Sensitive Data Protection pricing
This page provides pricing information for Sensitive Data Protection. Prices on this page are listed in US dollars (USD).
Sensitive Data Protection requires billing information for all accounts before you can start using the service. To sign up for billing, go to your project's billing page in the Google Cloud console.
Sensitive Data Protection charges for usage based on the following price sheet. At the end of each billing cycle, a bill is generated that lists the usage and charges for that cycle.
Prematurely canceling an ongoing operation still incurs costs for the portion of the operation that was completed.
Overview of Sensitive Data Protection pricing
Sensitive Data Protection pricing has three main components:
- Inspection and transformation pricing describes the cost to inspect and transform data through jobs and through content methods.
- Discovery pricing describes the cost to generate high-level metrics and insights about your data.
- Risk analysis pricing describes the cost to analyze sensitive data to find properties that might increase the risk of subjects being identified.
Inspection and transformation pricing
Sensitive Data Protection provides a set of features for inspecting and transforming data. Across these scenarios, you pay only for what you use, with no upfront commitments.
Inspection and transformation of data in Google Cloud storage systems
The projects.dlpJobs.create method lets you create an inspection job that inspects for sensitive data in certain Google Cloud storage systems. You are billed according to the storage inspection job pricing.
If the inspection job is also configured to de-identify the findings, then you are also billed according to the storage transformation job pricing.
Storage inspection job pricing
Sensitive Data Protection storage jobs are billed based on bytes inspected according to the following schedule:
Storage data inspected per month | Price per gigabyte (GB) |
---|---|
Up to 1 GB | Free |
1 GB to 50 terabytes (TB) | US$1.00 |
Over 50 TB | US$0.75 |
Over 500 TB | US$0.60 |
If you configure an inspection job to save findings to a BigQuery table, the billing and quota usage for the tabledata.insertAll operation are applied to the project that contains the destination table.
For more information about inspecting content stored in Google Cloud, see Inspecting storage and databases for sensitive data.
Storage transformation job pricing
Sensitive Data Protection storage jobs are billed based on bytes transformed according to the following schedule:
Storage data transformed per month | Price per gigabyte (GB) |
---|---|
Up to 1 GB | Free |
1 GB to 50 terabytes (TB) | US$1.00 |
Over 50 TB | US$0.75 |
Over 500 TB | US$0.60 |
If you choose to store the transformation details in a BigQuery table, the billing and quota usage for the tabledata.insertAll operation are applied to the project that contains the destination table.
For more information about de-identifying content stored in Google Cloud, see De-identification of sensitive data in storage.
Inspection of data from any source
The projects.dlpJobs.create method lets you create a hybrid job that inspects for sensitive data from any source, including sources outside Google Cloud. You are billed based on bytes inspected according to the following schedule:
Hybrid data inspected per month | Price per GB |
---|---|
Up to 1 GB | Free |
Over 1 GB | US$3.00 |
Over 1 TB | US$2.00 |
If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.
A minimum of 1 KB is billed per hybrid inspection request.
If you configure a hybrid inspection job to save findings to a BigQuery table, the billing and quota usage for the tabledata.insertAll operation are applied to the project that contains the destination table.
For more information about inspecting data from any source, see Hybrid jobs and job triggers.
Inspection and transformation through content methods
The content methods are listed in the following table, along with notations of the types of charges each method may be billed for:
API method | Content inspection | Content transformation |
---|---|---|
projects.image.redact | Yes | No |
projects.content.inspect | Yes | No |
projects.content.deidentify | Yes | Yes |
projects.content.reidentify | Yes | Yes |
Content inspection method pricing
Sensitive Data Protection content method pricing is billed based on bytes inspected according to the following schedule:
Content data inspected per month | Price per GB |
---|---|
Up to 1 GB | Free |
Over 1 GB | US$3.00 |
Over 1 TB | US$2.00 |
Content transformation method pricing
Sensitive Data Protection content method pricing is billed based on bytes transformed according to the following schedule:
Content data transformed per month | Price per GB |
---|---|
Up to 1 GB | Free |
Over 1 GB | US$2.00 |
Over 1 TB | US$1.00 |
If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.
A minimum of 1 KB is billed per content inspect or transform request.
Inspection and transformation: other charges and no-charge features
In addition to the billed charges directly incurred by Sensitive Data Protection, requests that are configured to invoke other Google Cloud products may result in their own billed charges. For example, the projects.content.inspect method may incur Cloud Storage charges if directed to inspect Cloud Storage objects.
Some methods can result in billed charges for either inspection, transformation, or both depending on how they are configured. This is the case for the projects.content.deidentify and projects.content.reidentify methods when, for example, transformation is configured but inspection is not. The same applies to transformation when only inspection is configured.
Simple redaction, which includes the RedactConfig and ReplaceWithInfoTypeConfig transformations, is not counted against the number of bytes transformed when infoType inspection is also configured.
Inspection and transformation pricing examples
This section contains several example inspection and transformation usage scenarios, along with pricing calculations for each.
Scenario 1: Data inspection and transformation using content methods
Suppose you have just over 10 GB of structured (tabular) data. You stream it to the DLP API, instructing Sensitive Data Protection in the request to inspect for 50 different built-in infoType detectors, and to de-identify any matches it finds by using cryptographic tokenization transformation. After performing the de-identification operation, you note that Sensitive Data Protection has matched on and transformed around 20% of the data, or around 2 GB.
Pricing:
- Inspection: 10 GB of data × US$3.00 per GB = US$30.00
- Transformation: 2 GB × US$2.00 per GB = US$4.00
- Total: US$34.00
Scenario 2: Structured data transformation only using content methods
Suppose you have a 10 GB table and want to transform three columns (user_id, email, phone_number) using cryptographic tokenization transformation. The three columns represent about 30% of the table. Because you're specifying entire columns to transform, no inspection is necessary.
Pricing:
- Inspection: 0 GB of data = US$0.00
- Transformation: 3 GB of data × US$2.00 per GB = US$6.00
- Total: US$6.00
Scenario 3: Unstructured data inspection and transformation with content methods
Suppose you have 10 GB of unstructured chat logs. You want to inspect and de-identify any infoType findings. To do so, you need to inspect the entire payload and then transform the findings. Findings make up 20% of the text.
Pricing:
- Inspection: 10 GB of data × US$3.00 per GB = US$30.00
- Transformation: 2 GB of data × US$2.00 per GB = US$4.00
- Total: US$34.00
Scenario 4: Storage repository inspection using storage jobs
Suppose you have 1,000 BigQuery tables that you want to inspect. Each table is around 1 GB, making the total size of the data 1 TB. Not wanting or needing to scan the entirety of every table, you've turned on sampling so that just 1,000 rows of each table are scanned. Each row is roughly 10 KB.
Pricing:
- Data to inspect: 1,000 tables × 1,000 rows per table × 10 KB per row = 10 GB total scanned
- Total: 10 GB × US$1.00 per GB = US$10.00
Scenario 5: Storage repository inspection and transformation using storage jobs
Suppose you have 5 GB of structured (tabular) and unstructured (freeform) text data in a Cloud Storage bucket. You create an inspection job that instructs Sensitive Data Protection to inspect for 25 different built-in infoType detectors and to de-identify any matches it finds by using cryptographic tokenization transformation. After performing the de-identification operation, you note that Sensitive Data Protection has matched on and transformed 25% of the data, or 1.25 GB.
Pricing:
- Inspection: 5 GB of data × US$1.00 per GB = US$5.00
- Transformation: 1.25 GB × US$1.00 per GB = US$1.25
- Total: US$6.25
Discovery pricing
This section describes the cost to generate data profiles. Data profiles are high-level metrics and insights about your data. For information about the types of data that the discovery service can profile, see Supported resources.
Sensitive Data Protection offers a choice of two pricing modes for the discovery service:
- Consumption pricing mode. In consumption pricing mode, you are charged for the number of bytes of data profiled.
- Subscription pricing mode. In subscription mode, you choose how much compute capacity to reserve for discovery, measured in units. Your profiles are generated within that capacity, and you pay for that capacity continuously every second it's deployed. You have this capacity until you cancel your subscription.
  There is no charge for bytes profiled in this pricing mode.
  The subscription pricing mode offers predictable and consistent costs, regardless of your data growth.
By default, you are billed according to the consumption pricing mode.
Discovery pricing comparison table
Pricing mode | High-level pricing details |
---|---|
Consumption pricing mode | In this pricing mode, Sensitive Data Protection charges US$0.03 per GB of profiled data. Charges are capped and minimum charges apply depending on the type of data resource profiled. For more information, see Consumption pricing mode. |
Subscription pricing mode | In this pricing mode, Sensitive Data Protection charges US$2,500 per subscription unit. For more information, see Subscription pricing mode. A default organization-level discovery subscription is included at no charge with the purchase of a Security Command Center Enterprise subscription. For more information, see Discovery pricing for Security Command Center customers on this page. |
Discovery: consumption pricing mode
The following sections describe how Sensitive Data Protection charges you for discovery operations if you don't purchase a discovery subscription for your organization or project.
Consumption pricing mode for BigQuery and BigLake discovery
- BigQuery: Sensitive Data Protection charges US$0.03 per GB of BigQuery data profiled. The billable bytes per table is equal to the table's size or 3 TB, whichever is lower.
- BigLake: Each BigLake table profiled—regardless of its actual size—is billed as a 300 GB table at US$0.03 per GB.
Consumption pricing mode for Cloud SQL discovery
Sensitive Data Protection charges US$0.03 per GB of Cloud SQL data profiled, with a minimum of US$0.01 for each table. The billable bytes per table is equal to the table's size or 3 TB, whichever is lower.
Consumption pricing mode for Cloud Storage discovery
Sensitive Data Protection charges US$0.03 per GB of data profiled. The charge for each bucket is capped at 3 TB of data. For example, if two buckets are profiled, the charges are capped at 6 TB of data.
You aren't charged for files that Sensitive Data Protection failed to scan, such as corrupt files and files that are password-protected. You are charged US$0.03 per GB for each bucket that is empty or that has no supported file types. For information about the supported file types, see File clusters.
When you profile Cloud Storage data, Cloud Storage charges apply regardless of your pricing mode. For more information, see Discovery for Cloud Storage on this page.
Consumption pricing mode for Vertex AI discovery
Sensitive Data Protection charges depend on where your training data is stored—Cloud Storage or BigQuery.
Training data in Cloud Storage
Sensitive Data Protection charges US$0.03 per GB of training data profiled. The charge for each dataset is capped at 3 TB of data. For example, if two datasets are profiled, the charges are capped at 6 TB worth of data.
You aren't charged for files that Sensitive Data Protection failed to scan, such as corrupt files and files that are password-protected. You are charged US$0.03 for each Vertex AI dataset that is empty or that has no supported training data. For information about the supported file types, see File clusters.
In addition, Cloud Storage charges apply. For more information, see Sensitive data discovery for Vertex AI.
Training data in BigQuery
Sensitive Data Protection charges US$0.03 per GB of training data profiled. The billable bytes per table is equal to the table's size or 3 TB, whichever is lower.
Consumption pricing mode examples
This section contains example usage scenarios related to data profiling, along with pricing calculations.
These examples are based on the default profiling frequency.
Scenario 1: Organization-wide data profiling
Suppose you have 10 TB of data across your entire organization. Each month, you add the following:
- 1 TB of data in new tables.
- 1 TB of data in new columns in existing tables. This amounts to 5 TB of data representing tables with schema changes.
Month 1: Profiles are created for all your data
Data | Price |
---|---|
Starting data: 10 TB of data is profiled. 10,000 GB x US$0.03 | US$300.00 |
1 TB of data is added as new tables (picked up daily) over the month. Profiling is triggered shortly after the new tables are added. 1,000 GB x US$0.03 | US$30.00 |
5 TB of data representing tables with schema changes. Reprofiling is scheduled for the next month. | US$0 |
Total | US$330.00 |
Month 2: Tables with schema changes are reprofiled
Data | Price |
---|---|
Starting data: 12 TB total. 5 TB of data is set for reprofiling due to tables with schema changes last month. When a table is set for reprofiling, the entire table is reprofiled. Charges are based on the total table size. 5,000 GB x US$0.03 | US$150.00 |
1 TB of data is added as new tables (picked up daily) over the month. Profiling is triggered shortly after the new tables are added. 1,000 GB x US$0.03 | US$30.00 |
5 TB of data representing tables with schema changes. Reprofiling is scheduled for the next month. | US$0 |
Total | US$180.00 |
Scenario 2: Organization-wide data profiling with static data schema
Suppose you have 5 TB of data across your entire organization. Each month, you add 1 TB of new data in new tables. Existing tables have no schema changes (no new columns), but do have additional rows.
Month 1: Profiles are created for all your data
Data | Price |
---|---|
Starting data: 5 TB of data is profiled. 5,000 GB x US$0.03 | US$150.00 |
1 TB of data is added as new tables (picked up daily) over the month. Profiling is triggered shortly after the new tables are added. 1,000 GB x US$0.03 | US$30.00 |
Total | US$180.00 |
Month 2: Only new tables are profiled
Data | Price |
---|---|
Static data: 6 TB. Because existing tables remain unchanged, a new scan is not triggered. | US$0 |
1 TB of data is added as new tables (picked up daily) over the month. 1,000 GB x US$0.03 | US$30.00 |
Total | US$30.00 |
Discovery: subscription pricing mode
A subscription unit is a reservation of compute capacity that Sensitive Data Protection uses to generate a profile.
Sensitive Data Protection charges US$2,500 per subscription unit.
Data resources profiled per subscription unit
The throughput of profile generation depends on the complexity and type of the data to be profiled. Determining factors include the following:
- Presence of large custom dictionaries (not recommended for profiling).
- Table type. A BigLake table uses five times the capacity of a non-BigLake table.
To estimate the amount of data that can be profiled for each subscription unit, refer to the following table. Multiply the token—10,000—by the multiplier, and then multiply that by the number of subscription units that you want to purchase.
Resource | Token | Multiplier | Estimated number of profiles per subscription unit |
---|---|---|---|
Standard table¹ | 10,000 | 1 | 10,000 |
BigLake table | 10,000 | 0.2 | 2,000 |
File store² | 10,000 | 0.05 | 500 |
Vertex AI dataset using BigQuery training data | 10,000 | 1 | 10,000 |
Vertex AI dataset using Cloud Storage training data³ | 10,000 | 0.05 | 500 |
¹ BigQuery or Cloud SQL tables.
² Sensitive Data Protection uses the term file store to refer to a file storage bucket. File stores that are empty or that have no supported file types still consume capacity. For such a file store, you consume the equivalent capacity of .05 file stores.
³ Vertex AI datasets that are empty or that don't reference supported file types still consume capacity. For such a dataset, you consume the equivalent capacity of .05 datasets.
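The consumption-mode rules above and this capacity table, applied to an inventory of data resources, as an added example that is not Google's code. The resource kind names, function names and sample sizes are constructed for illustration, and 1 TB is treated as 1,000 GB as in the page's scenarios.

```python
import math
from collections import Counter
from decimal import Decimal
from fractions import Fraction

# Rates and caps as stated on this page (US$).
PRICE_PER_GB = Decimal("0.03")     # consumption mode, per GB profiled
CAP_GB = Decimal(3000)             # 3 TB cap (assumes 1 TB = 1,000 GB)
BIGLAKE_BILLED_GB = Decimal(300)   # each BigLake table is billed as 300 GB
CLOUD_SQL_MIN = Decimal("0.01")    # minimum charge per Cloud SQL table
UNIT_PRICE = Decimal(2500)         # price per subscription unit

# Estimated profiles per subscription unit = token (10,000) x multiplier.
# The kind names are labels chosen for this example.
PROFILES_PER_UNIT = {
    "bigquery": 10_000,      # standard table, multiplier 1
    "cloud_sql": 10_000,     # standard table, multiplier 1
    "biglake": 2_000,        # multiplier 0.2
    "cloud_storage": 500,    # file store, multiplier 0.05
}


def consumption_charge(kind, size_gb):
    """Consumption-mode charge for profiling one resource once.

    size_gb is the data that was actually scanned; empty buckets and
    files that failed to scan are not modelled here.
    """
    if kind not in PROFILES_PER_UNIT:
        raise ValueError(f"unknown resource kind: {kind}")
    if kind == "biglake":
        # Billed as a 300 GB table regardless of actual size.
        return BIGLAKE_BILLED_GB * PRICE_PER_GB
    billable_gb = min(Decimal(str(size_gb)), CAP_GB)
    charge = billable_gb * PRICE_PER_GB
    if kind == "cloud_sql":
        charge = max(charge, CLOUD_SQL_MIN)
    return charge


def consumption_total(inventory):
    """Sum of consumption-mode charges for (kind, size_gb) pairs."""
    return sum((consumption_charge(k, s) for k, s in inventory), Decimal(0))


def units_for_full_coverage(inventory):
    """Subscription units whose estimated capacity covers every resource.

    Exact fractions avoid float rounding at the unit boundary.
    """
    counts = Counter(kind for kind, _ in inventory)
    load = sum(Fraction(n, PROFILES_PER_UNIT[k]) for k, n in counts.items())
    return math.ceil(load)


# Constructed sample inventory: (kind, size in GB).
SAMPLE_INVENTORY = [
    ("bigquery", 500),        # 500 GB x 0.03
    ("bigquery", 4000),       # capped at 3,000 GB
    ("biglake", 20),          # billed as 300 GB
    ("cloud_sql", 0.1),       # below the US$0.01 minimum
    ("cloud_storage", 5000),  # bucket capped at 3,000 GB
]

if __name__ == "__main__":
    units = units_for_full_coverage(SAMPLE_INVENTORY)
    print("consumption mode: US$", consumption_total(SAMPLE_INVENTORY))
    print("subscription units:", units, "-> US$", units * UNIT_PRICE)
```

Purchasing fewer units than `units_for_full_coverage` returns is allowed, but the configured profiling frequency might then not be followed.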
For information about charges from other products or services that are directly related to Sensitive Data Protection discovery operations, see the following:
- Discovery for Cloud Storage data: See Discovery for Cloud Storage on this page.
- Discovery for Vertex AI data: See Sensitive data discovery for Vertex AI.
- Discovery for Amazon S3 data: See Sensitive data discovery for Amazon S3.
- All discovery types: See Pricing for exporting data profiles on this page.
Subscription scope
The scope of a subscription is either an organization or a project. An organization-level subscription doesn't apply to a project-level scan configuration.
Subscription term
The initial term of the subscription is one month. After the initial month, you are billed on a monthly basis, and you can cancel or edit the subscription at any time.
- You can't delete or reduce units of a monthly subscription during the first month.
- After the first month, you can delete or change subscription units at any time, and you will be charged only for the minutes your subscription was active.
- If you don't cancel the subscription, you continue to be charged.
Example
Suppose you purchased a subscription unit at 6:00:00 on October 5. The following apply:
- You start being charged at that moment.
- You can't cancel or reduce your subscription until 6:00:00 on November 4.
- If you cancel at 7:10:10 on November 5, you will be charged for the month plus one day, one hour, ten minutes, and ten seconds (from 6:00:00 on October 5 to 7:10:10 on November 5).
Expiration of a subscription term
At the conclusion of the subscription's initial term, billing will continue from month to month and the subscription will remain in place.
Purchase a subscription
1. In the Google Cloud console, go to the Subscriptions page.
2. Select the project or organization that you want to purchase a subscription for.
   If you purchase an organization-level subscription, that subscription doesn't apply when you create a project-level scan configuration. Similarly, if you purchase a project-level subscription, the subscription applies only to the project.
3. Next to Pricing mode, click Switch to subscriptions.
4. Follow the prompts to complete the purchase.
Monitoring utilization
Capacity is distributed evenly among the resources to be profiled. The maximum number of profiles that can be generated per day depends on the number of subscription units that you purchased.
In the API/Service Details page for Sensitive Data Protection, you can view how much capacity you have used for your subscription.
![Capacity used for profiling per day](https://cloud.google.com/static/sensitive-data-protection/docs/images/subscription-monitoring.png?authuser=19)
In this example, the customer has purchased a subscription of size 1. They have the capacity to profile approximately 333 standard tables or 66 BigLake tables or 16 file stores a day. These numbers aren't hard per-day limits. As resources become available throughout the month's subscriptions, you may see some fluctuations in use.
Under-provisioned capacity
When deciding how many subscription units to purchase, you can choose to under-provision your capacity. For example, you can purchase one subscription unit even if your total current table count exceeds 10,000. However, if you under-provision capacity, the profiling frequency that you set in your scan configuration might not be followed.
If the amount of data to be profiled exceeds your allotted capacity, Sensitive Data Protection places the data resources to be profiled in an internal queue and profiles them as capacity becomes available throughout the month. You can't control which data resources are profiled first.
Error handling
In some cases, profiles might be generated with errors and still consume capacity. The following are a few scenarios where this issue can occur; this isn't an exhaustive list.
- The data resources to be profiled are within VPC Service Controls boundaries.
- The service agent is missing Identity and Access Management permissions.
- Configuration changes were made to the discovery scan configuration or inspection templates.
These errors can still consume your capacity because the system still performs work to attempt to generate profiles. You will get a partial profile with information about why Sensitive Data Protection could not generate the full profile.
Discovery for Cloud Storage
In addition to Sensitive Data Protection charges, you also incur Cloud Storage charges when you profile Cloud Storage data. This section describes the types of Cloud Storage charges that you can incur.
Class A and Class B operations
You are charged for the Class A and Class B operations that Sensitive Data Protection performs in the process of profiling your buckets. Sensitive Data Protection uses the following operations:
- Class A: storage.objects.list
- Class B: storage.buckets.get and storage.buckets.getIamPolicy
For information about how much Cloud Storage charges for Class A and Class B operations, see Operation charges in the Cloud Storage documentation.
Retrieval fees
For objects that have a non-Standard storage class, you are charged for retrieval fees. For information about how much Cloud Storage charges for data retrieval, see Retrieval fees in the Cloud Storage documentation.
Discovery: BigQuery billing and quota consumption
The process of profiling BigQuery data doesn't incur BigQuery charges or consume BigQuery quota. However, standard BigQuery charges and quotas apply when you export the data profiles to a BigQuery table.
Discovery: pricing for exporting data profiles
The following table shows billing and quota consumption for your usage of other Google Cloud services when you export data profiles to those services. You configure exporting by turning on certain actions in your discovery scan configuration.
Action | Quota consumption | Charges |
---|---|---|
Publish to Google Security Operations | Not applicable | Depending on your contract, Google SecOps may charge for data ingestion or storage. Contact your Google Cloud account manager for more information. |
Publish to Security Command Center | Not applicable | Security Command Center charges may apply, depending on your service tier.¹ |
Save data profile copies to BigQuery | Consumes BigQuery quota in the service agent container² or the project to be profiled³. | Standard BigQuery charges apply. The charges are applied to the service agent container² or the project to be profiled³. |
Publish to Pub/Sub | Consumes Pub/Sub quota in the service agent container² or the project to be profiled³. | Standard Pub/Sub charges apply. The charges are applied to the service agent container² or the project to be profiled³. |
Send to Dataplex as tags | Not applicable | Dataplex metadata storage charges and API charges apply. |
¹ Sensitive Data Protection works with Security Command Center in all service tiers.
² When you profile data at the organization or folder level, charges and quota consumption are applied to the service agent container.
³ When you profile data at the project level, charges and quota consumption are applied to the project to be profiled.
Discovery pricing for Security Command Center customers
For Security Command Center customers, your use of the Sensitive Data Protection discovery service is charged depending on your Security Command Center service tier:
- Security Command Center Enterprise customers: You have a discovery subscription at no charge from Sensitive Data Protection. Your discovery capacity is dynamically allocated based on your processing needs.
- Security Command Center Premium and Standard customers: Sensitive Data Protection charges apply based on your chosen discovery pricing mode.
Risk analysis
Risk analysis uses resources in BigQuery and charges appear as BigQuery usage. Sensitive Data Protection does not add any additional charges for risk analysis.
Risk analysis jobs are created using the projects.dlpJobs.create method with the following configuration objects:
Controlling costs
Depending on the quantity of information that you instruct Sensitive Data Protection to scan, it is possible for costs to become prohibitively high. To learn several methods that you can use to keep costs down while also ensuring that you're using Sensitive Data Protection to scan the exact data that you intend to, see Keeping Sensitive Data Protection costs under control.
What's next
- Read the Sensitive Data Protection documentation.
- Get started with Sensitive Data Protection.
- Learn about Sensitive Data Protection solutions and use cases.