Compliance and security controls

This page provides a high-level view of the compliance certifications and security controls that are supported by Vertex AI Search. For Vertex AI Agents, see Dialogflow compliance and security controls.

Certifications

Vertex AI Search and the RAG APIs are compliant as follows:

Compliance certification | Vertex AI Search Standard Edition | Vertex AI Search Enterprise Edition | RAG APIs*
HIPAA
ISO 27001, ISO 27017, ISO 27018, and ISO 27701
SOC 1, SOC 2, SOC 3

* The RAG APIs are ranking, grounded generation, and check grounding.

Vertex AI Search Pre-GA offerings are included in the Google Cloud Business Associate Agreement (BAA). If you will be using Vertex AI Search to store or process Protected Health Information in a manner subject to the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and/or any amendments or regulations under HIPAA, you must enter into an appropriate BAA with Google. For more information, see HIPAA Compliance on Google Cloud.

Security controls

Vertex AI Search supports the security controls listed in the following table. Some of the controls are in Preview. The CMEK controls are only available in the Enterprise Edition.

Security controls compliance | Standard Edition | Enterprise Edition
Data Residency (DRZ) | ✔ US and EU multi-region APIs only | ✔ US and EU multi-region APIs only
Customer-managed encryption keys (CMEK) | | US and EU multi-region APIs only *
VPC Service Controls
Access Transparency | ✔ US and EU multi-regions only | ✔ US and EU multi-regions only

* Using external key manager (EKM) or hardware security module (HSM) with CMEK is in GA with allowlist.

The following table identifies which RAG APIs don't support the security controls.

Security controls compliance | Ranking API | Grounded generation API | Check grounding API
Data Residency (DRZ) | N/A | N/A | N/A
Customer-managed encryption keys (CMEK) | N/A | N/A | N/A
VPC Service Controls
Access Transparency

What's next

Learn more about Google Cloud compliance.