// Trust & Security Report
Google LLC
Gemini generative AI assistant. Available as: consumer app (gemini.google.com, free and paid tiers), Google Workspace integration, and Google Cloud / Vertex AI / Gemini Enterprise products. Enterprise tiers carry Google Cloud's full compliance program; the consumer app trains on user data by default and has a different data-handling posture.
Certifications held
8
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on docs.cloud.google.com“The following table shows certifications for Gemini for Google Cloud. SOC1, SOC2, SOC3 are listed as Compliant: Yes. Note: applies to Gemini for Google Cloud / Vertex AI / Gemini Enterprise tiers, not the free consumer app at gemini.google.com.”
Verify on docs.cloud.google.com“The following table shows certifications for Gemini for Google Cloud. ISO 27001, ISO 27017, ISO 27018 and ISO 27701 are listed as Compliant: Yes. Applies to the Google Cloud / Vertex AI / Gemini Enterprise tiers.”
Verify on docs.cloud.google.com“The following table shows certifications for Gemini for Google Cloud. HIPAA is listed as Compliant: Yes. A HIPAA Business Associate Agreement (BAA) is available for covered Google Workspace and Google Cloud plans; no BAA is offered for the free consumer app.”
Verify on cloud.google.com“Google's 'Cloud Data Processing Addendum (Customers)' states it describes the parties' obligations under applicable privacy, data security, and data protection laws with respect to the processing of Customer Data, defines 'EU GDPR' as Regulation (EU) 2016/679, and states 'Google is a processor and Customer is a controller or processor.' Available to Google Cloud and Google Workspace customers; the free consumer app has no DPA.”
Verify on docs.cloud.google.com“The following table shows certifications for Gemini for Google Cloud. PCI-DSS v4.0.1 and PCI 3D Secure (PCI 3DS) v1.0 are listed as Compliant: Yes. Applies to the Google Cloud tier, not the consumer app.”
Verify on cloud.google.com“'Gemini in Workspace apps and the Gemini app are the first generative AI assistants for productivity and collaboration suites to have achieved FedRAMP High authorization.' FedRAMP High applies to Gemini for Government / Gemini Enterprise on Assured Workloads, not the standard consumer app.”
Verify on docs.cloud.google.com“The following table shows certifications for Gemini for Google Cloud. ISO 42001 is listed as Compliant: Yes. Applies to the Google Cloud / Gemini Enterprise tiers.”
Verify on docs.cloud.google.com“The following table shows certifications for Gemini for Google Cloud. CSA STAR is listed as Compliant: Yes (alongside BSI C5:2020, HITRUST CSF, FINMA, MTCS and OSPAR).”
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Consumer app: global Google infrastructure, no customer-selectable region. Enterprise tiers offer regional data residency (for example europe-west and in-country regions) and at-rest data residency commitments via Google Cloud / Workspace.
Training policy varies sharply by tier. Free/paid consumer app (gemini.google.com): Google uses activity to train generative AI models by default while 'Keep Activity' is on. Users can turn Keep Activity off, after which future chats 'won't be used to train our AI models, unless you choose to send Google feedback,' though chats are still saved for 72 hours and a subset of chats may be reviewed by human reviewers (disconnected from the account) to improve services. Enterprise tiers (Gemini for Google Cloud / Vertex AI / Gemini Enterprise / Gemini for Workspace) do NOT use customer prompts or data to train foundation models and are covered by Google's Cloud Data Processing Addendum.
// Security controls
Encryption at rest
Standard Google infrastructure encryption; consumer tier does not publish detailed specs
support.google.comHuman review practices
A subset of consumer chats is reviewed by human reviewers (including Google's trained service providers) to help improve services; chats are disconnected from the account before being sent to reviewers
support.google.comData retention
Consumer activity auto-deletes after 18 months by default; configurable to 3 or 36 months, or off. Temporary chats and chats saved while Keep Activity is off are retained for 72 hours. Human-reviewed conversations may be kept up to 3 years, disconnected from the account
support.google.comModel training
Enabled by default via Keep Activity on the consumer app. Can be disabled; disabling stops training but future chats are still retained 72 hours. Enterprise tiers do not train on customer data
support.google.com// Products & data scope
data: Global data centers, no regional residency option
No DPA, no BAA, trains on data by default (Keep Activity), subset of chats subject to human review. Not intended for confidential or regulated data.
data: Global data centers, no regional residency option
Same consumer data-handling posture as free tier; paid tier adds higher usage limits and advanced capabilities but no additional compliance guarantees.
data: Can enable regional data residency (for example europe-west, in-country regions); US regions also available
Covered by Google Cloud/Workspace compliance program: SOC 1/2/3, ISO 27001/27017/27018/27701, ISO 42001, HIPAA (with BAA), PCI-DSS, FedRAMP High, and the Cloud Data Processing Addendum for GDPR. Does not train on customer data.
data: Multiple regions: US, EU multi-region, Canada, India, Singapore with at-rest data residency commitments; FedRAMP High / IL4 via Assured Workloads
Full Google Cloud certification set: SOC 1/2/3, ISO 27001/27017/27018/27701, ISO 42001, HIPAA, PCI-DSS v4.0.1, FedRAMP High, CSA STAR, HITRUST CSF, BSI C5, plus the Cloud Data Processing Addendum. Does not train foundation models on customer data.
// What to watch
- TIER-DEPENDENT COMPLIANCE: 'Google Gemini' spans very different data-handling tiers. Enterprise tiers (Gemini for Google Cloud / Vertex AI / Gemini Enterprise / Workspace) carry Google Cloud's full certification program and do not train on customer data. The free/paid consumer app at gemini.google.com trains on user data by default and has no DPA or BAA.
- CONSUMER TRAINING BY DEFAULT: The consumer app uses chats to train Google's generative AI models while Keep Activity is on (the default). Users must actively turn Keep Activity off to stop training; a subset of chats may still be human-reviewed and chats are retained 72 hours after disabling.
- CONSUMER HUMAN REVIEW: Google states a subset of consumer chats is reviewed by human reviewers (disconnected from the account). Users are advised not to enter confidential information into the consumer app.
- CERTIFICATIONS ARE ENTERPRISE-TIER SCOPED: The SOC 2, ISO, ISO 42001, HIPAA, PCI-DSS, FedRAMP and CSA STAR statuses above are for Gemini for Google Cloud / Workspace / Vertex AI, per Google's own certifications page. They should not be read as applying to the free consumer app.
// At a glance
Pricing model
Freemium (consumer): Free tier + Gemini Pro/Ultra subscriptions; Enterprise: Per-seat or usage-based licensing
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Google LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
docs.cloud.google.com