Google Workspace security and trust

Protecting your data is our top priority.

Overview

Leading with a security-first mindset.

Google started in the cloud and runs on the cloud, so it's no surprise that we fully understand the security implications of powering your business in the cloud. Because Google and our enterprise services run on the same infrastructure, your organization will benefit from the protections we've built and use every day. Our robust global infrastructure, along with dedicated security professionals and our drive to innovate, enables Google to stay ahead of the curve and offer a highly secure, reliable, and compliant environment.

Trusted by the world's leading organizations

Cutting-edge cloud security.

Google has industry-leading knowledge and expertise building secure cloud infrastructure and applications at scale. While many providers can make these assertions, we believe security and privacy must be seen and understood by our customers, not merely done behind the scenes.

  • Data Centers

    Top-notch data center security

    Security and data protection are central to the design of Google's data centers. Our physical security model includes safeguards like custom electronic access cards, perimeter fencing, and metal detectors. We also use cutting-edge tools like biometrics and laser-based intrusion detection to make physical breaches a "mission impossible" scenario for would-be attackers. See inside a Google data center.

    One of our data centers in Douglas County, Georgia.
  • Hardware

    Hardware designed for performance

    Google runs its data centers using custom designed hardware with a hardened operating system and file system. Each of these systems is optimized for security and performance. Since Google controls the hardware stack, we can quickly respond to any threats or weaknesses that may emerge.

    Denise Harwood diagnoses an overheated CPU. For more than a decade, we have built some of the world's most efficient servers.
  • Infrastructure

    A resilient, highly reliable network

    Google's application and network architecture is designed for maximum reliability and uptime. Because data is distributed across Google's servers and data centers, your data will still be accessible if a machine fails – or even if an entire data center goes down. Google owns and operates data centers around the world to keep the services you use running 24 hours a day, every day of the year. Our integrated approach to infrastructure security works in concert across multiple layers: hardware infrastructure, service deployment, user identity, storage, Internet communication, and operations security. Learn more in our Infrastructure Security Design Whitepaper.

    Nordine is a Facility Technician in charge of the backup generators for our Belgium-based data center. He makes sure the data center keeps running even if the power goes out.
  • Encryption

    Data encryption at every step

    Google's private, global, software-defined network provides more flexibility, control, and security than any cloud service provider. Our network connects multiple data centers using our own fiber, public fiber, and undersea cables. This allows us to deliver identical, highly available, low-latency services to Google Workspace customers across the globe, and limits exposure of customer data to the public Internet, where it may be subject to intercept. Google Workspace customers' data is encrypted when it's on a disk, stored on backup media, moving over the Internet, or traveling between data centers. Encryption is an important piece of the Google Workspace security strategy, helping to protect your emails, chats, Google Drive files, and other data.

    Get additional details on how data is protected at rest, in transit, and on backup media, as well as information on encryption key management in the Google Workspace Encryption Whitepaper.

    The fiber optic networks connecting our sites can run at speeds that are more than 200,000 times faster than a typical home Internet connection.

Promoting a culture of security.

At Google, all employees are required to think "security first." Google employs many full-time security and privacy professionals, including some of the world's leading experts in information, application, and network security. To ensure Google stays protected, we incorporate security into our entire software development process. This can include having security professionals analyze proposed architectures and perform code reviews to uncover security vulnerabilities and better understand the different attack models for a new product or feature. When situations do arise, our dedicated Google Workspace Incident Management Team is committed to ensuring incidents are addressed with minimal disruption to our customers through rapid response, analysis, and remediation.

Contributing to the community.

Google's research and outreach activities protect the wider community of Internet users – beyond just those who choose our solutions. Our full-time team known as Project Zero aims to discover high-impact vulnerabilities in widely used products from Google and other vendors. We commit to doing our work transparently and to directly report bugs to software vendors – without involving third parties.

Staying ahead of the security curve.

