At Google, we are fully committed to the privacy of your data. In addition to large investments in security to protect your data from external and internal threats, we also provide you with the tools you need to help meet your compliance requirements.
Certifications, Audits and Assessments
Google customers and regulators expect independent verification of our security, privacy, and compliance controls. To provide this, we undergo several independent third-party audits on a regular basis. For more information about the audits, read here.
ISO 27001 is one of the most widely recognized and accepted independent security standards. Google has earned ISO 27001 certification for the systems, technology, processes, and data centers that run Google Apps. View our ISO 27001 certificate.
ISO 27018 audits confirm that Google's data protection commitments meet a rigorous international privacy and data protection standard. These guidelines include not using your data for advertising, ensuring that your data remains yours, providing you with tools to delete and export your data, protecting your information from third-party requests, and being transparent about where your data is stored. An independent auditor has verified that Google Apps for Work complies with ISO/IEC 27018:2014. For more information, see the ISO 27018 blog post.
The American Institute of Certified Public Accountants (AICPA) SOC (Service Organization Controls) 2 and SOC 3 audit framework relies on its Trust Services Principles and Criteria for security, availability, processing integrity, and confidentiality. Google has both SOC 2 and SOC 3 reports; the SOC 2 report is the detailed one and is shared under NDA, while our SOC 3 report is a general-use summary that is available for download.
The Google Apps for Work suite of products is compliant with the requirements of the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is the U.S. government's standardized program for assessing, authorizing and continuously monitoring cloud services. Google Apps is authorized for use by federal agencies for data at the "Moderate" impact level, which covers data such as PII and Controlled Unclassified Information.
Google Apps for Work has been assessed against the UK Cloud Security Principles as appropriate for use with information classified at the UK Government "OFFICIAL" level.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS applies to any system that stores, processes or transmits cardholder data, so credit card information should be kept out of Google Apps rather than stored there persistently. Customers who need to maintain PCI DSS compliance can set a DLP policy that prevents emails containing credit card numbers from being sent from Google Apps. For Google Drive, Google Vault can be used to search and audit stored content to confirm that no credit card information is retained. Google Cloud Platform, by contrast, is compliant with PCI DSS and can be used by Google's customers to process or store credit card transactions; customers remain responsible for the PCI DSS requirements that apply to the applications they build on it.
Google Apps supports our customers' compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA), which governs the safeguarding, use and disclosure of protected health information (PHI). Customers who are subject to HIPAA and wish to use Google Apps to process or store PHI can sign a Business Associate Amendment (BAA) with Google. The amendment covers Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides and Forms), Google Sites, and Google Apps Vault; PHI should be kept out of services that the amendment does not cover.
U.S. Family Educational Rights and Privacy Act (FERPA)
More than 30 million students rely on Google Apps for Education. Google Apps for Education services can be used in compliance with FERPA (the Family Educational Rights and Privacy Act), and our commitment to this compliance is included in our agreements.
Children’s Online Privacy Protection Act of 1998 (COPPA)
Protecting children online is important to us. We contractually require Google Apps for Education schools to obtain the parental consent that COPPA requires, and our services can be used in compliance with COPPA.