Overveiw
To give salespeople and their managers 360° visibility into every conversation that makes a deal, Gong periodically scans and imports the mailboxes of users who are set for email import by the customer’s Gong admin. By applying a set of filtering rules and cross-referencing with the company’s CRM, Gong determines whether an email belongs to a deal and should be imported.
Table 1. Data flow diagram
|
|
How does Gong connect to users’ mailboxes?
Gong offers two ways of connecting to Office 365 mailboxes: User-by-user (OAuth) or company-wide (Azure app).
In user-by-user mode, the company’s Gong admin selects users to import emails for in the Team Members configuration page. Users will then receive an invitation over email to connect their mailbox using OAuth. Each user must approve Gong’s access to their mailbox for Gong to be able to import their emails.
In company-wide mode, the company’s Azure admin installs Gong’s Azure app, allowing it to access the mailboxes of all users in the company’s Azure AD, or a subset of them. Gong will then scan the mailboxes of users who are set to be imported, without the need for individual user approval.
What permission scopes does Gong request?
Gong requests the following permission scopes:
https://graph.microsoft.com/user.read
https://graph.microsoft.com/mail.read
profile
openid
email
offline_access
These scopes are used to identify the user (user.read, profile, openid, email), read their mailboxes (mail.read) and do so in the background without requiring the user to initiate each sync (offline_access).
How are authentication tokens kept?
As with all user data, Gong encrypts authentication tokens with keys managed by Amazon’s AWS Key Management System (KMS), using AES-256 encryption. Data is stored on the AWS N. Virginia data center.
You can read more about Gong’s security policy at https://www.gong.io/security/
Can users and admins revoke Gong’s access?
In user-by-user mode, users can revoke OAuth access at any time from their Office 365 account settings. Admins can revoke individual user access in the Azure admin portal, or block the app altogether in the API Permissions settings.
In company-wide mode, admins can uninstall Gong’s Azure app from the active directory, removing access to all users at once.
How does Gong decide which emails to import?
Gong periodically scans mailboxes of users who are set for email import by the company’s Gong admin, looking through the message meta-data to determine whether it should be imported.
The following rules are applied to make this decision:
Non-internal correspondence: Gong ignores all internal conversations by matching the participant list with all known company domains. If all participants are from the company domains, the message will be ignored.
Has no blacklisted addresses, domains, or phrases: Gong makes sure none of the participants were blacklist by an admin, and the message subject does not contain any phrases that were blacklisted. A message containing any blacklisted address, domains or phrases will be ignored.
Has CRM participants: Gong cross-references the participant list with domains assigned to accounts, contacts and leads in the company’s CRM. A message with no CRM-related participants will be ignored.
What email meta-data does Gong read when deciding whether to import a message?
From
Sender
To
Cc
Bcc
Subject
How can an admin blacklist email addresses, domains, or phrases?
In Gong’s Email Import settings page, an admin can manage the lists of blacklisted addresses, domains, and phrases. A message containing any of these will be ignored and not imported.
Adding new entries to the blacklist will delete from Gong’s database all previously imported matching messages.
Can imported messages be deleted from Gong?
Users and admins can delete imported messages in the email preview screen. Admins can delete all email messages, while standard users can only delete messages from accounts associated with them.
Admins can also add entries to the participant and phrases blacklists, which will delete all matching messages.
How does Gong assign messages to CRM objects?
After an integration with the customer’s CRM has been established, Gong uses the CRM API to match participants to CRM accounts, contacts and leads, by looking at their email addresses and domains.
If a participant’s email address matches that of a contact or lead, the message will be assigned to them. If a participant’s domain matches any of the domains assigned to an account or a lead, the message will be assigned to that account or lead.
Messages can be assigned to multiple accounts or leads. Messages without any matching participants will not be imported.
Does Gong store information about unmatched messages?
No. Gong does not store any information about messages that do not pass the previously described filters. Any meta-data collected for filtering purposes is never stored in Gong’s database or any other form of permanent storage, and is wiped when the filtering process terminates.
How are imported emails stored?
Gong stores imported email data in the AWS N. Virginia data center.
Data is encrypted both in-transit and at rest with keys managed by Amazon’s AWS Key Management System (KMS), using AES-256 encryption.
You can read more about Gong’s security policy at https://www.gong.io/security/
How is customer data used?
The customer owns the data, and Gong processes it to provide the service.
Read more about Gong’s Data Processing Addendum (DPA) at https://www.gong.io/data-processing-addendum/
What is Gong’s data retention policy?
Gong delete all user data and emails based on its data retention policy, which is set to 3 years by default.
Are emails deleted upon termination?
Yes. Customer data is deleted within 30 days of contract termination.