Security has always been a top priority for Google. Here are a few ways we've set the bar higher:

Perfect forward secrecy

Google is the first major cloud provider to enable perfect forward secrecy, which encrypts content as it moves between our servers and those of other companies. With perfect forward secrecy, private keys for a connection are ephemeral, which in turn prevents retroactive decryption of HTTPS sessions by an adversary or even the server operator. Many industry peers have followed suit or committed to adoption in the future.

100% email encryption

Every single email message you send or receive – 100% of them – is encrypted while moving between Google's data centers. This ensures that your messages are safe not only when they move between your devices and Gmail's servers, but also as they move internally within Google. We were also the first to let users know when their email was sent insecurely across providers with the introduction of our TLS indicator.

Strengthening encryption

To protect against cryptanalytic advances, in 2013 Google doubled its RSA encryption key length to 2048 bits and started changing them every few weeks, raising the bar for the rest of the industry.

Product Security Innovation

Data protection you can trust and tailor.

Google Workspace offers administrators enterprise control over system configuration and application settings – all in a dashboard that you can use to streamline authentication, asset protection, and operational control. Use integrated Cloud Identity features to manage users and enforce multi-factor authentication and security keys for added protection. You can choose the Google Workspace edition that best meets your organization's security needs.

Access and authentication

The Security Key protects you and your Google Workspace users from phishing attacks.

Strong authentication

2-step verification greatly reduces the risk of unauthorized access by asking users for additional proof of identity when signing in. Our security key enforcement offers another layer of security for user accounts by requiring a physical key. The key sends an encrypted signature and works only with the sites that it's supposed to, helping to guard against phishing. Google Workspace administrators can easily deploy, monitor, and manage the security keys at scale from within the administrator console – without installing additional software.

Suspicious login monitoring

We use our robust machine learning capabilities to help detect suspicious logins. When we discover a suspicious login, we notify administrators so they can work to ensure the accounts are secured.

Centralized cloud access management

With support for single sign-on (SSO), Google Workspace enables unified access to other enterprise cloud applications. Our identity and access management (IAM) service lets administrators manage all user credentials and cloud applications access in one place.

Enhanced email security

Google Workspace allows administrators to set customized rules requiring email messages to be signed and encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME). These rules can be configured to enforce S/MIME when specific content is detected in email messages.

Context-aware access

Based on the zero trust security model and Google's BeyondCorp implementation, context-aware access enables you to provide secure access for your users while maintaining their productivity. It enforces granular controls and uses a single platform for both your cloud and on-premises applications and infrastructure resources. With context-aware access, you can enforce granular access controls on Google Workspace apps, based on a user's identity and context of the request.

Advanced Protection Program

Google's Advanced Protection Program is our strongest protection for users at risk of targeted online attacks. With the Advanced Protection Program for enterprise, we'll enforce a curated set of strong account security policies for enrolled users. These include requiring security keys, blocking access to untrusted apps, and enhanced scanning for email threats.

Asset protection

Data loss prevention

Google Workspace administrators can set up a data loss prevention (DLP) policy to protect sensitive information within Gmail and Drive. We provide a library of predefined content detectors to make setup easy. Once the DLP policy is in place, for example, Gmail can automatically check all outgoing email for sensitive data and automatically take action to prevent data leakage: either quarantine the email for review, tell users to change the data, or block the email from being sent and notify the sender. With easy-to-configure rules and optical character recognition (OCR) of content stored in images, DLP for Drive makes it easy for administrators to audit files containing sensitive content and configure rules that warn and prevent users from sharing confidential data externally. Learn more in our DLP Whitepaper.

Spam detection

Machine learning has helped Gmail achieve 99.9% accuracy in spam detection and block sneaky spam and phishing messages – the kind that could actually pass for wanted email. Less than 0.1% of email in the average Gmail inbox is spam, and incorrect filtering of mail to the spam folder is even less likely (less than 0.05%).

