How Google protects your organization's security and privacy

Two of the most common topics of questions regarding Google in general, and Google Cloud specifically, are security and privacy. We take both topics very seriously and offer tools that let you control how we process your data for your organization. Our business is built on our customers' trust: trust in our ability to properly secure their data, our commitment to respect the privacy of the information they place in our systems, and the tools we provide them to keep control over their information.

To learn more about Google's position on reliability, privacy, and security, see How Google handles your data. Specifically, see the following FAQs for your questions regarding Google Cloud:

If you've identified an abuse incident with Google, report the incident to our team.

Frequently asked questions

Open All  |  Close all

What does a Google Cloud SOC 2/3 audit mean to me as an administrator?

An independent third-party auditor issued Google Cloud an unqualified Service Organizations Controls (SOC) 2/3 audit opinion. Google is proud to provide Google Cloud administrators the peace of mind knowing that their data is secure under the SOC 2/3 auditing industry standards. Learn more about the SOC3 public report. You can get a copy of our SOC 2 report from the Cloud Compliance Reports Manager

The independent third party auditor verified that Google Cloud has the following controls and protocols in place:

  • Logical security—Controls provide reasonable assurance that logical access to Google Cloud production systems and data is restricted to authorized individuals
  • Privacy—Controls provide reasonable assurance that Google has implemented policies and procedures addressing the privacy of customer data related to Google Cloud
  • Data center physical security—Controls provide reasonable assurance that data centers that house Google Cloud data and corporate offices are protected
  • Incident management and availability—Controls provide reasonable assurance that Google Cloud systems are redundant and incidents are properly reported, responded to, and recorded
  • Change management—Controls provide reasonable assurance that development of and changes to Google Cloud undergo testing and independent code review prior to release into production
  • Organization and administration—Controls provide reasonable assurance that management provides the infrastructure and mechanisms to track and communicate initiatives within the company that impact Google Cloud
How does Google Cloud comply with the EU’s General Data Protection Regulation (GDPR)?

The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.

You can count on the fact that Google is committed to GDPR compliance for Google Cloud. We are also committed to helping our customers with their GDPR compliance journey by providing them with the robust privacy and security protections we have built into our services and contracts over the years.

Among other things, data controllers are required to use only data processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR.

Our data processing terms clearly articulate our privacy commitments to customers. We have evolved these terms over the years based on feedback from our customers and regulators and have updated them to specifically address GDPR changes.

Please visit our GDPR site for more information.

Can you provide a contractual commitment that you’ll comply with the GDPR?

GDPR will be directly applicable to data processors (for example, cloud service providers like Google) regardless of their contractual commitments in this regard. Google is committed to GDPR compliance and to helping its customers with their own compliance journey. Please refer to our GDPR updated Data Processing Amendment to facilitate your compliance assessment and GDPR readiness when using Google Cloud Services.

How can I opt in to the Data Processing Amendment?

You may opt in to the Data Processing Amendment by following the online process described here.

Where does Google store my data?

Google’s infrastructure is strategically distributed across multiple data centers around the globe. For clarity, some Google data storage facilities are located in countries outside the European Economic Area (EEA). Also, Google Cloud 24/7 support implementation ensures agile and effective delivery of the services around the globe, and some of the support centers are outside the EEA. We are not able to provide you the exact data center that your data is stored due to the above reasons.

Can my organization use our own authentication system to provide user access to Google Cloud services?
We make it easy to use Google account security by giving employees secure Single Sign-on (SSO) access to a wide set of Software as a Service (SaaS) and custom built apps on desktop and mobile devices. Our OpenID Connect (OIDC) Identity Provider (IdP) support can be used with many SaaS apps in the Google Workspace Marketplace, and has support for Security Assertion Markup Language (SAML) 2.0 for many popular SaaS providers. We’re also making it easy for admins to add new custom SAML app integrations. Organizations can do the integration themselves, or work with a Google partner to accomplish this.
How are Google passwords generated for Google Cloud user accounts?

To generate passwords for new user accounts, Google uses a mixed pattern of symbols, upper and lower case letters, and numbers. The length of the password will be the greater of the required minimum (8), or the minimum password length you've set for your domain.

An administrator/end-user deleted a number of email messages. How can I recover them?

Once an administrator or end-user has deleted any data in Google Cloud, we delete it according to your Customer Agreement and our Privacy Policy.

Data is irretrievable once an administrator deletes a user account. See the Help Center for best practices for deleting users.

If you need to recover email messages, Google offers additional archiving products (Google Vault) that can complement Google Workspace Business and Enterprise editions. For products not covered by Google Vault recovery solutions, please consult the Google Workspace Marketplace where one of our partners may have a solution suitable for your needs.

How does Google help prevent phishing?

Spammers can sometimes forge the “From” address on an email message so that it appears to come from a reputable organization’s domain. Known as phishing, this practice is often an attempt to collect sensitive data. To help prevent phishing, Google participates in the Domain based Message Authentication, Reporting & Conformance (DMARC) program, which lets domain owners tell email providers how to handle unauthenticated messages from their domain. Google Cloud customers can implement DMARC by creating a DMARC record within their administrator settings and implementing an SPF record and DKIM keys on all outbound mail streams.

How does Google respond to users in my domain who send spam?

In accordance with the Acceptable Use Policy:

  • If Google identifies a Google Workspace email user who is spamming, we reserve the right to immediately suspend the user.
  • If the spam is domain-wide, we reserve the right to suspend the entire account and deny administrator access to all the Google Cloud services.
Which of my users can access my Google Cloud administrative account?

Only the owner and managers of the domain name can create a Google Cloud administrative account. Upon signing up, a Google Cloud administrator is asked to verify control of the domain by making a change to the Domain Name System (DNS) records. Without this verification, Google does not allow an administrative account to be opened. None of the Google services can be actively managed for a domain until domain ownership is verified.

After an administrator has verified ownership, other usernames in the account may be granted administrative privileges at the discretion of any administrator.

Non-administrative users on the domain may also contact the Support team to request administrative access. The normal domain verification process ensures that the requestor has domain management rights.

Lastly, any individual who has access to your registered secondary email address can initiate a password reset and access the primary administrator account.

Which of my users can access other users' accounts?

Per your domain’s Customer Agreement, Google Cloud administrators for a domain can access all user accounts and the associated data, as described in our Privacy Policy.

As a domain administrator, you have control of all usernames and passwords within your domain. You can access your users' accounts in conformity with the Customer Agreement. However, we do require that you have a policy about such actions that is published to your users.

We will notify the registered secondary email address of any spam violations.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu