We protect your business’s data

Security of data comes first in everything we do. Security features are built into all of our products, services, and infrastructure to keep data protected at every layer.

We invest in teams and technology to continually improve that security, protecting not only our operations, but your business as well.

And because we believe that building a safer Internet is better for everyone, we share those security innovations with the world.

Defense in depth

We designed the security of our infrastructure in layers that build upon one another, from the physical security of data centers to the security protections of our hardware and software to the processes we use to support operational security. This layered protection creates a strong security foundation for everything we do.

Physical security to protect data integrity

We distribute data across multiple data centers, so that in the event of a fire or disaster, it can be automatically shifted to stable and protected locations. Each of those data centers is monitored and protected 24/7, and access is tightly controlled with measures like biometric identification and laser-based surveillance. View our data center locations.

Custom hardware with security at its core

Security starts in our hardware. We created processes to help ensure the security of our hardware, including vetting the vendors we work with, designing custom chips, and taking measures to identify and authenticate legitimate Google devices. This foundation allows us to deliver security at every level.

Encryption to keep data private and protected

Encryption brings an even higher level of security and privacy to our services. As the data you create moves between your device, Google services, and our data centers, it is protected by security technology like HTTPS and Transport Layer Security. We also encrypt email at rest and in transit by default, and encrypt identity cookies by default.

Processes for secure operations

We use security monitoring to protect users from malware We constantly monitor our applications and deploy patches through automated network analysis and proprietary technology. This lets us detect and respond to threats to protect products from spam, malware, viruses, and other forms of malicious code.

We actively scan to find vulnerabilities We scan for software vulnerabilities, using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration testing, quality assurance processes, software security reviews, and external audits.

We design with security in mind Our security and privacy experts work with development teams, reviewing code and ensuring products utilize strong security protections.

Strong controls to limit access to trusted personnel

We limit access to your business’s data to Google personnel who need it to do their jobs; for example, when a customer service agent assists you in managing your data. Strong access controls are enforced by organizational and technical safeguards. And when we work with third parties, like customer support vendors, to provide Google services, we conduct an assessment to ensure they provide the appropriate level of security and privacy needed to receive access to your business’s data.

Incident management to resolve threats quickly

Our security team works 24/7 to quickly detect and resolve potential security incidents. Our security incident management program is structured around industry best practices and tailored into our "Incident Management at Google (IMAG)" program, which is built around the unique aspects of Google and its infrastructure. We also test our incident response plans regularly, so that we always remained prepared.

We do not give governments “backdoor” access to your data

We respect the privacy of the data you store with Google. That is why we never give any government entity, U.S. or otherwise, “backdoor” access to your data or to our servers storing your data. When we receive requests for data from law enforcement agencies, our legal team rejects requests that are invalid and pushes back when requests are overly broad. And we work hard to inform businesses about these requests as soon as we can, barring emergency circumstances or where we are prohibited by the legal nature of the request. We are open about these data requests in our Transparency Report.

We help make the Internet safer for everyone

We have a long history of developing Internet security technology that benefits our own users and the online world as a whole. So when we create technology to keep our services safer, we find opportunities to share it for everyone’s benefit.

Expand all Collapse all
  • Safe Browsing

    We share our Safe Browsing technology to alert website owners when their sites have security flaws and offer tools to help fix the problem quickly. Today, Safe Browsing protects about half the world’s online population, identifying issues more than 50 million times a week.

  • Security innovation

    We proactively work to solve security problems in new ways and often publish security research to benefit the entire online community. For example, we developed Beyond Corp, which offers a new model for secure remote access to your corporate information. We have also helped set standards around stronger authentication by developing security keys with the FIDO Alliance.

  • Vulnerability research

    We conduct research to identify industry-wide vulnerabilities, alert the community, and where possible, provide solutions. We run Project Zero, a team of internet security experts dedicated to addressing vulnerabilities in critical software that supports the Internet. And our Vulnerability Rewards Program encourages external researchers to find and notify us of bugs in our code.

  • Project Shield

    Project Shield helps protect the free expression of news, human rights organizations, and election-monitoring sites by blocking DDoS attacks that attempt to take them offline. Built on Google’s infrastructure, Project Shield uses a multilayer defense system: We collect traffic metadata, cached content, and website configuration data to filter out harmful traffic that attempts to overwhelm a site. We hold on to this data for as long as you have an account with Project Shield, and you can delete your Project Shield account at any time. We also collect weblogs for sites proxying through Shield to improve defenses for all. Project Shield is certified under Privacy Shield.