Google Workspace security and trust

Protecting your data is our meridian priority.

Overview

Leading with a security-beginning mindset.

Google started in the cloud and runs on the cloud, then it's no surprise that we fully understand the security implications of powering your business concern in the cloud. Because Google and our enterprise services run on the same infrastructure, your organization will benefit from the protections we've built and utilise everyday. Our robust global infrastructure, along with dedicated security professionals and our drive to introduce, enables Google to stay alee of the curve and offer a highly secure, reliable, and compliant environment.

Trusted by the world's leading organizations

Cut-edge cloud security.

Google has manufacture-leading knowledge and expertise building secure deject infrastructure and applications at scale. While many providers can make these assertions, we believe security and privacy must be seen and understood by our customers, not just done behind the scenes.

  • Data Centers

    Superlative-notch data eye security

    Security and information protection are cardinal to the design of Google's data centers. Our concrete security model includes safeguards similar custom electronic admission cards, perimeter fencing, and metal detectors. We likewise use cutting-border tools like biometrics and laser-based intrusion detection to make physical breaches a "mission impossible" scenario for would-be attackers. Run across inside a Google information center.

    One of our data centers in Douglas County, Georgia.
    One of our information centers in Douglas County, Georgia.

  • Hardware

    Hardware designed for operation

    Google runs its data centers using custom designed hardware with a hardened operating organisation and file arrangement. Each of these systems is optimized for security and performance. Since Google controls the hardware stack, nosotros tin quickly respond to any threats or weaknesses that may emerge.

    Denise Harwood diagnoses an overheated CPU. For more than a decade, we have built some of the world's most efficient servers.
    Denise Harwood diagnoses an overheated CPU. For more than a decade, nosotros have congenital some of the world's well-nigh efficient servers.

  • Infrastructure

    A resilient, highly reliable network

    Google's application and network architecture is designed for maximum reliability and uptime. Because information is distributed across Google'south servers and information centers, your information volition still be accessible if a machine fails – or even if an entire data centre goes down. Google owns and operates data centers around the world to keep the services y'all use running 24 hours a mean solar day, every day of the year. Our integrated approach to infrastructure security works in concert across multiple layers: hardware infrastructure, service deployment, user identity, storage, Internet communication, and operations security. Acquire more in our Infrastructure Security Design Whitepaper.

    Nordine is a Facility Technician in charge of the backup generators for our Belgium-based data center. He makes sure the data center keeps running even if the power goes out.
    Nordine is a Facility Technician in charge of the backup generators for our Belgium-based data center. He makes sure the data heart keeps running even if the ability goes out.

  • Encryption

    Data encryption at every pace

    Google'southward individual, global, software-defined network provides more than flexibility, control, and security than whatsoever cloud service provider. Our network connects multiple data centers using our own fiber, public fiber, and undersea cables. This allows u.s. to deliver identical, highly available, low-latency services to Google Workspace customers beyond the earth, and limits exposure of customer data to the public Net, where it may exist field of study to intercept. Google Workspace customers' data is encrypted when it's on a disk, stored on fill-in media, moving over the Internet, or traveling between data centers. Encryption is an important piece of the Google Workspace security strategy, helping to protect your emails, chats, Google Drive files, and other information.

    Go additional details on how data is protected at rest, in transit, and on backup media, as well every bit information on encryption primal management in the Google Workspace Encryption Whitepaper.

    The fiber optic networks connecting our sites can run at speeds that are more than 200,000 times faster than a typical home Internet connection.
    The fiber optic networks connecting our sites can run at speeds that are more than than 200,000 times faster than a typical home Cyberspace connection.

Promoting a culture of security.

Promoting a culture of security.

At Google, all employees are required to think "security first." Google employs many full-time security and privacy professionals, including some of the world's leading experts in data, application, and network security. To ensure Google stays protected, we incorporate security into our entire software evolution process. This tin include having security professionals clarify proposed architectures and perform lawmaking reviews to uncover security vulnerabilities and meliorate understand the different set on models for a new production or feature. When situations practice arise, our dedicated Google Workspace Incident Management Team is committed to ensuring incidents are addressed with minimal disruption to our customers through rapid response, analysis, and remediation.

Contributing to the community.

Contributing to the community.

Google's research and outreach activities protect the wider community of Cyberspace users – beyond merely those who choose our solutions. Our full-fourth dimension team known as Project Zip aims to discover high-bear on vulnerabilities in widely used products from Google and other vendors. Nosotros commit to doing our piece of work transparently and to directly study bugs to software vendors – without involving third parties.

