// Trust & Security Report

    Google (Google Cloud) logo

    Google (Google Cloud)

    Gemini for Google Cloud — Gemini Code Assist (Standard & Enterprise)

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001
    HELD

    Gemini Code Assist Standard and Enterprise received the following certifications: International Organization for Standardization (ISO) 27001, ISO 27017, ISO 27018, and ISO 27701

    Verify on docs.cloud.google.com
    ISO/IEC 27017
    HELD

    received the following certifications: International Organization for Standardization (ISO) 27001, ISO 27017, ISO 27018, and ISO 27701

    Verify on docs.cloud.google.com
    ISO/IEC 27018
    HELD

    received the following certifications: ... ISO 27001, ISO 27017, ISO 27018, and ISO 27701

    Verify on docs.cloud.google.com
    ISO/IEC 27701
    HELD

    received the following certifications: ... ISO 27001, ISO 27017, ISO 27018, and ISO 27701

    Verify on docs.cloud.google.com
    SOC 1
    HELD

    SOC 1, SOC 2, and SOC 3

    Verify on docs.cloud.google.com
    SOC 2
    HELD

    SOC 1, SOC 2, and SOC 3

    Verify on docs.cloud.google.com
    SOC 3
    HELD

    SOC 1, SOC 2, and SOC 3

    Verify on docs.cloud.google.com
    HIPAA
    HELD

    Not asserted on the Gemini Code Assist security/privacy/compliance page. Google Cloud supports HIPAA broadly for covered services, but Gemini Code Assist's own certifications page lists only ISO 27001/27017/27018/27701 and SOC 1/2/3; HIPAA coverage for this specific product was not confirmed.

    Verify on docs.cloud.google.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Global Google Edge Network; processed at the data center closest to the request origin. Quote: 'regionality is not guaranteed.' Data residency / regional pinning is not offered for this product.

    Google does not train models on customer data without permission. Direct quote: 'Google doesn't use your data to train our models without your permission.' Prompts, responses, and IDE context are treated as Customer Data under the Cloud Data Processing Addendum, and the service is stateless: 'Because Gemini Code Assist Standard and Enterprise are stateless Google Cloud services, they don't store prompts and responses in Google Cloud.' Optional logging to a customer-controlled Cloud Logging bucket is available if the customer enables it. Note: the underlying Gemini LLMs are pre-trained on publicly available code and Google Cloud material, not on customer code. The Enterprise edition's 'code customization' augments responses with the customer's own private repos for that customer only.

    // Security controls

    Encryption in transit

    TLS by default for all connections to Google Front End (GFE). Quote: 'By default, this connection is protected using TLS.' Optional Cloud VPN / Cloud Interconnect for dedicated links.

    docs.cloud.google.com

    Encryption at rest

    Google Cloud default encryption at rest applies (when optional Cloud Logging storage is enabled).

    docs.cloud.google.com

    Network isolation

    VPC Service Controls (VPC-SC) and Private Google Access supported to define perimeters and mitigate data exfiltration.

    docs.cloud.google.com

    Identity & access

    IAM-based access control, Cloud Identity / Google Workspace / federated IdP, SSO and 2-step verification recommended.

    docs.cloud.google.com

    Audit logging

    Gemini for Google Cloud audit logging and Business AI Code audit logging available; usage monitoring via Cloud Logging.

    docs.cloud.google.com

    IP indemnification

    Generative AI Indemnified Service. Quote: 'Gemini Code Assist Standard and Enterprise is a Generative AI Indemnified Service.' Copyright indemnity for generated output per Service Specific Terms.

    docs.cloud.google.com

    Bug bounty

    Yes — self-run Google/Google Cloud Vulnerability Reward Program (VRP), not HackerOne/Bugcrowd. Dedicated Cloud VRP (top award $101,010) plus a Generative-AI-specific AI VRP covering Gemini integrations. $17M+ paid across Google VRP in 2025.

    bughunters.google.com

    Penetration testing

    Covered indirectly: continuous internal red-teaming/testing and third-party assessments are part of Google's ISO 27001 and SOC 2 programs; invite-only bugSWAT events run live adversarial testing (including AI features). Product-specific pentest report not separately published.

    bughunters.google.com

    // Products & data scope

    Gemini Code Assist StandardAI coding assistant (IDE)

    data: Prompts, responses, and IDE context handled as Customer Data; stateless, no storage by default. Enterprise-grade security, IP indemnification, source citations, VPC-SC.

    For teams/orgs with basic coding needs and strict data/compliance requirements. Covered by ISO/SOC certs.

    Gemini Code Assist EnterpriseAI coding assistant (IDE + Google Cloud services)

    data: Same Customer Data handling as Standard PLUS code customization: augments responses with the customer's own private repos (GitHub, GitLab, Bitbucket) scoped to that customer. Extended integrations (Apigee, Application Integration, BigQuery, Cloud Run, Firebase, Cloud Assist).

    For large enterprises wanting private-codebase-tailored suggestions across a broad Google Cloud stack.

    Gemini Code Assist for individuals / Gemini CLI (legacy free tiers)AI coding assistant (consumer / individual)

    data: DIFFERENT scope from Standard/Enterprise — individual/free and Google AI Pro/Ultra tiers historically had separate, more permissive data-use terms (data may be used to improve products unless opted out).

    DEPRECATED: Per vendor note, starting June 18, 2026 the Gemini Code Assist IDE extensions and Gemini CLI stopped serving the individual / Google AI Pro / Ultra tiers; affected users must migrate to Antigravity / Antigravity CLI. The enterprise data protections in this assessment apply to the Standard and Enterprise editions, not these consumer tiers.

    // What to watch

    • Product is being consolidated: vendor announced unification into 'Antigravity' platform; individual/free Gemini CLI tiers stopped serving June 18, 2026. Standard/Enterprise editions remain the assessed, supported products.
    • Data residency not guaranteed (regionality not guaranteed) — relevant for EU/regulated-data buyers.
    • Consumer/individual tiers have historically had different, more permissive data-use terms than Standard/Enterprise — do not conflate them.
    • HIPAA not asserted on the product's own compliance page; treat as unknown for this specific product.

    // At a glance

    Pricing model

    Paid subscription per seat (Standard and Enterprise editions); formerly a free individual tier (now deprecated/migrating to Antigravity).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Google (Google Cloud)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    cloud.google.com

    > Browse all vendor trust reports