// Trust & Security Report

    Google Cloud (Alphabet Inc.) logo

    Google Cloud (Alphabet Inc.)

    Dialogflow: conversational AI platform with two product lines - Dialogflow CX (modern, Gemini-powered) and Dialogflow Essentials (legacy). Both support multilingual NLU, text and voice channels, omnichannel integration, and regional data residency. Dialogflow is composed of Google Cloud services (Speech-to-Text, Text-to-Speech, etc.).

    Certifications held

    9

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Google Cloud undergoes regular third-party audits to certify individual products against SOC 2 standards.

    Verify on cloud.google.com
    ISO 27001
    HELD

    The Google Cloud Services ISMS has received an accredited ISO/IEC 27001 certification after undergoing an audit by an independent third party.

    Verify on cloud.google.com
    ISO 27017
    HELD

    Google Cloud maintains certification including ISO/IEC 27017 (Cloud Privacy standards).

    Verify on cloud.google.com
    ISO 27018
    HELD

    Google Cloud maintains certification including ISO/IEC 27018 (Cloud Privacy standards).

    Verify on cloud.google.com
    ISO 27701
    HELD

    Google Cloud maintains certification including ISO/IEC 27701 (Privacy Information Management).

    Verify on cloud.google.com
    GDPR
    HELD

    Google will assist Customer in ensuring compliance with its obligations under Articles 32 to 34 of the GDPR, by implementing and maintaining Security Measures...Google's updated data processing agreements include audit rights for the benefit of customers who are subject to the GDPR.

    Verify on cloud.google.com
    HIPAA
    HELD

    Customers subject to HIPAA who want to utilize Google Cloud products in connection with Protected Health Information (PHI) must review and accept Google's Business Associate Agreement (BAA), and Google ensures covered products meet HIPAA requirements and align with ISO/IEC 27001, 27017, and 27018 certifications and SOC 2 reports.

    Verify on cloud.google.com
    PCI DSS
    HELD

    Google Cloud is a Level 1 PCI DSS 4.0–compliant service provider, which means it can support PCI DSS compliance needs regardless of a company's merchant level. Dialogflow can be integrated with Google's Data Loss Prevention API to handle PCI and sensitive data.

    Verify on cloud.google.com
    FedRAMP High
    HELD

    Google Cloud maintains a comprehensive FedRAMP High P-ATO that covers more than 150 cloud services...Since Dialogflow inherits these certifications from Google Cloud's underlying infrastructure, it is covered under this broad FedRAMP authorization.

    Verify on cloud.google.com
    > Show 2 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification for Dialogflow or Google Cloud found.

    source: cloud.google.com
    CSA STAR AI
    NOT CONFIRMED

    No public evidence of CSA STAR AI certification for Dialogflow found.

    source: cloud.google.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Multi-region with regional residency control: Americas (US Iowa/South Carolina/Oregon, Montréal), Europe (Belgium, London, Frankfurt, Netherlands, Zurich), Asia-Pacific (Sydney, Tokyo, Mumbai, Singapore, Jakarta). AI/ML Data Location commitment available only in US and EU regions. Once region selected, cannot be changed without data export/restore.

    Dialogflow Essentials has opt-in data logging where Google may retain Customer Training Data indefinitely and train machine learning models. Quote: 'When data logging is enabled, customers provide Customer Training Data to Google to develop, improve, and model Google's machine learning technology.' Google receives a 'perpetual, irrevocable right to use, de-identify and copy the Customer Training Data.' Customers can disable data logging, but previously logged data is retained by Google. Data deletion requires manual form submission. Dialogflow CX does not have automatic data logging for model training.

