Gong stores every sales call, transcript, and deal signal your European team produces on servers in the United States. It has no EU data residency option. The ISO 27001 certification it displayed on its Trust page was set to expire in October 2025. The Data Privacy Framework it relies on for transatlantic data transfers faces an active legal challenge with an appeal filed in March 2026. And the US CLOUD Act means any of that data can be compelled by US authorities regardless of which contractual safeguards are in place. If you are a RevOps leader, procurement team, or sales director at a European company, these are not theoretical risks — they are precisely the conditions that led to the Dutch AP's €290 million fine against Uber in August 2024. This breakdown covers each issue in detail and explains what EU sales teams are choosing instead.
Where Gong stores your data — and why that matters in 2026
Gong stores all customer data in the United States. This applies regardless of where your company is headquartered, where your sales reps are located, or where your customers are. There is no EU data residency option available on any Gong plan. Every transcript of a call with a Dutch prospect, every recorded conversation with a German enterprise buyer, every AI-analyzed deal signal from a French customer — all of it lands and stays on US servers.
This matters in 2026 because the EU's enforcement posture toward cross-border data transfers has fundamentally shifted. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) fined Uber €290 million in August 2024 specifically for transferring European driver data to US servers without a valid transfer agreement in place during the lapse between Schrems II and the DPF. The principle established is clear: transferring personal data out of the EEA to the US requires a continuously valid legal basis, thorough documentation, and active management. Gaps create liability.
The Dutch AP's publicly stated 2025 enforcement priorities go further. They explicitly name remote-work productivity tools that generate behavioral and productivity logs about employees. Sales intelligence platforms that record, transcribe, and analyze sales calls — Gong being the category leader — fall squarely in that scope. Dutch, French, and German DPAs have all increased their investigation activity around US-based SaaS vendors. Gong GDPR compliance is no longer a matter of having a DPA on file; it requires a complete, maintained compliance posture that most EU companies using Gong do not have.
According to Gartner's 2026 survey, 34% of AI projects in Europe are paused or cancelled due to compliance concerns. The data sovereignty gap is the most commonly cited reason. Gong EU data residency does not exist, which means EU teams using Gong are managing a structural compliance problem, not a configuration one.
The DPF gamble: why standard contractual clauses are not enough
Gong holds EU-US Data Privacy Framework certification and offers Standard Contractual Clauses for EEA, UK, and Switzerland data transfers. These are genuine legal mechanisms — they are not fraudulent or absent. But they do not solve the data sovereignty problem, and understanding why requires being precise about what they actually do.
Standard Contractual Clauses (SCCs) are pre-approved contractual terms issued by the European Commission under Article 46 GDPR that create a legal basis for transferring personal data from the EEA to third countries that lack an adequacy decision. SCCs bind the data exporter (your company) and data importer (your vendor) to GDPR-equivalent obligations. They do not restrict where data is physically stored, do not prevent US government access, and do not substitute for EU data residency. They create a contractual obligation to protect data — they do not create a technical barrier to US authority access.
The European Court of Justice made this distinction explicit in the Schrems II judgment (C-311/18). SCCs are a valid transfer mechanism only when — after a Transfer Impact Assessment — you can conclude that US surveillance law does not undermine the protections the SCCs provide. For a company like Gong that stores all data in the US under the jurisdiction of US intelligence law, that assessment is not straightforward. The FISA Section 702 access problem that invalidated Privacy Shield has not been resolved by the DPF; it has been politically managed. The DPF survived an initial legal challenge in the Court of Justice of the EU in 2025, but an appeal was filed in March 2026. That appeal creates ongoing legal uncertainty around the very mechanism Gong relies on.
The practical consequence: EU companies using Gong must complete and document a Transfer Impact Assessment covering Gong's US storage, US processing, US employee access, and US legal exposure. That TIA must conclude affirmatively that the SCCs are effective. If the DPF is later invalidated — as Privacy Shield was before it — any data transferred during the period of reliance on the DPF becomes retroactively problematic. EU companies that rely on "Gong has DPF certification" as their complete compliance answer are not compliant; they have documented their intention to be compliant while leaving the substantive analysis undone.
A fully EU-owned cloud provider with no US parent entity eliminates this entire analysis. There is no transfer to document, no TIA to complete, no DPF dependence to manage. That is the structural difference between a US vendor with EU certifications and a genuinely EU-native alternative.
