Compliance

We are committed to complying with regulations across the world and across various industry sectors such as healthcare and education. You can use our services with confidence that Google provides the tools and controls you need to meet your compliance requirements.

To help answer some of the many questions we receive, we have created this FAQ and a companion Google Workspace security site. Be sure to check Google's Privacy and Terms page for tools and information relating to consumer privacy.

If you need to report an abuse issue, learn more about reporting abuse issues to our team.

How can I verify the security of Google Workspace and Google Cloud Platform?

Our customers and regulators expect independent verification of security, privacy, and compliance controls. Google undergoes several independent third party audits on a regular basis to provide this assurance. This means that an independent auditor has examined the controls present in our data centers, infrastructure and operations. Google solutions have regular audits for the following standards:

  • SOC1 (SSAE-18/ISAE-3402)—Google Workspace and Google Cloud Platform
  • SOC2—Google Workspace and Google Cloud Platform
  • SOC3—Google Workspace and Google Cloud Platform
  • ISO27001—Google Workspace and Google Cloud Platform
  • ISO27017—Google Workspace and Google Cloud Platform
  • ISO27018—Google Workspace and Google Cloud Platform
  • ISO27701—Google Workspace and Google Cloud Platform
  • HIPAA—Google Workspace and Google Cloud Platform
  • FedRAMP—Google Workspace and Google Cloud Platform
Can I obtain a copy of these certificates and audit reports? Where can I download the SOC3 audit report? Where can I see Google's ISO27001 certificate?

The SOC3 report proves that our controls have been examined by an independent accountant. It represents the practitioner’s report on management's assertion(s) that the entity's business being relied upon is in conformity with the applicable Trust Services Principle(s) and Criteria.

The ISO27001 certificate proves the functional scope of the ISO/IEC 27001:2013 standard. Certification is bounded by the Google Workspace (and Google Workspace for Education), Google Cloud Platform, Google Plus, Google Now, Google Analytics, and Analytics Premium offerings and the data contained or collected by those offerings and specified facilities.

You can obtain a copy of these compliance reports at Compliance Reports Manager by signing in to your account.

How does Google meet European data protection requirements?

Google has a broad customer base in Europe. Over 50% of our business customers are based outside of the United States. Google provides capabilities and contractual commitments created to meet applicable data protection laws. Google offers the Cloud Data Processing Addendum (CDPA) for Google Workspace and Google Cloud.

Along with independent third-party audits of our data protection practices and our ISO 27001 certification, and verification that our privacy practices and contractual commitments comply with ISO/IEC 27018:2014, we provide our customers with several compliance options to address EU data protection regulations.

Don’t EU data protection laws require personal data to be stored in the EU/EEA?

The EU GDPR protects the personal data of residents of the European Economic Area (EEA), and only permits the transfer of their personal data to non-EEA countries that have not been approved as providing "adequate" data protection in limited circumstances. The UK GDPR and Swiss Federal Data Protection Act impose similar restrictions. The use of approved Standard Contractual Clauses (SCCs) is one means of complying with these restrictions.

Google Cloud incorporates SCCs into the Cloud Data Processing Addendum (CDPA). In the absence of an alternative transfer solution, these will automatically protect the personal data of customers in Europe, the Middle East and Africa (EMEA). Customers outside EMEA will need to certify via the admin console that they are subject to European data protection law in order for the SCCs to be applied to their data (in the absence of an alternative transfer solution).

What about the U.S. government? Won’t storing data outside the U.S. mean it won’t be subject to U.S. government requests for data?

Storing your data outside a particular country does not necessarily protect the data from access by government access, as governments may retain the ability to compel disclosure of information outside their borders. That's why we are advocating for surveillance reform. We do not provide governments with access to our systems or to allow them to install equipment that gives them access to user data. For more information on how government requests for data are handled, please see the Safeguards for international data transfers with Google Cloud whitepaper and Google’s Transparency Report.

Where does Google store my data?

Your data will be stored in Google's network of data centers. Google maintains a number of geographically distributed data centers. Google's computing clusters are designed with resiliency and redundancy in mind, eliminating any single point of failure and minimizing the impact of common equipment failures and environmental risks.

Can I store healthcare data in Google systems?

Google Workspace supports our customers’ compliance with the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA). Customers who are subject to HIPAA and wish to use Google Workspace with Protected Health Information (PHI) must sign a Business Associate Agreement (BAA) with Google. Administrators for organizations with Google Workspace, Google Workspace for Education, and Google Workspace for Government can request a BAA before using Google services with PHI. For a list of HIPAA supported Google Workspace functionalities, please check here.

Do Google products meet privacy requirements for use by students and children?

Millions of students rely on Google Workspace for Education. Google Workspace for Education complies with the U.S. Family Educational Rights and Privacy Act (FERPA), and our commitment to do so is included in our agreements. We contractually require Google Workspace for Education schools to obtain parental consent regarding the use of our service in conformity with the U.S. Child Online Privacy Protection Act (COPPA), which facilitates compliance with COPPA requirements.

