Two of the most common topics of questions regarding Google in general, and Google Apps specifically, are security and privacy. We take both topics very seriously and truly believe that our offerings are a great option for customers on both fronts. Our business is built on our users' trust: trust in our ability to properly secure their data and our commitment respect the privacy of the information they place in our systems by not giving that information to others or using it inappropriately.
For the full Security & Privacy FAQs as they relate to Google Apps, visit this site.
Google Apps is also governed by a detailed Privacy Policy, which ensures we will not inappropriately share or use personal information placed in our systems.
- The Google Apps Terms of Service contractually ensures that your institution (or students, faculty, and staff) are the sole owners of their data.
- Because customers own the data they put into Google Apps, we believe it should be easy for your users to move their data in and out of our systems.
- The controls, processes and policies that protect user data in our systems have obtained a SAS 70 Type II attestation and will continue to seek similar attestation.
- Google complies with applicable US privacy law, and the Google Apps Terms of Service can specifically detail our obligations and compliance with FERPA (Family Educational Rights and Privacy Act) regulations.
- Google is registered with the US-EU Safe Harbor agreement, which helps ensure that our data protection compliance meets European Union standards for educational institutions.
Here are some of the most common security and privacy questions:
Who owns the data that organizations put into Google Apps?
To put it simply, Google does not own your data. We do not take a position on whether the data belongs to the institution signing up for Apps, or the individual user (that's between the two of you), but we know it doesn't belong to us!
The data you put into our systems is yours, and we believe it should stay that way. We think that means three key things.
- We won't share your data with others except as noted in our Privacy Policy.
- We keep your data as long as you require us to keep it.
- Finally, you should be able to take your data with you if you choose to use external services in conjunction with Google Apps or stop using our services altogether.
Where is my organization's data stored?
Your data will be stored in Google's network of data centers. Google maintains a number of geographically distributed data centers, the locations of which are kept discreet for security purposes. Google's computing clusters are designed with resiliency and redundancy in mind, eliminating any single point of failure and minimizing the impact of common equipment failures and environmental risks.
Access to data centers is very limited to only authorized select Google employees personnel.
Is my organizations data safe from your other customers when it is running on the same servers?
Yes. Data is virtually protected as if it were on its own server. Unauthorized parties cannot access your data. Your competitors cannot access your data, and vice versa. In fact, all user accounts are protected via this virtual lock and key that ensures that one user cannot see another user's data. This is similar to how customer data is segmented in other shared infrastructures such as online banking applications.
Google Apps has received a satisfactory SAS 70 Type II audit. This means that an independent auditor has examined the controls protecting the data in Google Apps (including logical security, privacy, Data Center security, etc) and provided reasonable assurance that these controls are in place and operating effectively.
What does a Google Apps SAS70 Type II audit mean to me?
An independent third party auditor issued Google Apps an unqualified SAS70 Type II attestation. Google is proud to provide Google Apps administrators the peace of mind knowing that their data is secure under the SAS70 auditing industry standard.
The independent third party auditor verified that Google Apps has the following controls and protocols in place:
- Logical security: Controls provide reasonable assurance that logical access to Google Apps production systems and data is restricted to authorized individuals
- Privacy: Controls provide reasonable assurance that Google has implemented policies and procedures addressing the privacy of customer data related to Google Apps
- Data center physical security: Controls provide reasonable assurance that data centers that house Google Apps data and corporate offices are protected
- Incident management and availability: Controls provide reasonable assurance that Google Apps systems are redundant and incidents are properly reported, responded to, and recorded
- Change management: Controls provide reasonable assurance that development of and changes to Google Apps undergo testing and independent code review prior to release into production
- Organization and administration: Controls provide reasonable assurance that management provides the infrastructure and mechanisms to track and communicate initiatives within the company that impact Google Apps
Can my organization use our own authentication system to provide user access to Google Apps?
Google Apps integrates with standard web single sign-on systems using the SAML 2.0 standard. Organizations can do the integration themselves, or work with a Google partner to accomplish this.