Gong's ISO 27001 status: what happened in October 2025
ISO 27001 is the international standard for information security management. It requires surveillance audits annually and a full recertification audit every three years. Certifications have a defined validity period and expire when the recertification audit is not completed in time.
Gong's ISO 27001 certification was set to expire in October 2025. As of mid-2026, Gong has not published a renewed certificate on its publicly accessible Trust page. This matters for EU procurement in two specific ways.
First, many EU enterprise procurement processes require vendors to maintain current ISO 27001 certification as a contractual condition of supply. If a vendor's certificate has lapsed, the contractual condition is breached — and procurement teams that approved the vendor on the basis of ISO 27001 may be unknowingly out of compliance with their own vendor risk policy. If you approved Gong on your approved vendor list citing ISO 27001, and that certification has lapsed, the approval may no longer be valid.
Second, ISO 27001 certification serves as third-party assurance that the vendor's information security management system is independently audited and operating effectively. Without a current certificate, you are relying entirely on Gong's self-reported security practices. For a platform that processes recordings of every deal conversation your sales team has, that is a significant assurance gap. Verify directly with Gong before signing or renewing: request their current ISO 27001 certificate with the issuing body name, certificate number, and validity dates. If they cannot produce a certificate valid through your contract term, treat it as a risk event requiring escalation.
The compliance liability shift: what Gong's DPA actually says about your obligations
Gong's Data Processing Agreement shifts a substantial portion of GDPR compliance responsibility onto the customer organization. This is not unusual for US SaaS vendors, but it is important to understand precisely what you are accepting when you sign it.
Under Gong's DPA, the customer organization — not Gong — is responsible for determining and documenting the lawful basis for processing personal data. Gong acts as your data processor; you remain the data controller. As data controller, you are responsible for Article 6 lawful basis (which legal ground justifies recording, transcribing, and AI-analyzing conversations), Article 9 if any special category data appears in calls, obtaining any required consents or delivering required disclosures to call participants, responding to data subject access, erasure, and portability requests within statutory timeframes, and maintaining your own Record of Processing Activities documenting the Gong deployment.
Gong also operates a multi-tenant environment with logical separation between customer data. Logical separation means your data is isolated by software controls, not physical separation. In the event of a security incident affecting Gong's shared infrastructure, the blast radius extends to all customers on that infrastructure. This is standard practice for cloud SaaS, but it is a material difference from dedicated EU infrastructure where your data physically does not coexist with other organizations' data on the same hardware.
The GDPR fine range for data controller violations is up to €20 million or 4% of global annual revenue, whichever is higher. Actual 2024 enforcement actions for AI and chatbot-related violations ranged from €35,000 to €1.5 million per incident. The key point: when a DPA fines a company for a Gong-related GDPR violation, they fine the customer — the data controller — not Gong. Gong's DPA makes this allocation explicit. Your compliance posture is your liability.
What Gong's DPA covers: a section-by-section breakdown
Gong's Data Processing Agreement is a standard Article 28 GDPR compliance document that establishes the legal relationship between your organization (the data controller) and Gong (the data processor). Understanding what it commits Gong to — and what responsibilities it explicitly returns to your organization — is the essential starting point for any compliant EU deployment. Many procurement teams treat a signed Gong DPA as evidence of GDPR compliance. It is not. It is evidence that a compliant arrangement is legally possible if your organization fulfils the rest of the requirements.
Data Processing Agreement (DPA) — under Article 28 GDPR, any controller that uses a processor must have a written contract specifying the subject-matter, duration, nature, and purpose of the processing; the type of personal data; categories of data subjects; and the controller's obligations and rights. The DPA does not determine whether processing is lawful. Lawful basis is established under Article 6 and Article 9 by the controller — your organization — independently of anything the DPA says.
What Gong's DPA commits Gong to
Gong's DPA contains the Article 28 baseline: process personal data only on the customer's documented instructions; bind authorized personnel to confidentiality; implement appropriate technical and organizational security measures; assist the customer with data subject rights obligations (access, erasure, rectification, portability, restriction, objection); notify the customer of security incidents within 72 hours of becoming aware; provide audit rights and compliance documentation on request; delete or return all personal data at contract termination; maintain records of processing activities carried out on the customer's behalf.
