Google Meet security & privacy for admins

This article is for G Suite administrators. To find information for users, go to the Meet help center.
For details about security for G Suite for Education, go to Meet security and privacy for education.

Google Meet has many features to help protect your data and safeguard your privacy.

Open all   |   Close all

Privacy & compliance

There are several ways Google helps protects your privacy: by keeping you in control, by maintaining and continually evolving security features, and by complying with data protection laws and other industry standards. This lets you take advantage of Meet:

  • Control over your dataMeet adheres to the same robust privacy commitments and data protections as the rest of Google Cloud’s enterprise services. Learn more about privacy.
    • Customers own their data, not Google.
    • Google does not use customer data for advertising or sell customer data to third parties.
    • Customer data is encrypted in transit and customer recordings stored in Google Drive are encrypted at rest by default.
    • Meet does not have user attention-tracking features or software.
    • You can set retention policies for Meet recordings with Google Vault to help fulfill legal obligations.
  • Compliance—Our products, including Meet, regularly undergo independent verification of their security, privacy, and compliance controls. We consistently achieve certifications, attestations of compliance, or audit reports against global standards. We’ve also created resource documents and mappings against frameworks and laws where formal certifications or attestations might not be required or applied. Learn more about compliance.

    Our global list of compliance offerings for Meet include:
  • TransparencyWe follow a rigid process for responding to any government requests for customer data. We also disclose information about the number and type of requests we receive from governments through our Google Transparency Report. Learn more about transparency.
Encryption

To help ensure data security and privacy, Meet supports the following encryption measures:

  • All data in Meet is encrypted in transit by default between the client and Google for video meetings on a web browser, on the Meet Android and Apple® iOS® apps, and in meeting rooms with Google meeting room hardware.
  • If you join a video meeting by phone, the audio uses the telephone carrier’s network and might not be encrypted.
  • Meet recordings stored in Google Drive are encrypted at rest by default.
  • Meet adheres to Internet Engineering Task Force (IETF) security standards for Datagram Transport Layer Security (DTLS) and Secure Real-time Transport Protocol (SRTP). Learn more about DTLS.
Anti-abuse measures

Meet employs a vast array of anti-abuse measures to keep your video meetings safe. These include anti-hijacking controls for both web video meetings and telephony dial-ins. Here are some of the key anti-abuse measures we have in place:

Web browser or apps

  • Meeting codes—Each meeting code is 10 characters long, with 25 characters in the set. This makes it harder to brute force “guess” meeting codes.
  • Meeting details—Can be changed in the invite. Completely changing the video meeting invite changes both the meeting code and the phone PIN. This is especially useful if a user is no longer part of the meeting invite.
  • Joining a meeting—The following restrictions apply when people join a video meeting:
    • External participants can join directly, only if they are on the calendar invite or if they've been invited by in-domain participants from within the Meet session.
    • Any other external participants must request to join the meeting, which must be accepted by a member of the host organization.
    • We limit the ability of external participants to join the meeting more than 15 minutes in advance. Within this time, external participants on the calendar invite can join the meeting directly.
    • Additional features, such as the ability of an in-domain participant to remove an attendee from a meeting, gives in-domain participants more control over handling undesirable behavior during meetings. For more information on attendees, go to the audit records and Meet quality tool.

Telephony

  • Meeting PINs—PINs are generally 9 digits or more.
  • Meeting details—Phone number + PIN combinations are invalid outside the scheduled meeting time.
  • Joining a meetingPhone participants may not join unless it's within 15 minutes of the scheduled meeting time.
Secure deployment, access & controls

Meet offers multiple precautions to keep your data private and secure:

