Data security, transparency and privacy
Google works hard to earn and maintain your trust by processing your data in a secure, reliable and compliant environment.
Millions of businesses use G Suite and 58% of the Fortune 500 are actively using a paid, enterprise product from Google. G Suite has a large international customer base representing over 50% of our business customers. Our customers have varying regulatory needs; G Suite helps to address these diverse requirements by providing robust security, compliance and data protection capabilities. Google has industry-leading knowledge and expertise in building secure cloud infrastructure and applications at scale. While many providers can make these assertions, we believe that security and privacy must be seen and understood by our customers, and not be something that's just done behind the scenes.
Trust begins with understanding. Understanding requires transparency.
We welcome the opportunity to introduce you to our products and in particular, we invite you to review our detailed documentation, audit reports and certifications.
It's your data
Good privacy requires strong security. We've spent years developing an advanced, security-focused infrastructure to keep your information safe.
It's your data. G Suite customers own their data, not Google. The data that companies, schools/universities and students put into our systems is theirs. Google does not sell your data to third parties. Google offers our customers a detailed Data Processing Amendment that describes our commitment to protecting your data. For example, under the Data Processing Amendment, Google will process your data only for the purposes specified in your agreement. Furthermore, we are committed to deleting data from our systems within 180 days of you deleting it in our services. Finally, we provide tools to make it easy for you to take your data with you if you choose to stop using our services altogether, without any penalty or additional cost being imposed by Google.
There is no advertising in G Suite Services. Google does not collect or use data in G Suite Services for advertising purposes.
Security and privacy controls
G Suite security and privacy controls can be fine-tuned by your organisation's administrator. For example, G Suite administrators can set a policy determining whether users can share their Google Drive documents outside your organisation or access documents created outside your organisation. Administrators can require multi-factor authentication and enforce the implementation of Security Keys. Administrators can also elect to receive notifications when anomalous events occur, such as suspicious login attempts, or service setting changes by other administrators.
A secure and reliable infrastructure
We work exceptionally hard to keep your information safe. Google employs more than 650 full-time professionals working to protect your data, including some of the world's foremost experts in computer security.
Google invests millions of dollars in our technology and bakes security protections into our products. Here are a few examples of how security and reliability are at the core of what we do:
- Google runs its data centres using custom hardware, running a custom operating system and file system. Each of these systems has been optimised for security and performance. As Google controls the hardware stack, we are able to respond quickly to any threats or weaknesses that may emerge.
- Google's application and network architecture is designed for maximum reliability and uptime. Data is distributed across Google's servers and data centres. If a machine fails, or even an entire data centre, your data will still be accessible. Google owns and operates data centres around the world to keep the services that you use running 24 hours a day, 7 days a week.
- G Suite offers a 99.9% service level agreement, and in recent years, we've exceeded this promise; most recently, Gmail achieved 99.978% availability in 2013. Furthermore, G Suite has no scheduled downtime or maintenance windows. Unlike most providers, we do not plan for our applications to be unavailable, even when we're upgrading our services or maintaining our systems.
- Google products are scrutinised by privacy, security and compliance specialists throughout the product life cycle. This helps ensure that data is handled appropriately and no unwarranted access is allowed or possible.
- In addition, we publish real-time availability status dashboards to our customers.
- Google is constantly working to extend and strengthen encryption across more services and links.
Keeping ahead of the security curve
Security has always been a top priority for Google. Here are a few ways that we're setting new standards in security:
- Google was the first major cloud provider to enable perfect forward secrecy on its TLS connections. With forward secrecy, each session is protected by an ephemeral key that is discarded afterwards, so traffic recorded as it moves between our servers and those of other companies cannot be decrypted later, even if a long-term private key is compromised. Many industry peers have followed suit or have committed to adopting this in the future.
- Every single email message that you send or receive – 100% of them – is encrypted while moving internally. This ensures that your messages are protected not only when they move between you and Gmail's servers, but also as they move between Google's data centres. We were also the first to let users know when a message was sent to or received from another provider without transport encryption, with the introduction of our TLS indicator.
- To protect against cryptanalytic advances, last year Google doubled the length of our RSA keys from 1024 to 2048 bits, and we rotate them every few weeks, raising the bar for the rest of the industry.
- Google has long enjoyed a close relationship with the security research community. To honour all the cutting-edge external contributions that help Google keep our users safe, we maintain a Vulnerability Reward Programme for Google-owned web properties. Google was the first major cloud provider to offer a programme of this type.
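A practical check for the forward-secrecy property described above, as an added example (this is not code from the page or from Google): using only the Python standard-library ssl module, it builds a client context that accepts ephemeral (ECDHE/DHE) key exchange only and flags any suite whose static-RSA key exchange would let a recorded session be decrypted later with the server's long-term key. The SAMPLE_CIPHERS entries are constructed here to mirror the shape of SSLContext.get_ciphers() output; the function names (pfs_only_context, non_forward_secret) are the example's own.

```python
import ssl

# Key-exchange identifiers as reported in the 'kea' field of
# ssl.SSLContext.get_ciphers() (they are OpenSSL's object names).
# Only ephemeral (EC)DH exchanges give forward secrecy; 'kx-any' is what
# OpenSSL reports for TLS 1.3 suites, which are forward secret by design.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def is_forward_secret(cipher: dict) -> bool:
    """True if a get_ciphers()-style entry uses an ephemeral key exchange."""
    return cipher.get("kea") in FORWARD_SECRET_KX


def non_forward_secret(ciphers) -> list:
    """Names of suites (e.g. static RSA key transport) for which a captured
    session could be decrypted later if the server's private key leaked."""
    return [c["name"] for c in ciphers if not is_forward_secret(c)]


def pfs_only_context() -> ssl.SSLContext:
    """Client context restricted to TLS 1.2+ and ephemeral key exchange.

    The cipher string only governs TLS 1.2 suites; TLS 1.3 suites are
    negotiated separately and are always forward secret. !aNULL/!eNULL
    exclude anonymous and unencrypted suites that 'DHE'/'ECDHE' alone
    would otherwise admit.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL"
    )
    return ctx


# Constructed sample (not real get_ciphers() output) with the same keys as a
# get_ciphers() entry: one static-RSA suite that a forward-secrecy policy
# must reject, one ECDHE suite, and one TLS 1.3 suite.
SAMPLE_CIPHERS = [
    {"name": "AES128-SHA", "protocol": "TLSv1.0",
     "kea": "kx-rsa", "auth": "auth-rsa"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "kea": "kx-ecdhe", "auth": "auth-rsa"},
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3",
     "kea": "kx-any", "auth": "auth-any"},
]


if __name__ == "__main__":
    print("sample entries lacking forward secrecy:",
          non_forward_secret(SAMPLE_CIPHERS))
    ctx = pfs_only_context()
    print("hardened context entries lacking forward secrecy:",
          non_forward_secret(ctx.get_ciphers()))
```

Run the same `non_forward_secret` over `ssl.create_default_context().get_ciphers()` (or a server-side context) to audit an existing configuration; any name it returns is a suite to drop from the cipher string.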
At Google we work to continually meet rigorous privacy and compliance standards so that your users can rest easy knowing that their data is safe, private and secure.
Our customers and regulators expect independent verification of security, privacy and compliance controls. Google undergoes several independent third-party audits on a regular basis to provide this assurance.
This means that an independent auditor has examined the controls present in our data centres, infrastructure and operations. Google has annual audits for the following standards:
- ISO 27001: One of the most widely recognised, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes and data centres serving G Suite.
- ISO 27017: An international standard of practice for information security controls based on ISO/IEC 27002 specifically for cloud services.
- ISO 27018: An international standard of practice for protection of personally identifiable information (PII) in public cloud services.
- SSAE16 (SOC 1)/ISAE 3402 Type II: An audit framework to attest to controls at a service organisation in support of internal controls over financial reporting.
- SOC 2 and SOC 3: Audit frameworks for trust services principles that include security, availability, processing integrity and confidentiality.
- FedRAMP: A government-wide programme that provides a standardised approach to security assessment, authorisation and continuous monitoring for cloud products and services. Google maintains a FedRAMP Authorisation to Operate (ATO) for G Suite and App Engine.
Google's third-party audit approach is designed to be comprehensive in order to provide assurances of Google's level of information security with regard to confidentiality, integrity and availability. Customers may use these third-party audits to assess how Google's products can meet their compliance and data-processing needs.
EU Data Privacy and Model Contract Clauses
The Article 29 Working Party is an independent European advisory body focused on data protection and privacy. They have provided guidance on how to meet European data privacy requirements when engaging with cloud computing providers.
Google has a broad customer base in Europe. As previously stated, over 50% of our business customers are based outside the United States. Our clients operate across regulated industries, including finance, pharmaceuticals and manufacturing. Google provides capabilities and contractual commitments created to meet data protection recommendations provided by the Article 29 Working Party. Google offers EU Model Contract Clauses and a Data Processing Amendment. In addition to other privacy and security protections, Google will contractually commit to:
- Privacy Shield. Google maintains compliance with Privacy Shield during the term of the agreement;
- Data Portability. Administrators can export customer data in standard formats at any time during the term of the agreement. Google does not charge a fee for exporting data;
- Google maintains adherence to EU Model Contract Clauses, our Data Processing Amendment and Sub-processor Disclosure.
Our representatives in Europe and all over the world are standing by to help answer any other questions that you might have.
US Healthcare Information Privacy obligations, HIPAA
G Suite supports our customers' compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Customers who are subject to HIPAA and wish to use G Suite with Protected Health Information (PHI) must sign a Business Associate Agreement (BAA) with Google. Administrators for G Suite, G Suite for Education and G Suite for Government domains can request a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides and Forms), Google Vault and Google Sites services.
US Family Educational Rights and Privacy obligations, FERPA
More than 40 million students rely on G Suite for Education. G Suite for Education complies with FERPA (Family Educational Rights and Privacy Act) and our commitment to doing so is included in our agreements.
Children's Online Privacy Protection Act of 1998, COPPA
Protecting children online is important to us. We contractually require G Suite for Education schools to obtain the parental consent that COPPA calls for to use our services, and our services can be used in compliance with COPPA.
Federal Risk and Authorization Management Program, FedRAMP
G Suite products are compliant with the requirements of the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is the cloud security standard of the US government; it uses a "do once, use many times" framework that is intended to expedite US government agency security assessments and help agencies move to secure cloud solutions. G Suite is authorised for use by federal agencies for data with a "Moderate" impact level, such as PII and Controlled Unclassified Information.
G Suite has also been assessed as appropriate for use with information classified "OFFICIAL" under the UK government's Cloud Security Principles.
Google continues to push for greater transparency
We shine a light on how governments and other parties affect your security and privacy online because you deserve to know. Google has a strong track record of informing customers of third-party data requests, in addition to having a transparent process on how these requests are handled. We were the first to publish a transparency report in 2010, and we now publish information about all types of legal process that we receive, including process issued under national security authorities. Along with our industry peers, we've also called upon governments to provide greater transparency and accountability regarding surveillance of individuals and access to their information.
Respect for the privacy and security of data that you store with Google underpins our approach to complying with legal requests for user data. Our legal team reviews each and every government request for user data to make sure that it satisfies legal requirements and Google's policies, and we push back when the requests are overly broad or don't follow the correct process. We do this frequently – for instance when we persuaded a court to drastically limit a US government request for two months of user search queries. When we are legally required to comply with these requests, we deliver that information to the authorities. Google notifies users about legal demands when appropriate, unless prohibited by law or court order, and we have published aggregate statistics about government requests for user information in our Transparency Report going back to 2009.