Gorgias SOC 2 and security: what it covers, and what it doesn't (2026)
Alicia Kirana Utomo
Katelin Teen
Last edited June 14, 2026

What SOC 2 actually means (and what it doesn't)
SOC 2 is an audit framework run by the American Institute of CPAs. An independent auditor checks a software vendor against a set of controls called the Trust Services Criteria, then issues a report. It is not a government licence and not a one-size pass/fail stamp; it's a detailed report a buyer reads.
The single most useful thing to know is the difference between the two report types, because vendors blur it constantly:
- SOC 2 Type I confirms controls were designed correctly on a single day. It's a snapshot.
- SOC 2 Type II confirms those controls actually operated effectively over a window of 6 to 12 months. It's a track record.
Type II is the one worth caring about, and it's the one Gorgias holds. A Type I report can be earned in an afternoon of paperwork; a Type II means an auditor watched the controls run for the better part of a year.

There are five Trust Services Criteria an auditor can cover: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Only Security (the "Common Criteria") is mandatory; the other four are included at the vendor's discretion, which is one reason you read the actual report rather than trusting the logo. If you want the deeper background on the platform itself first, our Gorgias review covers what the product does day to day.
Does Gorgias have SOC 2? Yes, Type II
Gorgias holds SOC 2 Type II and has renewed it annually. Its Trust Center states the latest renewal was granted on 11/30/2024 and that this is its fourth consecutive year, and it lists a downloadable report titled "Gorgias SOC 2 Type II Report 12.31.2025.pdf." Gorgias first announced the certification after a six-month independent audit, with renewals running since 2022. (The 11/30/2024 date is when the most recent renewal was granted; the report filename simply reflects the audit period it covers, through 12/31/2025.) For background on the company behind the badge, see our look at who owns Gorgias.
The Trust Center is run on Vanta, which means the controls behind the badge are continuously monitored rather than checked once a year and forgotten. That's a good sign: it's the difference between a vendor that treats compliance as a live system and one that treats it as an annual fire drill. The same applies to any AI helpdesk agent you're evaluating: continuous monitoring beats a stale PDF.
How to get the Gorgias SOC 2 report
The actual report sits behind a short request, which is normal; SOC 2 reports contain enough internal detail that vendors rarely post them publicly. Here's the path:
- Open the Gorgias Trust Center and find the gated "SOC 2 Type II Report" document.
- Submit a "Request Access" form (the security page routes the same request through the Vanta portal). You can also email security@gorgias.com.
- If you're already on a paid plan, you have a shortcut. Section 8 of the Gorgias DPA lets a customer accept a current SOC 2 Type II report in lieu of running their own on-site audit, as long as it's within 12 months and there've been no material control changes.
That third point is more valuable than it looks. For a small ecommerce team, a vendor-provided SOC 2 Type II report is often the entire security review: you read it instead of commissioning your own. The same Trust Center also gates a penetration-test report, an incident-response plan, and a cryptography policy if your procurement team wants the full set.
Gorgias's full compliance picture
Here's where the marketing and the reality diverge a little. Plenty of "Gorgias is enterprise-grade" claims float around, so it's worth laying out exactly which certifications are Gorgias's own and which belong to someone else in the stack.
| Framework | Gorgias status | What's actually behind it |
|---|---|---|
| SOC 2 Type II | ✅ Held, renewed yearly (4th year) | First-party cert; report dated 12/31/2025, via the Trust Center |
| SOC 2 Type I | Superseded | Gorgias is at the stronger Type II; no standalone Type I advertised |
| GDPR | ✅ Compliant | Public DPA with EU/UK/Swiss SCCs |
| CCPA / US privacy | ✅ Compliant | "CCPA Compliant" badge on the Trust Center; written into the DPA |
| HIPAA + BAA | ⚠️ Available on request | Offered, but the report and BAA are gated behind an access request |
| ISO 27001 | ❌ Not Gorgias's own | Belongs to Google Cloud, its host, not to Gorgias |
| PCI DSS | ❌ Not held | Card data isn't stored; payments are delegated to Stripe |
So the honest summary: SOC 2 Type II is the cert Gorgias holds and audits; GDPR, CCPA and HIPAA are handled contractually and operationally rather than as separate certificates; and ISO 27001 and PCI DSS aren't Gorgias's to claim. None of that is a knock; it's a normal and solid posture for an ecommerce helpdesk. It just means you should cite the SOC 2 Type II report, not an ISO 27001 badge, when you write up your vendor review. (If the cost of all this is your real question, our Gorgias pricing guide and the Gorgias ticket-limit breakdown cover the billing model.)
Beyond the badge: how Gorgias handles your data
A certificate is a summary. The substance is what the vendor does with your data when nobody's auditing, and Gorgias's 2025 Security Whitepaper and DPA are reasonably specific here.
Encryption. Gorgias sends data "exclusively over HTTPS transport layer security (TLS) encrypted connections," and all data on its servers is encrypted at rest with keys managed in Google Cloud's key management service. One small caveat for the thorough: Gorgias's own pages say "encrypted at rest" without naming a specific cipher like AES-256, so if your security team needs that on paper, ask for it directly.
Hosting and residency. Gorgias runs on Google Cloud Platform, not AWS, which is the assumption a lot of buyers walk in with. Encrypted backups are kept across multiple Google Cloud regions, and the subprocessor list shows Google Cloud spanning the US, EU and Australia. What Gorgias does not publicly promise is a guaranteed EU-only residency option for a single tenant, so if data residency is a hard requirement for you, confirm it in writing before signing.
Where your data actually travels. This is the part a SOC 2 badge alone won't show you. Your customers' support data doesn't just sit inside Gorgias; it flows to a list of named subprocessors, and that's exactly what SOC 2 is meant to put controls around.