Malware detection

To help prevent malware, Google automatically scans every attachment for viruses across multiple engines prior to a user downloading it. Gmail even checks for viruses in attachments queued for dispatch. This helps to protect everybody who uses Gmail and prevents the spread of viruses. Attachments in certain formats, such as .ADE, .ADP, .BAT, .CHM, .CMD, .COM, .CPL, .EXE, .HTA, .INS, .ISP, .JAR, .JS, .JSE, .LIB, .LNK, .MDE, .MSC, .MSI, .MSP, .MST, .NSH, .PIF, .SCR, .SCT, .SHB, .SYS, .VB, .VBE, .VBS, .VXD, .WSC, .WSF, and .WSH are automatically blocked – even when they're included as part of a compressed file.

Phishing prevention

Google Workspace uses machine learning extensively to protect users against phishing attacks. Our learning models perform similarity analysis between previously classified phishing sites and new, unrecognized URLs. As we find new patterns we adapt more quickly than manual systems ever could. Google Workspace also allows administrators to enforce the use of security keys, making it impossible to use credentials compromised in phishing attacks.

DMARC

Brand phishing defense

To help prevent abuse of your brand in phishing attacks, Google Workspace follows the DMARC standard, which empowers domain owners to determine how Gmail and other participating email providers handle unauthenticated emails coming from your domain. By defining a policy, you can help protect users and your organization's reputation.

Operational control

Integrated endpoint management

Google Workspace's fully integrated endpoint management offers continuous system monitoring and alerts you to suspicious device activity. Administrators can enforce endpoint policies, encrypt data on devices, lock lost or stolen mobile devices, and remotely wipe devices.

Security Center

The security center for Google Workspace provides a single, comprehensive view into the security posture of your Google Workspace deployment. It brings together security analytics, best practice recommendations and integrated remediation that empower you to protect your organization's data, devices and users.

Third-party application access controls

As part of our authentication controls, administrators get visibility and control into third-party applications leveraging OAuth for authentication and corporate data access. OAuth access can be disabled at a granular level, and vetted third-party apps can be whitelisted.

With mobile device management, you can require screen locks, strong passwords, and erase confidential data with device wipe for Android and iOS.

Information rights management

To help administrators maintain control over sensitive data, we offer information rights management (IRM) in Drive. Administrators and users can disable downloading, printing, and copying of files from the advanced sharing menu, as well as set expiration dates on file access.

Alert Center

The Alert Center for Google Workspace is a new way for admins to view essential notifications, alerts, and actions across Google Workspace. Insights around these potential alerts can help administrators assess their organization's exposure to security issues. Integrated remediation with the security center offers a streamlined way to resolve these issues.

Data regions

Many organizations leverage the power of our distributed data centers to maximize critical benefits, such as minimal latency and robust geo-redundancy. However, for organizations with stringent control requirements, data regions for Google Workspace lets you choose where certain covered data should be stored at rest—either in the United States, across Europe, or distributed globally.

Compliance, eDiscovery & Analytics

Equipped for the toughest standards.

Google designed Google Workspace to meet stringent privacy and security standards based on industry best practices. In addition to strong contractual commitments regarding data ownership, data use, security, transparency, and accountability, we give you the tools you need to help meet your compliance and reporting requirements.

Certifications, audits, and assessments

Google customers and regulators expect independent verification of our security, privacy, and compliance controls. In order to provide this, we undergo several independent third-party audits on a regular basis.

ISO/IEC 27001

ISO/IEC 27001 is one of the most widely recognized and accepted independent security standards. Google has earned ISO/IEC 27001 certification for the systems, technology, processes, and data centers that run Google Workspace. View our ISO/IEC 27001 certificate.

ISO/IEC 27017

ISO/IEC 27017 is an international standard of practice for information security controls based on ISO/IEC 27002 specifically for cloud services. Our compliance with the international standard was certified by Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council (a member of the International Accreditation Forum, or IAF). View our ISO/IEC 27017 certificate.

