G Suite
Hosting Security and Compliance
G Suite is hosted in Google’s own data centers.
G Suite complies with a number of cybersecurity certifications, regulations, and assessments. Many of these programs require an independent agency to audit activities. You can find more explicit details about the agencies and methods used in Google’s documentation, sourced below.
G Suite is currently in compliance with some of the following certifications/regulations:
- FERPA - “A US federal law that protects the privacy of students’ education records, including personally identifiable and directory information.” (Source)
- HIPAA - “A US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information.” (Source)
- ISO 9001:2015 - “an international standard that establishes the criteria for a quality management system.” (Source)
- ISO 27001:2013 - “The ISO/IEC 27000 family of standards outlines hundreds of controls and control mechanisms to help organizations of all types and sizes keep information assets secure.” (Source)
- PCI DSS - A standard outlining guidelines for any entity that stores, processes, or transmits cardholder data. (Source)
- SOC 2 & 3 - “A standard for controls that safeguard the confidentiality and privacy of information stored and processed in the cloud.” Please note that G Suite has only SOC 2 and SOC 3 reports. (Source)
Descriptions for the above programs are sourced from Microsoft’s compliance documentation. Google lists G Suite compliance programs on their security page, under the Compliance, EDiscovery, and Analytics heading.
G Suite Policies
Google provides an extensive document detailing all their security and compliance operations and policies. You can find it here: https://gsuite.google.com/learn-more/security/security-whitepaper/page-1.html
Security and Infrastructure
The documentation provides a detailed summary of Google’s security operation procedures.
Key Points
- Standard monitoring, vulnerability and incident management, and malware prevention are practiced as a part of operations.
- Data centers are secured and monitored to prevent data loss and trespassing.
- All data center equipment, including networking, is custom-built by Google and designed solely to provide Google services.
- Data is secured both at rest (backups, file storage, etc.) and in transit. Specific encryption details can be found in this guide: https://cloud.google.com/security/encryption-in-transit
- Data and content created in or uploaded to G Suite remain the property of the content owner, not Google. This data is not handled or scanned by Google.
- Data that is deleted from G Suite is removed permanently within 180 days.
- G Suite users can request or download their data from Google using provided tools and guides.
- There is no advertising in G Suite Core Services.