Security

Your data is logically protected as if it were on its own server. Unauthorized parties cannot access your data. Other customers cannot access your data, and you can’t access theirs. In fact, all user accounts are protected by our secure architecture that ensures that one user cannot see another user's data.

Google services provide the ability to access all data using HTTPS-encrypted tunnels. This protocol is activated by default for all users. It helps ensure that no one except the user can read their data. The mobile email client also uses encrypted access to ensure the privacy of communications. We also require encryption for access to your mail data by third-party email clients.

Yes, SSL (Secure Sockets Layer)/TLS (Transport Layer Security) connectivity is available for all Google Workspace customers and is enabled by default for new customers.

With secure transport (TLS) enforcement, administrators can require that email to or from specific domains or email addresses be encrypted with TLS. For instance, a customer organization may choose to transmit all messages to its outside legal counsel via a secure connection. If TLS isn't available at a specified domain, inbound mail will be rejected and outbound mail isn't transmitted.

The technology, scale, and agility of our infrastructure bring you unique security benefits. Our data centers are built with custom-designed servers, running our own operating system for security and performance. Google’s 700+ security engineers, including some of the world’s foremost experts, work around the clock to spot threats early and respond quickly. We get better as we learn from each incident, and even incentivize the security research community, with which we actively engage, to expose our systems’ vulnerabilities. Here are a few examples of how security and reliability are at the core of what we do:

Google’s data centers use custom hardware running a custom hardened operating system and file system. Each of these systems has been optimized for security and performance. Because Google controls the entire hardware stack, we are able to quickly respond to any threats or weaknesses that may emerge.

Google is the first major cloud provider to enable Perfect Forward Secrecy, which encrypts content as it moves between our servers and those of other companies. Many industry peers have followed suit or have committed to adopting it in the future.

Google encrypts Gmail, Attachment, and Drive data while in transit. This ensures that your messages are safe not only when they move between you and Google's servers, but also as they move between Google's data centers.

To protect against cryptanalytic advances, in 2013, Google doubled the length of our RSA encryption keys to 2048 bits and we change the keys every few weeks.

Google’s customers and regulators expect independent verification of our security, privacy, and compliance controls. In order to provide this, we undergo several independent third-party audits on a regular basis. For each one, an independent auditor examines our data centers, infrastructure, and operations.

Google Workspace and Google Cloud Platform undergo SOC1^™, SOC2^™, and SOC3^™ audits, by the American Institute of Certified Public Accountants (AICPA) and certification for ISO/IEC 27001, 27017, and 27018. This means that an independent auditor has examined the controls protecting the data in our systems (including logical security, privacy, and data center security), and assured that these controls are in place and operating effectively.

Yes. Google values the cutting-edge external contributions that can help keep our users safe, so we maintain a Vulnerability Reward Program for Google-owned web properties. Your organization can sign up for this program. Google was the first major cloud provider to offer a program of this type. Learn more about this program

Yes. Data is encrypted at several levels. Google forces HTTPS (Hypertext Transfer Protocol Secure) for all transmissions between users and Google Workspace services and uses Perfect Forward Secrecy (PFS) for all its services. Google also encrypts message transmissions with other mail servers using 256-bit Transport Layer Security (TLS) and utilizes 2048 RSA encryption keys for the validation and key exchange phases. This protects message communications when client users send and receive emails with external parties also using TLS.

PFS requires that the private keys for a connection are not kept in persistent storage. Anyone who breaks a single key can no longer decrypt months’ worth of connections; in fact, not even the server operator is able to retroactively decrypt HTTPS sessions.

Google is constantly working to extend and strengthen encryption across more services and links.

Customer data that is uploaded or created in Google Workspace services is encrypted at rest, as described in the list below. We have also enabled HTTPS for all of our Google Workspace services so that your data is encrypted when traveling from your device to Google and also while in transit between Google data centers. The list below details what type of data is encrypted for each Google Workspace service:

• Gmail—Messages and attachments.
• Calendar—Events and descriptions of events.
• Classroom—Classes and all related information.
• Drive—Files in Drive and all file metadata (e.g. titles and comments.)
• Docs—Content authored by the owner or collaborators of the document, except content embedded into the document that is hosted on other Google products not referenced in this list, for example, YouTube.
• Sheets (including Forms)—Content authored by the owner or collaborators of the spreadsheets, except content embedded into the spreadsheets that is hosted on other Google products not referenced in this list, for example, YouTube.
• Slides—Content authored by the owner or collaborators of the presentation, except content embedded in the presentation that is hosted on other Google products not referenced in this list, for example, YouTube.
• Talk—Archived "on the record" conversations.
• Hangouts chat—Archived "on the record" conversations. "Off the record" chats are not kept, hence encryption at rest is not applicable.
• Sites—Content authored by the owners or collaborators of the site; except (i) content embedded into the site that is hosted on other Google products not referenced in this list, for example, YouTube; (ii) content embedded into the site that remains hosted on other third-party websites, via Sites, Gadgets or image hotlinking.
• Contacts—Content of end users’ address books.
• Groups—Group message archives.
• Vault—Content created by Vault administrators is encrypted; saved queries, audit logs are encrypted. Vault’s exports of Gmail, messages and attachments, Talk conversations, Hangouts chat, and Drive files (except video content) are also encrypted.
• Keep—Content authored by the owner or collaborators of the note or list.