These are legal minimums, not differentiating features. The European Commission's standard processor clauses require all of them from every GDPR-compliant processor. The compliance value of a Gong DPA is not in what it commits Gong to — it is in understanding what it does not do.
What Gong's DPA does not do
The DPA does not create EU data residency. Every recording, transcript, and analytics payload your sales team generates is stored on US servers regardless of what the DPA says. It does not restrict US government access. The DPA contains standard language permitting Gong to comply with applicable law — and the CLOUD Act is applicable US law. It does not complete your Transfer Impact Assessment. The SCC annexes in the DPA give you the contractual mechanism; the TIA analysis that determines whether SCCs provide effective protection is entirely your organization's work. And it does not establish lawful basis for recording. Whether your company has a valid Article 6 ground to record, transcribe, and AI-analyse customer and prospect conversations is a determination your legal team must make — the DPA is silent on it.
SCCs and DPF within Gong's DPA
Gong's DPA incorporates Standard Contractual Clauses under Commission Implementing Decision (EU) 2021/914, Module 2 (controller to processor), for EEA-to-US data transfers. It references Gong's EU-US Data Privacy Framework certification as a supplemental legal basis. Module 2 SCCs explicitly require the data controller to assess whether the legal system of the destination country prevents the data importer from fulfilling its obligations under the SCCs — this is the Transfer Impact Assessment. Signing the DPA triggers your obligation to do the TIA; it does not substitute for it.
The DPF reference creates ongoing monitoring risk. The DPF survived an initial CJEU legal challenge in 2025, but an appeal was filed in March 2026. If the DPF is invalidated while your Gong contract is active — as Privacy Shield was under Schrems I, and as the Privacy Shield DPF successor was under Schrems II — you must switch to SCCs-only reliance immediately, update your TIA, and re-document lawful transfer basis. This monitoring obligation runs for the life of any Gong contract.
The CLOUD Act carve-out in Gong's DPA
Gong's DPA, like all US SaaS vendor agreements, contains language requiring Gong to comply with applicable US law, including government orders compelling data disclosure. The CLOUD Act is applicable law for Gong as a US company. This means the DPA's confidentiality provisions are subordinate to CLOUD Act compulsion. If a US authority issues a CLOUD Act order for data in your Gong deployment, Gong must comply, and the DPA does not prevent it. Gong commits to notifying customers of such orders where legally permitted, but CLOUD Act orders frequently include non-disclosure provisions that prohibit notification entirely. You may never know your data was accessed.
Transfer Impact Assessment checklist for Gong deployments
Any EU organization that has signed or is evaluating a Gong DPA must complete a Transfer Impact Assessment before the SCCs are considered legally effective. The following checklist covers the minimum required elements under the EDPB's Recommendations 01/2020 on supplementary measures for transfers to third countries.
- Step 1 — Map the transfers. Document every category of personal data flowing from your EEA organization to Gong's US servers: call recordings, AI-generated transcripts, participant metadata (names, email addresses, job titles, company affiliation), deal and pipeline data, behavioral analytics derived from call content. Include data about both your employees and third parties on calls (prospects, customers, partners).
- Step 2 — Identify the transfer mechanism. Verify Gong's current DPF registration at the US Department of Commerce and confirm your DPA includes executed Module 2 SCCs in their current Commission-approved form. Both mechanisms must be valid at the time of each transfer — DPF certification is annual, and SCCs can be superseded by new Commission decisions.
- Step 3 — Assess the US legal framework. Evaluate whether US surveillance law — specifically FISA Section 702, Executive Order 12333, and the CLOUD Act — allows access to transferred data in a way that undermines the SCC protections. For Gong: data is stored in the US; Gong is a US-incorporated company; CLOUD Act applies to Gong directly. The EDPB has not identified technical supplementary measures that effectively neutralize these laws for a vendor in Gong's position (key holder for encrypted data, US company, US-hosted).
- Step 4 — Identify supplementary measures. Determine whether any technical, contractual, or organizational measures reduce the exposure from Step 3. Contractual additions (enhanced notification obligations, audit rights) are organizational measures but do not prevent CLOUD Act compulsion. Encryption does not protect data from a vendor who holds the encryption keys, as Gong does. Document any measures you adopt and their assessed effectiveness honestly.