Staying ahead of the security bend.

Security has always been a top priority for Google. Hither are a few means nosotros've set the bar higher:

enhanced_encryption

Perfect forward secrecy

Google is the first major cloud provider to enable perfect forward secrecy, which encrypts content as information technology moves between our servers and those of other companies. With perfect forward secrecy individual keys for a connection are imperceptible, which in turn prevents retroactive decryption of HTTPS sessions past an antagonist or even the server operator. Many manufacture peers have followed suit or committed to adoption in the hereafter.

stacked_email

100% email encryption

Every single electronic mail message you ship or receive – 100% of them – is encrypted while moving between Google'due south data centers. This ensures that your messages are safe not only when they move between your devices and Gmail'southward servers, just also equally they move internally within Google. Nosotros were also the get-go to let users know when their e-mail was sent insecurely across providers with the introduction of our TLS indicator.

vpn_key

Strengthening encryption

To protect against cryptanalytic advances, in 2013 Google doubled its RSA encryption key length to 2048 bits and started irresolute them every few weeks, raising the bar for the rest of the industry.

Product Security Innovation

Data protection you tin trust and tailor.

Google Workspace offers administrators enterprise control over system configuration and application settings – all in a dashboard that you can apply to streamline authentication, asset protection, and operational control. Utilise integrated Cloud Identity features to manage users and enforce multi-factor authentication and security keys for added protection. You can choose the Google Workspace edition that all-time meets your organization'due south security needs.

Product Security Innovation

Admission and hallmark

Data protection you can trust and tailor. video_youtube

The Security Fundamental protects yous and your Google Workspace users from phishing attacks.

Potent authentication

2-pace verification profoundly reduces the gamble of unauthorized access by asking users for additional proof of identity when signing in. Our security key enforcement offers some other layer of security for user accounts by requiring a physical key. The key sends an encrypted signature and works only with the sites that information technology'southward supposed to, helping to guard against phishing. Google Workspace administrators tin hands deploy, monitor, and manage the security keys at scale from within the administrator console – without installing boosted software.

Suspicious login monitoring

We apply our robust machine learning capabilities to help detect suspicious logins. When nosotros discover a suspicious login, nosotros notify administrators so they tin piece of work to ensure the accounts are secured.

Centralized cloud access management

With support for single sign-on (SSO), Google Workspace enables unified access to other enterprise cloud applications. Our identity and admission management (IAM) service lets administrators manage all user credentials and cloud applications admission in one identify.

e-mail

Enhanced electronic mail security

Google Workspace allows administrators to set customized rules requiring email messages to be signed and encrypted using Secure/Multipurpose Cyberspace Mail Extensions (South/MIME). These rules tin be configured to enforce S/MIME when specific content is detected in e-mail messages.

Context-enlightened access

Based on the zero trust security model and Google'due south BeyondCorp implementation, context-aware access enables you to provide secure admission for your users while maintaining their productivity. It enforces granular controls and uses a unmarried platform for both your deject and on-bounds applications and infrastructure resources. With context-aware access, you tin can enforce granular access controls on Google Workspace apps, based on a user's identity and context of the request.

security

Advanced Protection Program

Google'southward Advanced Protection Program is our strongest protection for users at risk of targeted online attacks. With the Advanced Protection Program for enterprise, we'll enforce a curated prepare of strong account security policies for enrolled users. These include requiring security keys, blocking access to untrusted apps, and enhanced scanning for electronic mail threats.

Asset protection

Data loss prevention

Google Workspace administrators tin can fix a information loss prevention (DLP) policy to protect sensitive information inside Gmail and Drive. Nosotros provide a library of predefined content detectors to make setup easy. Once the DLP policy is in place, for case, Gmail can automatically check all outgoing email for sensitive information and automatically take action to preclude data leakage: either quarantine the email for review, tell users to change the information, or block the email from being sent and notify the sender. With easy-to-configure rules and optical grapheme recognition (OCR) of content stored in images, DLP for Drive makes it easy for administrators to audit files containing sensitive content and configure rules that warn and prevent users from sharing confidential data externally. Larn more in our DLP Whitepaper.

Asset protection

report

Spam detection

Motorcar learning has helped Gmail achieve 99.ix% accuracy in spam detection and block sneaky spam and phishing messages – the kind that could actually pass for wanted e-mail. Less than 0.1% of e-mail in the average Gmail inbox is spam, and wrong filtering of postal service to the spam folder is even less likely (less than 0.05%).

