Common questions when considering G Suite
Already a G Suite customer? Go to our support page.
How does Google keep my information secure and prevent unauthorised access to my data?
G Suite has been built from the ground up to mitigate the unique threats to cloud systems. Google's standards for performance and reliability apply to businesses, schools, universities and government institutions around the world.
The technology, scale and agility of our infrastructure bring unique security benefits to our customers. Our vast network of data centres is built with custom-designed servers that run our own operating system for security and performance. Because Google controls its entire hardware stack, we are able to quickly respond to threats that may emerge.
Google employs dedicated security professionals to work on protecting your data, including some of the world's foremost experts in computer security. Just like all teams at Google, this team is constantly innovating and making the future more secure, not just for Google's billion users, but for business organisations as well.
Google has an outstanding track record of protecting user data. We protect this data from outside intrusions as well as insider threats. In addition, we tightly restrict and monitor any internal access to user data. The small set of employees with access is subject to rigorous authentication measures, detailed logging and activity scanning to detect inappropriate access via log analysis.
It is this unique combination of people, technology and agility that ensures your data is secure at Google. For more information, take a look at the G Suite Security Whitepaper.
Does G Suite meet my compliance requirements?
Google designed G Suite with very stringent privacy and security standards based on industry best practices. This helps our customers address their compliance and regulatory requirements. Google offers strong contractual commitments regarding data ownership, data use, security, transparency and accountability.
Google undergoes several independent third-party audits on a regular basis. The independent auditors examine the controls present in our data centres, infrastructure and operations. Examples of these audits and standards include:
SOC1™ (SSAE-16/ISAE-3402), SOC2™, SOC3™, ISO 27001, ISO 27018:2014 and FedRAMP.
Learn more about our certifications at Security and Trust.
Many G Suite services are also compliant with HIPAA (US Health Insurance Portability and Accountability Act).
G Suite for Education can be used in compliance with laws and regulations which are important to schools and universities.
Is G Suite HIPAA compliant?
G Suite supports customers' compliance with the US Health Insurance Portability and Accountability Act (HIPAA), which governs the safeguarding, use and disclosure of protected health information (PHI). Customers who are subject to HIPAA and wish to use G Suite for PHI processing or storage can sign a business associate amendment with Google. View more details about HIPAA compliance with G Suite.
How does Google respond to government requests for data?
Respect for the privacy and security of data that you store with Google underpins our approach to producing data in response to legal requests. When we receive such a request, our team reviews the request to make sure that it satisfies legal requirements and Google's policies. Generally speaking, for Google to produce any data, the request must be made in writing, signed by an authorised official of the requesting agency and issued under an appropriate law. If we believe that a request is overly broad, we'll seek to narrow it. For more information, see Google's Transparency Report.
Does Google encrypt my data?
Core customer data that is uploaded or created in G Suite services is encrypted at rest, as described in this help centre article.
This encryption happens as the data is written to disk, without the customer having to take any action. Google encrypts data with distinct encryption keys, even if the data belongs to the same customer. Data is encrypted using 128-bit or stronger Advanced Encryption Standard (AES).
Google encrypts core G Suite data while it is "in transit" as well, whether it is travelling over the Internet between the customer and Google, or moving within Google as it shifts from one data centre to another. We encrypt this data between Google and our customers using HTTPS with forward secrecy.
Do I need to use third-party tools to keep my data secure within Google?
Google offers the security features required by most customers directly in G Suite. G Suite's Business and Enterprise editions offer some additional security features, such as advanced Google Drive auditing and security keys management at scale. In all plans, G Suite administrators have control over system configuration and applications from within a single dashboard via our Admin console – regardless of the size of the organisation.
Administrators can access advanced tools immediately, including authentication features such as two-step verification and single sign-on, or email security policies such as secure transport (TLS) enforcement, IRM and DLP, which can be configured in a few clicks.
For customers with security needs beyond what is included in G Suite, we've created a partner marketplace that extends our capabilities.
My organisation is subject to EU data protection requirements. Can I use G Suite?
Yes. Google has a broad customer base in Europe. Google provides capabilities and contractual commitments for our customers designed specifically to help address EU data protection requirements and the guidance provided by the Article 29 Working Party. G Suite offers EU Model Contract Clauses and a Data Processing Amendment. Additionally, G Suite has been assessed as appropriate for use with the UK government's Cloud Security Principles "OFFICIAL (including OFFICIAL-SENSITIVE)".
Contact sales if you have further questions.
Contact support if you're already a G Suite customer.