Encryption and Key Management

Governance

Human Resources Security

Identity and Access Management

Incident Response

Mobile Device Security

Privacy Management

Product Security

Risk Management

Secure System Development

Security Culture

Vendor Management

Business continuity is the ability of an organization to maintain essential functions during, as well as after, a disaster has occurred.

Business Continuity

Organization has instrumented an infrustructure monitoring system, e.g. PagerDuty, and has designated responsible workforce members for incident response.

Infrastructure Monitoring & Dedicated Response Team

Encryption keys for at-rest data are rotated frequently

Rotates At-rest Encryption Keys

Organization performs routine access control reviews for information systems. 

Perfoms Access Control Reviews

Organization routinely applies latest security patches to information systems. 

Performs Regular Security Updates

Organization monitors systems and networks for malicious activity or policy violations.

Host and/or Network Intrusion Detection

Encrypts Data At-rest

Organization requires all workforce members execute a confidentiality agreement prior to accessing organizational information systems.

Requires Confidentiality Agreement With Workforce Members

Organization prohibits workforce members from accessing organizational information or information systems from personal devices.

Prohibits Bring Your Own Device

Organization routinely performs penetration testing

Performs Routine Penetration Testing

Organization prohibits use of insecure encryption protocols such as SSL and TSL 1.0.

Strong TLS Protocols Required

Organization reviews the Business Continuity Plan and performs technical or tabletop testing exercises on a routine basis.

Conducts Business Continuity Training & Testing

Organization deploys information systems across multiple physical locations (e.g. Availability Zones on AWS)

Distrubution of Systems

Employee workstations used to store or access non-public information have full disk encryption enabled

Full Disk Encryption of Employee Workstations

Organization requires all workforce members complete Anti-phishing Training on a routine basis.

Anti-phishing Simulation and Training

Organization has created an Incident Response Plan designed to reduce the negative impacts resulting from a security or privacy incident.

Incident Response Plan

Organization has completed an audit or certification process for one or more of the following audit frameworks: ISO 27001:2013, HITRUST, SOC 2 TYPE II, FedRAMP, NIST 800-171)

Holds Audit Report or Certification from Major Audit Framework

Organization reviews common vulnerability databases and mailing lists on a routine basis.

Subscribes to Vulnerability Mailing Lists

Organization prohibits workfroce members from creating local copies of production data.

Forbids Local Download of Production Customer Data

Organization publicly shares software release notes for major product updates.

Publicly Available Release Notes

Organization publicly discloses data collection and processing methods to data subjects.

Public Privacy Policy

Organization performs routine backups of databases and other data stores. 

Automated, Distributed Backups

Organization requires access and access controls to abide by the principles of Deny-by-default, Need-to-know, and Least Privilege. 

Requires Strong, Role-Based Access Control Principles

Organization has implemented a risk management program in order to identify risks and treatment opportunities.

Risk Assessment and Treatment Program

Organization requires all non-trivial code changes be reviewed and approved prior to merge.

Requires Code Review Before Merge

Organization implements DDos avoidance/protection techniques such as network isolation, DNS Amplification or application load balancers on AWS.

DDos Avoidance and Protection

Workforce members are required to use a password manager such as 1Password for managing account credentials.

Requires Password Manager for Workforce Members

Organization audits security configuration of all workforce phones and tables used to access organizational information or information systems.

Enforces Strong Mobile Device Security Configuration MDM

Organization encourages responsible disclosure of suspected vulnerabilities and awards researchers a cash bonus for reporting vulnerabilities.

Responsible Disclosure/Bug Bounty Program

Organization publicly discloses Government Request activity.

Government Requests Transparency

Organization has commited to service uptime greater than 99%.

99+% Uptime Service Level Agreement

Organization prohibits use of shared accounts for systems that maintain sensitive data.

Restricts Shared Accounts

Organization''s sytem development procedures ensure strong password and authentication requirements. 

