// Trust & Security Report

    Google LLC (Firebase) logo

    Google LLC (Firebase)

    Firebase is Google's mobile and web app development platform (15+ products) including Firestore, Cloud Functions, Authentication, Cloud Storage, Realtime Database, Hosting, Analytics, Crashlytics, App Distribution, Remote Config, A/B Testing, Cloud Messaging, Performance Monitoring, ML Kit, and AI Logic.

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001
    HELD

    All Firebase services have successfully completed the ISO 27001 evaluation process. ISO 27001 Certification is available for review demonstrating compliance by Google with its obligations under Terms of Service.

    Verify on firebase.google.com
    SOC 2
    HELD

    All Firebase services have successfully completed the ISO 27001 and SOC 1, SOC 2, and SOC 3 evaluation process, and some have also completed the ISO 27017 and ISO 27018 certification process. Firebase's own trust page states 'SOC 2' generically and does not specify Type I versus Type II; the SOC 2 report is available under NDA via the Compliance Reports Manager (SOC 3 is publicly downloadable on firebase.google.com).

    Verify on firebase.google.com
    SOC 1
    HELD

    All Firebase services have successfully completed the ISO 27001 and SOC 1, SOC 2, and SOC 3 evaluation process.

    Verify on firebase.google.com
    ISO 27017
    HELD

    Some have also completed the ISO 27017 and ISO 27018 certification process for select Firebase services.

    Verify on firebase.google.com
    ISO 27018
    HELD

    Some have also completed the ISO 27017 and ISO 27018 certification process for select Firebase services.

    Verify on firebase.google.com
    GDPR
    HELD

    Firebase complies with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and the UK Extension as set forth by the US Department of Commerce regarding collection, use and retention of personal information from the EEA, Switzerland and the UK.

    Verify on firebase.google.com
    > Show 4 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    No public evidence of a PCI DSS attestation on Firebase's own trust page (firebase.google.com/support/privacy), which enumerates only ISO 27001, SOC 1/2/3, ISO 27017 and ISO 27018. PCI DSS is documented at the Google Cloud infrastructure level for the underlying Cloud Firestore and Cloud Functions services under a shared-responsibility model, but is not asserted by Firebase directly.

    source: firebase.google.com
    HIPAA
    NOT CONFIRMED

    Unless otherwise specified in writing by Google, Google does not intend use of the Services to create obligations under the Health Insurance Portability and Accountability Act, as amended ("HIPAA"), and makes no representations that the Services satisfy HIPAA requirements. If you are (or become) a "covered entity" or "business associate" as defined in HIPAA, you will not use the Services for any purpose or in any manner involving transmitting protected health information to Google unless you have received prior written consent to such use from Google. Some underlying services may be brought under a BAA at the Google Cloud level, but Firebase itself is not HIPAA-covered.

    source: firebase.google.com
    FedRAMP
    NOT CONFIRMED

    No public evidence that Firebase products are named in a FedRAMP authorization. Google Cloud maintains a FedRAMP High authorization covering a defined list of Google Cloud services, and Firebase products do not appear in that published scope on Google's own FedRAMP documentation.

    source: cloud.google.com
    ISO 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification for Firebase. Google provides AI data governance controls but has not published ISO 42001 certification for Firebase services.

    source: firebase.google.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region and single-region options available: Europe (Belgium, Netherlands, Finland), North America (Iowa, Oklahoma, South Carolina, Northern Virginia, Oregon, Los Angeles, Toronto, Dallas), Asia (Mumbai, Singapore, Hong Kong, Taiwan, Tokyo, Seoul), Australia (Sydney, Melbourne), Africa (Johannesburg), Middle East (Doha, Dammam, Tel Aviv). Note: Region selection is permanent once set.

    Google explicitly does NOT train or improve underlying GenAI models (Gemini, Search, etc.) on customer data without permission. Firebase AI Logic (Gemini API) offers zero data retention option. Customer data remains under customer control.

