Control packages
Assured Workloads provides control packages to support the creation of compliant boundaries in Google Cloud. A control package is a set of controls that, when combined together, supports the regulatory baseline for a compliance statute or regulation. These controls include mechanisms to enforce data residency, data sovereignty, personnel access, and more.
Control packages are organized into control package families according to the type of controls they provide:
- Regional controls provide data residency with optional personnel controls and regional support.
- Sovereign controls provide data residency, personnel controls, regional support, and enhanced controls for data sovereignty such as Cloud External Key Manager (Cloud EKM), Cloud HSM, and Key Access Justifications. Additional partner-managed control packages are available through Sovereign Controls by Partners.
- Regulatory controls provide certified controls tailored to meet specific regulatory and compliance statute requirements.
This page provides more information about each control package and control package available in Assured Workloads, which are available in two pricing tiers: Free and Premium. See Assured Workloads pricing for more information about these tiers.
Regional controls
Control package | Description | Pricing tier |
---|---|---|
Australia Regions | The Australia Regions control package sets data location controls to support Australia-only regions. | Free |
Australia Regions with Assured Support | The Australia Regions with Assured Support control package sets data location controls to support Australia-only regions. Support access and technical support are set to personnel who are located in five specific countries (United States, Canada, Australia, New Zealand, and United Kingdom), regardless of whether support is provided by Google or a Subprocessor. | Premium |
Brazil Regions | The Brazil Regions control package sets data location controls to support Brazil-only regions. | Free |
Canada Regions | The Canada Regions control package sets data location controls to support Canada-only regions. | Free |
Canada Regions and Support | The Canada Regions and Support control package sets data location controls to support Canada-only regions. Support access controls for first-level and second-level support are set to personnel who are legally eligible to work in Canada and physically located within the country of Canada, regardless of whether support is provided by Google or a Subprocessor. | Premium |
Chile Regions | The Chile Regions control package sets data location controls to support Chile-only regions. | Free |
EU Regions | The EU Regions control package sets data location controls to support EU-only regions. | Free |
EU Regions and Support | The EU Regions and Support control package sets data location controls to support EU-only regions. Support access controls for first-level and second-level support are set to personnel who are EU personnel based in the EU, regardless of whether support is provided by Google or a Subprocessor. | Premium |
Hong Kong Regions | The Hong Kong Regions control package sets data location controls to support Hong Kong-only regions. | Free |
India Regions | The India Regions control package sets data location controls to support India-only regions. | Free |
Indonesia Regions | The Indonesia Regions control package sets data location controls to support Indonesia-only regions. | Free |
Israel Regions | The Israel Regions control package sets data location controls to support Israel-only regions. | Free |
Israel Regions and Support | The Israel Regions and Support control package sets data location controls to support Israel-only regions. Support access controls for first-level and second-level support are set to personnel who are either security-cleared Israeli Personnel located in Israel or US Persons who have completed enhanced background checks located in the US, regardless of whether support is provided by Google or a Subprocessor. | Premium |
Japan Regions | The Japan Regions control package sets data location controls to support Japan-only regions. | Premium |
Qatar Regions | The Qatar Regions control package sets data location controls to support Qatar-only regions. | Free |
Singapore Regions | The Singapore Regions control package sets data location controls to support Singapore-only regions. | Free |
South Africa Regions | The South Africa Regions control package sets data location controls to support South Africa-only regions. | Free |
South Korea Regions | The South Korea Regions control package sets data location controls to support South Korea-only regions. | Free |
Switzerland Regions | The Switzerland Regions control package sets data location controls to support Switzerland-only regions. | Free |
Taiwan Regions | The Taiwan Regions control package sets data location controls to support Taiwan-only regions. | Free |
UK Regions | The UK Regions control package sets data location controls to support UK-only regions. | Free |
US Regions | The US Regions control package sets data location controls to support US-only regions. | Free |
US Regions and Support | The US Regions and Support control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who are US Persons and are located in the US, regardless of whether support is provided by Google or a Subprocessor. | Premium |
Sovereign controls
See Sovereign Controls by Partners for additional partner-managed control packages.