Can Google be used by U.S. government institutions?

The Federal Information Security Management Act of 2002 (FISMA) is a U.S. federal law pertaining to the information security of federal agencies' information systems. FISMA applies to all information systems used or operated by U.S. federal agencies, or by contractors or other organizations on behalf of the government.

The Federal Risk and Authorization Management Program (FedRAMP) implements FISMA for U.S. federal agencies using cloud computing services. FedRAMP is the required cloud security compliance standard for Federal agencies.

Google Workspace, including Google Workspace, Google Workspace for Education, Google Workspace for Nonprofits and Government, and Google App Engine have received a FedRAMP Authorization to Operate (ATO) at the FIPS 199 Moderate impact level, the standard level for Controlled Unclassified Information.

My organization handles payment card data and is subject to PCI DSS. What tools are available to help me remain compliant?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and technical requirements defined for systems that contain or process payment card information. Google Cloud Platform has been assessed by a Qualified Security Assessor (QSA) and found to be in compliance with the Payment Card Industry (PCI) Data Security Standards (DSS). Google is using the QSA’s Report on Compliance to confirm that application developers can create and operate their own secure and compliant solutions using its platform. Google Workspace is not meant to process or store credit card transactions. Therefore, customers may configure controls to prevent emails with credit card information from being sent from Google Workspace. This helps our customers maintain PCI DSS compliance.

Google Cloud Platform undergoes an annual third-party audit to certify individual products against the PCI DSS. This means that these services provide an infrastructure upon which customers may build their own services or applications which store, process, or transmit cardholder data. It is important to note that customers are still responsible for ensuring that their applications are PCI DSS compliant. To learn how to use Google Cloud Platform to implement PCI DSS in your application, see PCI Data Security Standard compliance.

What eDiscovery tools are available for my organization to support legal and compliance requests?

Google Vault is an add-on for Google Workspace that lets you retain, archive, search, and export your organization's email for your eDiscovery and compliance needs. Vault is entirely web-based, so there's no need to install or maintain any software. With Vault, you can:

  • Keep data for as long as you need it.
  • Remove data when you no longer need it.
  • Search, hold, and export data of interest.

For more information, see What is Google Vault?

Can I use Google services with data controlled under the International Traffic in Arms Regulations?

The International Traffic in Arms Regulations (ITAR) is a set of U.S. government regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML). Google does not support use of our services with ITAR-controlled data.

How do Google Cloud services comply with the EU’s General Data Protection Regulation (GDPR)?

The GDPR is a complex piece of legislation. For details of Google Cloud’s approach to the GDPR, please see the resources at Google Cloud & the General Data Protection Regulation (GDPR). With regard to the data transfer restrictions imposed by the GDPR, Google Cloud includes Standard Contractual Clauses (SCCs) in the CDPA. In the absence of an alternative transfer solution, these automatically protect the Customer Personal Data of customers in Europe, the Middle East and Africa (EMEA), and will protect the Customer Personal Data of customers outside EMEA if those customers certify via the Google Admin console that they are subject to European data protection law.

What is the difference between the Google Workspace and the consumer versions of Google Workspace apps?

Google Workspace services are offered by Google to organizations under the Google Workspace Terms of Service and the Cloud Data Processing Addendum. Consumer apps are offered by Google directly to its end users under Google Terms of Service and the Google Privacy Policy. There is significant overlap in the features and functionality of Google Workspace apps and consumer versions of these apps. Google Workspace services have controls that allow an organization's administrators to have control over the security and privacy settings of the apps for their organization.

Does Google offer the Cloud Data Processing Addendum for consumer versions of the Google Workspace apps?

No. Our Cloud Processing Addendum, including incorporated Standard Contractual Clauses, is only available for the customers who use Google Workspace. The consumer versions of the Google Workspace apps are offered under the Google Terms of Service and Privacy Policy.

You may want to consult with your legal counsel about your specific privacy and data protection obligations and which model suits your compliance needs.

How does Google adhere to AADC requirements?

We're committed to building products that are secure by default, private by design, and that put people in control. And while our policies don’t allow children under the age of consent to create a standard Google account, we’ve worked hard to design enriching product experiences specifically for them, teens, and families.

We encourage you to work with your legal counsel to assess obligations around Age Appropriate Design Code (AADC) and other child privacy-focused regulations.

For Google Workspace Business and Enterprise accounts, it's up to the domain administrator to determine if AADC applies to any users in its domain. If it does, we recommend turning off all additional services for users under the age of 18. This is because Google Workspace Business and Enterprise plans are business accounts. Additional Services accessed via a business account do not currently have child-focused privacy features. This is not the case for Google Workspace for Education accounts, where Google Workspace for Education domains have implemented the age-based access setting (for more information, see Control access to Google services by age).

Was this helpful?

How can we improve it?
Main menu
10697112328837875008
true
Search Help Center
true
true
true
false
false