ISO/IEC 27018

Google Workspace's compliance with ISO/IEC 27018:2014 affirms our commitment to international privacy and data protection standards. ISO/IEC 27018 guidelines include not using your data for advertising, ensuring that your data in Google Workspace services remains yours, providing you with tools to delete and export your data, protecting your information from third-party requests, and being transparent about where your data is stored. View our ISO/IEC 27018 certificate.

SOC 2/3

The American Institute of Certified Public Accountants (AICPA) SOC (Service Organization Controls) 2 and SOC 3 audit framework relies on its Trust Principles and Criteria for security, availability, processing integrity, and confidentiality. Google has both SOC 2 and SOC 3 reports. Download our SOC 3 report.

FedRAMP

Google Workspace products are compliant with the requirements of the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is the cloud security standard of the U.S. government. Google Workspace is authorized for use by federal agencies for data it has classified at a "Moderate" impact level, which may include PII and Controlled Unclassified Information. Google Workspace has been assessed as adequate for use with "OFFICIAL" (including "OFFICIAL SENSITIVE") information in accordance with the UK Security Principles. For details on product and services compliance, visit the FedRAMP Google Services page.

PCI DSS

Google Workspace customers who need to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance can set up a data loss prevention (DLP) policy that prevents emails containing payment card data from being sent from Google Workspace. For Drive, Vault can be configured to run audits and make certain no cardholder data is stored.

FISC Compliance

FISC (Center for Financial Industry Information Systems) is a public interest incorporated foundation tasked with conducting research related to technology, utilization, control, and threat/defense related to financial information systems in Japan. One of the key documents created by the organization is the "FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions," which describes controls related to facilities, operations, and technical infrastructure. Google has developed a guide to help customers understand how Google's control environment aligns with the FISC guidelines. Most of the controls outlined in our guide are part of our third-party audited compliance programs, including ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 certifications. View our response to the FISC controls. For further information, please contact sales.

Esquema Nacional de Seguridad (ENS) - Spain

The Esquema Nacional de Seguridad (ENS) accreditation scheme for Spain has been developed by La Entidad Nacional de Acreditación (ENAC) in close collaboration with the Ministry of Finance and Public Administration and the National Cryptologic Center (CCN). The ENS was established as part of Royal Decree 3/2010 (amended by Decree 951/2015) and serves to establish principles and requirements for the adequate protection of data for Spanish public sector entities. Google Cloud (GCP and Google Workspace) has met the requirements to comply with ENS at the 'High' level.

Regulatory compliance

HIPAA

Google Workspace supports customers' compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA), which governs the safeguarding, use, and disclosure of protected health information (PHI). Customers who are subject to HIPAA and wish to use Google Workspace for PHI processing or storage can sign a business associate amendment with Google. View more details about HIPAA compliance with Google Workspace.

EU Standard Contractual Clauses

Google Workspace meets data protection recommendations from the Article 29 Working Party and maintains adherence to EU Standard Contractual Clauses with our Data Processing Amendment, Subprocessor Disclosure, and EU Standard Contractual Clauses. Google also maintains compliance with Privacy Shield and allows for Data Portability, wherein administrators can export data in standard formats without any additional charge.

General Data Protection Regulation

At Google Workspace, we champion initiatives that prioritize and improve the security and privacy of user data. We've made updates to our Data Processing Amendment to ensure that Google Workspace customers can confidently use our services now that the GDPR is in effect. We've also implemented stringent policies, processes, and controls through our Data Processing Amendment and Standard Contractual Clauses. In those agreements we commit to comply with the obligations applicable to us under the GDPR with respect to the processing we do on behalf of our customers, and we have worked closely with European Data Protection Authorities to meet their expectations. Learn more.

