FAQs for G Suite users

Have a question about using G Suite? We might just have the answer!

Security

Top security FAQs

Will my data be scanned or used for advertising?

Unlike Google's consumer offerings, which may show ads, we do not collect, scan or use your G Suite data for advertising purposes and do not display ads in G Suite, Education or Government core services. We use your data to provide the G Suite services, and for system support, such as spam filtering, virus detection, spell-checking, capacity planning, traffic routing and the ability to search for emails and files within an individual account.

Put simply, the data that companies, schools/universities and government agencies put into our G Suite services does not belong to Google. Whether it's corporate intellectual property, personal information or homework, Google does not own that data and Google does not sell that data to third parties.

How does Google keep my information secure?

Google was born in the cloud and has been built from the ground up to mitigate the unique threats for cloud systems. We make the performance and reliability used to run Google available to businesses, schools/universities and government institutions around the world.

The technology, scale and agility of our infrastructure bring unique security benefits to our customers. Our vast network of data centres is built with custom-designed servers that run our own operating system for security and performance. Because Google controls its entire hardware stack, we are able to quickly respond to threats that may emerge.

Google employs more than 550 full-time security and privacy professionals, including some of the world's foremost experts in information, application and network security. Just like all teams at Google, this team is constantly innovating and making the future more secure, not just for Google's billion users, but for the entire Internet.

It is this unique combination of people, technology and agility that ensures that your data is secure at Google. For more information, take a look at the G Suite Security Whitepaper.

Does Google meet my compliance requirements?

Google designed G Suite with very stringent privacy and security standards based on industry best practices. This helps our customers address their compliance and regulatory requirements. Google offers strong contractual commitments regarding data ownership, data use, security, transparency and accountability.

Google undergoes several independent third-party audits on a regular basis. These independent auditors examine the controls present in our data centres, infrastructure and operations. Examples of these audits and standards include:

SOC1™ (SSAE-16/ISAE-3402)
SOC2™
SOC3™
ISO 27001
ISO 27018:2014
FedRAMP

For customers that operate in regulated environments, G Suite is also compliant with HIPAA (US Health Insurance Portability and Accountability Act). G Suite for Education can be used in compliance with laws and regulations which are important to schools and universities.

My organisation is subject to EU data protection requirements. Can I use G Suite?

Yes. Google has a broad customer base in Europe. Google provides capabilities and contractual commitments for our customers that are designed specifically to help them address EU data protection requirements and the guidance provided by the Article 29 Working Party. G Suite offers EU Model Contract Clauses and a Data Processing Amendment. Additionally, G Suite has been assessed as appropriate for use with the UK government's Security Principles "OFFICIAL (including OFFICIAL-SENSITIVE)".

How does Google respond to government requests for data?

Respect for the privacy and security of data that you store with Google underpins our approach to producing data in response to legal requests. When we receive such a request, our team reviews the request to make sure that it satisfies legal requirements and Google's policies. Generally speaking, for us to produce any data, the request must be made in writing, signed by an authorised official of the requesting agency and issued under an appropriate law. If we believe that a request is overly broad, we'll seek to narrow it. For more information, visit Google's Transparency Report.

Does Google encrypt my data?

Core customer data that is uploaded or created in G Suite services is encrypted at rest, as described in the help centre article.

This encryption happens as it is written to disk, without the customer having to take any action. Google encrypts data with distinct encryption keys, even if they belong to the same customer. Data is encrypted using 128-bit or stronger Advanced Encryption Standard (AES).

Google encrypts core G Suite data while it is "in transit" as well, whether it is travelling over the Internet between the customer and Google, or moving within Google as it shifts from one data centre to another. We encrypt this data between Google and our customers using HTTPS with perfect forward secrecy.

Do you store multiple customers' information on the same server?

Yes, we store multiple customers' information on the same serving infrastructure. Customer data is stored on the same physical server; however, this does not compromise data security. This enables the high availability and low latency of our services, and means that we can implement strong, consistent security practices at scale.

Our G Suite products and storage system are designed and built from day one to offer security at scale. Customer data access is controlled by an advanced security feature stack that ensures that access rights for customer data are tightly controlled. We believe so strongly in the security of our architecture that we store our customers' data in the same manner that we store our own data, and we use G Suite to run our business, just as our customers do. By having a uniform environment that stores everyone's data, we can implement consistent security practices at scale. This also enables the high availability and low latency of our services.

Our systems are designed so that unauthorised parties cannot access your data. Your competitors can't access your data, and you can't access theirs. For more information, take a look at the Security Whitepaper.

How does Google prevent unauthorised access to my data?

Google has an outstanding track record of protecting user data. We protect this data from outside intrusions as well as insider threats. Our approach to outside threat management is extensively documented here. In addition, we tightly restrict and monitor any internal access to user data. The small set of employees with access is subject to rigorous authentication measures, detailed logging and activity scanning to detect inappropriate access via log analysis.

Do I need to use third-party tools to keep my data secure within Google?

Google offers the security features required for most customers directly in G Suite. G Suite's Business and Enterprise plans offer some additional security features, such as advanced Google Drive auditing and security keys management at scale. In all plans, G Suite administrators have full control over system configuration and applications from within a single dashboard via our Admin console – regardless of the size of the organisation.

Administrators can access advanced tools immediately, including authentication features such as 2-step verification and single sign-on, or email security policies such as secure transport (TLS) enforcement, IRM and DLP, which can be configured in a few clicks.

For customers with specific needs beyond what is included in G Suite, we've created a partner marketplace that extends our capabilities.

Is G Suite FedRAMP compliant?

Yes. G Suite, G Suite for Education, G Suite for Nonprofits, G Suite for Government and Google App Engine have received a FedRAMP Authorization to Operate (ATO) at the FIPS 199 Moderate impact level from the US federal government, which includes PII and Controlled Unclassified Information.

Federal Risk and Authorization Management Program (FedRAMP) is the required cloud security compliance standard for US federal agencies. It is a government-wide programme that helps agencies to implement cloud-based technology using a standardised approach to security, authorisation and monitoring.

Which Google services are ISO 27001 certified?

G Suite – including G Suite for Education – as well as Google Cloud Platform, Google Plus, Google Now, Google Analytics and Analytics Premium have achieved ISO 27001 certification.

ISO 27001 is one of the most widely recognised, internationally accepted independent security standards. This helps to assure our customers that Google is committed to on-going development and maintenance of a robust Information Security Management System (ISMS) and that an independent, third-party auditor will regularly audit and certify it. You can view a copy of our ISO 27001 Certificate here.

In addition to ISO 27001, Google undergoes multiple independent third-party audits to provide additional transparency and comfort about our security practices. Our audits are summarised in our summary compliance paper.
