Conga Collaborate

Security, Privacy, and Architecture

Services Overview

The Conga Collaborate service enhances and speeds up the document generation process. It allows users to establish pre-built templates to create documents from any CRM system in an online format. Conga Collaborate users can automate business processes to route, send, and store these documents. Users also have the ability to share documents, then view and track engagement.

Conga Infrastructure

The Conga service is regionally hosted with Amazon Web Services (AWS), available in the continental United States. The region is mirrored across multiple, geographically dispersed data centers for fault tolerance and business continuity.

Encryption for External Connections

TLS encryption technology is utilized for data transfer between all parties involved in the process. TLS connections are negotiated for at least 256-bit encryption or stronger. The private key used to generate the cipher key is at least 2048 bits. It is recommended that the latest available browsers approved by be utilized for connecting to the Conga service because they are compatible with higher cipher strengths and have improved security.

Network Access Control

A limited number of Conga operations team members are granted access to Customer environments, and then only after the completion of a successful background check, awareness and acknowledgment of privacy and confidentiality agreements, and security training. Additional authentication, authorization, and accounting are implemented through standard security mechanisms. These measures are designed to ensure that only approved operations and support engineers have access to the systems. Remote access to the environment is restricted to select operations staff.

Network Bandwidth and Latency

Conga relies on the AWS network infrastructure to provide low latency network availability between Conga, Salesforce, and end users. The AWS Cloud infrastructure is built around regions and availability zones. A region is a physical location in the world where we have multiple availability zones. Availability zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, and housed in separate facilities. These availability zones offer you the ability to operate production applications and databases which are more highly available, fault tolerant and scalable than would be possible from a single data center. Conga monitors applicable networks and addresses internal issues that may impact availability.

Anti-Virus and Anti-Malware Controls

Conga leverages best in class tools in order to monitor and block virus and malware behavior. This includes protection against emerging threats beyond traditional, signature based solutions.

Firewalls and Intrusion Prevention

Conga utilizes firewalls as one component of a layered approach to application infrastructure security. To control access and allow only authorized traffic to Conga infrastructure, managed firewalls are used. In addition, Conga employs security policies to manage ingress and egress of data based upon protocol, port, source and destination within the environment. Any traffic not adhering to these strict access controls is discarded at the internet boundary. Internally host-based intrusion prevention and monitoring systems are deployed at the server and network layers, respectively.

System Hardening and Monitoring

Conga employs standardized system hardening practices across Conga-managed devices. This includes restricting protocol access, removing or disabling unnecessary software and services, removing unnecessary user accounts, patch management, and logging.

Services undergo 3rd party penetration tests on an annual basis or prior to release of a material change.

Account Provisioning and Access Control

Identity management is used to provide authentication. Users must have a valid username and password to access the system. User profiles containing first and last name, email address, login name, and password are associated with User Security Roles. Single Sign-On is also an option for ease of user administration and greater security controls. The Conga Collaborate Service utilizes SAML 2.0 for our SSO solution.

Conga employee access to the service is limited to only that access required for support and maintenance purposes. Employee access is contingent on a successful background check, confidentiality agreements, and documented authorization by an engineering VP or above. Access is strictly controlled via VPN and other authentication mechanisms.

Data Management and Protection

All Conga systems used in the provision of the Conga services, including AWS infrastructure components and operating systems, log information to their respective system log facility or a centralized Syslog server (for network systems) to enable security reviews and analysis.

Post termination, data will be disposed of in a manner designed to ensure that they cannot reasonably be accessed or read.

The information customers provide during their use of Conga services that pertains to other individuals and entities is not collected or used by Conga, and remains under the ownership of Conga’s customers. Conga processes customer data under the direction of its customers and has no direct control or ownership of the personal data it processes. Customers are responsible for complying with any regulations or laws that require providing notice, disclosure, and/or obtaining consent prior to transferring the data to Conga for processing purposes.

All data stored within the system is encrypted at rest using 256-bit Advanced Encryption Standard (AES) and in transit leveraging TLS encryption.

Incident Response

Conga has a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security team logs and prioritizes it according to its severity Events that directly impact customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. Key staff are trained in forensics and handling evidence in preparation for an event, including the use of third-party and proprietary tools. To help ensure the swift resolution of security incidents, the Conga security team is available 24/7 to all employees. If an incident involves customer data, Conga will inform the customer and support investigative efforts via our security team.

Physical Security

Processing occurs within AWS data centers that are housed in nondescript facilities. Professional security staff strictly control physical access, both at the perimeter and at building ingress points. Video surveillance intrusion detection systems are in place at a minimum of all ingress and egress points. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification, are signed in, and are continually escorted by authorized staff.


Conga services are designed to leverage the benefits of a cloud architecture. This includes the capability to provision machines in excess of the average capacity to support spikes in demand.

Availability and Disaster Recovery

Conga maintains geographically diverse data centers and leverages the near seamless failover technologies from AWS. The people, processes, and technology necessary to conduct our business are distributed among these sites, with critical business operations conducted at multiple globally diverse locations. If activity at any one of these sites is disrupted, our systems are designed to continue operating at the other locations without serious interruption for customers.

Available data centers are built in clusters in various regions. All data centers are online and serving customers. No data center is “cold.” In the case of failure, automated processes move customer data traffic away from the affected area. Each availability zone is designed as an independent failure zone.

Office Disruptions

Conga maintains a globally diverse operations staff in the event core offices have any significant disruption. Additionally, all Conga employees have laptops and a secure process to access necessary resources to support infrastructure and customers.

Conga Audits and Certifications

Conga is committed to achieving and maintaining the trust and confidence of our customers. Integral to this mission is Conga’s dedicated, in-house security and privacy team. This team is tasked with enabling Conga customers to meet a multitude of compliance, data protection, and regulatory obligations from around the globe. Conga’s trust and assurance activities include:

  • Conga certifies to the U.S. Department of Commerce that it adheres to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Conga’s current certification is available at https://
  • Data Processing Addendums or Agreements including the Standard Contractual Clauses as approved by the European Commission and incorporating stringent requirements of Article 28 of the EU General Data Protection Regulation 2016/679.
  • Service Organization Control (SOC) reports: Conga’s information security control environment undergoes an independent evaluation annually. Conga’s most recent SOC 2, Type II report covering security,  and availability, and confidentiality is available upon request.
  • Penetration testing conducted by industry-recognized 3rd party on material environment changes or annually.
  • Conga only utilizes infrastructure partners demonstrating the ability to meet rigorous standards (ISO 27001, SOC 2).