Google Cloud Security and Compliance

How Google protects your data

Regulatory Compliance

Our customers have varying regulatory compliance needs and operate across regulated industries, including finance, pharmaceuticals and manufacturing.

Google contractually commits to the following:

  • Google will maintain adherence to ISO 27001, ISO 27018 and SOC 2/3 audits during the term of the agreement.
  • Defined Security Standards. Google will define how customer data is processed, stored and protected in specific, documented security standards.
  • Access to our Data Privacy Officer. Customers may contact Google’s Data Privacy Officer for questions or comments.
  • Data Portability. Administrators can export customer data in standard formats at any time during the term of the agreement. Google does not charge a fee for exporting data.

Data processing amendment

Google takes a global approach to its commitments on data processing, because Google and many of its customers operate in a global environment. Google Workspace offers a Data Processing Amendment and EU Model Contract Clauses to facilitate compliance with jurisdiction-specific laws and regulations. Your organization can opt into the data processing amendment by following the instructions in our Help Center.

EU Data Protection Directive

The Article 29 Working Party is an independent European advisory body focused on data protection and privacy. It has provided guidance on how to meet European data privacy requirements when engaging cloud computing providers. Google provides capabilities and contractual commitments designed to meet the data protection recommendations of the Article 29 Working Party.

EU model contract clauses

In 2010, the European Commission approved model contract clauses as a means of compliance with the requirements of the Directive. The effect of this decision is that by incorporating certain provisions into a contract, personal data can flow from those subject to the Directive to providers outside the EU or the European Economic Area. Google has a broad customer base in Europe. By adopting EU model contract clauses, we’re offering customers an additional option for compliance with the Directive.

U.S. Health Insurance Portability and Accountability Act (HIPAA)

Google Workspace supports our customers’ compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA), which governs the confidentiality and privacy of protected health information (PHI). Customers who are subject to HIPAA and wish to use Google Workspace with PHI must sign a business associate agreement (BAA) with Google. The BAA covers Gmail, Google Calendar, Google Drive, Google Sites and Google Vault. Additional information can be found in our HIPAA Implementation Guide.

U.S. Family Educational Rights and Privacy Act (FERPA)

More than 30 million students rely on G Suite for Education. G Suite for Education services comply with FERPA (Family Educational Rights and Privacy Act) and our commitment to do so is included in our agreements.

Children’s Online Privacy Protection Act of 1998 (COPPA)

Protecting children online is important to us. We contractually require G Suite for Education schools to obtain the parental consent that COPPA calls for before using our services, and our services can be used in compliance with COPPA.

This whitepaper applies to the following Google Workspace products:

Google Workspace, G Suite for Education, G Suite for Government, Google Workspace for Nonprofit, Drive, and G Suite Business
