As part of Google's long-term commitment to security and transparency, you can use Access Transparency to review logs of actions taken by Google staff when accessing user content. User-generated content is text entered into gmail, docs, sheets, slides, and other apps.
What’s in Access Transparency logs?
Access Transparency logs include data about Google staff activity, including:
- Actions by the Support team that you may have requested by phone.
- Lower-level engineering investigations into your support requests.
- Other investigations made for valid business purposes, such as recovering from an outage.
Access Transparency use cases
There are a variety of reasons why you might use Access Transparency. Some examples include:
- Verify that Google is accessing your data for valid business reasons, such as fixing a problem or responding to a request.
- Verify that Google staff are correctly addressing a request.
- Collect and analyze tracked access events through an automated security information and event management (SIEM) tool.
G Suite services that write Access Transparency logs
The table below lists the G Suite services that write Access Transparency logs. GA indicates that a log type is generally available for a service. Beta indicates that a log type is available, but might be changed in backward-incompatible ways and isn't subject to any SLA or deprecation policy.
Access Transparency logs are produced by the following products:
|Products with Access Transparency support||Availability|
|Services supporting Access Transparency products||Availability|
|Search and Intelligence||GA|
|Rare Access Storage and Indices||Beta|
Access Transparency logs aren’t available for any G Suite editions, products or services not explicitly stated above. Third-party data indexing, YouTube, video, images, migration and emergency access to support quality of service are also excluded.
When is an Access Transparency log entry created?
An Access Transparency supported service writes a log entry when people at Google access user content that was created using the supported service. For example, a log entry is created if a Support engineer is helping to fix a Calendar problem.
A log entry isn’t written when:
- A user grants a Google staff person permission to access the data via doc sharing.
- Google is legally prohibited from notifying you of the access.
- The data in question is a public resource identifier, such as a file identification number.
- A system job accesses the data. For example, a compression job that runs on the data or machine learning functions. (In this case, Google uses an internal version of Binary Authorization to check that system code running on Access Transparency supported services is reviewed by a second party.)