Trust & Compliance Center
Explore our security architecture, responsible AI principles, certifications, and privacy commitments in one place.
Security and Trust, by Design
The Conga Advantage Platform is built on enterprise-grade infrastructure, with security and governance woven into every layer. From data privacy to global standards, we give your teams the clarity to move quickly, with confidence.
Responsible AI
AiMe is Conga’s purpose-built AI that brings governance, guardrails, and transparency to every interaction.
Enterprise Security
SOC 2, ISO 27001, and ISO 27701 certified. All data encrypted at rest and in transit.
Data Privacy
Your data is never used to train shared or global AI models. Retention, residency, and deletion rights included.
Customer Control
Granular RBAC, audit logs, and admin tools to configure, monitor, and restrict AiMe in your org.
How We Build AI You Can Rely On
AiMe is aligned to the NIST AI Risk Management Framework, so your legal, IT, and compliance teams can understand what AiMe does, why it does it, and how it is governed.
Transparent by design
AiMe surfaces how every recommendation is generated. Users see reasoning behind AI-driven actions, and confidence scores are shown wherever AiMe makes a suggestion.
Human oversight, always
AiMe never acts autonomously on high-stakes decisions. Agent guardrails, approval thresholds, and human-in-the-loop confirmation can be built into every workflow.
Validated before release
AiMe uses third-party models that undergo testing, bias auditing, and benchmarking their providers before release. Rollback to any prior model version within hours if needed.
Built for Enterprise Security
Conga runs on enterprise-grade cloud infrastructure with multi-region availability across US, EU, and APAC. Built to meet the demands of global enterprise, every layer is designed to protect your data and your business.
Encryption
Enterprise access control
Global data residency
Always-on security testing
Critical security incidents
Found a Security Issue? Let Us Know.
Conga operates a responsible disclosure program. If you have identified a potential vulnerability on the Conga platform, our security team wants to hear from you.
Frequently Asked Questions
-
How does Conga use AI in its products?
Conga leverages AI to enhance our products by automating tasks, providing predictive and prescriptive analytics, and improving user experience. AI helps us deliver smarter, faster, and more efficient solutions to our customers. Some examples of how our products use AI are detailed below.
Predictive and Prescriptive AI: Products like Price Optimization & Management use both predictive and prescriptive AI models to categorize datasets, produce a product or price recommendation, or deliver a forecast prediction or optimization result. Models are often combined to solve a particular use case or improve the models’ output.
Generative AI: Features like AI Data Mapping, AI Agents, and our Chatbot rely on generative AI large language models (LLMs) leveraging Microsoft Azure OpenAI. In contrast to predictive AI models, these models work to generate new content or data and allow for greater efficiencies and overall improved user experience.
Some common examples include:
Conversation: support natural language inputs and questions from users.
Summarization: summarize content and data into a digestible format, including charts, graphs, and visualizations.
Explanation: surface results in easy-to-read natural language, including translation into local language.
Automation: combine multiple, manual steps into an automated flow to help users achieve a goal or desired outcome. For example, suggest multiple products based on user specifications and add to a quote.
Data Translation: accelerate the translation of data from one system to another, e.g. customer master data from SAP to Conga.
-
What data do you collect for AI training and AI Agent usage?
We collect data that is essential for the functionality and improvement of our AI models and AI Agent interactions. This includes:
User Interaction Data: How you use our products, feature usage, and navigation patterns.
Transactional Data: Transaction files, which, depending on the use case and product, may include customer and product data. This data is used to train your algorithm so it can provide recommendations specific to your customers and use case. It will not include Personal Data or otherwise incorporate data in a form that could identify any individual.
Feedback and Support Data: Your feedback, support requests, and any interaction with our customer support team.
For additional details about Personal Data collected by Conga, please see your Data Processing Addendum with Conga and our Privacy Notice.
-
Do you use the data I submit to the Subscription Service to benefit your other customers?
No, our proprietary AI models are trained on each specific customer’s dataset only. This allows the Conga solution to provide recommendations which are specific to each individual customer and each individual customer’s business case.
When enhancing our proprietary models, we will often review those enhancements across different customer datasets to validate the model is handling unique data conditions accurately. However, this will not involve the sharing of data across customer environments.
In summary:
- your data will NOT be shared with other Conga customers;
- your data will only be used to train your specific model;
- model training takes place within your environment and is not shared or used to train models for other customers;
- models trained on your data will NOT be used to score or provide recommendations to other Conga customers; and
- Conga customers will NOT have access to or benefit from any other customer’s trained model. Separately, Conga may collect anonymized, aggregate usage information ("Service Attributes"), such as feature usage patterns and interaction data, for purposes including analytics, benchmarking, and improving Conga's services. Service Attributes are fully anonymized and aggregated so that they cannot identify you, your users, or your content. Service Attributes are not Customer Data and are not used to train customer-specific models. For full details, see Conga’s AI Addendum.
-
How does Microsoft Azure OpenAI use my data?
We leverage the Microsoft Azure OpenAI Service to power our AI Agents. These Agents, including any token inputs, do not alter or train any back-end LLMs.
Your prompts (inputs), completions (outputs), embeddings, and training data:
- are tokenized before transmission to and from Azure OpenAI Service;
- are NOT available to other customers;
- are NOT available to OpenAI;
- are NOT used to improve OpenAI models; and
- are NOT used to improve any Microsoft or 3rd-party products or services.
The Azure OpenAI Service is fully controlled by Microsoft; Microsoft hosts the OpenAI models in Microsoft’s Azure environment and the Azure OpenAI Service does NOT interact with any services operated by OpenAI (e.g. ChatGPT or OpenAI API).
-
What third-party services are used in Conga's document processing AI features (Discovery Agent)?
Conga’s Discovery Agent and Q&A Agent use a small number of specialized third-party services for document processing, including Google Cloud Vision (OCR), AWS Textract (table detection), Zuva (provision extraction), and Azure OpenAI (language model processing). Conga enforces a zero-data-retention policy with each of these providers: your documents are processed in real time and are not stored or retained after processing is complete.
-
How do you ensure my data is secure?
Any data used to train AI models or facilitate AI Agent workflows will have the same protections as Customer Data in our Subscription Services. Conga maintains a comprehensive, written information security program that contains administrative, technical, and physical safeguards designed to ensure that Customer Data remains secure and is handled in compliance with all regulatory requirements applicable to Conga and the Subscription Services. For more details, refer to Conga’s Data Security Exhibit.
-
Do you comply with your regulatory obligations in your use of AI, including the EU AI Act?
Conga’s commitment to compliance with applicable laws and regulations is documented in your Master Services Agreement with Conga. Conga’s AI features are developed with privacy and security in mind, ensuring Conga’s compliance with its regulatory requirements as an AI system provider and a data processor. Please reach out to Conga if you require any assistance or have any further questions regarding how we ensure compliance with our regulatory obligations.
-
What is the classification of Conga’s products under the EU AI Act?
Depending on the Conga product and features, our products qualify as either minimal or limited risk AI systems under the EU AI Act.
-
Who can I contact if I have more questions about AI and data usage?
If you are an existing customer, please reach out to your customer success manager with any questions or concerns. If you are new to Conga, please contact us here.