Google Workspace security and trust

Protecting your data is our top priority.

Overview

Leading with a security-first mindset.

Google started in the cloud and runs on the cloud, so it's no surprise that we fully understand the security implications of powering your business in the cloud. Because Google and our enterprise services run on the same infrastructure, your organization will benefit from the protections we've built and use every day. Our robust global infrastructure, along with dedicated security professionals and our drive to innovate, enables Google to stay ahead of the curve and offer a highly secure, reliable, and compliant environment.

Trusted by the world's leading organizations

Cutting-edge cloud security.

Google has industry-leading knowledge and expertise building secure cloud infrastructure and applications at scale. While many providers can make these assertions, we believe security and privacy must be seen and understood by our customers, not only done behind the scenes.

  • Data Centers

    Top-notch data center security

    Security and data protection are central to the design of Google's data centers. Our physical security model includes safeguards like custom electronic access cards, perimeter fencing, and metal detectors. We also use cutting-edge tools like biometrics and laser-based intrusion detection to make physical breaches a "mission impossible" scenario for would-be attackers. See inside a Google data center.

    One of our data centers in Douglas County, Georgia.
  • Hardware

    Hardware designed for performance

    Google runs its data centers using custom designed hardware with a hardened operating system and file system. Each of these systems is optimized for security and performance. Since Google controls the hardware stack, we can quickly respond to any threats or weaknesses that may emerge.

    Denise Harwood diagnoses an overheated CPU. For more than a decade, we have built some of the world's most efficient servers.
  • Infrastructure

    A resilient, highly reliable network

    Google's application and network architecture is designed for maximum reliability and uptime. Because data is distributed across Google's servers and data centers, your data will still be accessible if a machine fails – or even if an entire data center goes down. Google owns and operates data centers around the world to keep the services you use running 24 hours a day, every day of the year. Our integrated approach to infrastructure security works in concert across multiple layers: hardware infrastructure, service deployment, user identity, storage, Internet communication, and operations security. Learn more in our Infrastructure Security Design Whitepaper.

    Nordine is a Facility Technician in charge of the backup generators for our Belgium-based data center. He makes sure the data center keeps running even if the power goes out.
  • Encryption

    Data encryption at every step

    Google's private, global, software-defined network provides more flexibility, control, and security than any cloud service provider. Our network connects multiple data centers using our own fiber, public fiber, and undersea cables. This allows us to deliver identical, highly available, low-latency services to Google Workspace customers across the globe, and limits exposure of customer data to the public Internet, where it may be subject to intercept. Google Workspace customers' data is encrypted when it's on a disk, stored on backup media, moving over the Internet, or traveling between data centers. Encryption is an important piece of the Google Workspace security strategy, helping to protect your emails, chats, Google Drive files, and other data.

    Get additional details on how data is protected at rest, in transit, and on backup media, as well as information on encryption key management in the Google Workspace Encryption Whitepaper.

    The fiber optic networks connecting our sites can run at speeds that are more than 200,000 times faster than a typical home Internet connection.

Promoting a culture of security.

At Google, all employees are required to think "security first." Google employs many full-time security and privacy professionals, including some of the world's leading experts in information, application, and network security. To ensure Google stays protected, we incorporate security into our entire software development process. This can include having security professionals analyze proposed architectures and perform code reviews to uncover security vulnerabilities and better understand the different attack models for a new product or feature. When situations do arise, our dedicated Google Workspace Incident Management Team is committed to ensuring incidents are addressed with minimal disruption to our customers through rapid response, analysis, and remediation.

Contributing to the community.

Google's research and outreach activities protect the wider community of Internet users – beyond just those who choose our solutions. Our full-time team known as Project Zero aims to find high-impact vulnerabilities in widely used products from Google and other vendors. We commit to doing our work transparently and to directly report bugs to software vendors – without involving third parties.

Staying ahead of the security curve.

