Document AI Security & Compliance
How does Google protect and ensure the security of the data I send to Document AI?
Please refer to the Google Cloud Security page which describes the security measures in place for Google Cloud Services.
What security horizontals does Document AI support?
Document AI supports the following security horizontals:
- Data Residency
- VPC Service Controls (VPC-SC)
- Access Transparency
- Customer-managed encryption keys (CMEK)
What compliance does Document AI offer?
Google Cloud undergoes regular independent third-party audits to verify alignment with security, privacy, and compliance controls. Google Cloud has regular audits for standards such as ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3, and PCI DSS.
You can read more about Google Cloud compliance on the Compliance resource center
Is Document AI HIPAA compliant?
Document AI is HIPAA compliant.
Does Google use customer data to improve the model(s)?
No. Google does not use any of your content (such as documents and predictions) for any purpose except to provide you with the Document AI service.
Currently, Google does not use the content you send to train and improve our Document AI features such as its machine perception models.
For more information, see this blog post: Sharing our data privacy commitments for the AI era
Will Google share the document I send to Document AI?
We will not make the document that you send available to the public, or share it with anyone else, except as necessary to provide the Document AI service. For example, sometimes, we may need to use a third-party vendor to help us provide some aspect of our services, such as storage or transmission of data, who will be under appropriate security and confidentiality contractual obligations. We will not share the document that you send with any other parties, or make it public, for any other purpose.
Will the document I send to Document AI, the results or other information about the request itself, be stored on Google servers? If so, how long and where is the information kept, and do I have access to it?
When you send a document to Document AI, we must store that document for a short period of time in order to perform the analysis and return the results to you. For batch operations, the stored document is typically deleted right after the processing is done, with a failsafe Time to live (TTL) from a few hours to up to 7 days. For online (immediate response) operations, the document data is processed in memory and not persisted to disk. Google also temporarily logs some metadata about your Document AI API requests (such as the time the request was received and the size of the request) to improve our service and combat abuse.
Does Google claim ownership of the content I send in the request to Document AI
Google does not claim any ownership in any of the content (including documents and predictions) that you transmit to Document AI.
What is considered Personally Identifiable Information (PII) that needs to be redacted on documents before being shared with Google?
For document sharing purposes, PII is any information defined as Personal Data under applicable laws. Customers must redact the documents prior to sharing them with Google.
Examples of PII include but are not limited to:
- Date of Birth
- Names of individuals
- Personal Address
- E-mail Address of individuals
- Telephone Number(s) of individuals
- Drivers License Number
- National ID number
- Drivers License Number
- Employer Identification Number
- Bank Account Information - Account IDs, Routing Numbers, SWIFT IDs, etc. of third parties
- Payment Card Numbers
- Usernames, ID Numbers of third parties
- Passport Number
- Marital Status
- Number of Allowances/Exemptions
- Dependent Names
- Vehicle Identifiers (VIN, License Plates, etc.)
- Any other unique identifying number, characteristic or code of an individual that could identify an individual consumer, family, or device over time or across services.
Can I resell the Document AI API?
No, you are not permitted to resell Document AI service.
You can still integrate Document AI into applications of independent value.