Control package | Description | Pricing tier |
---|---|---|
Sovereign Controls for EU | The Sovereign Controls for EU control package sets data location
controls to support
EU-only regions.
Support access controls for first-level and second-level support are
set to personnel who are based in the EU, regardless of whether
support is provided by Google or a
Subprocessor, and provides data
residency and data sovereignty assurances for EU-based customers.
For more information, see Restrictions and limitations in Sovereign Controls for EU. |
Premium |
Sovereign Controls for Kingdom of Saudi Arabia (KSA) | The Sovereign Controls for Kingdom of Saudi Arabia control
package is restricted to customers with a billing address that is
located outside of KSA, whether for a business, residence, or a
domicile. This control package sets data location controls to
support the
me-central2 region.
For more information, see Restrictions and limitations in Sovereign Controls for Kingdom of Saudi Arabia (KSA). |
Premium |
Regulatory controls
Control package | Description | Pricing tier |
---|---|---|
Criminal Justice Information Systems (CJIS) | The CJIS control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who have completed state-sponsored background checks and are located in the US, regardless of whether support is provided by Google or a Subprocessor. This means that Assured Workloads support cases are restricted to CJIS-adjudicated first-level and second-level support staff located in the US. Escorted session controls are also used to supervise and monitor support actions by non-adjudicated staff. See the CJIS compliance card for more information. | Premium |
FedRAMP High | The FedRAMP High control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who have completed enhanced background checks and are located in the US, regardless of whether support is provided by Google or a Subprocessor. This means that Assured Workloads support cases are restricted to FedRAMP-adjudicated first-level and second-level support staff located in the US. See the FedRAMP compliance card For more information. | Premium |
FedRAMP Moderate | The FedRAMP Moderate control package sets support access controls for first-level support personnel who have completed enhanced background checks, regardless of whether support is provided by Google or a Subprocessor. This means that Assured Workloads support cases are restricted to FedRAMP-adjudicated first-level support staff. See the FedRAMP compliance card for more information. | Free |
Healthcare and Life Sciences Controls | The Healthcare and Life Sciences Controls control package supports
data location controls restricted to
US-only regions.
Each in-scope service must meet the following requirements:
|
Free |
Healthcare and Life Sciences Controls with US Support | The Healthcare and Life Sciences Controls with US Support control
package supports data location controls restricted to
US-only regions.
Each in-scope service must meet the following requirements:
See Restrictions and limitations for Healthcare and Life Sciences Controls for more information. |
Premium |
Impact Level 2 (IL2) | The IL2 control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who have completed enhanced background checks, are US Persons, and are located in the United States, regardless of whether support is provided by Google or a Subprocessor. See the United States Defense Information Systems compliance card for more information. | Premium |
Impact Level 4 (IL4) | The IL4 control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who have completed enhanced background checks, are US Persons, and are located in the United States, regardless of whether support is provided by Google or a Subprocessor. See the United States Defense Information Systems compliance card for more information. | Premium |
Impact Level 5 (IL5) | The IL5 control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who have completed enhanced background checks, are US Persons, and are located in the United States, regardless of whether support is provided by Google or a Subprocessor. See the United States Defense Information Systems compliance card for more information. | Premium |
International Traffic in Arms Regulations (ITAR) | The ITAR control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who are US Persons, and are located in the US, regardless of whether support is provided by Google or a Subprocessor. This means that Assured Workloads support cases are restricted to US Persons for first-level and second-level support staff located in the US. For more information, see the following pages: | Premium |
IRS Publication 1075 | The IRS 1075 control package sets data location controls to support US-only regions. Support access controls for first-level and second-level support are set to personnel who have completed fingerprint-based CJIS background checks, state-level law enforcement checks, and citizenship verification, regardless of whether support is provided by Google or a Subprocessor. This means that Assured Workloads support cases are restricted to background checked first-level and second-level support staff located in the US. Escorted session controls are also used to supervise and monitor support actions by non-background checked staff. | Premium |
What's next
- Learn how to create an Assured Workloads folder
- Learn more about controlling access to data by personnel
- Learn which products are supported for each control package