Security has always been a top priority for Google. Here are a few ways we've set the bar higher:

Perfect forward secrecy

Google is the first major cloud provider to enable perfect forward secrecy, which encrypts content as it moves between our servers and those of other companies. With perfect forward secrecy, private keys for a connection are ephemeral, which in turn prevents retroactive decryption of HTTPS sessions by an adversary or even the server operator. Many industry peers have followed suit or committed to adoption in the future.

100% email encryption

Every single email message you send or receive – 100% of them – is encrypted while moving between Google's data centers. This ensures that your messages are safe not only when they move between your devices and Gmail's servers, but also as they move internally within Google. We were also the first to let users know when their email was sent insecurely across providers with the introduction of our TLS indicator.

Strengthening encryption

To protect against cryptanalytic advances, in 2013 Google doubled its RSA encryption key length to 2048 bits and started changing them every few weeks, raising the bar for the rest of the industry.

Product Security Innovation

Data protection you can trust and tailor.

Google Workspace offers administrators enterprise control over system configuration and application settings – all in a dashboard that you can use to streamline authentication, asset protection, and operational control. Use integrated Cloud Identity features to manage users and enforce multi-factor authentication and security keys for added protection. You can choose the Google Workspace edition that best meets your organization's security needs.

Access and authentication

The Security Key protects you and your Google Workspace users from phishing attacks.

Strong authentication

2-step verification greatly reduces the risk of unauthorized access by asking users for additional proof of identity when signing in. Our security key enforcement offers another layer of security for user accounts by requiring a physical key. The key sends an encrypted signature and works only with the sites that it's supposed to, helping to guard against phishing. Google Workspace administrators can easily deploy, monitor, and manage the security keys at scale from within the admin console – without installing additional software.

Suspicious login monitoring

We use our robust machine learning capabilities to help detect suspicious logins. When we discover a suspicious login, we notify administrators so they can work to ensure the accounts are secured.

Centralized cloud access management

With support for single sign-on (SSO), Google Workspace enables unified access to other enterprise cloud applications. Our identity and access management (IAM) service lets administrators manage all user credentials and cloud applications access in one place.

Enhanced email security

Google Workspace allows administrators to set customized rules requiring email messages to be signed and encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME). These rules can be configured to enforce S/MIME when specific content is detected in email messages.

Context-aware access

Based on the zero trust security model and Google's BeyondCorp implementation, context-aware access enables you to provide secure access for your users while maintaining their productivity. It enforces granular controls and uses a single platform for both your cloud and on-premises applications and infrastructure resources. With context-aware access, you can enforce granular access controls on Google Workspace apps, based on a user's identity and context of the request.

Advanced Protection Program

Google's Advanced Protection Program is our strongest protection for users at risk of targeted online attacks. With the Advanced Protection Program for enterprise, we'll enforce a curated set of strong account security policies for enrolled users. These include requiring security keys, blocking access to untrusted apps, and enhanced scanning for email threats.

Asset protection

Data loss prevention

Google Workspace administrators can set up a data loss prevention (DLP) policy to protect sensitive information inside Gmail and Drive. We provide a library of predefined content detectors to make setup easy. Once the DLP policy is in place, for example, Gmail can automatically check all outgoing email for sensitive information and automatically take action to prevent data leakage: either quarantine the email for review, tell users to modify the data, or block the email from being sent and notify the sender. With easy-to-configure rules and optical character recognition (OCR) of content stored in images, DLP for Drive makes it easy for administrators to audit files containing sensitive content and configure rules that warn and prevent users from sharing confidential data externally. Learn more in our DLP Whitepaper.

Spam detection

Machine learning has helped Gmail achieve 99.9% accuracy in spam detection and block sneaky spam and phishing messages – the kind that could actually pass for wanted email. Less than 0.1% of email in the average Gmail inbox is spam, and incorrect filtering of mail to the spam folder is even less likely (less than 0.05%).

