// Trust & Security Report

    Google LLC logo

    Google LLC

    Gemini generative AI assistant. Available as: consumer app (gemini.google.com, free and paid tiers), Google Workspace integration, and Google Cloud / Vertex AI / Gemini Enterprise products. Enterprise tiers carry Google Cloud's full compliance program; the consumer app trains on user data by default and has a different data-handling posture.

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 (Type 1/2)
    HELD

    The following table shows certifications for Gemini for Google Cloud. SOC1, SOC2, SOC3 are listed as Compliant: Yes. Note: applies to Gemini for Google Cloud / Vertex AI / Gemini Enterprise tiers, not the free consumer app at gemini.google.com.

    Verify on docs.cloud.google.com
    ISO 27001
    HELD

    The following table shows certifications for Gemini for Google Cloud. ISO 27001, ISO 27017, ISO 27018 and ISO 27701 are listed as Compliant: Yes. Applies to the Google Cloud / Vertex AI / Gemini Enterprise tiers.

    Verify on docs.cloud.google.com
    HIPAA
    HELD

    The following table shows certifications for Gemini for Google Cloud. HIPAA is listed as Compliant: Yes. A HIPAA Business Associate Agreement (BAA) is available for covered Google Workspace and Google Cloud plans; no BAA is offered for the free consumer app.

    Verify on docs.cloud.google.com
    GDPR (Data Processor Agreement)
    HELD

    Google's 'Cloud Data Processing Addendum (Customers)' states it describes the parties' obligations under applicable privacy, data security, and data protection laws with respect to the processing of Customer Data, defines 'EU GDPR' as Regulation (EU) 2016/679, and states 'Google is a processor and Customer is a controller or processor.' Available to Google Cloud and Google Workspace customers; the free consumer app has no DPA.

    Verify on cloud.google.com
    PCI-DSS
    HELD

    The following table shows certifications for Gemini for Google Cloud. PCI-DSS v4.0.1 and PCI 3D Secure (PCI 3DS) v1.0 are listed as Compliant: Yes. Applies to the Google Cloud tier, not the consumer app.

    Verify on docs.cloud.google.com
    FedRAMP
    HELD

    'Gemini in Workspace apps and the Gemini app are the first generative AI assistants for productivity and collaboration suites to have achieved FedRAMP High authorization.' FedRAMP High applies to Gemini for Government / Gemini Enterprise on Assured Workloads, not the standard consumer app.

    Verify on cloud.google.com
    ISO 42001 (AI Management Systems)
    HELD

    The following table shows certifications for Gemini for Google Cloud. ISO 42001 is listed as Compliant: Yes. Applies to the Google Cloud / Gemini Enterprise tiers.

    Verify on docs.cloud.google.com
    CSA STAR
    HELD

    The following table shows certifications for Gemini for Google Cloud. CSA STAR is listed as Compliant: Yes (alongside BSI C5:2020, HITRUST CSF, FINMA, MTCS and OSPAR).

    Verify on docs.cloud.google.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Consumer app: global Google infrastructure, no customer-selectable region. Enterprise tiers offer regional data residency (for example europe-west and in-country regions) and at-rest data residency commitments via Google Cloud / Workspace.

    Training policy varies sharply by tier. Free/paid consumer app (gemini.google.com): Google uses activity to train generative AI models by default while 'Keep Activity' is on. Users can turn Keep Activity off, after which future chats 'won't be used to train our AI models, unless you choose to send Google feedback,' though chats are still saved for 72 hours and a subset of chats may be reviewed by human reviewers (disconnected from the account) to improve services. Enterprise tiers (Gemini for Google Cloud / Vertex AI / Gemini Enterprise / Gemini for Workspace) do NOT use customer prompts or data to train foundation models and are covered by Google's Cloud Data Processing Addendum.

    // Security controls

    Encryption in transit

    HTTPS/TLS standard for web and API

    support.google.com

    Encryption at rest

    Standard Google infrastructure encryption; consumer tier does not publish detailed specs

    support.google.com

    Human review practices

    A subset of consumer chats is reviewed by human reviewers (including Google's trained service providers) to help improve services; chats are disconnected from the account before being sent to reviewers

    support.google.com

    Data retention

    Consumer activity auto-deletes after 18 months by default; configurable to 3 or 36 months, or off. Temporary chats and chats saved while Keep Activity is off are retained for 72 hours. Human-reviewed conversations may be kept up to 3 years, disconnected from the account

    support.google.com

    Model training

    Enabled by default via Keep Activity on the consumer app. Can be disabled; disabling stops training but future chats are still retained 72 hours. Enterprise tiers do not train on customer data

    support.google.com

    // Products & data scope

    Gemini (consumer, free tier)Generative AI Assistant

    data: Global data centers, no regional residency option

    No DPA, no BAA, trains on data by default (Keep Activity), subset of chats subject to human review. Not intended for confidential or regulated data.

    Gemini (consumer, Gemini Pro/Ultra paid)Generative AI Assistant

    data: Global data centers, no regional residency option

    Same consumer data-handling posture as free tier; paid tier adds higher usage limits and advanced capabilities but no additional compliance guarantees.

    Gemini for Google WorkspaceEnterprise AI Assistant

    data: Can enable regional data residency (for example europe-west, in-country regions); US regions also available

    Covered by Google Cloud/Workspace compliance program: SOC 1/2/3, ISO 27001/27017/27018/27701, ISO 42001, HIPAA (with BAA), PCI-DSS, FedRAMP High, and the Cloud Data Processing Addendum for GDPR. Does not train on customer data.

    Gemini for Google Cloud / Vertex AI / Gemini EnterpriseEnterprise AI Platform

    data: Multiple regions: US, EU multi-region, Canada, India, Singapore with at-rest data residency commitments; FedRAMP High / IL4 via Assured Workloads

    Full Google Cloud certification set: SOC 1/2/3, ISO 27001/27017/27018/27701, ISO 42001, HIPAA, PCI-DSS v4.0.1, FedRAMP High, CSA STAR, HITRUST CSF, BSI C5, plus the Cloud Data Processing Addendum. Does not train foundation models on customer data.

    // What to watch

    • TIER-DEPENDENT COMPLIANCE: 'Google Gemini' spans very different data-handling tiers. Enterprise tiers (Gemini for Google Cloud / Vertex AI / Gemini Enterprise / Workspace) carry Google Cloud's full certification program and do not train on customer data. The free/paid consumer app at gemini.google.com trains on user data by default and has no DPA or BAA.
    • CONSUMER TRAINING BY DEFAULT: The consumer app uses chats to train Google's generative AI models while Keep Activity is on (the default). Users must actively turn Keep Activity off to stop training; a subset of chats may still be human-reviewed and chats are retained 72 hours after disabling.
    • CONSUMER HUMAN REVIEW: Google states a subset of consumer chats is reviewed by human reviewers (disconnected from the account). Users are advised not to enter confidential information into the consumer app.
    • CERTIFICATIONS ARE ENTERPRISE-TIER SCOPED: The SOC 2, ISO, ISO 42001, HIPAA, PCI-DSS, FedRAMP and CSA STAR statuses above are for Gemini for Google Cloud / Workspace / Vertex AI, per Google's own certifications page. They should not be read as applying to the free consumer app.

    // At a glance

    Pricing model

    Freemium (consumer): Free tier + Gemini Pro/Ultra subscriptions; Enterprise: Per-seat or usage-based licensing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Google LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    docs.cloud.google.com

    > Browse all vendor trust reports