Malware detection

To help prevent malware, Google automatically scans every zipper for viruses across multiple engines prior to a user downloading it. Gmail even checks for viruses in attachments queued for dispatch. This helps to protect everyone who uses Gmail and prevents the spread of viruses. Attachments in certain formats, such every bit .ADE, .ADP, .BAT, .CHM, .CMD, .COM, .CPL, .EXE, .HTA, .INS, .ISP, .JAR, .JS, .JSE, .LIB, .LNK, .MDE, .MSC, .MSI, .MSP, .MST, .NSH .PIF, .SCR, .SCT, .SHB, .SYS, .VB, .VBE, .VBS, .VXD, .WSC, .WSF, and .WSH are automatically blocked – even when they're included equally office of a compressed file.

Phishing prevention

Google Workspace uses car learning extensively to protect users against phishing attacks. Our learning models perform similarity analysis between previously classified phishing sites and new, unrecognized URLs. Every bit we find new patterns we adapt more quickly than manual systems ever could. Google Workspace also allows administrators to enforce the use of security keys, making information technology impossible to utilize credentials compromised in phishing attacks.

DMARC

Brand phishing defense

To help forbid abuse of your brand in phishing attacks, Google Workspace follows the DMARC standard, which empowers domain owners to decide how Gmail and other participating email providers handle unauthenticated emails coming from your domain. By defining a policy, you tin can help protect users and your system's reputation.

Operational control

apps_policy

Integrated endpoint management

Google Workspace'due south fully integrated endpoint management offers continuous system monitoring and alerts you to suspicious device activity. Administrators can enforce endpoint policies, encrypt data on devices, lock lost or stolen mobile devices, and remotely wipe devices.

security

Security Center

The security center for Google Workspace provides a single, comprehensive view into the security posture of your Google Workspace deployment. Information technology brings together security analytics, all-time practise recommendations and integrated remediation that empower you lot to protect your organization's information, devices and users.

playlist_add_check

Third-party application access controls

As part of our hallmark controls, administrators get visibility and command into third-party applications leveraging OAuth for authentication and corporate data access. OAuth access can be disabled at a granular level, and vetted third-party apps tin can be whitelisted.

With mobile device management, you can require screen locks, strong passwords, and erase confidential data with device wipe for Android and iOS.
With mobile device management, you can require screen locks, strong passwords, and erase confidential data with device wipe for Android and iOS.

https

Information rights management

To assistance administrators maintain control over sensitive information, we offer information rights direction (IRM) in Drive. Administrators and users can disable downloading, printing, and copying of files from the advanced sharing bill of fare, as well as ready expiration dates on file admission.

warning

Alert Middle

The Alert Eye for Google Workspace is a new manner for admins to view essential notifications, alerts, and actions beyond Google Workspace. Insights around these potential alerts tin can help administrators appraise their organisation's exposure to security issues. Integrated remediation with the security center offers a streamlined way to resolve these bug.

language

Data regions

Many organizations leverage the power of our distributed data centers to maximize critical benefits, such as minimal latency and robust geo-redundancy. However, for organizations with stringent control requirements, data regions for Google Workspace lets you choose where certain covered data should be stored at rest—either in the United states of america, across Europe, or distributed globally.

Compliance, eDiscovery & Analytics

Equipped for the toughest standards.

Google designed Google Workspace to meet stringent privacy and security standards based on industry best practices. In addition to strong contractual commitments regarding information ownership, data use, security, transparency, and accountability, nosotros give you the tools you need to assistance run into your compliance and reporting requirements.

Certifications, audits, and assessments

Google customers and regulators expect contained verification of our security, privacy, and compliance controls. In order to provide this, nosotros undergo several independent 3rd-party audits on a regular ground.

ISO/IEC 27001

ISO/IEC 27001

ISO/IEC 27001 is one of the most widely recognized and accepted independent security standards. Google has earned ISO/IEC 27001 certification for the systems, technology, processes, and data centers that run Google Workspace. View our ISO/IEC 27001 certificate.

ISO/IEC 27017

ISO/IEC 27017

ISO/IEC 27017 is an international standard of practice for data security controls based on ISO/IEC 27002 specifically for cloud services. Our compliance with the international standard was certified by Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Quango (a fellow member of the International Accreditation Forum, or IAF). View our ISO/IEC 27017 document.