Malware detection

To help prevent malware, Google automatically scans every attachment for viruses across multiple engines prior to a user downloading it. Gmail even checks for viruses in attachments queued for dispatch. This helps to protect everyone who uses Gmail and prevents the spread of viruses. Attachments in certain formats, such as .ADE, .ADP, .BAT, .CHM, .CMD, .COM, .CPL, .EXE, .HTA, .INS, .ISP, .JAR, .JS, .JSE, .LIB, .LNK, .MDE, .MSC, .MSI, .MSP, .MST, .NSH, .PIF, .SCR, .SCT, .SHB, .SYS, .VB, .VBE, .VBS, .VXD, .WSC, .WSF, and .WSH are automatically blocked – even when they're included as part of a compressed file.

Phishing prevention

Google Workspace uses machine learning extensively to protect users against phishing attacks. Our learning models perform similarity analysis between previously classified phishing sites and new, unrecognized URLs. As we find new patterns, we adapt more quickly than manual systems ever could. Google Workspace also allows administrators to enforce the use of security keys, making it impossible to use credentials compromised in phishing attacks.

DMARC

Brand phishing defense

To help prevent abuse of your brand in phishing attacks, Google Workspace follows the DMARC standard, which empowers domain owners to decide how Gmail and other participating email providers handle unauthenticated emails coming from your domain. By defining a policy, you can help protect users and your organization's reputation.

Operational control

Integrated endpoint management

Google Workspace's fully integrated endpoint management offers continuous system monitoring and alerts you to suspicious device activity. Administrators can enforce endpoint policies, encrypt data on devices, lock lost or stolen mobile devices, and remotely wipe devices.

Security Center

The security center for Google Workspace provides a single, comprehensive view into the security posture of your Google Workspace deployment. It brings together security analytics, best practice recommendations and integrated remediation that empower you to protect your organization's data, devices and users.

Third-party application access controls

As part of our authentication controls, administrators get visibility and control into third-party applications leveraging OAuth for authentication and corporate data access. OAuth access can be disabled at a granular level, and vetted third-party apps can be whitelisted.

With mobile device management, you can require screen locks, strong passwords, and erase confidential data with device wipe for Android and iOS.

Information rights management

To help administrators maintain control over sensitive data, we offer information rights management (IRM) in Drive. Administrators and users can disable downloading, printing, and copying of files from the advanced sharing menu, as well as set expiration dates on file access.

Alert Center

The Alert Center for Google Workspace is a new way for admins to view essential notifications, alerts, and actions across Google Workspace. Insights around these potential alerts can help administrators assess their organization's exposure to security issues. Integrated remediation with the security center offers a streamlined way to resolve these issues.

Data regions

Many organizations leverage the power of our distributed data centers to maximize critical benefits, such as minimal latency and robust geo-redundancy. However, for organizations with stringent control requirements, data regions for Google Workspace lets you choose where certain covered data should be stored at rest—either in the US, across Europe, or distributed globally.

Compliance, eDiscovery & Analytics

Equipped for the toughest standards.

Google designed Google Workspace to meet stringent privacy and security standards based on industry best practices. In addition to strong contractual commitments regarding data ownership, data use, security, transparency, and accountability, we give you the tools you need to help meet your compliance and reporting requirements.

Certifications, audits, and assessments

Google customers and regulators expect independent verification of our security, privacy, and compliance controls. In order to provide this, we undergo several independent third-party audits on a regular basis.

ISO/IEC 27001

ISO/IEC 27001 is one of the most widely recognized and accepted independent security standards. Google has earned ISO/IEC 27001 certification for the systems, technology, processes, and data centers that run Google Workspace. View our ISO/IEC 27001 certificate.

ISO/IEC 27017

ISO/IEC 27017 is an international standard of practice for information security controls based on ISO/IEC 27002 specifically for cloud services. Our compliance with the international standard was certified by Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council (a member of the International Accreditation Forum, or IAF). View our ISO/IEC 27017 certificate.