U.S. FERPA

Millions of students rely on Google Workspace for Education. Google Workspace for Education services comply with the Family Educational Rights and Privacy Act (FERPA). Our commitment to this compliance is included in our agreements.

COPPA

Protecting children online is important to us. We contractually require Google Workspace for Education schools to obtain the parental consent that the Children's Online Privacy Protection Act of 1998 (COPPA) requires, and our services can be used in compliance with COPPA.

South Africa's POPI Act

Google provides product capabilities and contractual commitments to facilitate customer compliance with South Africa's Protection of Personal Information (POPI) Act. Customers who are subject to POPI can define how their data is stored, processed, and protected by signing a Data Processing Amendment.

eDiscovery and archiving

Data retention and eDiscovery

Vault allows you to retain, search, and export your organization's data from select Google Workspace apps. Vault is entirely web-based, so there's no need to install or maintain extra software.

Export Google Workspace apps data

Vault allows you to export select Google Workspace apps data to standard formats for additional processing and review – all in a manner that supports legal standards while respecting chain of custody guidelines.

Content compliance

Google Workspace's monitoring tools allow administrators to scan email messages for alphanumeric patterns and objectionable content. Administrators can create rules to either reject matching emails before they reach their intended recipients or deliver them with modifications.

Reporting analytics

Easy monitoring

Easy interactive reports help you assess your organization's exposure to security issues at a domain and user level. Extensibility with a collection of application programming interfaces (APIs) enables you to build custom security tools for your own environment. With insight into how users are sharing data, which third-party apps are installed, and whether appropriate security measures such as 2-step verification are in place, you can improve your security posture.

Audit tracking

Google Workspace allows administrators to track user actions and set up custom alerts within Google Workspace. This tracking spans across the Admin Console, Gmail, Drive, Calendar, Groups, mobile, and third-party application authorization. For example, if a marked file is downloaded or if a file containing the word "Confidential" is shared outside the organization, administrators can be notified.

Insights using BigQuery

With BigQuery, Google's enterprise data warehouse for large-scale data analytics, you can analyze Gmail logs using sophisticated, high-performing custom queries, and leverage third-party tools for deeper analysis.

Transparency

Trust is essential to our partnership.

Transparency is part of Google's DNA. We work hard to earn and maintain trust with our customers through transparency. The customer – not Google – owns their data. Google does not sell your data to third parties, there is no advertising in Google Workspace, and we never collect or use data from Google Workspace services for any advertising purposes.

No ads, ever

Google does not collect, scan, or use your data in Google Workspace services for advertising purposes and we do not display ads in Google Workspace. We use your data to provide Google Workspace services, and for system support, such as spam filtering, virus detection, spell-checking, capacity planning, traffic routing, and the ability to search for emails and files within an individual account.

You own your data

The data that companies, schools, and government agencies put into Google Workspace services does not belong to Google. Whether it's corporate intellectual property, personal information, or a homework assignment, Google does not own that data and Google does not sell that data to third parties.

Access Transparency

Access Transparency supports our commitment to customer trust by giving you fine-grained logs of actions taken by Google staff and the reason for each access, including references to specific support tickets where relevant.

Neal uses special equipment to completely erase all of the data on old servers.

Your apps are always accessible

Google Workspace offers a 99.9% service level agreement. Furthermore, Google Workspace has no scheduled downtime or maintenance windows. Unlike most providers, we plan for our applications to always be available, even when we're upgrading our services or maintaining our systems.

You stay in control and in the know

We're committed to providing you with information about our systems and processes – whether that's a real-time performance overview, the results of a data handling audit, or the location of our data centers. It's your data; we ensure you have control over it. You can delete your data or export it at any time. We regularly publish Transparency Reports detailing how governments and other parties can affect your security and privacy online. We think you deserve to know, and we have a long track record of keeping you informed and standing up for your rights.

William is an Operations Engineer and is part of the emergency response team. On a daily basis, he's on the lookout for everything from tornados to drive failures.