SOC 3

Google Cloud regularly undergoes third-party audits for our products, systems, and infrastructure related to this standard. The SOC 3 reports are generated by an objective third party attesting to a set of assertions made by Google Cloud about its controls that are in place to protect customer data. The audit firm’s evaluation includes comprehensive testing of the design and operating effectiveness of the controls within the audit period. 

Customers may use the SOC 3 report to assess the risks arising from interactions with the assessed Google Cloud and Google Workspace systems throughout the period.

The core Google Cloud and Google Workspace SOC 3 reports are issued semi-annually and can be downloaded via the Compliance Reports Manager. The coverage periods and issuance dates for these reports are:

• First half of the year
• Coverage period: May 1 - April 30
• Estimated issuance: mid-June
• Second half of the year 
• Coverage period: November 1 - October 31
• Estimated issuance: mid-December

We issue separate SOC 3 reports for a small subset of Google Cloud products, including AppSheet, Backup and Disaster Recovery, Google Cloud VMware Engine, Bare Metal Solution, Google Security Operations SOAR, and Looker (Google Cloud core). These reports are issued annually and customers can obtain these reports by contacting sales or support.

Google Cloud does not issue bridge letters for SOC 3. If a bridge letter is needed, please refer to the bridge letters that are issued for the related SOC 2 report.