Login
    Contents x
    Summary of security features
    • 6 minute read
    • Contributors
    • Dark
      Light
    Contents

    Summary of security features

    • 6 minute read
    • Contributors
    • Dark
      Light
    Article summary

    Category

    Capability

    Description

    Learn more

    Security Validations

    ISO 27701 Certificate

    ISO 27701 is a globally recognized, privacy-based certification that builds upon security requirements outlined in ISO 27001 with emphasis on an organization’s Privacy Information Management System (PIMS).

    Download our ISO certificate

    Trust Center.

    ISO 27001 Certificate

    ISO 27001 is a globally recognized, standards-based approach to security that outlines requirements for an organization’s Information Security Management System (ISMS).

    Download our ISO certificate

    from our Trust Center.

    ISO 27017 Certificate

    This standard provides guidelines on how we implement information security controls for the provision and use of cloud services.

    Download our ISO certificate

    from our Trust Center.

    ISO 27018 Certificate

    This standard protects personally identifiable information (PII) in public clouds that act as PII processors. This further extends our ability to safeguard the personal and customer data we collect, process, and manage on your behalf.

    Download our ISO certificate

    from our Trust Center.

    DPF Certification

    Gong is certified with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

    Our public DPF profile is available here

    CSA’s STAR Registry

    We documented our cloud security controls at Gong for the CSA’s STAR Registry.

    STAR registry

    Download our completed CAIQ questionnaire from our Trust Center

    SOC 2 Type II Report

    Gong maintains our own SOC 2 Type II report with scope that spans Gong operations. The independent assessment affirms our commitment to customer data security, availability, confidentiality, and privacy. Gong’s report also includes a mapping to Health Insurance Portability and Accountability Act (HIPAA) security requirements.

    Download our SOC 2

    report from our Trust Center.

    PCI-DSS Report

    Gong has created the mechanisms that ingest and process calls from external telephony systems in a way that is PCI-DSS compliant. Gong maintains a specific scope for PCI DSS that analyzes the calls, identifies the PCI-related data, and redacts digits set forth by customer business rules. The SAQ refers to these components and attests to the needed measures that have been taken to ensure it is compliant with PCI-DSS.

    Download our SAQ-D

    from our Trust Center.

    Penetration Test Executive Summary

    Gong obtains independent validation security with independent penetration testing.

    Download our pen test summary

    from our Trust Center.

    Data Security

    Data Encryption

    Customer data is encrypted in transit using TLS 1.2 and at rest using AES-256.

     

    Key Management

    Gong uses AWS Key Management Services (KMS) for key management. Customers can encrypt their own data using bring your own key (BYOK).

    Learn more

    Data Segregation

    Data is logically separated within Gong’s multi-tenant environment. Gong segregates our customer data separately through this approach, which is commonly utilized in SaaS architectures.

     

    Data Retention

    Data retention is determined by the customer and can be configured at any time.

    Learn more

    Data Redaction

    An optional feature is the ability to redact sequences of digits to minimize the risk of personal numbers appearing within plain text of transcripts. Redaction is available in English calls only.

    We can redact numbers equal to and above the minimum number of digits Customers select. These numbers are replaced with (REDACTED) in the call's transcript.

    Learn more

    Data Deletion

    Gong provides multiple ways of deleting data from the tenant environment and provides tools for the customer to meet DSAR requests.

    Learn more

    Identity Management and Access Controls

    Automatic and Manual Provisioning

    Gong supports a system for single or cross-domain Identity Management (SCIM) provisioning systems.

    Learn more

    Single Sign On - Federated Identity

    Gong supports authentication through common Identity Providers, such as Google, Microsoft (Azure Active Directory and Office 365), and Salesforce. 

    Gong also supports SAML 2.0-based SSO, OAuth 2.0 authorization, and OpenID Connect, including Okta, OneLogin, Rippling, and custom providers.

    Learn more

    Password Policy

    Our preference is for our customers to use their Single Sign On (SSO) to inherit the rules associated with their password policy. For non-SSO users, Gong supports authentication, which enforces the following password requirements:

    • Minimum of eight characters

    • At least one number

    • At least one special character

    • Cannot contain part of the username

    • Cannot reuse the last four passwords

    Learn more

    Session Management

    Gong supports session management for inactivity. This is set by your Identity Management provider. Most providers have a default of 30 minutes that can be configured.