Requires Strong Password and Authentication Requirements

Organization requires all non-trivial code changes to be unit and/or acceptance tested. 

Automated Testing

Organization routinely performs internal audits in order to ensure effective operation of their compliance and security pgoram.  

Routine Internal Audits

Organization only uses encryption technologies based on standard algorithms approved in FIPS 140-2.  

Requires Strong Encryption Algorithms

Organization utilizes strong encryption methods for transfer of any non-public information outside of the organizations'' network.

Encrypts Data In Transit

Organization reviews the Incident Response Plan and performs functional or tabletop testing exercises on a routine basis.

Conducts Incident Response Training & Testing

Organization routinely performs host and/or network vulnerability scans.

Performs Automated Host/Network Vulnerability Scans

Services deployed by organization support Multifactor Authentication (MFA), a security system that requires more than one method of authentication.

Supports MFA

Organization publicly shares system status updates & availability incidents. 

Publicly Available Status Page

Organization performs professional-reference and criminal background screens on all prospective employees and contractors that require access to non-public data. 

Performs Due Diligence in Hiring Workforce Members

Organization prohibits attempts to interfere with reporting of security or policy incidents

Prohibits Retaliation Against Whistleblowers

Organization routinely performs web application vulnerability scans.

Performs Automated Application Vulnerability Scans

Services deployed by organization support Single Sign-On (SSO) from providers such as Okta or OneLogin.

Supports SSO

Organization has created a Business Continuity Plan designed to reduce disruptions in uptime as a result of an incident. 

Business Continuity Plan

Organization requires all workforce members complete Privacy and Security Awareness Training on a routine basis.

Security & Privacy Training

Organization audits security configuration of all laptops and workstations used to access organizational information or information systems. 

Enforces Strong Workstation Security Configuration by MDM

Organization maintains host-level and application-level event logs.

Host and Application Audit Logging

Organization is not the subject of any Privacy violation investigations. 

Investigations for Privacy Violations

FedRAMP simplifies security for the digital age by providing a standardized approach to security for the cloud.

FedRAMP

SOC 2 Type 1

ISO 27001

SOC 1 Type 2

GDPR

HITRUST

HIPAA

SOC 3

SOC 2 Type 2

FISMA

SOC 1 Type 1

EU-US Privacy Shield

Swiss-US Privacy Shield

Cloud Security Alliance

CCPA

Generate more revenue by having better sales conversations with the #1 conversation intelligence platform for sales

Gong.io

====
EU-US AND SWISS-US PRIVACY SHIELD
====

We comply with the EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from European Union and Switzerland to the United States.

We have certified to the Department of Commerce that we adhere to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.

If there is any conflict between this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles will govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/ . The Federal Trade Commission (FTC) has jurisdiction over our compliance with the Privacy Shield Framework.

====
SECURITY 
CERTIFICATIONS
====

Gong conducts a variety of audits to ensure continuous
compliance with industry standard best practices:
 * Gong is SOC2 Type II compliant and provides a third-party attestation report covering security, availability, confidentiality and privacy, as well as HIPAA compliance.
 * Gong has a certification for compliance with ISO/IEC 27001:2013. An independent body has audited our compliance with this standard and issued our ISO 27001:2013 certificate. Gong’s compliance with this internationally-recognized standard and code of practice is evidence of our commitment to information security at every level of our organization, and that our security program is in accordance with industry leading best practices.
 * Gong complies with the EU/Swiss-U.S. Privacy Shield
 Framework as set forth by the U.S. Department of Commerce
 regarding the collection, use, and retention of personal
 information from European Union member countries/Switzerland.
 * Gong has implemented a GDPR (General Data Protection Regulation) readiness program that has been assessed by a Big Four accounting firm. This includes appointing a Data Protection Officer (DPO), putting measures in place to identify and delete private data, ensuring all subcontractors are compliant, and updating Terms and Conditions , Privacy Policy , and Data Processing Addendum (DPA) .

