see the Auditing section under Logging and Monitoring for more details.

Logging and Monitoring

Auditing

All Gong customers may audit both the use of the platform by their personnel as well as access of the platform by Gong personnel for troubleshooting or customer support. The Gong Audit API can be used to generate this data in standard JSON format, which can be used to feed your existing security monitoring tools.

Learn more

Data Backup and Recovery Policy

Cloud Hosting

Gong is a SaaS application that is hosted on AWS.

Data Center

Physical access to the data centers where Gong customer data is hosted is limited to authorized personnel only. Physical security measures for these data centers include on-premise security guards, closed-circuit video monitoring, mantraps, and additional intrusion protection measures.

Please see the AWS documentation for additional information on their security controls.

Backups

Gong conducts regular daily backups of customer data. Backups keep the Gong environment resilient to outages and allow customer data to be recovered when needed.

Privacy and Compliance

Data Processing Addendum (DPA)

Gong’s DPA sets out the terms that apply with regard to the Processing of Personal Data by Gong on behalf of Customers, in the course of providing the Gong Service to Customers under the Agreement.

Learn more

Privacy Policy

You can find our privacy policy at gong.io/privacy-policy.

Learn more

List of Sub-Processors

You can find our list of sub-processors at gong.io/sub-processors. We recommend subscribing to stay up to date on any changes that may occur.

Learn more

Right to be forgotten, Deleting Subject Access Requests

Gong is compliant with the GDPR and CCPA “right to be forgotten” requirement and provides the mechanism to delete personal data upon request.

Learn more

Consent Profiles

You can create different consent profiles for different teams. Consent profiles are separate from permission profiles, and enable you to enforce multiple streams of consent based on different geographic or state privacy regulations.

Learn more

Managing Voice Identification

Voice identification can be enabled to identify licensed Gong users in mono telephony calls. This function is disabled by default. 

Technical administrators can enable this function for licensed Gong users, who must also consent to the function.

Learn more

Vulnerability Management

Vulnerability Remediation and Patch Management

Gong has a robust vulnerability management program that is validated as part of our SOC 2 and ISO certifications.

Application Security

Bug Bounty Program

Gong runs an ongoing bug bounty program, as well as a Vulnerability Disclosure Program. You can submit vulnerabilities through https://vdp.gong.io/p/Welcome.

Learn more

FAQ

Security FAQs

Frequently asked questions are available in our Security FAQ section.

Learn more

