Google Cloud compliance
Our products regularly undergo independent verification of their security, privacy, and compliance controls, achieving certifications, attestations, and audit reports to demonstrate compliance. We’ve also created resource documents and mappings for compliance support when formal certifications or attestations may not be required or applied.
- Google Cloud certifications and the compliance standards that we satisfy
- General information about regional and sector-specific regulations
- The latest industry news and best practices updates
- Documentation to aid your own reporting and compliance efforts
Certifications / attestations / reports
An independent third-party auditor has granted a formal certification, attestation, or audit report based on an assessment that affirms our compliance with these offerings.
Cloud Computing Compliance Controls Catalog (C5) | CSA STAR | Spain Esquema Nacional de Seguridad (ENS) | EU Cloud Code of Conduct | FedRAMP | FIPS 140-2 Validated | HDS | HITRUST CSF | Higher Education Cloud Vendor Assessment Tool (HECVAT) | Independent Security Evaluators (ISE) Audit | Information System Security Management and Assessment Program (ISMAP) | IRAP (Information Security Registered Assessors Program) | ISAE 3000 Type 2 Report (FINMA) | ISO/IEC 27001 | ISO/IEC 27017 | ISO/IEC 27018 | ISO/IEC 27701 | MTCS (Singapore) Tier 3 | OSPAR | PCI DSS | SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c) | SOC 1 | SOC 2 | SOC 3 | SWIPO Data Portability Code of Conduct | Thailand ETDA B.E. 2563 | TISAX | U.S. Defense Information Systems Agency Provisional Authorization
Laws / regulations
Cloud service providers can’t provide formal certification of our customers’ compliance with these laws and regulations. But we work hard, via our products, technical capabilities, guidance documents and legal commitments, to make the compliance process as easy as possible for your organization.
Argentina Personal Data Protection Law 25,326 | ACPR - Order of 3 November 2014 | Australian Privacy Principles (APPs) | BaFin Cloud Outsourcing Guidance | Bank of Italy - Circular 285 | California Consumer Privacy Act (CCPA) | COPPA (U.S.) | CSSF - Circular 17/654 | DNB Decree | ESMA - cloud outsourcing guidelines | EU Model Contract Clauses | FDIC Guidance for Managing Third Party Risk | FERPA (U.S.) | FG16/5 - FCA | FINMA Circular 2018/3 Outsourcing | FSC Insurance Outsourcing Directions | FSC Banking Outsourcing Regulations | GDPR | HIPAA | HKIA Outsourcing GL-14 | HKMA Outsourcing SA-2 | Hong Kong's Personal Data (Privacy) Ordinance (PDPO) | Indonesia Government Regulation No. 71 (GR 71) | KNF - Communication of 23 January 2020 | Korean FSC - IT Outsourcing Regulations | Lei Geral de Proteção de Dados (LGPD) | MaRisk AT 9 Outsourcing | My Number Act (Japan) | OJK Circular 21 of 2017 (SEOJK 21) | OJK Regulation No. 38 of 2016 (POJK 38) | OSFI B-10 Guideline | PHIPA | RBI Guidelines on Outsourcing | Singapore’s Personal Data Protection (PDPA) | South Africa POPI | SYSC 8 Outsourcing - FCA Handbook | The Personal Information Protection and Electronic Documents Act (PIPEDA)
Alignments / frameworks
Our products, technical capabilities, guidance documents, and legal commitments help our customers map to these frameworks and alignments. These offerings may not require formal certification or attestation, though we may rely on our certifications, attestations, and reports to help our customers map to these frameworks and alignments.
Association of Banks in Singapore (ABS) Guide | Australian Prudential Regulation Authority (APRA) Standards | CSV Guidelines (Japan) | Criminal Justice Information Services (CJIS) | CyberGRX | EBA Outsourcing Guidelines | EIOPA | FFIEC Outsourcing Handbook | Federal Reserve Guidance on Managing Outsourcing Risk | FISC (Japan) | Impact Level 4 (IL4) (Beta) | Know Your Third Party (KY3P) Report | UK’s Cloud Security Principles | MeitY - India | Monetary Authority of Singapore (MAS) Guidelines | MPA | NEN 7510 | NISC (Japan) | NIST 800-34 - Contingency Planning | NIST 800-53 | NIST 800-171 | NHS Digital Commercial Third-Party Information Governance Requirements | OCC Third Party Risk Management Guidance | Standardized Information Gathering (SIG) Questionnaire | Three Guidelines from Three Ministries (Japan) | GxP