Compliance resource center
Google Cloud’s industry-leading security, third-party audits and certifications, documentation, and legal commitments help support your compliance.
Google Cloud compliance
Our products regularly undergo independent verification of their security, privacy, and compliance controls, achieving certifications, attestations, and audit reports to demonstrate compliance. We’ve also created resource documents and mappings for compliance support when formal certifications or attestations may not be required or applied.
- Google Cloud certifications and the compliance standards that we satisfy
- General information about regional and sector-specific regulations
- The latest industry news and best practices updates
- Documentation to aid your own reporting and compliance efforts
Certifications / attestations / reports
An independent third-party auditor has granted a formal certification, attestation, or audit report based on an assessment that affirms our compliance with these offerings.
Australia Hosting Certification Framework - DTA HCF | Cloud Computing Compliance Controls Catalog (C5) | CSA | Spain Esquema Nacional de Seguridad (ENS) | EU Cloud Code of Conduct | FedRAMP | FIPS 140-2 Validated | GSMA SAS-SM | HDS | HITRUST CSF | Higher Education Cloud Vendor Assessment Tool (HECVAT) | Independent Security Evaluators (ISE) Audit | Information System Security Management and Assessment Program (ISMAP) | IRAP (Information Security Registered Assessors Program) | ISAE 3000 Type 2 Report (FINMA) | ISO 9001:2015 | ISO 22301:2019 | ISO 50001:2018 | ISO/IEC 27001 | ISO/IEC 27017 | ISO/IEC 27018 | ISO/IEC 27701 | JIIMA | K-ISMS (Korea) | Microfin | Minimum Acceptable Risk Standards for Exchanges (MARS-E) | MTCS (Singapore) Tier 3 | NCSC - Cyber Essentials Plus (UK) | OSPAR | PCI 3DS Core Security Standard | PCI DSS | SNI 27001 | StateRAMP | SOC 1 | SOC 2 | SOC 3 | SWIPO Data Portability Code of Conduct | ETDA (Thailand) | TISAX | TruSight | U.S. Defense Information Systems Agency Provisional Authorization | VPAT (WCAG, U.S. Section 508, EN 301 549)
Laws / regulations
Cloud service providers can’t provide formal certification of our customers’ compliance with these laws and regulations. But we work hard, via our products, technical capabilities, guidance documents and legal commitments, to make the compliance process as easy as possible for your organization.
ACPR (France) | Act on the Protection of Personal Information (Japan) | APRA Prudential Standard CPS 234 | PDPL (Argentina) | APPs (Australia) | BaFin Cloud Outsourcing Guidance | Banco de España | Banco de Portugal | Bank Negara (Malaysia) | Bank of Italy | Bank of Thailand (BOT) | BCRA (Argentina) | BRSA (Turkey) | BSP (Philippines) | BWG (Austria) | California Consumer Privacy Act (CCPA) | Central Bank of Brazil (Brazil) | Central Bank of Ireland (Ireland) | CNBV (Mexico) | CNSF (Mexico) | CMF (Chile) | COPPA (U.S.) | CSSF (Luxembourg) | De Nederlandsche Bank (the Netherlands) | DSA (Bangladesh) | ESMA (EU) | EU Standard Contractual Clauses | Export Administration Regulations (EAR) | FDIC (US) | FERPA (U.S.) | FG16/5 - FCA | FINMA (Switzerland) | Financial Superintendence of Colombia | FSA (Denmark) | FSC Insurance Outsourcing Directions | FSC Banking Outsourcing Regulations | GDPR | GLBA | GR 95/2018 guidelines | GxP | HIPAA | IA (Hong Kong) | HKMA (Hong Kong) | MAMPU (Malaysia) | PDPO (Hong Kong) | Indonesia Government Regulation No. 71 (GR 71) | IRDAI (India) | IRS 1075 | International Traffic in Arms Regulations (ITAR) | KNF (Poland) | FSC (Korea) | Lei Geral de Proteção de Dados (LGPD) | MaRisk AT 9 Outsourcing | MAS TRM Guidelines | NERC CIP | OIC (Thailand) |OJK Circular 21 of 2017 (SEOJK 21) | OJK Regulation No. 38 of 2016 (POJK 38) | OSFI (Canada) | PDPA (Malaysia) | PDPA (Philippines) | PDPA (Taiwan) | PDPA (Thailand) | PIPA (Korea) | PHIPA (Canada) | PRA (UK) | RBI (India) | Reserve Bank of New Zealand (New Zealand) | revFADP (Switzerland) | SEC (US) | Securities and Exchange Board of India (SEBI) | SFSA (Sweden) | PDPA (Singapore) | South Africa POPI | StateRAMP | State Bank of Vietnam | Superintendencia de Banca (Peru) | SYSC 8 Outsourcing - FCA Handbook | The Privacy Act (New Zealand) | PIPEDA (Canada) | VAG (Austria)
Alignments / frameworks
Our products, technical capabilities, guidance documents, and legal commitments help our customers map to these frameworks and alignments. These offerings may not require formal certification or attestation, though we may rely on our certifications, attestations, and reports to help our customers map to these frameworks and alignments.
APRA Prudential Standard CPS 231 | ABS (Singapore) | PMDA (Japan) | Criminal Justice Information Services (CJIS) | CyberGRX | EBA (EU) | EIOPA (EU) | FFIEC (US) | FED (US) | FISC (Japan) | ISO/IEC 27110 | Know Your Third Party (KY3P) Report | NCSC - Cloud Security (UK)| MeitY (India) | Monetary Authority of Singapore (MAS) Guidelines | MPA | MVSP | NEN (Netherlands) | NISC (Japan) | NIST 800-34 - Contingency Planning | NIST 800-53 | NIST 800-171 | NHS (UK) | OCC (US) | PiTuKri | Standardized Information Gathering (SIG) Questionnaire | StateRAMP | USDM Life Sciences | 2G3M (Japan)