Security, privacy, and compliance for Gemini Code Assist

This document describes the controls that support the security of Gemini Code Assist. These controls can also help you meet the privacy and regulatory requirements that apply to your business.

Security, privacy, and compliance for Google Cloud services are a shared responsibility. For example, Google secures the infrastructure that Google Cloud services run on, and provides you with tools such as access controls to let you manage who has access to your services and resources. For more information about how we secure the infrastructure, see the Google infrastructure security design overview.

Gemini Code Assist architecture

The following diagram shows the components of the Gemini Code Assist architecture.

[Diagram: Gemini Code Assist architecture]

The components include the following:

  • In your on-premises environment, your application developers install a Cloud Code extension for Visual Studio Code or a JetBrains IDE. Developers use this extension to interact with Gemini Code Assist.
  • By default, the extension uses an encrypted TLS connection over the internet to connect from your on-premises environment to Google Cloud. To create a dedicated secured connection between your on-premises environment and Google Cloud, you can configure Cloud VPN or Cloud Interconnect.
  • Within your Google Cloud environment, you can set up a VPC Service Controls service perimeter. VPC Service Controls lets you define security policies that prevent access to Google-managed services outside of a trusted perimeter, block access to data from untrusted locations, and mitigate data exfiltration risks.
  • Your Google Cloud project where you enabled the Gemini Code Assist service. Gemini Code Assist uses the Gemini for Google Cloud API to process conversations. The Gemini for Google Cloud API doesn't have access to any of the other APIs or resources in your project.

Alternatively, if your organization uses Cloud Workstations, developers can install the Cloud Code extensions on their workstations. For more information, see Code with Gemini Code Assist.

Unlike most Google Cloud APIs, the Gemini for Google Cloud API is developed for Google-provided clients only. This API enables those clients to access the stateless LLMs that power Gemini Code Assist. These LLM instances are shared by all Google customers who enable the Gemini for Google Cloud API.

Deployment security controls

This section describes some of the security controls for Gemini Code Assist on Google Cloud.

Authentication

Gemini Code Assist requires that your application developers authenticate to Google Cloud to verify their identity and access privileges. You must set up each developer with a user account that is managed by Cloud Identity, Google Workspace, or an identity provider that you've federated with Cloud Identity or Google Workspace. For more information, see Overview of identity and access management.

After you create the accounts, consider the following security best practices:

Access controls

You can use Identity and Access Management (IAM) to control application developer access to Gemini Code Assist. To manage IAM roles at scale, we recommend that you create a group for your application developers and grant the IAM roles or permissions that are required for Gemini Code Assist to that group. We don't recommend granting IAM roles to individual users because individual assignments can increase the complexity of managing and auditing roles.

When you assign roles to your application developer group, ensure that you abide by the principle of least privilege and other IAM security best practices.

Use the processes in your existing identity provider for group creation and membership. For more information about setting up IAM, see IAM overview.

For more information about the IAM roles that are required for Gemini Code Assist, see Set up Gemini Code Assist for a project. For information about the minimum permissions that your application developers require, see Advanced setup tasks.

To audit administrative and access activities, see Gemini for Google Cloud.
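The two recommendations above, granting the Gemini roles to a group rather than to individual users and keeping that grant to least privilege, can be checked mechanically against the project's IAM policy. The following Python is an added example, not part of Google's documentation or tooling. It reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and reports bindings that deviate from the guidance: direct `user:` grants, public grants, a missing required role, or a basic role such as Editor held by the developer group. The role names it looks for are assumptions to confirm against Set up Gemini Code Assist for a project: roles/cloudaicompanion.user is the Gemini for Google Cloud User role, and roles/serviceusage.serviceUsageConsumer is listed with it in the setup guide. The policy embedded in the block is constructed sample data.

```python
"""Audit a project's IAM policy for Gemini Code Assist access.

Added example, not part of Google's documentation or tooling. It checks the
policy shape the text above recommends: the Gemini roles are granted to the
developer group rather than to individual users, nobody holds them publicly,
and the group holds no role broader than it needs.

Assumptions to verify against the setup guide for your project:
  - GEMINI_ROLES: roles/cloudaicompanion.user is the Gemini for Google Cloud
    User role; roles/serviceusage.serviceUsageConsumer is listed with it in
    the setup guide. Adjust the set if the guide for your edition differs.
  - The policy is the JSON printed by
    `gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json

GEMINI_ROLES = {
    "roles/cloudaicompanion.user",
    "roles/serviceusage.serviceUsageConsumer",
}

# Basic roles are far broader than a developer group needs just to use Gemini.
OVERLY_BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample policy (not captured from a real project). It contains
# one direct user grant and one basic role on the group, both of which the
# audit should flag.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {
            "role": "roles/cloudaicompanion.user",
            "members": ["group:app-developers@example.com", "user:alice@example.com"],
        },
        {
            "role": "roles/serviceusage.serviceUsageConsumer",
            "members": ["group:app-developers@example.com"],
        },
        {
            "role": "roles/editor",
            "members": ["group:app-developers@example.com"],
        },
    ],
    "etag": "sample-etag",
    "version": 1,
})


def audit_policy(policy_json, developer_group):
    """Return a list of findings; an empty list means the policy matches the guidance.

    developer_group is an IAM member string such as "group:app-developers@example.com".
    """
    policy = json.loads(policy_json)
    findings = []
    granted_to_group = set()

    for binding in policy.get("bindings", []):
        role = binding["role"]
        members = binding.get("members", [])

        if role in GEMINI_ROLES:
            for member in members:
                if member.startswith("user:"):
                    findings.append(
                        f"{role} is granted directly to {member}; grant it to the group instead"
                    )
                elif member in ("allUsers", "allAuthenticatedUsers"):
                    findings.append(f"{role} is granted to {member}; remove the public grant")
            if developer_group in members:
                granted_to_group.add(role)

        if role in OVERLY_BROAD_ROLES and developer_group in members:
            findings.append(
                f"{developer_group} holds {role}; Gemini Code Assist needs only "
                + ", ".join(sorted(GEMINI_ROLES))
            )

    # The group must hold every required role, or developers cannot use Gemini at all.
    for role in sorted(GEMINI_ROLES - granted_to_group):
        findings.append(f"{developer_group} is missing {role}")

    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, "group:app-developers@example.com"):
        print(finding)
```

Against the sample policy the audit reports two findings: the direct grant to user:alice@example.com and the Editor role on the group. To run it against a real project, save the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` to a file and pass its contents to `audit_policy` along with your developer group's member string; a clean policy returns an empty list.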

Network security

By default, Google applies protections to data in transit for all Google Cloud services, including Gemini Code Assist.

The main connection is the connection between your application developer workstations and Google Front End (GFE). GFE is our globally distributed system that routes traffic between the Google network and the outside world. Gemini Code Assist uses this connection to receive and respond to developer prompts. By default, this connection is protected using TLS. For more information about default network protections, see Encryption in transit.

If required by your organization, you can configure additional security controls to further protect traffic on the Google Cloud network and traffic between the Google Cloud network and your corporate network.

Consider the following:

For more information about network security best practices, see Secure your network and Decide the network design for your Google Cloud landing zone.

Data protection and privacy

This section describes how Gemini Code Assist and the extensions protect your data and privacy.

Customer Data

Customer Data is defined in the Google Cloud Terms of Service. For information about how we process and protect Customer Data, see the Cloud Data Processing Addendum (Customers).

For example, Gemini Code Assist and the extensions transmit the following Customer Data:

  • Prompt data, which includes developer queries
  • Response data from Gemini Code Assist
  • Additional context, such as the current conversation history, snippets of files that are open in the IDE, snippets of files that are stored adjacent to the open file, and cursor location in the current file

Because Gemini Code Assist is a stateless Google Cloud service, it doesn't store prompts and responses in Google Cloud. If required, you can set up Gemini Code Assist to store user input and responses in a Cloud Logging bucket. For more information, see View Gemini logs. To monitor Gemini Code Assist usage, see Monitor Gemini for Google Cloud usage.

For information about how Google Cloud encrypts data at rest, see Default encryption at rest.

Service Data

Service Data is defined in the Google Cloud Privacy Notice.

Examples of Service Data that is collected by Gemini Code Assist include the following:

  • User analytics (data about the developer's actions)
  • Telemetry data
  • Google feedback

Telemetry data includes data that describes the technical operation of the product. Examples of telemetry data include the following:

  • An event indicating that a request was made (but not the contents of the request)
  • An event indicating that a response was received (but not the contents of the response)
  • A user's reaction to the response (for example, whether the user accepted or rejected the response)
  • The character count length of accepted suggestions
  • A user's interaction with various UI elements

Gemini Code Assist engineers have access to telemetry data to help with continual product improvements.

You can customize the information that you choose to include in your Google feedback form (including a choice to share or withhold specific logs). To view your feedback history, see Your feedback reports.

Where data is processed

Gemini Code Assist uses the global Google Edge Network to receive data for processing. Typically, processing occurs at the data center that is closest to the request's geographic origin, but regionality is not guaranteed.

Data privacy

To help protect the privacy of your data, Gemini Code Assist conforms to Google's privacy commitment with generative AI technologies. This commitment includes items such as the following:

  • Google doesn't use your data to train our models without your permission.
  • We incorporate privacy principles in the development of Gemini Code Assist, such as those described in Common Privacy Principles.

For more information about our AI principles, see Google AI Principles.

Google acts as a data processor for all Customer Data that Gemini Code Assist handles, for example when personalizing experiences and recommendations, troubleshooting issues, and maintaining the service. Google acts as a data controller for information such as billing, account management, and abuse detection. For more information, see Google Cloud Privacy Notice.

Certifications

Gemini Code Assist has received the following certifications:

For more information about Google Cloud compliance with different regulatory frameworks and certifications, see the compliance resource center.

Using Gemini Code Assist securely

In general, Google recommends using a secure software development lifecycle (SDLC) for developing applications, regardless of whether you're using AI coding assistance. For more information about SDLC best practices, see What is DevOps? Research and Solutions and SLSA.

Gemini Code Assist is a Generative AI Indemnified Service. If you are challenged on copyright grounds after using content generated by Gemini Code Assist, we assume certain responsibility for the potential legal risks involved. For full details about the indemnity, see our Service Specific Terms or read our blog post on this issue.

What's next

Learn about generative AI, privacy, and Google Cloud (PDF).