What problems does Gong address? 

WHAT PROBLEMS DOES GONG ADDRESS?
 * Most deals that enter the pipeline fail to become closed revenue due to being blind to the sales calls happening throughout
 * Unscalable, inefficient call coaching
 * Slow onboarding ramp time for new sales hires
 * Difficulty in closing the delta between top and average performers
 * Poor sales conversations happening across the team
 * Inconsistency: 10 reps handling 10 calls 10 different ways
 * Not knowing why “blockage points” are happening at key stages in your sales funnel, and not knowing how to fix them
 * Difficulty in knowing what’s working and what’s not, which reduces your playbook to an act of guesswork
 * Lack of sales training adoption: reps reverting back to old habits
 * Guesswork in where the team needs sales training and coaching

What kind of company makes a good customer for Gong? 

WHAT KIND OF COMPANY MAKES A GOOD CUSTOMER FOR GONG?

Professional B2B sales teams who sell by phone or conference call who need to capture and get visibility into their sales calls.
What do I need to use Gong? 

WHAT DO I NEED TO USE GONG?
 * 8+ inside sales reps
 * Making calls by phone or conference call
 * Using G Suite or Outlook 365 for their calendar
 * Using one of our supported integrations 

How does it work if you already record calls? 

HOW DOES IT WORK IF YOU ALREADY RECORD CALLS?

If you’re already recording your calls via your phone system, dialer, or some other method, you’ll connect Gong to that platform. All call recordings from that point on will automatically be imported into the Gong platform where they will be transcribed, analyzed, and housed.
What's the general pricing/packaging for Gong? 

WHAT'S THE GENERAL PRICING/PACKAGING FOR GONG?

We charge based on how many recorded reps you have. The beauty is that anyone in your company who isn’t recording themselves but wants to listen to/analyze calls is completely free. The specific price is going to depend on your situation, number of reps, and a few other variables.

 Talk to sales to learn more 
Won't my reps think this is "big brother"? 

WON'T MY REPS THINK THIS IS "BIG BROTHER"?

We’ve actually found that individual reps are our most enthusiastic users. It helps them make every one of their calls better than their last one, and learn from their peers so they can figure out how to close more deals. Reps often refer to Gong as “game film for salespeople.”

 See reps talk about Gong on G2 Crowd 
How accurate is the transcript? 

HOW ACCURATE IS THE TRANSCRIPT?

Gong has an optimized speech-to-text model, achieving state-of-the-art accuracy of 85%-90% (compared with off-the-shelf models that achieve 75%-80% accuracy). Gong technology is built to use machine learning to identify topics that are being discussed on the call, independent of specific keywords. That makes Gong resilient to transcription errors.
Do my reps have to notify customers that the call is being recorded? 

DO MY REPS HAVE TO NOTIFY CUSTOMERS THAT THE CALL IS BEING RECORDED?

As a best practice, we recommend it. We’ve found that it’s incredibly comfortable to pull off on scheduled sales calls like demos or discovery calls. If the rep says something like “Do you mind if I record this call so I’m not scrambling to take notes?” the prospect will agree 95% of the time
How secure are my recordings and data? 

HOW SECURE ARE MY RECORDINGS AND DATA?

Gong offers the highest level of security to all customers. Gong is compliant with SOC2 Type II, EU Privacy Shield, and with the upcoming GDPR (General Data Protection Regulation). Recordings and all other data (such as transcript data) are stored in Amazon data centers, and are encrypted at rest and in transit.
How does set up work? 

HOW DOES SET UP WORK?

It’ll take around 5 minutes.
 1. Join
 First, you’ll create an account.
 