ISO/IEC 27018

Google Workspace's compliance with ISO/IEC 27018:2014 affirms our commitment to international privacy and data protection standards. ISO/IEC 27018 guidelines include not using your information for advertising, ensuring that your information in Google Workspace services remains yours, providing you with tools to delete and export your information, protecting your information from third-party requests, and being transparent about where your data is stored. View our ISO/IEC 27018 certificate.

SOC 2/3

The American Institute of Certified Public Accountants (AICPA) SOC (Service Organization Controls) 2 and SOC 3 audit framework relies on its Trust Principles and Criteria for security, availability, processing integrity, and confidentiality. Google has both SOC 2 and SOC 3 reports. Download our SOC 3 report.

FedRAMP

Google Workspace products are compliant with the requirements of the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is the cloud security standard of the U.S. government. Google Workspace is authorized for use by federal agencies for data it has classified at a "Moderate" impact level, which may include PII and Controlled Unclassified Information. Google Workspace has been assessed as adequate for use with "OFFICIAL" (including "OFFICIAL SENSITIVE") data in accordance with the UK Security Principles. For details on product and services compliance, visit the FedRAMP Google Services page.

PCI DSS

Google Workspace customers who need to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance can set up a data loss prevention (DLP) policy that prevents emails containing payment card information from being sent from Google Workspace. For Drive, Vault can be configured to run audits and make certain no cardholder data is stored.

FISC Compliance

FISC (Center for Financial Industry Information Systems) is a public interest incorporated foundation tasked with conducting research related to technology, utilization, control, and threat/defense related to financial information systems in Japan. One of the key documents created by the organization is the "FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions," which describes controls related to facilities, operations, and technical infrastructure. Google has developed a guide to help customers understand how Google's control environment aligns with the FISC guidelines. Most of the controls outlined in our guide are part of our third-party audited compliance programs, including ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 certifications. View our response to the FISC controls. For further information, please contact sales.

Esquema Nacional de Seguridad (ENS) - Spain

The Esquema Nacional de Seguridad (ENS) accreditation scheme for Spain has been developed by La Entidad Nacional de Acreditación (ENAC) in close collaboration with the Ministry of Finance and Public Administration and the National Cryptologic Center (CCN). The ENS was established as part of Royal Decree 3/2010 (amended by Decree 951/2015) and serves to establish principles and requirements for the adequate protection of information for Spanish public sector entities. Google Cloud (GCP and Google Workspace) has met the requirements to comply with ENS at the 'High' level.

Regulatory compliance

HIPAA

Google Workspace supports customers' compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA), which governs the safeguarding, use, and disclosure of protected health information (PHI). Customers who are subject to HIPAA and wish to use Google Workspace for PHI processing or storage can sign a business associate amendment with Google. View more details about HIPAA compliance with Google Workspace.

EU Standard Contractual Clauses

Google Workspace meets data protection recommendations from the Article 29 Working Party and maintains adherence to EU Standard Contractual Clauses with our Data Processing Amendment, Subprocessor Disclosure, and EU Standard Contractual Clauses. Google also maintains compliance with Privacy Shield and allows for Data Portability, wherein administrators can export data in standard formats without any additional charge.

General Data Protection Regulation

At Google Workspace, we champion initiatives that prioritize and improve the security and privacy of user information. We've made updates to our Data Processing Amendment to ensure that Google Workspace customers can confidently use our services now that the GDPR is in effect. We've also implemented stringent policies, processes, and controls through our Data Processing Amendment and Standard Contractual Clauses. In those agreements we commit to comply with the obligations applicable to us under the GDPR with respect to the processing we do on behalf of our customers, and we have worked closely with European Data Protection Authorities to meet their expectations. Learn more.

