We are committed to complying with applicable data protection laws

We are always working to stay compliant, which helps make compliance easier for your business. We encourage regular audits, maintain certifications, provide industry-standard contractual protections, and share tools and information you can use to strengthen your business’s compliance.

Audits and certifications

When you share your business’s data, we want you to know it is protected. We proactively ask third parties to review our product controls against international standards, like ISO standards and SSAE16/ISAE 3402 – so you know your business’s data is handled responsibly. In addition, a U.S.-based, qualified, independent third party reviews the effectiveness of our controls at least every two years.

Expand all Collapse all

  • ISO 27001 (Information security management)

    ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes, and data centers serving Google Cloud Platform, G Suite, Google Analytics, Google Analytics 360, Tag Manager 360, Optimize 360, Attribution 360, Audience Center 360, Data Studio, DoubleClick for Publishers, Adwords Customer Match and DoubleClick Digital Marketing.

  • ISO 27017 (Cloud security)

    ISO 27017 is an international standard of practice for information security controls based on ISO/IEC 27002, specifically for cloud services.

    Google has been certified compliant with ISO 27017 for Google Cloud Platform products and G Suite.

  • ISO 27018 (Cloud privacy)

    ISO 27018 is an international standard of practice for protection of personally identifiable information (PII) in public cloud services.

    Google has been certified compliant with ISO 27018 for Google Cloud Platform products and G Suite.

  • SSAE16/ISAE 3402

    The American Institute of Certified Public Accountants (AICPA) SOC 2 (Service Organization Controls) and SOC 3 audit framework defines Trust Principles and Criteria for security, availability, processing integrity, and confidentiality.

    Google has both SOC 2 and SOC 3 reports for Google Cloud Platform and G Suite. You can download our SOC 3 report. We also have SOC 1 Type 2 for AdWords, AdSense, DoubleClick Campaign Manager, DoubleClick for Publishers, and DoubleClick Ad Exchange, available to customers under NDA.

  • Privacy Shield

    The Privacy Shield Frameworks are designed to provide a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. We adhere to the EU-US and Swiss-US Privacy Shield Frameworks (view certification).

  • FedRAMP

    FedRAMP is a program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by the U.S. federal government. Google maintains a FedRAMP Authorization to Operate (ATO) for G Suite and Google App Engine.

  • PCI DSS (Payment Card Industry Data Security Standard)

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements for entities that store, process, or transmit payment card data. The following Google services have been reviewed by an independent Qualified Security Assessor and determined to be compliant with the current version of PCI DSS: Android Pay, Google App Engine, Google Compute Engine, Google Cloud Storage, Google Cloud Datastore, Google Cloud SQL, Google BigQuery, Google Cloud Dataproc, Google Cloud Dataflow, Google Container Engine, Google Container Registry, Google Cloud Bigtable.

Contractual protections

We already offer Data Processing and Security Terms (or Data Processing Amendments) for Google Cloud Platform, G Suite, and certain Google Analytics Suite products. For these products and other products where we act as a processor of personal data under the GDPR, we will make available updated contractual terms in line with the GDPR’s new requirements for our customers. See “Updated terms” to learn more.

Show contractual protections keyboard_arrow_right Hide contractual protections keyboard_arrow_down

We offer Data Processing and Security Terms (or Data Processing Amendments) for Google Cloud Platform, G Suite, Google Analytics, and Google Analytics 360.

We also offer European Model Contract Clauses to address EU data-transfer requirements for Google Cloud Platform and G Suite. We have obtained Common Opinions from EU Data Protection Authorities confirming that our Data Processing and Security Terms (or Data Processing Amendments) and our Model Contract Clauses for Google Cloud Platform and G Suite are in line with the Standard Contractual Clauses published by the European Commission.

We offer a Business Associate Agreement addressing requirements under the U.S. Health Insurance Portability and Accountability Act (HIPAA) for certain products within Google Cloud Platform and G Suite.

Resources to support and simplify your data compliance

Compliance with data protection laws can be extremely complex. We provide helpful information, offer technical solutions, and share best practices that help make it easier for your business to comply with data protection regulations wherever you operate.

We offer technical solutions to save you time
We contribute to industry best practices to make compliance easier for everyone
We provide easy access to documentation

We offer technical solutions to save you time

Since your customers are concerned about their own data privacy, we provide you with technical solutions that save you time to help your business manage consents, mask IP addresses, and help you find sensitive data. Some of our solutions:

  • We offer solutions to manage cookie consents at cookiechoices.org.
  • We provide information and tools to developers to help manage Android in-app permissions.
  • In Google Analytics and Google Analytics 360, we offer IP masking to further anonymize IP addresses you are collecting.
  • Data loss prevention tools in Google Cloud Platform and G Suite provide quick discovery and classification of more than 40 sensitive data types, like PII and financial data.

