Yes, Gather is SOC 2 Type II certified. To request a copy of our report, please visit our Trust Center.

We have servers in the United States (NYC, San Francisco, Northern Virginia, Northern California), Brazil (Sao Paulo), Japan (Tokyo), Germany (Frankfurt), Singapore, and India (Mumbai).

You bet! Follow these links to read our Data Processing Agreement, Privacy Policy, and Terms of Service.

Gather is a US company and most of our processing of personal data does not fall directly within the territorial scope of the UK or EU GDPR.

Our services are intended for corporate users and are not actively targeted at clients in the UK or EU. We therefore do not process personal data in connection with the offer of goods and services to data subjects in the UK or EU.

We do, however, use advertising cookies and similar technologies on our marketing website, which would involve monitoring the behaviour of individuals in the UK or EU. When we process personal data in this way, we are subject to GDPR and are implementing measures to comply (including updating our cookie consent mechanism and transparency notice to meet the requirements of the GDPR).
The GDPR indirectly applies to Gather where Gather’s customers are subject to the GDPR and Gather acts as a “data processor”. Where this is the case, Gather enters into a data processing agreement and agrees to comply with certain terms required by the GDPR (e.g., notifying the customer in the event of a data breach, notifying the customer in the event of an individual rights request etc).

Yes. If your processing of personal data is subject to the GDPR, you will need to enter into our Data Processing Agreement, which incorporates standard contractual clauses approved by the European Commission for transfers of personal data to third countries.

Although the European Court of Justice has previously called into question the legitimacy of transfers of personal data to recipients in the US, the European Commission's adequacy decision in relation to the EU-U.S. Data Privacy Framework has acknowledged that the measures taken by the US under Executive Order 14086 adequately address the risks flagged in the CJEU's decision in Schrems II. The relevant restrictions in EO 14086 on the collection of data by national security authorities in the US apply to all data originating in the EU, regardless of whether the US recipient is certified under the DPF or not.

The same applies to data originating in the UK, following the UK Secretary of State's approval of the UK-U.S. Data Bridge.

Gather has included the SCCs as part of its data processing agreement. In addition, Gather has implemented a number of technical and organizational security measures to help safeguard personal data transferred to us from the EU/UK. For example, we encrypt data in transit and at rest and have implemented certain data access controls. We have also completed a transfer impact assessment which evaluates the potential risks associated with cross border data transfers.