We do everything in our power to protect businesses, schools, and government organizations from attempts to compromise their data. We vigorously resist any unlawful attempt to access our customers’ data, whether it be from a hacker or a government body.
In order to help answer some of the many security questions we receive, we have created this FAQ and a companion Google Workspace security site. We hope this helps to answer some of your questions about Google's position on these important issues. Be sure to check Google's Privacy and Terms page for tools and information relating to consumer privacy.
If you need to report an abuse issue, learn more about reporting abuse issues to our team.
Who owns the data that organizations put into Google Cloud?
To put it simply, the data that companies, schools, and government agencies put into our systems are theirs. Whether it’s corporate intellectual property, personal information, or a homework assignment, Google does not own that data.
That means two key things:
- We use your information for the purposes specified in your agreement, such as delivering you the service for which you pay. There are no ads in Google Cloud.
- You have control over your data. We provide you with tools to delete and export your data so that you can take your data with you at any time, use external services in conjunction with Google Workspace, or stop using our services altogether.
Google processes your data to fulfill our contractual obligation to deliver our services. Google’s customers own their data, not Google. The data that companies, schools, and students put into our systems is theirs. Google does not sell your data to third parties. Google offers our customers a detailed Data Processing Amendment that describes our commitment to protecting your data.
EY, an independent auditor, has verified that our privacy practices and contractual commitments for Google Workspace and Google Workspace for Education comply with ISO/IEC 27018:2014. For example:
- We do not use your data for advertising
- The data that you entrust with us remains yours
- We provide you with tools to delete and export your data
- We are transparent about where your data is stored
No. There are no ads in Google Workspace Services or Google Cloud Platform, and we have no plans to change this in the future. We do not scan for advertising purposes in Gmail or other Google Workspace services. Google does not collect or use data in Google Workspace services for advertising purposes.
The process is different for our free offerings and the consumer space. For information on our free consumer products, be sure to check Google's Privacy and Terms page for more consumer tools and information relating to consumer privacy.
Google Cloud does not scan your data or email in Google Workspace Services for advertising purposes. Our automated systems scan and index your data to provide you with your services and to protect your data, such as to perform spam and malware detection, to sort email for features like Priority Inbox and to return fast, powerful search results when users search for information in their accounts. The situation is different for our free offerings and the consumer space. For information on our free consumer products, be sure to check Google's Privacy and Terms page for more consumer tools and information relating to consumer privacy.
Google Workspace for Education services do not collect or use student data for advertising purposes or create advertising profiles.
Gmail for consumers and Google Workspace for Education users run on the same infrastructure, which provides high performance, reliability, and security to all of our users. However, Google Workspace is a separate offering that provides additional security, administrative, and archiving controls for education, business, and government customers.
Like many email providers, we perform scanning in Gmail to keep our customers secure and to improve their product experience. In Gmail for Google Workspace for Education, this includes virus and spam protection, spell check, relevant search results and features, such as Priority Inbox and auto-detection of calendar events. Scanning to provide product features is done on all incoming emails and is 100% automated. We do not scan Google Workspace for Education emails for advertising purposes.
Additionally, we do not collect or use any information stored in Google Workspace for Education users’ Google Drive or Docs (or Sheets, Slides, Drawings, Forms) for any advertising purposes.
Users who have chosen to show AdSense ads on their Google Sites will still have the ability to display those existing ads on their websites. However, it will no longer be possible to edit or add new AdSense ads to existing sites or to new pages.
We provide tools so that you can export data if you choose to use external services in conjunction with Google Workspace or stop using our services altogether, without penalty or additional cost imposed by Google.
Google may only access data in your account in strict compliance with our Privacy Policy and your Customer Agreement. We also offer a detailed Data Processing Amendment that further describes our commitment to protecting your data. For purposes of providing technical support, an administrator from your domain may choose to grant the Google Support team permission to access accounts in order to resolve a specified issue. Access Transparency logs provide information about actions of Google staff when they access your data.
Google’s security practices are verified and certified by third-party auditors. We have achieved ISO 27001 certification, which means that an independent auditor has examined the controls present in our data centers, infrastructure, and operation. This certification sets a bar for security that is often higher than what is achieved by many of our customers. Amongst these practices, employees are subject to background investigations based on their level of access. Any employee access is governed by a policy of “least privilege access,” which means that access is only granted to the information and resources that are necessary for the execution of the assigned task.
Google may only access data in your account in strict compliance with our Privacy Policy and your Customer Agreement. We also offer a detailed Data Processing Amendment that further describes our commitment to protecting your data. Access Transparency logs provide information about actions of Google staff when they access your data.
We believe that you should have control over your data. When you agree to our Data Processing Amendment, Google contractually commits to deleting your Google Workspace data from our systems within 180 days of your deleting it in our services.
When you delete data, the pointers to that data are removed immediately, but Google’s application and network architecture is designed for maximum reliability and uptime. Data is distributed across Google's servers and data centers. If a machine—or even an entire data center—fails, your data will still be accessible. As a result it can take up to 180 days to ensure that every bit of customer data is purged from our systems.
Respect for the privacy and security of the data you store with Google underpins our approach to complying with legal requests for user data. Our legal team reviews each and every government request for user data to make sure it satisfies legal requirements and Google's policies, and we push back when the requests are overly broad or don’t follow the correct process.
Google notifies users about legal demands when appropriate, unless prohibited by law or court order, and since 2009 has published aggregate statistics about government requests for user information in our Transparency Report.
If Google receives a government data request for Cloud customer data, it is Google’s policy to direct the government to request such data directly from the Cloud customer. Google has a rigorous process for evaluating and responding to government requests, including CLOUD Act data requests issued pursuant to a CLOUD Act executive agreement. We have a team that reviews and evaluates each request we receive to make sure it satisfies legal requirements. When compelled to produce data, Google promptly notifies enterprise customers before any information is disclosed, unless such notification is prohibited by law or except in emergency situations involving a threat to life. Google will, to the extent allowed by law and by the terms of the request, comply with a customer’s reasonable requests regarding its efforts to oppose a request.
Detailed information is available in our Transparency Report and Google Cloud Government Requests White Paper.
A number of our products provide capabilities that allow the storage of certain Customer Personal Data in the EU/EEA region. Please see GCP products that are available by location and Google Workspace Data regions.
Keep in mind that the data regions offering is not designed to help meet any legal, compliance, or regulatory requirements. That said, it may satisfy company-specific policies around locating data.
No, but like the former EU Directive on data protection, the GDPR requires the implementation of appropriate safeguards for the transfer of personal data outside the EEA. Such appropriate safeguards can be provided by using existing mechanisms, such as Standard Contract Clauses.
For organizations that want more geo-control, data regions for Google Workspace provides fine-grained control of the geographical location for storage of email messages, documents, and some other Google Workspace content. The data regions offering is not designed to help meet any legal, compliance, or regulatory requirements, but it may satisfy company-specific policies around locating data. For more information on this feature, see Choose a geographic location for your data.
Google’s infrastructure is strategically distributed across multiple data centers around the globe. For clarity, some Google data storage facilities are located in countries outside the European Economic Area (EEA). Also, Google Cloud 24/7 support implementation ensures agile and effective delivery of the services around the globe, and some of the support centers are outside the EEA. For these reasons, we are not able to tell you the exact data center in which your data is stored.