// Trust & Security Report

    Google Cloud (Looker Data Sciences Inc., acquired 2019) logo

    Google Cloud (Looker Data Sciences Inc., acquired 2019)

    Looker is a comprehensive business intelligence and analytics platform with enterprise and consumer tiers. Main products include Looker Core (semantic-layer BI platform with LookML modeling), Looker Studio (free web-based visualization tool), and embedded analytics APIs. Includes conversational analytics powered by Gemini, dashboard agents, and multi-cloud data integration.

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 1
    HELD

    Looker achieves SOC 2 Type 1 Certification for Google Cloud...The SOC 2 Type 1 Report for the Looker Cloud Hosted Data Platform is complete and available for customers and prospects, with the assessment conducted by independent auditors, The Cadence Group.

    Verify on discuss.google.dev
    SOC 2 Type 2
    HELD

    Looker already maintains a SOC 2 Type 2 report for Looker Cloud instances hosted on Amazon Web Services (AWS).

    Verify on discuss.google.dev
    ISO 27001
    HELD

    Google has earned ISO 27001 certification for the systems, applications, people, technology, processes and data centers serving a number of Google products...The compliance with the ISO standard was certified by Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council.

    Verify on docs.cloud.google.com
    HIPAA
    HELD

    To support HIPAA compliance, Looker engages with a third-party to perform HIPAA Security Rule audits annually and maintains a Business Associate Agreement (BAA) available to execute as needed.

    Verify on cloud.google.com
    GDPR
    HELD

    Looker maintains a privacy program aligned with global privacy requirements, including the General Data Protection Regulation (GDPR). Google Cloud provides a Cloud Data Processing Addendum and Looker uses GDPR-compliant terminology where terms like 'personal data', 'data subject', 'processing', 'controller' and 'processor' have the meanings given in the GDPR.

    Verify on cloud.google.com
    FedRAMP
    HELD

    Looker is FedRAMP High authorized for U.S. public services.

    Verify on cloud.google.com
    PCI DSS
    HELD

    Looker is PCI Compliant. Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines for safeguarding credit card information.

    Verify on cloud.google.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region (configurable based on Google Cloud region selection)

    Customer data is never used to train Google's AI models. Conversational Analytics with Gemini ensures that data queried through Gemini in Looker stays within the customer's Google Cloud project and is governed by existing IAM access controls. Google does not use corporate data stored in Google Cloud to train or improve its AI systems.

    // Security controls

    Encryption in Transit

    TLS 1.2 used to encrypt network traffic between users' browsers and the Looker platform

    cloud.google.com

    Encryption at Rest

    AES 256-bit encryption to secure database connection credentials and cached data stored at rest

    cloud.google.com

    Access Controls

    Role-based access control (RBAC), Single Sign-On (SSO) with Google Cloud IAM integration, user authentication and authorization mechanisms

    cloud.google.com

    Audit Logging

    Comprehensive audit trail for data access and activity monitoring; robust audit logging capabilities for compliance investigations

    cloud.google.com

    Data Retention

    Customer data remains in cache for maximum 30 days; data removed from users is deleted within 30 days. Upon service termination, all Customer Data is deleted within maximum 180 days (subject to legal retention).

    cloud.google.com

    Data Deletion

    Customers can delete data during service term via Looker functionality. Recovery period of up to 30 days available before permanent deletion.

    cloud.google.com

    // Products & data scope

    Looker CoreEnterprise BI Platform

    data: All customer data; processes queries and semantic models via LookML

    Requires annual commitment. Three editions: Standard (small teams, <50 users), Enterprise (wide variety of internal BI use cases), and Embed (external analytics deployment). Each includes up to 100,000 query-based API calls/month (Enterprise) or 500,000 (Embed). Conversational Analytics with Gemini integration included. AI does not train on customer data.

    Looker Studio (formerly Data Studio)Free Visualization & Dashboard Tool

    data: Dashboard and report data; supports multiple data connectors

    Free tier available to all users. Premium Pro tier ($9-12/month per user). No SOC 2 Type 2 requirement but ISO 27001 certified. Lighter security/compliance footprint than Looker Core. Supports embedding and API connections.

    Looker Conversational Analytics APIAgentic BI API

    data: LookML explores; multi-turn conversational workflows

    Generally Available. Allows developers to build trusted conversational experiences backed by Looker Explores within customer-facing applications. Uses Gemini for natural language processing with full auditability and underlying SQL visibility.

    Looker Embedded AnalyticsEmbedded BI

    data: Embedded dashboards and custom data applications

    SDK and iframe implementations available. Supports low-code integration. Monitored under same compliance regime as Looker Core.

    // What to watch

    • Looker is a Google Cloud product (post-acquisition 2019), not an independent vendor. All compliance certifications are backed by Google Cloud's broader security infrastructure. Vendors comparing Looker should note that HIPAA and FedRAMP support require execution of a BAA or explicit authorization respectively, not automatic.
    • SOC 2 Type 1 vs Type 2 split by platform: Type 1 for GCP instances, Type 2 for AWS instances. Customers should verify their specific deployment target.
    • ISO 27001 certification explicitly confirmed for Looker Studio; for Looker Core, certification is available but detailed scope kept under NDA with Google. Recommend requesting NDA access if ISO 27001 specificity is required for procurement.
    • Looker's conversational analytics (Gemini integration) requires careful configuration to ensure HIPAA/FedRAMP compliance if handling regulated data. Default behavior does not train on customer data, but deployment-specific configuration is customer responsibility.
    • Data residency is tied to Google Cloud region selection. No explicit data localization guarantees beyond standard Google Cloud DPA terms. GDPR compliance depends on proper DPA execution and region selection (EU regions available).

    // At a glance

    Pricing model

    Looker Core: Platform pricing + per-user licensing (call sales, annual commitment). Looker Studio: Freemium (free tier for all; Pro $9-12/month per user).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Google Cloud (Looker Data Sciences Inc., acquired 2019)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    cloud.google.com

    > Browse all vendor trust reports