U.S. FERPA

Millions of students rely on Google Workspace for Education. Google Workspace for Education services comply with the Family Educational Rights and Privacy Act (FERPA). Our commitment to this compliance is included in our agreements.

COPPA

Protecting children online is important to us. We contractually require Google Workspace for Education schools to obtain the parental consent that the Children's Online Privacy Protection Act of 1998 (COPPA) requires, and our services can be used in compliance with COPPA.

South Africa's POPI Act

Google provides product capabilities and contractual commitments to facilitate customer compliance with South Africa's Protection of Personal Information (POPI) Act. Customers who are subject to POPI can define how their data is stored, processed, and protected by signing a Data Processing Amendment.

eDiscovery and archiving

Data retention and eDiscovery

Vault allows you to retain, search, and export your organization's data from select Google Workspace apps. Vault is entirely web-based, so there's no need to install or maintain extra software.

Export Google Workspace apps data

Vault allows you to export select Google Workspace apps data to standard formats for additional processing and review – all in a manner that supports legal standards while respecting chain of custody guidelines.

Content compliance

Google Workspace's monitoring tools allow administrators to scan email messages for alphanumeric patterns and objectionable content. Administrators can create rules to either reject matching emails before they reach their intended recipients or deliver them with modifications.

Reporting analytics

Easy monitoring

Easy interactive reports help you assess your organization's exposure to security problems at a domain and user level. Extensibility with a collection of application programming interfaces (APIs) enables you to build custom security tools for your own environment. With insight into how users are sharing data, which third-party apps are installed, and whether appropriate security measures such as 2-step verification are in place, you can improve your security posture.

Audit tracking

Google Workspace allows administrators to track user actions and set up custom alerts within Google Workspace. This tracking spans across the Admin Console, Gmail, Drive, Calendar, Groups, mobile, and third-party application authorization. For example, if a marked file is downloaded or if a file containing the word "Confidential" is shared outside the organization, administrators can be notified.

Insights using BigQuery

With BigQuery, Google's enterprise data warehouse for large-scale data analytics, you can analyze Gmail logs using sophisticated, high-performing custom queries, and leverage third-party tools for deeper analysis.

Transparency

Trust is essential to our partnership.

Transparency is part of Google's DNA. We work hard to earn and maintain trust with our customers through transparency. The customer – not Google – owns their data. Google does not sell your data to third parties, there is no advertising in Google Workspace, and we never collect or use data from Google Workspace services for any advertising purposes.

No ads, always

Google does not collect, scan, or use your data in Google Workspace services for advertising purposes and we do not display ads in Google Workspace. We use your data to provide Google Workspace services, and for system support, such as spam filtering, virus detection, spell-checking, capacity planning, traffic routing, and the ability to search for emails and files within an individual account.

You own your data

The information that companies, schools, and government agencies put into Google Workspace services does not belong to Google. Whether it's corporate intellectual property, personal information, or a homework assignment, Google does not own that information and Google does not sell that data to third parties.

Access Transparency

Access Transparency supports our commitment to customer trust by giving you fine-grained logs of actions taken by Google staff and the reason for each access, including references to specific support tickets where relevant.

Neal uses special equipment to completely erase all of the data on old servers.

Your apps are always accessible

Google Workspace offers a 99.9% service level agreement. Furthermore, Google Workspace has no scheduled downtime or maintenance windows. Unlike most providers, we plan for our applications to always be available, even when we're upgrading our services or maintaining our systems.

You stay in control and in the know

We're committed to providing you with data about our systems and processes – whether that's a real-time performance overview, the results of a data handling audit, or the location of our data centers. It's your data; we ensure you have control over it. You can delete your data or export it at any time. We regularly publish Transparency Reports detailing how governments and other parties can impact your security and privacy online. We think you deserve to know, and we have a long track record of keeping you informed and standing up for your rights.

William is an Operations Engineer and is part of the emergency response team. On a daily basis, he's on the lookout for everything from tornados to drive failures.