Control packages

Assured Workloads provides control packages to support the creation of compliant boundaries in Google Cloud. A control package is a set of controls that, when combined together, supports the regulatory baseline for a compliance statute or regulation. These controls include mechanisms to enforce data residency, data sovereignty, personnel access, and more.

Control packages are organized into control package families according to the type of controls they provide:

  • Regional controls provide data residency with optional personnel controls and regional support.
  • Sovereign controls provide data residency, personnel controls, regional support, and enhanced controls for data sovereignty such as Cloud External Key Manager (Cloud EKM), Cloud HSM, and Key Access Justifications. Additional partner-managed control packages are available through Sovereign Controls by Partners.
  • Regulatory controls provide certified controls tailored to meet specific regulatory and compliance statute requirements.

This page provides more information about each control package and control package available in Assured Workloads, which are available in two pricing tiers: Free and Premium. See Assured Workloads pricing for more information about these tiers.

Regional controls

Control package Description Pricing tier
Australia Regions The Australia Regions control package sets data location controls to support Australia-only regions. Free
Australia Regions with Assured Support The Australia Regions with Assured Support control package sets data location controls to support Australia-only regions. Support access and technical support are set to personnel who are located in five specific countries (United States, Canada, Australia, New Zealand, and United Kingdom), regardless of whether support is provided by Google or a Subprocessor. Premium
Brazil Regions The Brazil Regions control package sets data location controls to support Brazil-only regions. Free
Canada Regions The Canada Regions control package sets data location controls to support Canada-only regions. Free
Canada Regions and Support The Canada Regions and Support control package sets data location controls to support Canada-only regions. Support access controls for first-level and second-level support are set to personnel who are legally eligible to work in Canada and physically located within the country of Canada, regardless of whether support is provided by Google or a Subprocessor. Premium
Chile Regions The Chile Regions control package sets data location controls to support Chile-only regions. Free
EU Regions The EU Regions control package sets data location controls to support EU-only regions. Free
EU Regions and Support The EU Regions and Support control package sets data location controls to support EU-only regions. Support access controls for first-level and second-level support are set to personnel who are EU personnel based in the EU, regardless of whether support is provided by Google or a Subprocessor. Premium
India Regions The India Regions control package sets data location controls to support India-only regions. Free
Indonesia Regions The Indonesia Regions control package sets data location controls to support Indonesia-only regions. Free
Israel Regions The Israel Regions control package sets data location controls to support Israel-only regions. Free
Israel Regions and Support The Israel Regions and Support control package sets data location controls to support Israel-only regions. Support access controls for first-level and second-level support are set to personnel who are either security-cleared Israeli Personnel located in Israel or US Persons who have completed enhanced background checks located in the US, regardless of whether support is provided by Google or a Subprocessor. Premium
Japan Regions The Japan Regions control package sets data location controls to support Japan-only regions. Premium
Singapore Regions The Singapore Regions control package sets data location controls to support Singapore-only regions. Free
South Korea Regions The South Korea Regions control package sets data location controls to support South Korea-only regions. Free
Switzerland Regions The Switzerland Regions control package sets data location controls to support Switzerland-only regions. Free
Taiwan Regions The Taiwan Regions control package sets data location controls to support Taiwan-only regions. Free
UK Regions The UK Regions control package sets data location controls to support UK-only regions. Free
US Regions The US Regions control package sets data location controls to support US-only regions. Free
US Regions and Support The US Regions and Support control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who are US Persons and are located in the US, regardless of whether support is provided by Google or a Subprocessor. Premium

Sovereign controls

See Sovereign Controls by Partners for additional partner-managed control packages.

Control package Description Pricing tier
Sovereign Controls for EU The Sovereign Controls for EU control package sets data location controls to support EU-only regions. Support access controls for first-level and second-level support are set to personnel who are based in the EU, regardless of whether support is provided by Google or a Subprocessor, and provides data residency and data sovereignty assurances for EU-based customers.

For more information, see Restrictions and limitations in Sovereign Controls for EU.
Premium
Sovereign Controls for Kingdom of Saudi Arabia (KSA) The Sovereign Controls for Kingdom of Saudi Arabia control package is restricted to customers with a billing address that is located outside of KSA, whether for a business, residence, or a domicile. This control package sets data location controls to support the me-central2 region.

For more information, see Restrictions and limitations in Sovereign Controls for Kingdom of Saudi Arabia (KSA).
Premium

Regulatory controls

Control package Description Pricing tier
Criminal Justice Information Systems (CJIS) The CJIS control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who have completed state-sponsored background checks and are located in the US, regardless of whether support is provided by Google or a Subprocessor. This means that Assured Workloads support cases are restricted to CJIS-adjudicated first-level and second-level support staff located in the US. Escorted session controls are also used to supervise and monitor support actions by non-adjudicated staff. See the CJIS compliance card for more information. Premium
FedRAMP High The FedRAMP High control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who have completed enhanced background checks and are located in the US, regardless of whether support is provided by Google or a Subprocessor. This means that Assured Workloads support cases are restricted to FedRAMP-adjudicated first-level and second-level support staff located in the US. See the FedRAMP compliance card For more information. Premium
FedRAMP Moderate The FedRAMP Moderate control package sets support access controls for first-level support personnel who have completed enhanced background checks, regardless of whether support is provided by Google or a Subprocessor. This means that Assured Workloads support cases are restricted to FedRAMP-adjudicated first-level support staff. See the FedRAMP compliance card for more information. Free
Healthcare and Life Sciences Controls The Healthcare and Life Sciences Controls control package supports data location controls restricted to US-only regions. Each in-scope service must meet the following requirements: See Restrictions and limitations for Healthcare and Life Sciences Controls for more information. Free
Healthcare and Life Sciences Controls with US Support The Healthcare and Life Sciences Controls with US Support control package supports data location controls restricted to US-only regions. Each in-scope service must meet the following requirements: Support access controls for first-level and second-level support are set to personnel who are US Persons and are located in the US, regardless of whether support is provided by Google or a Subprocessor.

See Restrictions and limitations for Healthcare and Life Sciences Controls for more information.
Premium
Impact Level 2 (IL2) The IL2 control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who have completed enhanced background checks, are US Persons, and are located in the United States, regardless of whether support is provided by Google or a Subprocessor. See the United States Defense Information Systems compliance card for more information. Premium
Impact Level 4 (IL4) The IL4 control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who have completed enhanced background checks, are US Persons, and are located in the United States, regardless of whether support is provided by Google or a Subprocessor. See the United States Defense Information Systems compliance card for more information. Premium
Impact Level 5 (IL5) The IL5 control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who have completed enhanced background checks, are US Persons, and are located in the United States, regardless of whether support is provided by Google or a Subprocessor. See the United States Defense Information Systems compliance card for more information. Premium
International Traffic in Arms Regulations (ITAR) The ITAR control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who are US Persons, and are located in the US, regardless of whether support is provided by Google or a Subprocessor. This means that Assured Workloads support cases are restricted to US Persons for first-level and second-level support staff located in the US. For more information, see the following pages: Premium
IRS Publication 1075 The IRS 1075 control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who have completed fingerprint-based CJIS background checks, state-level law enforcement checks, and citizenship verification, regardless of whether support is provided by Google or a Subprocessor. This means that Assured Workloads support cases are restricted to background checked first-level and second-level support staff located in the US. Escorted session controls are also used to supervise and monitor support actions by non-background checked staff. Premium

What's next