 2. Invite
 You’ll invite your team within the platform. They will receive an email to login.
 
 3. Connect
 Your team will complete a 3-click calendar integration
 
 4. Use
 Gong will then start recording, transcribing, and analyzing their scheduled sales calls

====
SECURITY 
CERTIFICATIONS
====

Gong conducts a variety of audits to ensure continuous
compliance with industry standard best practices:
 * Gong is SOC2 Type II compliant and provides a third-party attestation report covering security, availability, confidentiality and privacy, as well as HIPAA compliance.
 * Gong has a certification for compliance with ISO/IEC 27001:2013. An independent body has audited our compliance with this standard and issued our ISO 27001:2013 certificate. Gong’s compliance with this internationally-recognized standard and code of practice is evidence of our commitment to information security at every level of our organization, and that our security program is in accordance with industry leading best practices.
 * Gong complies with the EU/Swiss-U.S. Privacy Shield
 Framework as set forth by the U.S. Department of Commerce
 regarding the collection, use, and retention of personal
 information from European Union member countries/Switzerland.
 * Gong has implemented a GDPR (General Data Protection Regulation) readiness program that has been assessed by a Big Four accounting firm. This includes appointing a Data Protection Officer (DPO), putting measures in place to identify and delete private data, ensuring all subcontractors are compliant, and updating Terms and Conditions , Privacy Policy , and Data Processing Addendum (DPA) .

====
SECURITY 
CERTIFICATIONS
====

Gong conducts a variety of audits to ensure continuous
compliance with industry standard best practices:
 * Gong is SOC2 Type II compliant and provides a third-party attestation report covering security, availability, confidentiality and privacy, as well as HIPAA compliance.
 * Gong has a certification for compliance with ISO/IEC 27001:2013. An independent body has audited our compliance with this standard and issued our ISO 27001:2013 certificate. Gong’s compliance with this internationally-recognized standard and code of practice is evidence of our commitment to information security at every level of our organization, and that our security program is in accordance with industry leading best practices.
 * Gong complies with the EU/Swiss-U.S. Privacy Shield
 Framework as set forth by the U.S. Department of Commerce
 regarding the collection, use, and retention of personal
 information from European Union member countries/Switzerland.
 * Gong has implemented a GDPR (General Data Protection Regulation) readiness program that has been assessed by a Big Four accounting firm. This includes appointing a Data Protection Officer (DPO), putting measures in place to identify and delete private data, ensuring all subcontractors are compliant, and updating Terms and Conditions , Privacy Policy , and Data Processing Addendum (DPA) .

====
SECURITY 
CERTIFICATIONS
====

Gong conducts a variety of audits to ensure continuous
compliance with industry standard best practices:
 * Gong is SOC2 Type II compliant and provides a third-party attestation report covering security, availability, confidentiality and privacy, as well as HIPAA compliance.
 * Gong has a certification for compliance with ISO/IEC 27001:2013. An independent body has audited our compliance with this standard and issued our ISO 27001:2013 certificate. Gong’s compliance with this internationally-recognized standard and code of practice is evidence of our commitment to information security at every level of our organization, and that our security program is in accordance with industry leading best practices.
 * Gong complies with the EU/Swiss-U.S. Privacy Shield
 Framework as set forth by the U.S. Department of Commerce
 regarding the collection, use, and retention of personal
 information from European Union member countries/Switzerland.
 * Gong has implemented a GDPR (General Data Protection Regulation) readiness program that has been assessed by a Big Four accounting firm. This includes appointing a Data Protection Officer (DPO), putting measures in place to identify and delete private data, ensuring all subcontractors are compliant, and updating Terms and Conditions , Privacy Policy , and Data Processing Addendum (DPA) .

website

tags

Last Updated

Gong.io

Summary

EU-US Privacy Shield

ISO 27001

GDPR

HIPAA

SOC 2 Type 2

Swiss-US Privacy Shield

EU-US Privacy Shield

EU-US Privacy Shield

ISO 27001

ISO 27001

HIPAA

HIPAA

SOC 2 Type 2

SOC 2 Type 2

Swiss-US Privacy Shield

Swiss-US Privacy Shield