Compliance

Independent Audits of Infrastructure, Services, and Operations

Our customers and regulators expect independent verification of security, privacy and compliance controls. Google undergoes several independent third party audits on a regular basis to provide this assurance. This means that an independent auditor has examined the controls present in our data centers, infrastructure and operations. Google has annual audits for the following standards:

  • SSAE16 / ISAE 3402 Type II:
  • ISO 27001, one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes and data centers serving Google Cloud Platform. The ISO 27001 Certificate for Google Cloud Platform is here. Google has also earned the ISO 27001 certification for Google's shared Common Infrastructure. The ISO 27001 Certificate for Common Infrastructure is here.
  • ISO 27017, Cloud Security. This is an international standard of practice for information security controls based on ISO/IEC 27002 specifically for cloud services. Our ISO 27017 Certificate is here.
  • ISO 27018, Cloud Privacy. This is an international standard of practice for protection of personally identifiable information (PII) in public cloud services. Our ISO 27018 Certificate is here.
  • FedRAMP ATO for Google App Engine
  • PCI DSS v3.2

Google’s third party audit approach is designed to be comprehensive in order to provide assurances of Google’s level of information security with regard to confidentiality, integrity and availability. Customers may use these third party audits to assess how Google’s products can meet their compliance and data-processing needs.

HIPAA

Google Cloud Platform will also support HIPAA covered customers by entering into a Business Associates Agreement. The Cloud Platform BAA currently covers Compute Engine, Cloud Storage, Cloud SQL for MySQL, Cloud Dataproc, Genomics, BigQuery, Container Engine, Container Registry, Cloud Dataflow, Cloud Bigtable, Cloud Pub/Sub, Cloud Translation API, Cloud Speech API, Stackdriver Logging, Stackdriver Error Reporting, Cloud Datalab, Google Cloud Machine Learning, Cloud Natural Language API, and Cloud Data Loss Prevention API. Learn more about HIPAA compliance.

CSA STAR

Google Cloud has completed the Cloud Security Alliance (CSA) STAR Self-Assessment. Learn more here.

Google Cloud Platform and the EU Data Protection Directive

As part of Google’s rigorous privacy and compliance standards and commitment to our customers, Google Inc. is certified under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. In addition, Google offers Cloud Platform customers EU model contract clauses as a method to meet the adequacy and security requirements of the EU Data Protection Directive. The European Union's data protection authorities have concluded that Google's model contract clauses meet EU regulatory expectations, confirming that Google Cloud services provide sufficient commitments to frame international data flows from Europe to the rest of the world. For details on the approval of Google Cloud from the Article 29 Working Party, please see the respective decisions for G Suite and the Google Cloud Platform. Learn more about EU Data Protection.

Protection of Personal Information and My Number Data (Japan)

The Japanese government issues a unique number to every resident of Japan (both foreign and domestic). This number, also referred to as the Social Benefits or Tax Number, is protected by the “My Number Act”.

The responsibility to protect personal information and “My Number” data lies with our customers when using Google Cloud Platform. Google Cloud Platform products are ISO 27001 and ISO 27018 certified. These are international certifications related to practices to protect information (such as personal information and “My Number” data) and include appropriate access control measures.

FISC (Japan)

FISC (Center for Financial Industry Information Systems) is a public interest incorporated foundation tasked with conducting research related to technology, utilization, control, and threat/defense related to financial information systems in Japan. One of the key documents created by the organization is the "FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions". The document describes controls related to facilities, operations, and technical infrastructure.

Google has developed a guide to help customers understand how Google’s control environment aligns with the FISC guidelines. Most of the controls outlined in our guide are part of our third-party audited compliance programs, including ISO 27001, ISO 27017, and ISO 27108 certifications. View our response to the FISC controls:

MPAA Best Practices Guidelines

The Motion Picture Association of America (MPAA) has created a best practices guideline for cloud providers. Under a shared security model, customers using Google Cloud Platform can configure their cloud services to support these best practices. While not a formal certification, the control aspects of the guidelines map closely to Google’s existing third party audited core compliance programs, including ISO 27001, ISO 27017, ISO 27108, and CSA STAR certifications. This document details the MPAA controls that Google Cloud Platform supports. Google contracts with a third party auditor to validate these controls on a regular basis.

Conclusion

The protection of your data is a primary design consideration for all of Google’s infrastructure, products and personnel operations. Our scale of operations and collaboration with the security research community enable Google to address vulnerabilities quickly or prevent them entirely.

We believe that Google can offer a level of protection that very few public cloud providers or private enterprise IT teams can match. Because protecting data is core to Google’s business, we can make extensive investments in security, resources and expertise at a scale that others cannot. Our investment frees you to focus on your business and innovation. Data protection is more than just security. Google’s strong contractual commitments make sure you maintain control over your data and how it is processed, including the assurance that your data is not used for advertising or any purpose other than to deliver Cloud Platform services.

For these reasons and more, over five million organizations across the globe, including 64 percent of the Fortune 500, trust Google with their most valuable asset: their information. Google will continue to invest in our platform to allow you to benefit from our services in a secure and transparent manner.