    // Security controls

    Encryption in Transit

    HTTPS (SSL/TLS) with ephemeral elliptic curve Diffie-Hellman key exchange signed with RSA and ECDSA

    firebase.google.com

    Encryption at Rest

    Several Firebase services encrypt data at rest in addition to transit encryption

    firebase.google.com

    Data Isolation

    Logically isolates customer data in multi-tenant environment on Google-owned servers

    firebase.google.com

    Access Control

    Only employees with Google Sign-In and 2-factor authentication can access personal data

    firebase.google.com

    Data Processing

    Google processes customer data solely for providing Firebase Services in accordance with Data Processing and Security Terms

    firebase.google.com

    Compliance Reports

    Compliance reports (ISO 27001, SOC 2, etc.) available through Compliance Reports Manager for customers to verify compliance

    cloud.google.com

    // Products & data scope

    Cloud FirestoreDatabase

    data: Real-time NoSQL database with multi-region and regional options

    SOC 2, ISO 27001 (Firebase trust page). PCI DSS applies at the Google Cloud infrastructure level under shared responsibility, not asserted by Firebase directly. HIPAA available only via GCP with BAA, not through Firebase. Configurable data residency.

    Cloud FunctionsCompute

    data: Serverless compute platform

    SOC 2, ISO 27001 (Firebase trust page). PCI DSS applies at the Google Cloud infrastructure level under shared responsibility, not asserted by Firebase directly. HIPAA available only via GCP with BAA, not through Firebase.

    AuthenticationIdentity

    data: User authentication and identity management

    SOC 2, ISO 27001 (Firebase trust page). HIPAA available only via GCP with BAA, not through Firebase.

    Cloud StorageStorage

    data: Object storage for unstructured data

    SOC 2, ISO 27001 (Firebase trust page). PCI DSS applies at the Google Cloud infrastructure level under shared responsibility, not asserted by Firebase directly. HIPAA available only via GCP with BAA, not through Firebase.

    Realtime DatabaseDatabase

    data: Real-time NoSQL database

    Has separate Firebase terms (not pure GCP). Data residency options: US, Europe, Asia-Pacific.

    Firebase HostingHosting

    data: Static and dynamic web hosting

    ISO 27001, SOC 2, SOC 3 certified. Covered under Firebase terms.

    Firebase AnalyticsAnalytics

    data: App usage analytics and events

    Has separate Firebase terms, not governed by GCP Terms. Certification coverage may differ.

    Firebase CrashlyticsMonitoring

    data: Crash reporting and error tracking

    ISO 27001 certified. Covered under Firebase terms.

    Firebase AI LogicAI/ML

    data: Access to Gemini API and Vertex AI models

    Zero data retention option available. Does NOT train models on customer data. Supports enterprise AI features.

    Firebase Remote ConfigConfig Management

    data: Dynamic feature and configuration management

    ISO 27001 certified. Covered under Firebase terms.

    // What to watch

    • HIPAA misleading claim: Firebase marketing emphasizes 'security' and 'backed by Google', but HIPAA support is limited to GCP products accessed with BAA, NOT Firebase console. This creates identity/scope confusion.
    • Product-level certification gaps: Analytics and Realtime Database have separate Firebase terms (not GCP), so certification coverage differs from GCP services. Documentation does not clearly specify which products fall under which certification scope.
    • FedRAMP absent for Firebase: While Google Cloud is FedRAMP High authorized, Firebase is NOT specifically listed. Customers seeking FedRAMP should use Google Cloud directly, not Firebase.
    • No ISO 42001 (AI governance): Firebase offers Gemini integration but has not published ISO 42001 certification. AI governance relies on general Data Privacy Frameworks rather than dedicated AI standards.
    • Region lock-in: Firestore region selection is permanent after provisioning - no migration path documented. Impacts compliance portability.
    • Over-claim risk: Firebase homepage states 'trusted by millions' and 'backed by Google' but does not clearly delineate which certs apply to which products. Small vendors or teams may assume all Firebase products carry all certifications.

    // At a glance

    Pricing model

    Freemium with pay-as-you-go for production use. $300 free credit for new accounts.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Google LLC (Firebase)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    firebase.google.com

    > Browse all vendor trust reports