ISO/IEC 27018

ISO/IEC 27018

Google Workspace'due south compliance with ISO/IEC 27018:2014 affirms our commitment to international privacy and data protection standards. ISO/IEC 27018 guidelines include not using your information for advertising, ensuring that your data in Google Workspace services remains yours, providing you with tools to delete and export your data, protecting your data from third-party requests, and being transparent most where your data is stored. View our ISO/IEC 27018 certificate.

SOC 2/3

SOC 2/3

The American Institute of Certified Public Accountants (AICPA) SOC (Service Organization Controls) 2 and SOC 3 audit framework relies on its Trust Principles and Criteria for security, availability, processing integrity, and confidentiality. Google has both SOC two and SOC 3 reports. Download our SOC 3 study.

FedRAMP

FedRAMP

Google Workspace products are compliant with the requirements of the Federal Risk and Say-so Management Program (FedRAMP). FedRAMP is the cloud security standard of the U.S. regime. Google Workspace is authorized for use past federal agencies for data it has classified at a "Moderate" impact level, which may include PII and Controlled Unclassified Data. Google Workspace has been assessed every bit acceptable for use with "OFFICIAL" (including "OFFICIAL SENSITIVE") information in accord with the Britain Security Principles. For details on production and services compliance, visit the FedRAMP Google Services page.

PCI DSS

PCI DSS

Google Workspace customers who need to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance can set up a data loss prevention (DLP) policy that prevents emails containing payment card information from being sent from Google Workspace. For Bulldoze, Vault tin be configured to run audits and make sure no cardholder information is stored.

FISC Compliance

FISC Compliance

FISC (Heart for Financial Industry Information Systems) is a public involvement incorporated foundation tasked with conducting enquiry related to technology, utilization, control, and threat/defence force related to financial data systems in Japan. One of the cardinal documents created past the system is the "FISC Security Guidelines on Reckoner Systems for Cyberbanking and Related Fiscal Institutions," which describes controls related to facilities, operations, and technical infrastructure. Google has developed a guide to assist customers understand how Google'south control environment aligns with the FISC guidelines. Most of the controls outlined in our guide are part of our third-party audited compliance programs, including ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 certifications. View our response to the FISC controls. For farther information, please contact sales.

Esquema Nacional de Seguridad (ENS) - Spain

Esquema Nacional de Seguridad (ENS) - Spain

The Esquema Nacional de Seguridad (ENS) accreditation scheme for Spain has been developed by La Entidad Nacional de Acreditación (ENAC) in close collaboration with the Ministry of Finance and Public Administration and the National Cryptologic Centre (CCN). The ENS was established as part of Royal Decree 3/2010 (amended by Decree 951/2015) and serves to establish principles and requirements for the adequate protection of information for Castilian public sector entities. Google Cloud (GCP and Google Workspace) has met the requirements to comply with ENS at the 'Loftier' level.

Regulatory compliance

HIPAA

HIPAA

Google Workspace supports customers' compliance with the U.Due south. Health Insurance Portability and Accountability Act (HIPAA), which governs the safeguarding, use, and disclosure of protected health information (PHI). Customers who are subject to HIPAA and wish to utilize Google Workspace for PHI processing or storage can sign a business associate amendment with Google. View more details about HIPAA compliance with Google Workspace.

EU Standard Contractual Clauses

EU Standard Contractual Clauses

Google Workspace meets data protection recommendations from the Commodity 29 Working Political party and maintains adherence to EU Standard Contractual Clauses with our Data Processing Amendment, Subprocessor Disclosure, and EU Standard Contractual Clauses. Google also maintains compliance with Privacy Shield and allows for Information Portability, wherein administrators can export data in standard formats without any boosted accuse.

General Data Protection Regulation

General Data Protection Regulation

At Google Workspace, we champion initiatives that prioritize and improve the security and privacy of user information. Nosotros've made updates to our Data Processing Amendment to ensure that Google Workspace customers can confidently use our services now that the GDPR is in effect. We've also implemented stringent policies, processes, and controls through our Data Processing Subpoena and Standard Contractual Clauses. In those agreements nosotros commit to comply with the obligations applicable to us under the GDPR with respect to the processing nosotros do on behalf of our customers, and we have worked closely with European Data Protection Authorities to meet their expectations. Learn more than.

