// Trust & Security Report
Google (Google Cloud)
Gemini for Google Cloud — Gemini Code Assist (Standard & Enterprise)
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on docs.cloud.google.com“Gemini Code Assist Standard and Enterprise received the following certifications: International Organization for Standardization (ISO) 27001, ISO 27017, ISO 27018, and ISO 27701”
Verify on docs.cloud.google.com“received the following certifications: International Organization for Standardization (ISO) 27001, ISO 27017, ISO 27018, and ISO 27701”
Verify on docs.cloud.google.com“received the following certifications: ... ISO 27001, ISO 27017, ISO 27018, and ISO 27701”
Verify on docs.cloud.google.com“received the following certifications: ... ISO 27001, ISO 27017, ISO 27018, and ISO 27701”
Verify on docs.cloud.google.com“Not asserted on the Gemini Code Assist security/privacy/compliance page. Google Cloud supports HIPAA broadly for covered services, but Gemini Code Assist's own certifications page lists only ISO 27001/27017/27018/27701 and SOC 1/2/3; HIPAA coverage for this specific product was not confirmed.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Global Google Edge Network; processed at the data center closest to the request origin. Quote: 'regionality is not guaranteed.' Data residency / regional pinning is not offered for this product.
Google does not train models on customer data without permission. Direct quote: 'Google doesn't use your data to train our models without your permission.' Prompts, responses, and IDE context are treated as Customer Data under the Cloud Data Processing Addendum, and the service is stateless: 'Because Gemini Code Assist Standard and Enterprise are stateless Google Cloud services, they don't store prompts and responses in Google Cloud.' Optional logging to a customer-controlled Cloud Logging bucket is available if the customer enables it. Note: the underlying Gemini LLMs are pre-trained on publicly available code and Google Cloud material, not on customer code. The Enterprise edition's 'code customization' augments responses with the customer's own private repos for that customer only.
// Security controls
Encryption in transit
TLS by default for all connections to Google Front End (GFE). Quote: 'By default, this connection is protected using TLS.' Optional Cloud VPN / Cloud Interconnect for dedicated links.
docs.cloud.google.comEncryption at rest
Google Cloud default encryption at rest applies (when optional Cloud Logging storage is enabled).
docs.cloud.google.comNetwork isolation
VPC Service Controls (VPC-SC) and Private Google Access supported to define perimeters and mitigate data exfiltration.
docs.cloud.google.comIdentity & access
IAM-based access control, Cloud Identity / Google Workspace / federated IdP, SSO and 2-step verification recommended.
docs.cloud.google.comAudit logging
Gemini for Google Cloud audit logging and Business AI Code audit logging available; usage monitoring via Cloud Logging.
docs.cloud.google.comIP indemnification
Generative AI Indemnified Service. Quote: 'Gemini Code Assist Standard and Enterprise is a Generative AI Indemnified Service.' Copyright indemnity for generated output per Service Specific Terms.
docs.cloud.google.comBug bounty
Yes — self-run Google/Google Cloud Vulnerability Reward Program (VRP), not HackerOne/Bugcrowd. Dedicated Cloud VRP (top award $101,010) plus a Generative-AI-specific AI VRP covering Gemini integrations. $17M+ paid across Google VRP in 2025.
bughunters.google.comPenetration testing
Covered indirectly: continuous internal red-teaming/testing and third-party assessments are part of Google's ISO 27001 and SOC 2 programs; invite-only bugSWAT events run live adversarial testing (including AI features). Product-specific pentest report not separately published.
bughunters.google.com// Products & data scope
data: Prompts, responses, and IDE context handled as Customer Data; stateless, no storage by default. Enterprise-grade security, IP indemnification, source citations, VPC-SC.
For teams/orgs with basic coding needs and strict data/compliance requirements. Covered by ISO/SOC certs.
data: Same Customer Data handling as Standard PLUS code customization: augments responses with the customer's own private repos (GitHub, GitLab, Bitbucket) scoped to that customer. Extended integrations (Apigee, Application Integration, BigQuery, Cloud Run, Firebase, Cloud Assist).
For large enterprises wanting private-codebase-tailored suggestions across a broad Google Cloud stack.
data: DIFFERENT scope from Standard/Enterprise — individual/free and Google AI Pro/Ultra tiers historically had separate, more permissive data-use terms (data may be used to improve products unless opted out).
DEPRECATED: Per vendor note, starting June 18, 2026 the Gemini Code Assist IDE extensions and Gemini CLI stopped serving the individual / Google AI Pro / Ultra tiers; affected users must migrate to Antigravity / Antigravity CLI. The enterprise data protections in this assessment apply to the Standard and Enterprise editions, not these consumer tiers.
// What to watch
- Product is being consolidated: vendor announced unification into 'Antigravity' platform; individual/free Gemini CLI tiers stopped serving June 18, 2026. Standard/Enterprise editions remain the assessed, supported products.
- Data residency not guaranteed (regionality not guaranteed) — relevant for EU/regulated-data buyers.
- Consumer/individual tiers have historically had different, more permissive data-use terms than Standard/Enterprise — do not conflate them.
- HIPAA not asserted on the product's own compliance page; treat as unknown for this specific product.
// At a glance
Pricing model
Paid subscription per seat (Standard and Enterprise editions); formerly a free individual tier (now deprecated/migrating to Antigravity).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Google (Google Cloud)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
cloud.google.com