// Trust & Security Report
Google Cloud (Alphabet Inc.)
Dialogflow: conversational AI platform with two product lines - Dialogflow CX (modern, Gemini-powered) and Dialogflow Essentials (legacy). Both support multilingual NLU, text and voice channels, omnichannel integration, and regional data residency. Dialogflow is composed of Google Cloud services (Speech-to-Text, Text-to-Speech, etc.).
Certifications held
9
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on cloud.google.com“Google Cloud undergoes regular third-party audits to certify individual products against SOC 2 standards.”
Verify on cloud.google.com“The Google Cloud Services ISMS has received an accredited ISO/IEC 27001 certification after undergoing an audit by an independent third party.”
Verify on cloud.google.com“Google Cloud maintains certification including ISO/IEC 27017 (Cloud Privacy standards).”
Verify on cloud.google.com“Google Cloud maintains certification including ISO/IEC 27018 (Cloud Privacy standards).”
Verify on cloud.google.com“Google Cloud maintains certification including ISO/IEC 27701 (Privacy Information Management).”
Verify on cloud.google.com“Google will assist Customer in ensuring compliance with its obligations under Articles 32 to 34 of the GDPR, by implementing and maintaining Security Measures...Google's updated data processing agreements include audit rights for the benefit of customers who are subject to the GDPR.”
Verify on cloud.google.com“Customers subject to HIPAA who want to utilize Google Cloud products in connection with Protected Health Information (PHI) must review and accept Google's Business Associate Agreement (BAA), and Google ensures covered products meet HIPAA requirements and align with ISO/IEC 27001, 27017, and 27018 certifications and SOC 2 reports.”
Verify on cloud.google.com“Google Cloud is a Level 1 PCI DSS 4.0–compliant service provider, which means it can support PCI DSS compliance needs regardless of a company's merchant level. Dialogflow can be integrated with Google's Data Loss Prevention API to handle PCI and sensitive data.”
Verify on cloud.google.com“Google Cloud maintains a comprehensive FedRAMP High P-ATO that covers more than 150 cloud services...Since Dialogflow inherits these certifications from Google Cloud's underlying infrastructure, it is covered under this broad FedRAMP authorization.”
> Show 2 unconfirmed / not-held certifications
source: cloud.google.comNo public evidence of ISO/IEC 42001 certification for Dialogflow or Google Cloud found.
source: cloud.google.comNo public evidence of CSA STAR AI certification for Dialogflow found.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Multi-region with regional residency control: Americas (US Iowa/South Carolina/Oregon, Montréal), Europe (Belgium, London, Frankfurt, Netherlands, Zurich), Asia-Pacific (Sydney, Tokyo, Mumbai, Singapore, Jakarta). AI/ML Data Location commitment available only in US and EU regions. Once region selected, cannot be changed without data export/restore.
Dialogflow Essentials has opt-in data logging where Google may retain Customer Training Data indefinitely and train machine learning models. Quote: 'When data logging is enabled, customers provide Customer Training Data to Google to develop, improve, and model Google's machine learning technology.' Google receives a 'perpetual, irrevocable right to use, de-identify and copy the Customer Training Data.' Customers can disable data logging, but previously logged data is retained by Google. Data deletion requires manual form submission. Dialogflow CX does not have automatic data logging for model training.
// Security controls
Customer-managed encryption keys (CMEK)
Available for Dialogflow CX and Dialogflow ES
docs.cloud.google.comVPC Service Controls
Available for network-level isolation and security perimeter
docs.cloud.google.comData Loss Prevention (DLP) integration
Integrated with Google Cloud DLP to detect, mask, and redact PII, PCI data, and sensitive information. No incremental costs for DLP use in Dialogflow CX.
cloud.google.comData redaction and retention controls
Security settings allow configuration of data redaction strategy, scope, and retention window. Changes take up to 1 hour to implement.
docs.cloud.google.comAccess Transparency logs
Available for monitoring authorized personnel access to customer data
docs.cloud.google.comCloud audit logging
Organizations can log all conversations to BigQuery, control data location and access via IAM
docs.cloud.google.comExternal penetration testing
Google employs external penetration testing by certified testers
docs.cloud.google.comEnd-user authentication
Dialogflow does not authenticate end-users directly; customers and third-party integrations are responsible for end-user credential management and access controls
docs.cloud.google.com// Products & data scope
data: Text conversations, voice audio, user interactions stored in project region; ML processing may occur outside region for generative features
Modern product line powered by Gemini. Supports 40+ languages, omnichannel (web, mobile, voice, email, social), multimodal (text, audio, images). Default: no data logging for training. Optional: regional data residency (US/EU/APAC). Includes visual builder, prebuilt templates, agent evaluation, tracing. Session-based pricing ($0.50/voice or chat per session with limits).
data: Text conversations, audio speech data. Opt-in data logging stores indefinitely for model training. Non-logged data encrypted at rest in region.
Legacy product line. Supports speech-to-text, text-to-speech, intent recognition. Optional enhanced speech models require opt-in data logging where Google trains on customer data. Data deletion requires manual form submission. Smaller team/startup focus. If HIPAA-covered: must not enable data logging.
// What to watch
- CRITICAL FEATURE DIFFERENCE: Dialogflow Essentials has opt-in data logging where Google trains on customer data indefinitely. This is a major privacy/compliance consideration for regulated industries. Dialogflow CX does not have automatic data logging.
- HIPAA CONCERN: HIPAA-covered entities must NOT enable data logging in Dialogflow Essentials and must sign Google's Business Associate Agreement (BAA). Documentation states: 'Customers must not have a HIPAA Business Associate Agreement (BAA) covering Protected Health Information' to enable data logging—meaning if you have a BAA, you cannot use data logging.
- DATA DELETION: Dialogflow Essentials data logging includes 'indefinite retention' by default. Customers wanting to delete training data must submit a manual form request; this is not automatic or self-service.
- AI/ML PROCESSING EXCEPTION: Even with regional data residency selected, Dialogflow CX's generative AI features (powered by Gemini) may process data outside the selected region. AI/ML Data Location commitment is limited to US and EU only.
- NO CHILDREN'S DATA: Data logging terms explicitly prohibit data from websites/apps directed at children under 13.
- INHERITED CERTS: All Dialogflow certifications are inherited from Google Cloud's certifications—Dialogflow documentation states 'Dialogflow is comprised of other Google Cloud services, such as Speech-to-Text and Text-to-Speech, and any certifications, security controls, and government authorizations cover Dialogflow in its entirety.' No vendor-specific audit.
- NO AI GOVERNANCE CERTS: No ISO/IEC 42001 (AI Governance) or CSA STAR AI certifications found; may be relevant for AI-regulated sectors.
- MULTI-VENDOR INTEGRATION RISK: Data passed through third-party integrations and webhooks may be handled per those providers' privacy policies—outside Dialogflow's control.
// At a glance
Pricing model
Session-based usage pricing (Dialogflow CX: $0.50/voice or chat session with limits). Pay-as-you-go, no upfront commitment.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Google Cloud (Alphabet Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
cloud.google.com