Case Study: Conga Privacy Compliance

Data protection is a key consideration in today’s interconnected world, and few companies understand this better than Conga. As a leading provider of contract lifecycle management (CLM) and document automation solutions, Conga demonstrates a strong commitment to privacy and data protection compliance. However, adapting to continuously evolving regulatory frameworks is a challenging task for any company. This case study explores how Conga, with strategic guidance and support from VeraSafe, successfully aligned its data privacy practices, policies, and agreements to comply with evolving privacy regulations across a sophisticated data environment.

Customer Profile

Headquartered in Broomfield, Colorado, Conga is a B2B software solutions provider with 1,555 employees and operations spanning North America, Europe, and Asia. Its 11,000+ customers range from small and medium-sized businesses to large enterprises in a variety of industries and geographic locations. The company’s vast network of vendors and partners contributes to a complex data ecosystem of controllers, processors, and sub-processors across multiple geographic locations.

“Conga’s compliance situation was complex. We had to navigate multi-jurisdictional entities, an intricate network of sub-processors, and a diverse range of SaaS products—all during a time of legal uncertainty.”

Isabel Fernández del Campo Aguiló, Senior Privacy Advisor at VeraSafe


In recent years, companies like Conga have faced increasing privacy and data protection obligations, with the EU’s GDPR setting the stage in 2018 and California’s CCPA adding further complexity by 2020. Conga was up to the challenge, having already made substantial efforts in data protection, even without a dedicated privacy department. But, like many companies inside and outside the EU, it found the expansive and sometimes ambiguous aspects of the GDPR frustrating, leading to questions about DPIAs, DPO requirements, Schrems II implications, SCC adoption, and sourcing data from third parties. In addition, Conga’s data operations had an international reach. With servers in Australia and Germany and a client-base spanning the U.S., India, APAC, and Europe, it was imperative for the company to maintain up-to-date and compliant data protection measures on a global scale. 

By late 2021, Conga turned to VeraSafe for guidance and support.

Contact VeraSafe to discuss your data security management and privacy program today.