The subprocessor list (last revised March 30, 2026) includes OpenAI for AI features, Stripe for payments, Twilio for SMS and voice, plus Cloudflare, Datadog, and others. For most of these the data lives in the US, which is why the EU transfer machinery in the DPA exists. Usefully, Section 5 of the DPA gives you 15 days' advance notice of any new subprocessor and a 10-day window to object on data-protection grounds.
Breach notification and deletion. Two numbers worth knowing. On a security breach, Gorgias commits to notify you within a fixed window:
"[We] notify Customer of a Security Breach without undue delay, and in any event within 72 hours after becoming aware of it."
That line is from Section 6 of the Gorgias DPA. And on the way out, Section 9 commits Gorgias to return and delete your personal data within 90 days of contract termination, though backup copies may persist for a reasonable period before they age out. If you want the practical walk-through of requesting deletion, we wrote a separate Gorgias GDPR and data-deletion guide.
Testing. Gorgias runs annual grey-box penetration tests and publishes a public status page for incidents. One inconsistency we'll flag honestly: the 2025 whitepaper describes an active private bug-bounty program, while the live security page says the bug bounty is "currently paused." Minor, but the kind of thing a careful reviewer notices. For what it's worth, we found no public record of an actual Gorgias data breach.
Access controls: SSO, SAML, and 2FA
Compliance certificates cover the back end. Day to day, the security control your team touches is login, and here Gorgias is more generous than most helpdesks at the entry level.
| Control | Availability |
|---|---|
| Google & Microsoft 365 SSO | ✅ All Helpdesk plans |
| Custom SAML SSO (Okta, JumpCloud) | Separate "custom SSO" setup (tier not stated publicly) |
| Two-factor authentication (2FA) | Self-serve; admins can enforce, 14-day grace period |
| Role-based permissions | ✅ Available |
| Email verification fallback | Triggered on new locations / IPs unused for 30 days |
The standout is that Google and Microsoft SSO is on every Helpdesk plan, not gated behind an enterprise tier, which is a good call. Custom SAML SSO via the likes of Okta is a separate setup, and Gorgias's docs don't publicly state which paid tier it requires, so ask if SAML is a must-have. Admins can also make 2FA mandatory for the whole workspace with a 14-day enforcement grace period, and set up auto-join by approved email domain. If you're administering the account, our Gorgias sign-in guide covers the access basics.
SOC 2 is table stakes, not the whole story
Here's the reframe we'd want any ecommerce founder to walk away with. A SOC 2 Type II report is necessary, and Gorgias has a good one. But in 2026, your support tool isn't just storing tickets; it's running a Gorgias AI support agent that reads Shopify order data, issues refunds, and edits subscriptions. The badge audits the vendor's controls; it does not answer what their AI does with your data.

Three questions sit outside the scope of a standard SOC 2 report, and they're the ones we'd ask any AI support vendor, Gorgias included:
- Does the vendor (or its AI subprocessor) train models on your data? Gorgias uses OpenAI as a subprocessor; OpenAI's API terms say business data isn't used for training, but you should confirm the chain explicitly rather than assume it.
- How isolated is your data from other customers? Multi-tenant SaaS is normal, but the strictness of the isolation varies, and it's rarely spelled out on a marketing page.
- How much can the AI agent actually see and do? An agent that can issue refunds and read every customer's order history is a bigger security surface than a chatbot that answers FAQs. Scope control is a security feature.
These aren't reasons to avoid Gorgias; they're the standard you'd hold any AI helpdesk to, and they're worth building into your vendor checklist alongside the SOC 2 report. If you're comparing options on this axis, our roundup of the best AI helpdesk software weighs data handling, not just features. We do the same in our guide to the best AI for Shopify support.
Try eesel
If you're evaluating an AI support layer with those three questions front of mind, that's exactly the lens eesel is built for. eesel runs autonomous AI agents inside the helpdesks you already use, and treats data handling as a first-order feature: your data is never used to train any models, each workspace is fully isolated from every other customer, and you control precisely what the agent can see and act on through a simulation-and-scoping setup before it ever touches a live ticket.
On the compliance side, eesel is GDPR and CCPA compliant with standard and custom DPAs, honours deletion requests within 60 days, and is SOC 2 Type II in progress under continuous Vanta monitoring (the full report is available under NDA on completion). You can read the details on the eesel security page or start free and scope an agent against your own data first. For the cost side of the comparison, our Gorgias pricing breakdown lays out what the AI agent actually runs you.

Article by
Alicia Kirana Utomo
Kira is a writer at eesel AI with a Computer Science background and over a year of hands-on experience evaluating AI-powered customer service tools. She focuses on breaking down how helpdesk platforms and AI agents actually work so that support teams can make better buying decisions.