This article provides privacy best practices for Google Workspace administrators when contacting and working with Google Cloud Support. To obtain guidance on the specific requirements applicable to your organization, we recommend that you consult with a legal expert, as this article does not constitute legal advice.
In this article...
In a Support case, Support Data (as defined in the Google Workspace Technical Support Services Guidelines) includes customer contact information, case details, support interactions, and customer feedback provided in customer surveys. Support Data is a subset of Service Data, the processing of which is covered in the Google Cloud Privacy Notice.
Occasionally you might send sensitive data (such as credentials, service account keys, and access tokens) to Google Cloud Support. You can ask the support agent to remove such content in the support ticket. Support personnel follow an internal process to proactively identify such sensitive information stored in the support ticket. Support personnel are empowered and trained to flag any case that could potentially compromise personal information or Google data and escalate review to a designated internal team to evaluate these cases and take appropriate action.
Google also builds support tools to help you sanitize the sensitive information. For example, Google created a HAR Analyzer tool to help you screen HAR files, which alerts you not to disclose sensitive data such as cookies, passwords, credit card numbers, and more. Google uses the HAR file to investigate if requests get a specific error-response code or if the request is aborted. Google also examines the HAR file to find out if the issue is caused by non-error responses or if the HAR file failed to capture the error causing the issue.
Note: HAR, which is an abbreviation for HTTP Archive, is a JSON-formatted archive file format for logging a web browser's interaction with a website.
If for any reason you need to share personally identifiable information (PII) or sensitive personally identifiable information (SPII) with Google Cloud Support for troubleshooting purposes, you can host a file using Google Drive and share the link with Support. As a Google Workspace administrator, you control who has access to the file and how long the file will be retained.
You can share the file with Google Cloud Support using a shared account (noreply.googleapps.com) that lives on a centralized Google-owned, Google-managed Workspace production environment. Google Cloud Support agents are configured as users so that you can share data and allow access to the support agents for troubleshooting purposes. For example, log files that are too large for upload to support cases may be shared this way. The support agent instructs you to set an expiration date and revoke Google Cloud Support’s access when the case is closed.
Note: As a Google Workspace administrator, you're sent an email communication with step-by-step instructions for how to share files with Google Cloud Support.
Google Cloud Support engages third-party entities (see Google Workspace and Cloud Identity Subprocessors) to perform limited activities in connection with Google Cloud Support. Support subprocessors do not have access to Customer Data stored or processed by Workspace services. The Support subprocessors only have access to Customer Data if you explicitly elect to share your Customer Data in the course of a support case.
The following security safeguards are in place to control access to Customer Data by such subprocessors:
- Subprocessors exclusively use Google-managed machines to access corporate resources.
- Google's internal systems have built-in interconnected controls that will grant or deny access to a support agent depending on systematized checks that are performed (in other words, to confirm the owner of a support case).
- System access by subprocessors is systematically logged and periodically audited to ensure appropriate use.
- Subprocessors have no access to Customer Data (for example, text entered by the user into Gmail, Docs, Sheets, and Slides) unless you specifically share this data with the support agent during the support case.
You can initiate a case deletion by contacting Support, and the Support team will review the request. In rare cases, Support will need to retain certain information for an extended period of time for legitimate business or legal purposes—for example, in case there's a billing dispute or a security breach.
If you need access to your support interactions, and if those interactions aren't available in the Support Portal, you can request a copy of your support interactions by opening a standard support case. You can also request a copy by signing in to the Google Admin console to contact the Google Cloud Data Protection Team—using the form that's available under Account settings > Legal & Compliance. You can request the call recording, chat transcripts, email communications, and case comments for the case you need information for.
Google Cloud Support uses support case data to keep a consistent record of your support issues. This can be informative when addressing future support issues or situations related to your customer account. Google Cloud Support also leverages past cases while encountering new issues for other customers. Past cases serve as examples to inform similar support interactions in the future. Additionally, Google Cloud Support uses support case data to conduct quality review, build automated solutions for customer responses, and improve the customer support experience.
If you purchase Google Workspace from a Google reseller, you can receive Support help related to your account, domain settings, and billing directly from the reseller.
Depending on the Workspace license that's purchased from the reseller, there are several ways to contact Google Cloud Support. For example, you can directly open a support case through the Google Admin console (where you can choose to include your reseller in the support ticket), or a reseller can open a support ticket on your behalf through the Customer Care Portal. For the latter, you need to give the reseller permission (limitations apply) to access your account and help them to troubleshoot your cases. We suggest that you reach an agreement with your reseller on a policy for accessing the Google Admin console. This enables you to access support cases that your reseller files on your behalf.
If you have a separate, standalone support contract with the reseller, it's the reseller’s responsibility to provide the appropriate level of support. Google Cloud does not have control or visibility into these agreements. If you have a direct Support contract with your reseller, we suggest that you apply privacy best practices during your support interactions with them.
As part of Google's long-term commitment to security and transparency, you can use Access Transparency to review logs of actions taken by Google personnel when accessing user content. You have access to this service if you have an Enterprise Plus or Education Plus subscription.
With Access Transparency, user-generated content is text entered into Gmail, Docs, Sheets, Slides, and other apps. By reviewing the Access Transparency logs, you can verify that Google is accessing your data for valid business reasons, such as fixing a problem or responding to a request. When accessing user content for troubleshooting purposes, Support agents are required to enter a valid business reason—such as an active support case number or ePIN for the cases they have owned. You'll see the following justification reason in the description field: CUSTOMER_INITIATED_SUPPORT
Google has a dedicated internal Support team to answer questions on privacy and data protection to ensure Google Workspace services can help meet your compliance needs. To contact the Google Cloud Data Protection Team, sign in to the Google Admin console, and then go to this contact page.