Set up requirements and recommendations
You must be a Google Workspace super administrator for your organization to complete the steps in this guide.
Verify that your organization isn't managing email and chat message storage. If this feature is configured to automatically delete messages, it interferes with Vault retention rules. Sign in to the Admin console and change this setting to Do not delete email and chat messages automatically.
Consider enabling comprehensive message storage. Other Google products might send email on a user's behalf. This setting ensures that a copy of those messages is stored in the user's Gmail mailbox and is available to Vault. Learn more
Consider turning on Chat history for your organization. Retention rules and holds always apply to Chat spaces. However, they apply to direct messages only when history is turned on.
Consider turning on message archiving in Google Groups for Business for groups of interest. Vault can hold, retain, and search messages only in groups that have archiving is turned on. However, group owners can change this setting for their groups. If a group owner turns archiving off, the messages from that group are still available in user mailboxes.
Step 1. If needed, buy Vault licenses
Vault is included with most Google Workspace editions, but it's an add-on for some. You can buy and assign licenses to everyone (full-organization licensing) or to only a subset of people (partial-organization licensing).
Buy Vault licenses for your organization. You need a Vault license for every user that you want to be able to retain and search data for. Consult with people in your organization who understand its business and legal requirements to decide who needs a Vault license.
Assign Vault licenses to users.
Step 2. Control who can sign in to Vault
To allow users to sign in to Vault, turn on Vault for all or selected users. Learn how
This setting has no effect on which accounts can be retained, held, and searched by Vault. All user accounts with G Suite and Vault licenses can be retained, held, and searched.
This setting has no effect on which accounts can change retention rules, search for data, or perform other Vault functions. Users must have appropriate Vault privileges to work with Vault.
If you turn on Vault for everyone in your organization, the Vault icon appears in everyone’s list of apps. If your organization has set up organizational units, we recommend you restrict access to organizational units that have Vault privileges.
Step 3. (Optional) Grant Vault privileges to authorized users
Grant privileges to users who you want to create retention rules, place holds, or perform investigations. At first, only super admins can use Vault features. Learn how
Step 4. Sign in to Vault
If you recently purchased Vault or started the 30-day trial, we recommend that you wait 30–60 minutes before you sign in to Vault. If you sign in immediately after purchase, you might not be able to access all of Vault.
Go to https://vault.google.com.
Sign in with your Google Workspace username and password.
Other authorized users in your organization can sign in to Vault the same way after you give them access.
Step 5. Set your organization's default retention rules
Set retention rules to control how long data is retained before it's allowed to be purged from user accounts and all Google systems. We recommend that you consult your organization's legal team when you set up retention rules.
Before you begin, learn how retention works. The following steps describe how to set default retention rules, but you can set custom retention rules instead.
Set custom retention rules to keep data that matches specific conditions for set time. Set a default retention rule when you need to keep all data for a service for all licensed accounts in your organization for a set time. Custom retention rules override default retention rules, even when the default retention rule has a longer retention period.
- In Vault, click Retention. If Retention isn't listed, ask a Google Workspace administrator to give you Vault privileges ("Manage retention policies").
- On the Default rules tab, click a service, such as Drive or Gmail .
Choose how long to keep messages or files:
- To permanently retain data, select Indefinitely.
- To retain data for a set time, select Retention period and enter the number of days, from 1 to 36,500. The retention period is calculated based on the following start times:
- Gmail, Groups, and Chat messages—days from when the message was sent or received.
- Drive—days from when the file was either created or last modified.
- Voice—days from when the data was sent or received.
If you set a retention period, choose what to do with data after the retention period expires:
Vault immediately allows services to purge data that exceeds the retention period when you submit a new rule. This can include data users expect to keep. Do not continue to the next step until you're sure the rule is configured correctly.
- To purge only the data that users have already deleted, choose the first option.
- To purge all data, choose the second option. This rule can purge data that users expect to keep, such as messages in their Gmail inbox or files in Drive.
Click Create. If you set a retention period, Vault asks you to confirm you understand the effects of this retention rule. Check the boxes and click Accept to create the rule.
Repeat this process for all services you want to set default retention rules for.
Google Vault is now set up! Vault preserves your organization's data as specified in the retention rules you configured.
- What happens after you set default retention rules: Unless a custom rule or hold applies, data is preserved according to the default retention rule.
- What happens when a user deletes a message or file: The message or file is removed from that user's account. However, when the default retention rule or a custom rule applies, the message or file is still available in Vault for the remainder of the retention period. Deleted messages and files retained by Vault don't count against the user's storage quota.