- Step 5 — Conclude and document. Record whether the SCCs, combined with any supplementary measures, provide essentially equivalent protection to GDPR standards. If you cannot reach an affirmative conclusion, the transfer must not proceed. Document the assessment with legal sign-off, apply a date, and schedule annual review or review triggered by changes in the transfer mechanism, Gong subprocessor list, or EDPB guidance.
- Step 6 — Monitor and maintain. The TIA is a living document. Mandatory review triggers: DPF legal status changes; Gong updates its subprocessor list; your data processing scope changes; EDPB issues updated guidance on US law transfers. Assign a named owner for TIA maintenance — if no one owns it, it will not be updated.
The CLOUD Act problem: US-owned means US-reachable
The US Clarifying Lawful Overseas Use of Data Act (CLOUD Act), passed in 2018, allows US law enforcement to compel US-based technology companies to produce data stored anywhere in the world, including on servers located outside the United States. Gong is a US company. All its data is already stored in the US, but even if it were not, the CLOUD Act would give US authorities a legal path to that data.
The CLOUD Act is structurally incompatible with GDPR's data protection standards. GDPR prohibits disclosing personal data to third-country authorities unless specific conditions are met — typically a mutual legal assistance treaty (MLAT) procedure. The CLOUD Act bypasses MLAT procedures by compelling the US company directly. The result is a legal conflict: GDPR says the data cannot be disclosed without MLAT; the CLOUD Act says it must be disclosed when compelled. As a US company, Gong must comply with CLOUD Act orders, regardless of what its DPA says about GDPR obligations.
The European Data Protection Board has issued guidance making clear that this exposure is real and relevant to transfer risk assessments. For EU companies in regulated sectors — financial services under DORA, essential services under NIS2, AI system operators under the EU AI Act — the CLOUD Act exposure is not a theoretical concern to be noted in a risk register. It is an active compliance condition that requires mitigation. The only structural mitigation is using a vendor with no US nexus: no US parent, no US employees with system access, no US-hosted infrastructure. A fully EU-owned provider eliminates CLOUD Act exposure entirely, because there is no US entity that can be compelled.
NIS2, DORA, and the EU AI Act all treat data sovereignty as a baseline requirement for operators in regulated sectors. If your organization falls under any of these frameworks, using Gong — a US-owned platform with US-stored data — for sales call intelligence creates a direct compliance gap that certifications and contractual clauses cannot close.
What EU sales teams are using instead
The five GDPR requirements for a compliant AI meeting and sales intelligence tool are well-established: EU data residency for both storage and processing, on-device or EU-based transcription (audio never crosses to US servers), an Article 28 DPA executed under EU SCCs, a completed Transfer Impact Assessment (or better, the absence of any transfer to assess), and a binding agreement that the vendor will not train AI models on your data. These requirements rule out Gong and most of the US-headquartered conversation intelligence platforms currently marketed to European teams.
The alternative landscape is maturing. EU sales teams evaluating Gong alternatives for data sovereignty are prioritizing vendors that meet all five requirements structurally — meaning the compliance posture is built into the architecture, not bolted on through contractual additions. The critical distinction is ownership: a vendor with an EU parent, EU infrastructure, and no US corporate entity eliminates the CLOUD Act problem, the Transfer Impact Assessment burden, and the DPF dependence in a single architectural decision.
Numi is built for exactly this requirement. All data is processed and stored within the EU. There is no US parent entity, no transatlantic data transfer, and no CLOUD Act exposure. The full Art. 28 DPA is available on signing. Transcription runs on EU infrastructure, and there is a binding no-training agreement as a contractual standard, not an add-on. EU sales teams get the same call intelligence capabilities — deal signal detection, rep performance scoring, pipeline analytics, buyer engagement tracking — without the data sovereignty liability that comes with Gong.
For a side-by-side compliance comparison of leading conversation intelligence platforms, see our GDPR-compliant AI meeting assistant comparison, which evaluates each vendor against the five requirements above with specific documentation requirements for each.
The practical switching calculus for EU sales teams in 2026 is straightforward: the compliance burden of maintaining Gong correctly — TIA documentation, DPF monitoring, data subject request workflows, ISO 27001 verification, CLOUD Act risk acceptance — is ongoing and material. That burden disappears when you move to a vendor for whom EU data sovereignty is an architectural fact rather than a compliance project.