// Trust & Security Report
Gorgias Inc.
Ecommerce Customer Support Platform (Helpdesk + AI Agent)
Certifications held
4
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.gorgias.com“Gorgias has renewed SOC 2 Type II compliance for a 4th year! Granted on 11/30/2024, Gorgias retains security compliance and full-scale monitoring. [Report file: Gorgias SOC 2 Type II Report 12.31.2025.pdf]”
Verify on gorgias.com“HIPAA Compliance - Request the report [listed alongside SOC 2 Type II on the security page; Business Associate Agreement available in trust center]”
Verify on trust.gorgias.com“GDPR listed as a compliance category in the Trust Center alongside SOC 2 and CCPA; DPA and Transfer Impact Assessments are published at gorgias.com/legal/data-processing-agreement”
Verify on trust.gorgias.com“CCPA COMPLIANT — US Data Privacy [listed in the Trust Center compliance tab]”
> Show 2 unconfirmed / not-held certifications
source: trust.gorgias.comNot claimed on the Trust Center, security page, or enterprise page. Gorgias publishes SOC 2 Type II (the standard third-party security attestation for US SaaS) rather than ISO 27001; no ISO 27001 claim is made anywhere on gorgias.com.
source: gorgias.comNot claimed by Gorgias. Card data is handled by Stripe, a PCI DSS Level 1 payment processor listed on the subprocessor list ('our payment processor will collect Your payment method information' per the privacy policy), so Gorgias does not assert direct PCI DSS certification of its own platform.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Google Cloud Platform — US, EU, and Australia nodes confirmed via subprocessor list. No dedicated EU-only residency option documented for standard plans.
MATERIAL FLAG — ToS Section 4.2 explicitly states: 'Gorgias may, without providing any compensation to Customer or to any third party, use information gathered, collected, and/or generated in the course of providing the Services, including Customer Data, Feedback, Aggregate Data, Usage Data, and Output...solely to build and improve our internal machine learning and other artificial intelligence models.' There is no opt-out mechanism. Gorgias separately states it will NOT share customer data with third-party providers (e.g., OpenAI) for training, and OpenAI maintains a zero-data-retention policy for API calls. However, Gorgias itself trains its own internal models on customer data. The AI Agent FAQ headline 'customer data does not train LLMs' is technically accurate only for third-party LLMs, not Gorgias internal models.
// Security controls
Encryption at rest
Continuous encrypted backups; encryption key access restricted (Trust Center control)
trust.gorgias.comPenetration testing
Performed — trust center control 'Penetration testing performed' is listed; pen test report available on request from trust center
trust.gorgias.comBug bounty program
PAUSED — 'our bug bounty program is currently paused, and not accepting submissions.' Public vulnerability disclosure policy exists; report to security@gorgias.com
gorgias.comCybersecurity insurance
Cybersecurity insurance maintained (Trust Center internal security procedures control)
trust.gorgias.comDisaster recovery
Continuity and Disaster Recovery plans established and tested (Trust Center controls)
trust.gorgias.comData deletion on offboarding
Customer data deleted upon leaving (Trust Center data and privacy controls)
trust.gorgias.comAI sub-processors
OpenAI (US) is the only AI provider named on the legal subprocessor list ('AI research and deployment company'). Gorgias product documentation states AI Agent also routes to additional LLMs including Anthropic. A zero-data-retention policy applies to these third-party LLM API calls per the AI Agent security FAQ.
gorgias.com// Products & data scope
data: Handles customer PII, order data, conversation history, and payment context from Shopify and 300+ integrations. Data stored on GCP. DPA governs data processing.
Core product. SOC 2 Type II and HIPAA compliance apply here. Used by 17,000+ ecommerce brands.
data: Accesses full customer and order context to resolve tickets autonomously. Routes to third-party LLM APIs under a zero-data-retention policy (OpenAI is the named AI subprocessor; Gorgias docs also reference Anthropic and other models) plus Gorgias internal models. Gorgias ToS Section 4.2 permits using customer data to train its OWN internal models without opt-out.
Pre-trained on 1B+ ecommerce conversations. Brand-specific knowledge base built from merchant policies and SOPs. Critical AI training flag applies here.
data: Same scope as Helpdesk and AI Agent with additional controls: audit logs, HIPAA BAA, dedicated onboarding, SSO, and enhanced roles/permissions. HIPAA BAA must be executed separately.
Enterprise plan customers can request SOC 2 and HIPAA reports. Data residency region selection not documented for standard enterprise; contact sales for custom arrangements.
// What to watch
- MATERIAL: ToS Section 4.2 grants Gorgias unilateral right to train its internal AI/ML models on customer data without compensation or opt-out mechanism. FAQ language about zero-data-retention only applies to third-party LLM providers (OpenAI, Anthropic), not Gorgias's own models.
- Bug bounty program currently paused — no active crowdsourced vulnerability disclosure program in place.
- ISO 27001 not held. Gorgias maintains SOC 2 Type II (renewed 4 consecutive years), which is the standard third-party security attestation for US ecommerce SaaS; ISO 27001 is more common for EU-centric or international procurement. Buyers who specifically require ISO 27001 should confirm directly.
- Data residency region is not customer-selectable on standard plans; EU customers rely on SCCs in the DPA plus EU GCP nodes rather than a contractual EU-only residency guarantee.
- SCOPE NOTE on marketing: Gorgias's controller-side Privacy Notice (last revised March 30, 2026, Section 5 Marketing) permits sharing business-contact information with 'partners/sponsors/advertisers' for marketing. This Notice explicitly applies only to Gorgias's own subscribers/prospects as a controller and does NOT apply to end-customer support data that Gorgias processes as a processor on behalf of merchants (that data is governed by the DPA). The clause therefore concerns Gorgias's B2B marketing contacts, not merchants' customer support data.
// At a glance
Pricing model
Subscription, per-ticket-volume tiers; free trial available
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Gorgias Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.gorgias.com