When you use Gather, we want to ensure you're able to create a secure virtual environment where people can confidently hold private conversations and interact with others.
This article provides an overview of our privacy and security policies and certifications. If you have more questions, feel free to contact us.
We are currently working toward our SOC 2 Type 2 compliance, expected to be completed in Q1 2024.
- We have servers in the United States (NYC, San Francisco, Northern Virginia, Northern California), Brazil (Sao Paulo), Japan (Tokyo), Germany (Frankfurt), Singapore, and India (Mumbai).
- Yes! On our Enterprise Subscription we currently support SP-initiated and IdP-initiated SAML SSO. Click here to learn more or contact us to discuss getting started.
- Gather is a US company and most of our processing of personal data does not fall directly within the territorial scope of the UK or EU GDPR.
Our services are intended for corporate users and are not actively targeted at clients in the UK or EU. We therefore do not process personal data in connection with the offer of goods and services to data subjects in the UK or EU.
We do, however, use advertising cookies and similar technologies on our marketing website, which would involve monitoring the behaviour of individuals in the UK or EU. When we process personal data in this way, we are subject to GDPR and are implementing measures to comply (including updating our cookie consent mechanism and transparency notice to meet the requirements of the GDPR).
The GDPR indirectly applies to Gather where Gather’s customers are subject to the GDPR and Gather acts as a “data processor”. Where this is the case, Gather enters into a data processing agreement and agrees to comply with certain terms required by the GDPR (e.g., notifying the customer in the event of a data breach, notifying the customer in the event of an individual rights request, etc.).
- Yes. If your processing of personal data is subject to the GDPR, you will need to enter into our Data Processing Agreement, which incorporates standard contractual clauses approved by the European Commission for transfers of personal data to third countries.
Although the European Court of Justice has previously called into question the legitimacy of transfers of personal data to recipients in the US, the European Commission's adequacy decision in relation to the EU-U.S. Data Privacy Framework has acknowledged that the measures taken by the US under Executive Order 14086 adequately address the risks flagged in the CJEU's decision in Schrems II. The relevant restrictions in EO 14086 on the collection of data by national security authorities in the US apply to all data originating in the EU, regardless of whether the US recipient is certified under the DPF or not.
The same applies to data originating in the UK, following the UK Secretary of State's approval of the UK-U.S. Data Bridge.
- Gather has included the SCCs as part of its data processing agreement. In addition, Gather has implemented a number of technical and organizational security measures to help safeguard personal data transferred to us from the EU/UK. For example, we encrypt data in transit and at rest and have implemented certain data access controls. We have also completed a transfer impact assessment which evaluates the potential risks associated with cross-border data transfers.