    // Security controls

    Encryption at rest

    Yes - Google Cloud default encryption for all data at rest

    cloud.google.com

    Encryption in transit

    Yes - TLS encryption for all data in transit

    cloud.google.com

    Customer-managed encryption keys (CMEK)

    Available for Dialogflow CX and Dialogflow ES

    docs.cloud.google.com

    VPC Service Controls

    Available for network-level isolation and security perimeter

    docs.cloud.google.com

    Data Loss Prevention (DLP) integration

    Integrated with Google Cloud DLP to detect, mask, and redact PII, PCI data, and sensitive information. No incremental costs for DLP use in Dialogflow CX.

    cloud.google.com

    Data redaction and retention controls

    Security settings allow configuration of data redaction strategy, scope, and retention window. Changes take up to 1 hour to implement.

    docs.cloud.google.com

    Access Transparency logs

    Available for monitoring authorized personnel access to customer data

    docs.cloud.google.com

    Cloud audit logging

    Organizations can log all conversations to BigQuery, control data location and access via IAM

    docs.cloud.google.com

    External penetration testing

    Google employs external penetration testing by certified testers

    docs.cloud.google.com

    End-user authentication

    Dialogflow does not authenticate end-users directly; customers and third-party integrations are responsible for end-user credential management and access controls

    docs.cloud.google.com

    // Products & data scope

    Dialogflow CXConversational AI / Chatbots

    data: Text conversations, voice audio, user interactions stored in project region; ML processing may occur outside region for generative features

    Modern product line powered by Gemini. Supports 40+ languages, omnichannel (web, mobile, voice, email, social), multimodal (text, audio, images). Default: no data logging for training. Optional: regional data residency (US/EU/APAC). Includes visual builder, prebuilt templates, agent evaluation, tracing. Session-based pricing ($0.50/voice or chat per session with limits).

    Dialogflow EssentialsConversational AI / Chatbots

    data: Text conversations, audio speech data. Opt-in data logging stores indefinitely for model training. Non-logged data encrypted at rest in region.

    Legacy product line. Supports speech-to-text, text-to-speech, intent recognition. Optional enhanced speech models require opt-in data logging where Google trains on customer data. Data deletion requires manual form submission. Smaller team/startup focus. If HIPAA-covered: must not enable data logging.

    // What to watch

    • CRITICAL FEATURE DIFFERENCE: Dialogflow Essentials has opt-in data logging where Google trains on customer data indefinitely. This is a major privacy/compliance consideration for regulated industries. Dialogflow CX does not have automatic data logging.
    • HIPAA CONCERN: HIPAA-covered entities must NOT enable data logging in Dialogflow Essentials and must sign Google's Business Associate Agreement (BAA). Documentation states: 'Customers must not have a HIPAA Business Associate Agreement (BAA) covering Protected Health Information' to enable data logging—meaning if you have a BAA, you cannot use data logging.
    • DATA DELETION: Dialogflow Essentials data logging includes 'indefinite retention' by default. Customers wanting to delete training data must submit a manual form request; this is not automatic or self-service.
    • AI/ML PROCESSING EXCEPTION: Even with regional data residency selected, Dialogflow CX's generative AI features (powered by Gemini) may process data outside the selected region. AI/ML Data Location commitment is limited to US and EU only.
    • NO CHILDREN'S DATA: Data logging terms explicitly prohibit data from websites/apps directed at children under 13.
    • INHERITED CERTS: All Dialogflow certifications are inherited from Google Cloud's certifications—Dialogflow documentation states 'Dialogflow is comprised of other Google Cloud services, such as Speech-to-Text and Text-to-Speech, and any certifications, security controls, and government authorizations cover Dialogflow in its entirety.' No vendor-specific audit.
    • NO AI GOVERNANCE CERTS: No ISO/IEC 42001 (AI Governance) or CSA STAR AI certifications found; may be relevant for AI-regulated sectors.
    • MULTI-VENDOR INTEGRATION RISK: Data passed through third-party integrations and webhooks may be handled per those providers' privacy policies—outside Dialogflow's control.

    // At a glance

    Pricing model

    Session-based usage pricing (Dialogflow CX: $0.50/voice or chat session with limits). Pay-as-you-go, no upfront commitment.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Google Cloud (Alphabet Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    cloud.google.com

    > Browse all vendor trust reports