// Trust & Security Report

    Gorgias Inc. logo

    Gorgias Inc.

    Ecommerce Customer Support Platform (Helpdesk + AI Agent)

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Gorgias has renewed SOC 2 Type II compliance for a 4th year! Granted on 11/30/2024, Gorgias retains security compliance and full-scale monitoring. [Report file: Gorgias SOC 2 Type II Report 12.31.2025.pdf]

    Verify on trust.gorgias.com
    HIPAA
    HELD

    HIPAA Compliance - Request the report [listed alongside SOC 2 Type II on the security page; Business Associate Agreement available in trust center]

    Verify on gorgias.com
    GDPR
    HELD

    GDPR listed as a compliance category in the Trust Center alongside SOC 2 and CCPA; DPA and Transfer Impact Assessments are published at gorgias.com/legal/data-processing-agreement

    Verify on trust.gorgias.com
    CCPA
    HELD

    CCPA COMPLIANT — US Data Privacy [listed in the Trust Center compliance tab]

    Verify on trust.gorgias.com
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Not claimed on the Trust Center, security page, or enterprise page. Gorgias publishes SOC 2 Type II (the standard third-party security attestation for US SaaS) rather than ISO 27001; no ISO 27001 claim is made anywhere on gorgias.com.

    source: trust.gorgias.com
    PCI DSS
    NOT CONFIRMED

    Not claimed by Gorgias. Card data is handled by Stripe, a PCI DSS Level 1 payment processor listed on the subprocessor list ('our payment processor will collect Your payment method information' per the privacy policy), so Gorgias does not assert direct PCI DSS certification of its own platform.

    source: gorgias.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Google Cloud Platform — US, EU, and Australia nodes confirmed via subprocessor list. No dedicated EU-only residency option documented for standard plans.

    MATERIAL FLAG — ToS Section 4.2 explicitly states: 'Gorgias may, without providing any compensation to Customer or to any third party, use information gathered, collected, and/or generated in the course of providing the Services, including Customer Data, Feedback, Aggregate Data, Usage Data, and Output...solely to build and improve our internal machine learning and other artificial intelligence models.' There is no opt-out mechanism. Gorgias separately states it will NOT share customer data with third-party providers (e.g., OpenAI) for training, and OpenAI maintains a zero-data-retention policy for API calls. However, Gorgias itself trains its own internal models on customer data. The AI Agent FAQ headline 'customer data does not train LLMs' is technically accurate only for third-party LLMs, not Gorgias internal models.

    // Security controls

    Infrastructure

    Google Cloud Platform (GCP); subprocessors in US, EU, and Australia

    gorgias.com

    Encryption in transit

    App data sent exclusively via HTTPS TLS encrypted connections

    gorgias.com

    Encryption at rest

    Continuous encrypted backups; encryption key access restricted (Trust Center control)

    trust.gorgias.com

    SSO

    SSO for Google and Microsoft 365

    gorgias.com

    Multi-factor authentication

    Two-factor authentication supported

    gorgias.com

    Penetration testing

    Performed — trust center control 'Penetration testing performed' is listed; pen test report available on request from trust center

    trust.gorgias.com

    Bug bounty program

    PAUSED — 'our bug bounty program is currently paused, and not accepting submissions.' Public vulnerability disclosure policy exists; report to security@gorgias.com

    gorgias.com

    Incident Response Plan

    Published in trust center as a downloadable policy

    trust.gorgias.com

    Cybersecurity insurance

    Cybersecurity insurance maintained (Trust Center internal security procedures control)

    trust.gorgias.com

    Disaster recovery

    Continuity and Disaster Recovery plans established and tested (Trust Center controls)

    trust.gorgias.com

    Status page

    Live uptime and status page available

    gorgias.com

    Data deletion on offboarding

    Customer data deleted upon leaving (Trust Center data and privacy controls)

    trust.gorgias.com

    AI sub-processors

    OpenAI (US) is the only AI provider named on the legal subprocessor list ('AI research and deployment company'). Gorgias product documentation states AI Agent also routes to additional LLMs including Anthropic. A zero-data-retention policy applies to these third-party LLM API calls per the AI Agent security FAQ.

    gorgias.com

    // Products & data scope

    Gorgias HelpdeskCustomer Support / Ticketing

    data: Handles customer PII, order data, conversation history, and payment context from Shopify and 300+ integrations. Data stored on GCP. DPA governs data processing.

    Core product. SOC 2 Type II and HIPAA compliance apply here. Used by 17,000+ ecommerce brands.

    Gorgias AI AgentAI Customer Support Automation

    data: Accesses full customer and order context to resolve tickets autonomously. Routes to third-party LLM APIs under a zero-data-retention policy (OpenAI is the named AI subprocessor; Gorgias docs also reference Anthropic and other models) plus Gorgias internal models. Gorgias ToS Section 4.2 permits using customer data to train its OWN internal models without opt-out.

    Pre-trained on 1B+ ecommerce conversations. Brand-specific knowledge base built from merchant policies and SOPs. Critical AI training flag applies here.

    Gorgias EnterpriseEnterprise Customer Support Platform

    data: Same scope as Helpdesk and AI Agent with additional controls: audit logs, HIPAA BAA, dedicated onboarding, SSO, and enhanced roles/permissions. HIPAA BAA must be executed separately.

    Enterprise plan customers can request SOC 2 and HIPAA reports. Data residency region selection not documented for standard enterprise; contact sales for custom arrangements.

    // What to watch

    • MATERIAL: ToS Section 4.2 grants Gorgias unilateral right to train its internal AI/ML models on customer data without compensation or opt-out mechanism. FAQ language about zero-data-retention only applies to third-party LLM providers (OpenAI, Anthropic), not Gorgias's own models.
    • Bug bounty program currently paused — no active crowdsourced vulnerability disclosure program in place.
    • ISO 27001 not held. Gorgias maintains SOC 2 Type II (renewed 4 consecutive years), which is the standard third-party security attestation for US ecommerce SaaS; ISO 27001 is more common for EU-centric or international procurement. Buyers who specifically require ISO 27001 should confirm directly.
    • Data residency region is not customer-selectable on standard plans; EU customers rely on SCCs in the DPA plus EU GCP nodes rather than a contractual EU-only residency guarantee.
    • SCOPE NOTE on marketing: Gorgias's controller-side Privacy Notice (last revised March 30, 2026, Section 5 Marketing) permits sharing business-contact information with 'partners/sponsors/advertisers' for marketing. This Notice explicitly applies only to Gorgias's own subscribers/prospects as a controller and does NOT apply to end-customer support data that Gorgias processes as a processor on behalf of merchants (that data is governed by the DPA). The clause therefore concerns Gorgias's B2B marketing contacts, not merchants' customer support data.

    // At a glance

    Pricing model

    Subscription, per-ticket-volume tiers; free trial available

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Gorgias Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.gorgias.com

    > Browse all vendor trust reports