  • Accessing Meet—For users on Chrome, Mozilla® Firefox®, Apple Safari®, and the new Microsoft® Edge® browsers, we don't require any plugins or software to be installed. Meet works entirely in the browser. This limits the attack surface for Meet and the need to push out frequent security patches on end-user machines. On mobile devices, we recommend you install the Google Meet app from Google Play (Android) or the App Store (iOS). Learn more about accessing Google Meet.
  • 2-Step Verification—We support multiple 2 Step Verification (2SV) options for Meet: security keys, Google Authenticator, Google prompt, and SMS text message.
  • Advanced Protection ProgramMeet users can enroll in Google’s Advanced Protection Program (APP). APP provides our strongest protections available against phishing and account hijacking, is specifically designed for the highest-risk accounts, and we’ve yet to see people successfully phished if they participate in APP, even if they are repeatedly targeted. Learn more about advanced protection.
  • Additional authentication methods—Single sign-on (SSO) via SAML is available for Meet in all G Suite editions and Google’s multi-factor authentication (MFA) stack can be used when using the corporate identity provider.
  • Logs—Audit logging for Meet is available within the Admin console for G Suite Enterprise. Learn more about Google Meet audit logs.
  • Log accessWe offer Access Transparency, a feature which logs any Google admin access to Meet recordings stored in Drive, along with the reason why that access happened. Access Transparency is offered as part of G Suite Enterprise. Learn more about Access Transparency.
  • RecordingsThe G Suite data regions feature can be used to store Meet recordings in Drive only in specific regions (for example, the US or Europe). Regional storage limitations do not apply to video transcodes, processing, indexing, etc.
Incident response

Incident management is a major aspect of Google’s overall security and privacy program and is key to complying with global privacy regulations such as GDPR. We have stringent processes in place around incident prevention, detection and response. Learn more about the incident management.

Incident prevention

  • Automated network and system logs analysis—Automated analysis of network traffic and system access helps identify suspicious, abusive, or unauthorized activity and are escalated to Google’s security staff.
  • Testing—Google’s security team actively scans for security threats using penetration tests, quality assurance (QA) measures, intrusion detection, and software security reviews.
  • Internal code reviews—Source code review discovers hidden vulnerabilities, design flaws, and verifies if key security controls are implemented.
  • Google’s vulnerability reward program—Potential technical vulnerabilities in Google-owned browser extensions, mobile, and web applications that might affect the confidentiality or integrity of user data are sometimes reported by external security researchers.

Incident detection

  • Product-specific tooling and processes—Automated tooling is employed wherever possible to enhance Google’s ability to detect incidents at the product level.
  • Usage anomaly detection—Google employs many layers of machine learning systems to differentiate between safe and anomalous user activity across browsers, devices, application logins, and other usage events.
  • Data center and / or workplace services security alerts—Security alerts in data centers scan for incidents that might affect the company’s infrastructure.

Incident response

  • Security incidents—Google operates a world-class incident response program that delivers these key functions:
    • Pioneering monitoring systems, data analytics, and machine learning services to proactively detect and contain incidents.
    • Dedicated subject matter experts deployed to respond to any type or size of data incident.
    • A mature process for promptly notifying affected customers, in line with Google’s commitments in our Terms of service and customer agreements.
Safety best practices
Establishing a trusted meeting space is important to create a safe experience for all attendees. 
  • Be mindful when sharing meeting links in public forums. 
  • If a meeting screenshot needs to be shared publicly, make sure the URL, located in the address bar of the browser, is removed from the screenshot. 
  • Consider using Google Calendar to send Meet invites for private meetings with a trusted group of participants. Learn about using Meet with Calendar.
  • Be sure to vet and only accept new attendees that you recognize before allowing them to enter a meeting.
  • If you notice disruptive behavior during a meeting, use moderator security controls such as removing or muting a participant
  • Turn on 2-Step Verification to help prevent account takeovers, even if someone obtained your password. Learn how to make your account more secure.
  • Consider enrolling in the Advanced Protection Programthe strongest set of protections Google has against phishing and account hijacking. Learn more about the Advanced Protection Program.
  • Take the Google Security Checkup. We built this step-by-step tool to give you personalized and actionable security recommendations to help you strengthen the security of your Google Account. Start the Google Security Checkup.

Related topics

Was this helpful?
How can we improve it?