We contribute to industry best practices to make compliance easier for everyone

We collaborate with the European Digital Advertising Alliance, the Network Advertising Initiative, the U.S. Digital Advertising Alliance, Digital Advertising Alliance Canada, the Australian Digital Advertising Alliance, and the Trustworthy Accountability Group. We also support industry-wide initiatives such as the Coalition for Better Ads.

We provide easy access to documentation

Google Cloud Platform customers can access information on sub-processors, or reach out to get more specific answers. G Suite customers can access the Admin Console for data center locations, information on sub-processors, and our privacy and security certifications.

Our commitment to GDPR

We are working hard to prepare for the EU’s General Data Protection Regulation (GDPR). Keeping users’ information safe and secure is among our highest priorities at Google. Over the years, we have spent a lot of time working closely with Data Protection Authorities in Europe, and we have already implemented strong privacy protections that reflect their guidance. We are committed to complying with the new legislation and will collaborate with partners throughout this process.

Expand all Collapse all

  • Updated terms

    Where we act as a processor of personal data, we will update our agreements to reflect the obligations of controllers and processors and offer data-processing agreements where required in time for May 2018, including for AdWords Customer Match, AdWords Store sales (direct upload), DoubleClick Digital Marketing (including DoubleClick Bid Manager, DoubleClick Campaign Manager, DoubleClick Search), Google Analytics Suite (including Google Analytics, Tag Manager, Optimize, Data Studio, Attribution, Audience Center, Google Analytics for Firebase), Google Cloud Platform, and G Suite products and Managed Google Play. Additionally, for online advertising products where Google and the customer each act as independent controllers of personal data, we will update our agreements or make available controller-controller data protection terms. This includes AdWords (including Shopping and Hotel Ads, but not AdWords features where we act as a processor of personal data) and Google Customer Reviews.

  • CMO checklist

    As a marketer we know you need to select products that are compliant and use personal data in ways that are compliant. We are committed to complying with the GDPR and would encourage you to check in on compliance plans within your own organisation. Key areas to think about:

    • How does your organisation ensure user transparency and control around data use?
    • Are you sure that your organisation has the right consents in place where these are needed under the GDPR?
    • Does your organisation have the right systems to record user preferences and consents?
    • How will you show to regulators and partners that you meet the principles of the GDPR and are an accountable organisation?

  • Robust safeguards

    We are well placed to meet the security requirements of the GDPR. Our services are backed by robust, state-of-the-art technical and organizational safeguards, dedicated security and privacy teams, and our program is reviewed annually by third-party auditors.

  • Incident response

    We will continue to promptly inform you of incidents involving your customer data in line with the data incident terms in our current and any updated agreements with you. We maintain and continue to invest in advanced threat detection and avoidance technologies, as well as a rigorous 24/7 incident management program to help you identify and respond to security or privacy events (and any personal data breaches under the GDPR) without delay and with all available information.

  • User transparency

    We will continue to enhance transparency about how data is used in our Ads products. Google asks EU users for permission to use data to personalize ads and provides transparency into how the data is used in real time via “Why This Ad?” We provide detailed explanations on how we use data on privacy.google.com. We also provide transparency to users on what data Google holds about them via My Account and My Activity. Users can use Ads Settings to control the use of data for ads personalization and for all ads shown by Google, including on our DoubleClick products.

  • International transfers

    We continue to offer a range of international data-transfer mechanisms and we are certified under the EU - U.S. and Swiss - U.S. Privacy Shield frameworks, which are a legal mechanism to enable the transfer of personal data from the EEA and Switzerland to the US, where certified organisations guarantee to provide a level of protection in line with EU data protection law. Google’s annual renewal of its certification to the EU - U.S. Privacy Shield was approved by the Department of Commerce on 25 September 2017, and Google’s certification to the Swiss - U.S. Privacy Shield was approved on 18 April 2017. We also offer EU-approved Model Contract Clauses for some services.

    We will, in addition, continue to monitor the evolution of international data-transfer mechanisms under the GDPR, and are committed to having a lawful basis for data transfers in compliance with applicable data protection laws.

  • Privacy practices

    We already have processes to build privacy into our products from the very earliest stages, and we are further evolving our practices, including Data Protection Impact Assessments, to meet the GDPR’s requirements around Privacy by Design and Privacy by Default.

    Learn more about how Google is committed to GDPR compliance across G Suite and Google Cloud Platform services.