Risk and compliance - vendor due diligence

This page collects resources to help facilitate the completion of vendor risk assessments. We provide up-to-date information mapped to industry frameworks and compliance regimes so you can establish and maintain trust in the security measures Google Cloud puts in place.

Giving you tools to verify Google Cloud’s security

We’ve compiled resources to help answer questions we frequently receive from customers when performing vendor due diligence in the areas of risk and security. Responses fall into two categories: “Trust,” containing Google’s self-attestations and vendor security questionnaires, and “Trust but verify,” containing resources that are independently validated by third-party audits.

These resources provide:

  • Familiarity: Answers are aligned to cloud-savvy and industry-standard frameworks
  • Speed: On-demand reports deliver quicker knowledge of risk posture and shared responsibility without conducting an individual audit
  • Standardization: Standardized reports can be used by interested parties across your entire organization
Graphic with computer, magnifying glass, and check


Security/risk self-assessments

A security/risk self-assessment is a complimentary offering that documents a provider's security controls to help customers assess the security of the service.


Graphic with a clipboard and check

Trust but verify: third-party reports

Third-party audit reports

Third-party audit reports, like SOC 2 and CSA STAR (SOC 2+) are generated by auditors independent of the customer-supplier relationship. Reports evaluate security, availability, processing integrity, confidentiality, and privacy of an organization’s information systems. 

Access our publicly available audit reports, certificates, and more in our Compliance Reports Manager.

SOC and CSA STAR icons

Third-party risk management platform assessments

Third-party risk management platform (TPRM) assessments help customers gain a holistic understanding of the security posture of a specific vendor and their vendor ecosystem.

  • IHS Markit KY3P assessments, including:
    • Desktop assessment: includes a thorough remote validation of evidence across a full spectrum of Google Cloud controls 
    • Enhanced desktop assessment: a more comprehensive review of our controls to help satisfy the evidence verification provided by a data center visit
  • CyberGRX risk assessment: CyberGRX assessments lay out the cyber security posture of a third-party vendor. They help identify both inherent and residual risks so customers can quickly and confidently act to resolve and mitigate them.
IHS Markit and CyberGRX icon