Compliance

We are proud to comply with regulations across the world and across various sensitive sectors of activity such as healthcare and education. You can use our services with confidence that Google provides the tools and protections you need to meet your compliance requirements.

In order to help answer some of the many questions we receive, we have created this FAQ and a corresponding Google Apps security site. We hope this helps to answer some of your questions about Google's position on these important issues! Be sure to check Google's Privacy and Terms page for more consumer tools and information relating to consumer privacy.

If you need to report an abuse issue, learn more about reporting abuse issues to our team.

How can I verify Google Apps’ and Google Cloud Platform’s security?

Our customers and regulators expect independent verification of security, privacy and compliance controls. Google undergoes several independent third-party audits on a regular basis to provide this assurance. This means that an independent auditor has examined the controls present in our data centers, infrastructure and operations. Google solutions are regularly audited against the following standards:

SOC 1 (SSAE-16/ISAE-3402): Google Apps, Google Compute Engine, Google Cloud Storage, Google App Engine

SOC 2: Google Apps, Google Compute Engine, Google Cloud Storage, Google App Engine

SOC 3: Google Apps, Google Compute Engine, Google Cloud Storage, Google App Engine

ISO 27001: Google Apps, Google Compute Engine, Google Cloud Storage, Google App Engine, Google Datastore, Google BigQuery, Google Cloud SQL

HIPAA: Google Apps, Google Compute Engine, Google Cloud Storage, Google BigQuery, Google Cloud SQL

FISMA: Google App Engine, Google Apps for Government

Can I obtain a copy of these certificates and audit reports? Where can I download the SOC 3 audit report? Where can I see Google's ISO 27001 certificate?

The SOC 3 Seal of Assurance is published on a certified site and signifies that our controls have been examined by an independent accountant. It represents the practitioner's report on management's assertion that the business being relied upon conforms to the applicable Trust Services Principles and Criteria. The full SOC 3 audit report is also available for download on this certified site. The more extensive SOC 2 report can be obtained under NDA.

The ISO 27001 certificate shows that the functional scope of this ISO/IEC 27001:2005 certification covers the Google Apps for Business (and Google Apps for Education), Google Cloud Platform, Google Helpouts, Google Plus, Google Now, Google Analytics and Analytics Premium offerings, together with the data contained in or collected by those offerings and the specified facilities.

How does Google adhere to European data protection requirements?

Google has a broad customer base in Europe. Over 50% of our business customers are based outside of the United States. Google provides capabilities and contractual commitments created to meet data protection recommendations provided by the Article 29 Working Party. Google offers to sign EU Model Contract Clauses and a Data Processing Amendment. It is a participant in the U.S.-EU Safe Harbor Framework. Along with independent third-party audits of our data protection practices and our ISO 27001 certification, these provide our customers with several compliance options to address EU data protection regulations.

Don’t EU data protection laws require that personal data be stored in the EU/EEA?

The European Commission’s Data Protection Directive is an important piece of privacy legislation passed by the European Union (EU) in 1995. It restricts the movement of data from the EU to non-EU countries that do not meet the EU’s “adequacy” standard for privacy protection. Processing personal data strictly within the EU is one means of compliance with the Directive. Other means of compliance don’t require data location within the EU, such as participation in the U.S.-EU Safe Harbor Framework or the use of European Commission-approved model contract clauses.


What about the U.S. government? Won’t storing data outside of the U.S. mean it won’t be subject to U.S. government requests for data?

Storing your data in a particular country does not necessarily protect the data from access by foreign governments. Location of data in one jurisdiction doesn't necessarily mean that another can't compel its disclosure. Moreover, there are reports of government attempts to directly tap cable lines between data centers in multiple locations around the world. That's why we are advocating for surveillance reform. We refuse to provide governments with access to our systems or to install equipment that gives them access to user data. For more information, please visit Google’s Transparency Report.


Where does Google store my data?

Your data will be stored in Google's network of data centers. Google maintains a number of geographically distributed data centers. Google's computing clusters are designed with resiliency and redundancy in mind, eliminating any single point of failure and minimizing the impact of common equipment failures and environmental risks.


Can I store healthcare data in Google systems?

Google Apps supports our customers’ compliance with the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA). Customers who are subject to HIPAA and wish to use Google Apps with Protected Health Information (PHI) must sign a Business Associate Agreement (BAA) with Google. Administrators for Google Apps for Business, Education and Government domains can request a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive and Google Apps Vault. Google Cloud Platform customers can get a BAA for Compute Engine, Cloud Storage, Cloud SQL, and BigQuery.

Do Google products meet privacy requirements for use by students and children?

More than 30 million students rely on Google Apps for Education. Google Apps for Education complies with the U.S. Family Educational Rights and Privacy Act (FERPA), and our commitment to do so is included in our agreements. We contractually require Google Apps for Education schools to obtain parental consent regarding the use of our service in conformity with the U.S. Child Online Privacy Protection Act (COPPA), which facilitates compliance with COPPA requirements.

Can Google be used by U.S. government institutions?

The Federal Information Security Management Act of 2002 (FISMA) is a U.S. federal law pertaining to the information security of federal agencies' information systems. Google Apps and Google App Engine have received an authorization to operate at the FISMA-Moderate level—the standard level for federal email systems—from the U.S. federal government. Hundreds of U.S. federal, state and local government agencies are using Google Apps for Government, including the U.S. General Services Administration (GSA), which has migrated over 17,000 employees and contractors to Google Apps for Government.

My organization handles PCI DSS data. What tools are available to help me remain compliant?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and technical requirements defined for systems that contain or process credit card information. Google Apps is not meant to process or store credit card transactions. Instead, customers may configure controls that prevent emails containing credit card information from being sent from Google Apps, which helps them maintain PCI DSS compliance. For Google Drive, Vault can be configured to run audits and confirm that no credit card information is stored.

What eDiscovery tools are available for my organization to support legal & compliance requests?

Google Vault is an add-on for Google Apps that lets you retain, archive, search, and export your organization's email for your eDiscovery and compliance needs. Vault is entirely web-based, so there's no need to install or maintain any software. With Google Apps Vault, you can:

Search your domain's email data

Place user accounts (and related data) on litigation hold to preserve email data

Manage related searches and litigation holds under a single container, called a matter

Share matters among authorized users

Export search results in standard file formats

Save your search queries

Set email retention policies for your domain

Can I use Google services with data controlled under the International Traffic in Arms Regulations (ITAR)?

ITAR is a set of United States government regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML). Google does not support use of our services with ITAR-controlled data.