U.S. FERPA

U.Southward. FERPA

Millions of students rely on Google Workspace for Education. Google Workspace for Education services comply with the Family Educational Rights and Privacy Act (FERPA). Our commitment to this compliance is included in our agreements.

COPPA

COPPA

Protecting children online is important to united states of america. We contractually crave Google Workspace for Educational activity schools to obtain the parental consent that the Children's Online Privacy Protection Act of 1998 (COPPA) requires, and our services can exist used in compliance with COPPA.

South Africa's POPI Act

South Africa'south POPI Deed

Google provides production capabilities and contractual commitments to facilitate customer compliance with S Africa'south Protection of Personal Information (POPI) Act. Customers who are subject to POPI can define how their information is stored, processed, and protected by signing a Data Processing Subpoena.

eDiscovery and archiving

Data retention and eDiscovery

Vault allows you to retain, search, and export your organisation's information from select Google Workspace apps. Vault is entirely spider web-based, so there'due south no demand to install or maintain extra software.

import_export

Export Google Workspace apps information

Vault allows you to export select Google Workspace apps information to standard formats for additional processing and review – all in a manner that supports legal standards while respecting chain of custody guidelines.

unsubscribe

Content compliance

Google Workspace's monitoring tools allow administrators to browse e-mail messages for alphanumeric patterns and objectionable content. Administrators can create rules to either refuse matching emails before they reach their intended recipients or deliver them with modifications.

Reporting analytics

list

Easy monitoring

Easy interactive reports help you appraise your organization'southward exposure to security issues at a domain and user level. Extensibility with a collection of application programming interfaces (APIs) enable yous to build custom security tools for your own environment. With insight into how users are sharing data, which 3rd-party apps are installed, and whether appropriate security measures such equally 2-pace verification are in identify, you tin can improve your security posture.

error

Audit tracking

Google Workspace allows administrators to rails user actions and set up custom alerts within Google Workspace. This tracking spans across the Admin Panel, Gmail, Drive, Calendar, Groups, mobile, and third-party application say-so. For example, if a marked file is downloaded or if a file containing the word "Confidential" is shared exterior the organization, administrators can be notified.

Insights using BigQuery

With BigQuery, Google'southward enterprise data warehouse for large-scale data analytics, you can analyze Gmail logs using sophisticated, high-performing custom queries, and leverage 3rd-party tools for deeper analysis.

Transparency

Trust is essential to our partnership.

Transparency is part of Google's DNA. We work difficult to earn and maintain trust with our customers through transparency. The customer – not Google – owns their data. Google does not sell your data to third parties, there is no advertising in Google Workspace, and nosotros never collect or apply information from Google Workspace services for any advertising purposes.

Transparency

No ads, ever

Google does not collect, scan, or use your data in Google Workspace services for advertizing purposes and we do not display ads in Google Workspace. We utilise your data to provide Google Workspace services, and for system back up, such as spam filtering, virus detection, spell-checking, capacity planning, traffic routing, and the ability to search for emails and files within an individual account.

user_attributes

You own your information

The information that companies, schools, and government agencies put into Google Workspace services does not belong to Google. Whether it's corporate intellectual property, personal information, or a homework assignment, Google does not own that data and Google does not sell that data to third parties.

assignment

Access Transparency

Admission Transparency supports our delivery to client trust by giving you fine-grained logs of actions taken by Google staff and the reason for each access, including references to specific support tickets where relevant.

Neal uses special equipment to completely erase all of the data on old servers.
Neal uses special equipment to completely erase all of the data on old servers.

playlist_add_check

Your apps are e'er accessible

Google Workspace offers a 99.9% service level agreement. Furthermore, Google Workspace has no scheduled reanimation or maintenance windows. Unlike nearly providers, nosotros plan for our applications to ever be available, even when we're upgrading our services or maintaining our systems.

Yous stay in command and in the know

We're committed to providing you with data about our systems and processes – whether that's a real-time performance overview, the results of a information handling audit, or the location of our data centers. Information technology's your information; we ensure you have control over it. You can delete your data or consign it at any time. We regularly publish Transparency Reports detailing how governments and other parties tin can impact your security and privacy online. We retrieve you deserve to know, and we accept a long track record of keeping you lot informed and standing upwardly for your rights.

William is an Operations Engineer and is part of the emergency response team. On a daily basis, he's on the lookout for everything from tornados to drive failures.
William is an Operations Engineer and is office of the emergency response team. On a daily ground, he'due south on the sentry for everything from tornados to drive failures.