// Trust & Security Report

    Gather Presence Inc. logo

    Gather Presence Inc.

    Virtual workspace platform for remote and hybrid teams (video-based virtual office + AI meeting notes)

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Compliance SOC 2 Resources View all 2025 - Gather Presence, Inc. SOC 2 Type 2 Report.pdf

    Verify on trust.gather.town
    GDPR (as data processor)
    HELD

    Gather enters into a data processing agreement and agrees to comply with certain terms required by the GDPR (e.g., notifying the customer in the event of a data breach)

    Verify on support.gather.town
    > Show 7 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence found on any gather.town domain page. Third-party profile (Nudge Security) lists it, but no vendor-domain confirmation exists.

    source: gather.town
    HIPAA
    NOT CONFIRMED

    No public evidence found on any gather.town domain page. Third-party profile lists it, but no vendor-domain confirmation exists.

    source: gather.town
    PCI DSS
    NOT CONFIRMED

    No public evidence found on any gather.town domain page.

    source: gather.town
    FedRAMP
    NOT CONFIRMED

    No public evidence found on any gather.town domain page. Third-party profile lists it, but no vendor-domain confirmation exists.

    source: gather.town
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any gather.town domain page. Third-party profile lists CSA Star Level 1, but no vendor-domain confirmation exists.

    source: trust.gather.town
    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    No public evidence found on any gather.town domain page.

    source: trust.gather.town
    ISO 27018 (Cloud Privacy)
    NOT CONFIRMED

    No public evidence found on any gather.town domain page.

    source: trust.gather.town

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US (NYC, San Francisco, Northern Virginia, Northern California), Brazil (Sao Paulo), Japan (Tokyo), Germany (Frankfurt), Singapore, India (Mumbai). No EU-only data residency option; Frankfurt is available but not guaranteed.

    The AI Transcriptions and Summaries (Beta) support article explicitly states: 'the text will not be used to train AI models.' Users can opt out per-user (Settings > User > AI Features > Meeting Transcriptions and Summaries) or workspace admins can disable it organization-wide. The older privacy policy (help.gather.app) does not specifically address AI training restrictions, but the current AI feature documentation is unambiguous.

    // Security controls

    Encryption in transit

    Yes - confirmed; audio and video are encrypted in transit and not stored by Gather

    gather.town

    Encryption at rest

    Yes - confirmed; 'we encrypt data in transit and at rest and have implemented certain data access controls'

    gather.town

    Penetration testing

    Yes - conducted by Doyensec (Q1 2024 and Q4 2025 confirmed); summary reports available in trust center

    trust.gather.town

    Vulnerability and system monitoring

    Yes - listed as a trust center control: 'Vulnerability and system monitoring procedures established'

    trust.gather.town

    Business continuity and DR

    Yes - BC/DR plan documented and tested; listed as a trust center resource and control

    trust.gather.town

    Access control

    Yes - 'Unique production database authentication enforced', 'Unique account authentication enforced', 'Access control procedures established'

    trust.gather.town

    SSO (Single Sign-On)

    Not currently available for Gather 2.0; in development

    support.gather.town

    Data Processing Agreement (DPA)

    Available; incorporates Standard Contractual Clauses approved by the European Commission. Also references EU-US Data Privacy Framework and UK-US Data Bridge.

    support.gather.town

    Incident response

    Yes - Incident Response Plan listed as a trust center document

    trust.gather.town

    Data retention

    Personal data retained for as long as user account is open; not more than 12 months after account closure

    help.gather.app

    // Products & data scope

    Gather 2.0Virtual workspace / team collaboration

    data: User identity, audio/video streams (encrypted, not stored), meeting transcripts and summaries (if AI feature enabled), chat messages, workspace configuration. Audio/video is not stored by Gather.

    Current platform rebuilt from scratch. Includes AI meeting notes (transcription and summary) feature in beta. Explicitly does not train AI models on customer meeting data. SSO not yet available.

    Gather 1.0 / ClassicVirtual events and remote office spaces

    data: Same data types as 2.0 for user identity and audio/video. Users can continue to use existing 1.0 spaces.

    Legacy platform still accessible. New 1.0 event spaces can be created. Migration to Gather 2.0 supported. Same SOC 2 Type 2 certification and security posture applies.

    // What to watch

    • SOC 2 Type 2 is the only certification confirmed on Gather's own domain. A third-party security profiler (Nudge Security) lists ISO 27001, HIPAA, PCI, FedRAMP, and CSA STAR Level 1, but none of these are substantiated on any gather.town, support.gather.town, or trust.gather.town page. Treat those third-party listings as unverified until Gather publishes evidence on their own domain.
    • AI training posture: The AI Transcriptions and Summaries beta article explicitly denies using customer conversation data to train AI models. However, the older/legacy privacy policy on help.gather.app does not contain an equivalent explicit prohibition. The current AI feature documentation should be considered the authoritative statement for the AI feature specifically.
    • No SSO available for Gather 2.0 at time of assessment. This is a gap for enterprise buyers with SSO requirements.
    • The trust center (trust.gather.town) is powered by Vanta. The SOC 2 report listed is for 2025, indicating it is current.
    • Data may be processed in the US (a non-EEA country). Gather relies on SCCs and the EU-US Data Privacy Framework for EU/UK transfers. No EU-only data residency commitment found.
    • Gather positions itself as US-focused: 'our services are intended for corporate users and are not actively targeted at clients in the UK or EU.' EU/UK customers should negotiate DPA explicitly.
    • Guest users (non-members) cannot access or appear in AI transcriptions/summaries, which is a positive privacy design choice.

    // At a glance

    Pricing model

    Free 30-day trial (up to 50 users, all features); paid subscription per seat after trial. Event spaces available as one-time reservation or subscription.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Gather Presence Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.gather.town

    > Browse all vendor trust reports