How Google protects your organization's security and privacy
Security and privacy are two of the most common topics of questions about Google in general and G Suite specifically. We take both topics very seriously and offer tools that let you control how we process your data for your organization. Our business is built on our customers' trust: trust in our ability to properly secure their data, our commitment to respect the privacy of the information they place in our systems, and the tools we provide them to keep control over their information.
To learn more about Google's position on reliability, privacy, and security, see How Google handles your data.
If you've identified an abuse incident with G Suite, report the incident to our team.
What does a G Suite SOC 2/3 audit mean to me as an administrator?
An independent third-party auditor issued G Suite an unqualified Service Organizations Controls (SOC) 2/3 audit opinion. Google is proud to provide G Suite administrators the peace of mind knowing that their data is secure under the SOC 2/3 auditing industry standards. Learn more about the SOC 3 public report.
The independent third-party auditor verified that G Suite has the following controls and protocols in place:
- Logical security—Controls provide reasonable assurance that logical access to G Suite production systems and data is restricted to authorized individuals
- Privacy—Controls provide reasonable assurance that Google has implemented policies and procedures addressing the privacy of customer data related to G Suite
- Data center physical security—Controls provide reasonable assurance that data centers that house G Suite data and corporate offices are protected
- Incident management and availability—Controls provide reasonable assurance that G Suite systems are redundant and incidents are properly reported, responded to, and recorded
- Change management—Controls provide reasonable assurance that development of and changes to G Suite undergo testing and independent code review prior to release into production
- Organization and administration—Controls provide reasonable assurance that management provides the infrastructure and mechanisms to track and communicate initiatives within the company that impact G Suite
To generate passwords for new user accounts, Google uses a mixed pattern of symbols, upper and lower case letters, and numbers. The length of the password will be the greater of the required minimum (8) or the minimum password length you've set for your domain.
Data is irretrievable once an administrator deletes a user account. See the Help Center for best practices for deleting users.
If you need to recover email messages, Google offers additional archiving products that can complement G Suite, Government and Education editions. For non-email data recovery solutions, please consult the G Suite Marketplace where one of our partners may have a solution suitable for your needs.
Spammers can sometimes forge the “From” address on an email message so that it appears to come from a reputable organization’s domain. Known as phishing, this practice is often an attempt to collect sensitive data. To help prevent phishing, Google participates in the Domain-based Message Authentication, Reporting & Conformance (DMARC) program, which lets domain owners tell email providers how to handle unauthenticated messages from their domain. G Suite customers can implement DMARC by creating a DMARC record within their administrator settings and implementing an SPF record and DKIM keys on all outbound mail streams.
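The DMARC and SPF records mentioned above are plain DNS TXT strings, so a domain owner can check them for a policy that does not actually enforce anything. The following Python is an added example, not a Google tool: the function names are hypothetical and the sample records are constructed for example.com (the `include:_spf.google.com` term is assumed as the SPF include for mail sent through Google).

```python
# Added example: audit DMARC and SPF TXT records for weak or malformed policy.
# The sample records are constructed for example.com.
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SAMPLE_SPF = "v=spf1 include:_spf.google.com ~all"

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict, preserving tag order."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = value.strip()
    return tags

def audit_dmarc(record):
    """Return findings for a DMARC record; an empty list means it enforces."""
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return [str(exc)]
    # RFC 7489: v=DMARC1 must be the first tag, and p= is required.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["record must start with v=DMARC1; receivers ignore it otherwise"]
    findings = []
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    if not pct.isdecimal() or int(pct) > 100:
        findings.append("pct= must be an integer from 0 to 100")
    elif int(pct) < 100:
        findings.append(f"policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports are not collected")
    return findings

def audit_spf(record):
    """Return findings about how an SPF record treats unlisted senders."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["record must start with v=spf1"]
    if terms[-1] in ("all", "+all"):
        return ["+all authorizes every sender on the internet"]
    if terms[-1] in ("-all", "~all") or terms[-1].startswith("redirect="):
        return []
    return ["no fail/softfail 'all' at the end; unlisted senders are not flagged"]
```

Calling `audit_dmarc(SAMPLE_DMARC)` reports the monitoring-only policy, while a record with `p=reject` and a `rua=` address returns no findings.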
In accordance with the G Suite Acceptable Use Policy:
- If Google identifies a G Suite email user who is spamming, we reserve the right to immediately suspend the user.
- If the spam is domain-wide, we reserve the right to suspend the entire account and deny administrator access to all the G Suite services.
Only the owner and managers of the domain name can create a G Suite administrative account. Upon signing up, a G Suite administrator is asked to verify control of the domain by making a change to the Domain Name System (DNS) records. Without this verification, Google does not allow an administrative account to be opened. None of the Google services can be actively managed for a domain until domain ownership is verified.
After an administrator has verified ownership, other usernames in the account may be granted administrative privileges at the discretion of any administrator.
Non-administrative users on the domain may also contact the G Suite Support team to request administrative access. The normal domain verification process ensures that the requestor has domain management rights.
As a domain administrator, you have control of all usernames and passwords within your domain. You can access your users' accounts in conformity with the Customer Agreement. However, we do require that you have a policy about such actions that is published to your users.
We will notify the registered secondary email address of any spam violations.