Google Meet security & privacy for IT admins

This article is for administrators. If you're a user, go to the Meet help center. For details about security for Education editions, go to Meet security and privacy for education.

Protect your organization’s data and privacy with Google Meet's built-in features.

Protect privacy & data

Expand all  |  Collapse all

Privacy & compliance

Google helps protect your privacy by keeping you in control, and by maintaining and evolving security features. Google also complies with data protection laws and other industry standards. 

  • Control over your data—Meet adheres to the same privacy commitments and data protections as the rest of Google Cloud’s services. 
    • Customers own their data, not Google.
    • Google does not use customer data for advertising or sell customer data to third parties.
    • Customer data is encrypted in transit.
    • Customer recordings stored in Google Drive are encrypted at rest.
    • Meet does not have user attention-tracking features or software.
    • You can set retention policies for Meet recordings with Google Vault to help fulfill legal obligations.
    • Google does not store video, audio, or chat data unless a meeting participant initiates a recording during the Meet session.

For more details, go to the Privacy Resource Center.

Encryption

To help ensure data security and privacy, Meet supports the following encryption measures:

  • All data in Meet is encrypted in transit by default.
    • If you join a Meet meeting by phone or use a phone for audio in a meeting, the audio uses the phone carrier’s network and might not be encrypted.
  • Meet recordings stored in Google Drive are encrypted.
  • Meet adheres to Internet Engineering Task Force (IETF) security standards for Datagram Transport Layer Security (DTLS) and Secure Real-time Transport Protocol (SRTP). Learn more about the DTLS extension to establish keys for SRTP.

Advanced encryption

  • Meet encryption provides security to keep all data private. You can add an extra layer of encryption with Google Workspace client-side encryption (CSE).
  • CSE uses your organization's encryption keys to encrypt Meet video and audio streams on the client’s browser before the streams are sent to other meeting participants or Google.
  • To use CSE, connect Google Workspace to an external encryption key service and identity provider (IdP). For more details, go to Use client-side encryption for users' data.
Anti-abuse measures

Keep your users safe in meetings with Meet. Here are some of the key anti-abuse measures we have in place:

  • Meeting codes—Each meeting code is 10 characters long. With 25 characters in the set, it's very hard to guess a meeting code.
  • In-meeting features—Give your users more control in meetings by turning on host management. For details, go to Host Management.
  • Extra precautions for external participants—External participants can only join a meeting without asking to join if: 
    • They’re on the calendar invite before the meeting starts or they've been invited by someone in your organization who is already in the meeting. 
    • It's within 15 minutes of the scheduled start time for the meeting.
  • Dialing in by phone—Phone numbers and PINs are only valid during the scheduled meeting time. PINs are generally 9 digits or more. Phone participants can only join within 15 minutes of the scheduled meeting time.

Advanced anti-abuse measures

If the meeting has Google Workspace client-side encryption (CSE): 

  • External participants must have an invitation to request to join the meeting. 
  • Nobody can join using phones.

If the meeting doesn’t have CSE, any external participants can request to join the meeting. Only someone in your organization can accept the request.

Secure deployment, access & controls

Secure access to Meet to help ensure meeting safety for your users. Meet takes precautions to help secure your access:

  • Accessing Meet—Meet works entirely in the browser for users on Chrome, Mozilla Firefox, Apple Safari, and Microsoft Edge browsers. You don't have to install any plugins or software. You don’t have  to push out any security patches for Meet on end-user machines. On mobile devices, we recommend the Google Meet app from Google Play (Android) or the Apple App Store (iOS). For more details, go to Requirements for using Google Meet.
  • 2-Step Verification—We support multiple 2-step verification options for Meet. This includes security keys, one-time passwords and prompts, and SMS text messages. Learn how to Set up 2-Step Verification
  • Advanced Protection Program—Enroll in Google’s Advanced Protection Program, which provides the strongest protections available against phishing and account hijacking. Learn more about Google's Advanced Protection Program.
  • Additional authentication methods—Single sign-on (SSO) through SAML is available for Meet with all Google Workspace editions. 
  • Logs—Audit logging for Meet is available in the Google Admin console. For more details, go to Meet log events.
  • Track access—Log every time a Google admin accesses Meet recordings stored in Google Drive, along with the reason for access. For more details, go to Access Transparency.
  • Recordings—Store Meet recordings in Drive only in specific regions (for example, the U.S. or Europe) using the data regions feature. Regional storage limitations do not apply to video transcodes, processing, indexing, and so on.
Incident management

To protect you and your users, Google has strict processes around incident prevention, detection, and response. This kind of incident management is a big part of Google’s overall security and privacy program. It's also key to complying with global privacy regulations, such as GDPR. For more details, check out the Data incident response process.

Incident prevention

  • Testing—Google’s security team actively scans for security threats. The team uses penetration tests, quality assurance measures, intrusion detection, and software security reviews.
  • Internal code reviews—Source code review helps Google find hidden flaws and verifies whether key security controls are in place.
  • Google’s vulnerability reward program—Sometimes external security researchers report potential technical weak spots to Google.

Incident detection

  • Automated network and system logs analysis—Automated analysis of network traffic and system access helps identify suspicious, abusive, or unauthorized activity. This info is sent to Google’s security staff.
  • Product-specific tooling and processes—Google uses automated tooling to detect incidents at the product level.
  • Usage anomaly detection—Google uses many layers of machine learning systems to differentiate between safe and unsafe user activity. It looks for this activity across browsers, devices, application sign-ins, etc.
  • Data center and workplace services security alerts—Security alerts in data centers prompt scans for incidents that might affect your company.

Incident response

  • Expert response—Dedicated experts respond to all types and sizes of data incidents.
  • Notifications—A process for quickly notifying affected organizations. It's in line with Google’s commitments in our Terms of Service and agreements.
Safety best practices

Use the tips below to help you create a meeting space your users can trust.

Before a meeting 

  • Be careful when you share meeting links, especially in public. 
  • Be mindful when inviting external attendees. 
  • Be cautious when anonymous users request to join a meeting.
  • Use Google Calendar to send Meet invites. For details, go to Start or schedule a Google Meet meeting.
  • Turn on 2-step verification to help prevent account takeovers, even if someone has your password. For more details, go to Make your account more secure.
  • Take Google’s Security Checkup. It's a step-by-step tool that gives you personalized and actionable security recommendations to strengthen the security of your organization’s Google Account. Start your Security Checkup

During a meeting

  • Make sure the names and faces on each tile match. Anonymous users get to choose what name they'll use for a meeting.
  • Notice bad behavior during a meeting or a user you don't recognize? Use Host Management or moderator security controls to remove people from a meeting. For details, go to Add or remove people from a Google Meet meeting.

After a meeting

  • If you need to share a meeting screenshot publicly, make sure the URL isn't visible.
Meeting ID best practices

Use long IDs 

Long IDs are more secure than short meeting IDs and harder to guess. Long IDs are automatically added to calendar events and meeting invites when you create them, and they don't expire.

Use both ID types if you're in transition

Long IDs support calendar integrations and short IDs are helpful if your system is hard to enter long codes into. 
To join a meeting with a short ID, users have to enter the ID manually. Calendar events and invites include a link where users can get the short ID. Short IDs expire a few weeks after they're last used.

Report abuse

If you believe that someone is violating the Google Meet acceptable use policies, you can report that abuse.

Related topics


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

 

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
7866137974840569896