Independent Audits of Infrastructure, Services, and Operations
Our customers and regulators expect independent verification of security, privacy and compliance controls. Google undergoes several independent third party audits on a regular basis to provide this assurance. This means that an independent auditor has examined the controls present in our data centers, infrastructure and operations.
Google has annual audits for the following standards:
- SSAE16 / ISAE 3402 Type II:
- ISO 27001, one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes and data centers serving Google Cloud Platform. The ISO 27001 Certificate for Google Cloud Platform is here. Google has also earned the ISO 27001 certification for Google's shared Common Infrastructure. The ISO 27001 Certificate for Common Infrastructure is here.
- ISO 27017, Cloud Security, This is an international standard of practice for information security controls based on ISO/IEC 27002 specifically for cloud services.
Our ISO 27017 Certificate is here.
- ISO 27018, Cloud Privacy, This is an international standard of practice for protection of personally identifiable information (PII) in public clouds services.
Our ISO 27018 Certificate is here.
- FedRamp ATO for Google App Engine
- PCI DSS v3.1
Google’s third party audit approach is designed to be comprehensive in order to provide assurances of Google’s level of information security with regard to confidentiality, integrity and availability. Customers may use these third party audits to assess how Google’s products can meet their compliance and data-processing needs.
Google Cloud Platform will also support HIPAA covered customers by entering into a Business Associates Agreement. The Cloud Platform BAA currently covers Compute Engine, Cloud Storage, Cloud SQL for MySQL, Cloud Dataproc, Genomics, BigQuery, Container Engine, Container Registry, Cloud Dataflow, Cloud Bigtable, Cloud Pub/Sub, Cloud Translation API, and Cloud Speech API. Learn more about HIPAA compliance.
Google Cloud has completed the Cloud Security Alliance (CSA) STAR Self-Assessment. Learn more here.
Google Cloud Platform and the EU Data Protection Directive
As part of Google’s rigorous privacy and compliance standards and commitment to our customers, Google Inc. is certified under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. In addition, Google offers Cloud Platform customers EU model contract clauses as a method to meet the adequacy and security requirements of the EU Data Protection Directive.
The European Union's data protection authorities have concluded that Google's model contract clauses meet EU regulatory expectations, confirming that Google Cloud services provide sufficient commitments to frame international data
flows from Europe to the rest of the world. For details on the approval of the Google Cloud from the Article 29 Working Party, please see the respective decisions for G Suite and the Google Cloud Platform.
Learn more about EU Data Protection.
MPAA Best Practices Guidelines
Picture Association of America (MPAA) has created a best practices guideline
for cloud providers. Under a shared security model, customers using Google Cloud
Platform can configure their cloud services to support these best practices.
While not a formal certification, the control aspects of the guidelines map closely
to Google’s existing third party audited core compliance programs, including
ISO 27108, and
CSA STAR certifications.
This document details the MPAA
controls that Google Cloud Platform supports. Google contracts with a third party
auditor to validate these controls on a regular basis.