     

    Gong API Authentication

    There are two ways to retrieve credentials to the Gong Public API: 

    1. Basic Authorization, which requires manually obtaining an Access Key and Access Key Secret 

    2. OAuth, which generates a Bearer Token

    Learn more

    Creating Workspaces

    You can set up workspaces in Gong to segment your Gong instance to match your business needs. This feature helps enforce principles of least privilege within your business users. 

    This is useful if you have separate business units or geographic regions (such offices in the United States and in EMEA), where you may want to apply different business settings, permissioning, or retention policies. Creating separate workspaces allows you to easily manage different settings between distinct business groups.

    Learn more

    Least Privilege - User and Group Roles

    Gong provides four out-of-the-box user roles that can be configured for granular permissioning:

    1. Collaborator

    2. Standard user

    3. Business administrator

    4. Technical administrator

    Learn more

    Role Based Access Control (RBAC) / Granular Permission Profiles

    In addition to standard user roles, Gong supports granular permission profiles.

    Create granular permission profiles to restrict access and actions related to: 

    • Calls, emails

    • call libraries

    • deals

    • coaching and stats pages

    • forecast

    • CRM

    • exporting

    Access can be restricted on an individual, team, or custom basis.

    Note: This is separate from consent profiles.

    Learn more

    Managing Access to Calls

    Gong provides multiple options to manage access to calls.

    Through granular permission profiles, a technical admin can restrict access to calls, such as:

    • Determining whether users can download call media

    • Restricting whether calls can be shared with customers

    • Allowing users to set calls as private

    • Letting users delete calls

    • Restrict whether users can export reports on calls

    Learn more

    Access to Customer Data

    Gong restricts and limits access to customer data to authorized personnel on a need-to-know basis. Access of customer data by Gong personnel through the Gong platform can be audited in the Audit API. Please see the Auditing section under Logging and Monitoring for more details.

     

    Logging and Monitoring

    Auditing

    All Gong customers may audit both the use of the platform by their personnel as well as access of the platform by Gong personnel for troubleshooting or customer support. The Gong Audit API can be used to generate this data in standard JSON format, which can be used to feed your existing security monitoring tools.

    Learn more

    Data Backup and Recovery Policy

    Cloud Hosting

    Gong is a SaaS application that is hosted on AWS.

     

    Data Center

    Physical access to Gong data centers, where customer data is hosted, is limited to authorized personnel only. Physical security measures for Gong’s data centers include on-premise security guards, closed-circuit video monitoring, man traps, and additional intrusion protection measures.

    Please see the AWS documentation for additional information on their security controls.

     

    Backups

    Gong conducts regular daily backups of customer data. The backups are applied to keep the Gong environment resilient to outages or cases where we needed to recover customer data.

     

    Privacy and Compliance

    Data Processing Addendum (DPA)

    Gong’s DPA sets out the terms that apply with regard to the Processing of Personal Data by Gong on behalf of Customers, in the course of providing the Gong Service to Customers under the Agreement.

    Learn more

    Privacy Policy

    You can find our privacy policy at gong.io/privacy-policy.

    Learn more

    List of Sub-Processors

    You can find our list of sub-processors at gong.io/sub-processors. We recommend subscribing to stay up to date on any changes that may occur.

    Learn more

    Right to be forgotten, Deleting Subject Access Requests

    Gong is compliant with GDPR and CCPA’s  “right to be forgotten” requirement and provides the mechanism to delete personal data upon request.

    Learn more

    Consent Profiles

    You can create different consent profiles for different teams. Consent profiles are separate from permission profiles, and enable you to enforce multiple streams of consent based on different geographic or state privacy regulations.

    Learn more

    Managing Voice Identification

    Voice identification can be enabled to identify licensed Gong users in mono telephony calls. This function is disabled by default. 

    Technical administrators can enable this function for licensed Gong users, who must also consent to the function.

    Learn more

    Vulnerability Management

    Vulnerability Remediation and Patch Management

    Gong has a robust vulnerability management program that is validated as part of our SOC 2 and ISO certifications.

     

    Application Security

    Bug Bounty Program

    Gong runs an ongoing bug bounty program, as well as a Vulnerability Disclosure Program. You can submit vulnerabilities through https://vdp.gong.io/p/Welcome.

    Learn more

    FAQ

    Security FAQs

    Frequently asked questions are available in our Security FAQ section.

    Learn more

    Was this article helpful?
    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout
    ESC

    Eddy AI, a genAI helper, will scrub our help center to give you an answer that summarizes our content. Ask a question in plain language and let me do the rest.