AI Vendor Security & Compliance Brief

Gemini logo Gemini

Independent due-diligence summary · every fact links to the vendor's official source
8 source-cited facts
0 independently verified certs
10 legal documents tracked
Generated 2026-06-19
89/100
AI Governance Readiness

Enterprise-Ready

This vendor is rated Enterprise-Ready with a score of 89 out of 100. Strongest verified evidence includes confirmed SOC 2 Type 2 and ISO 27001 certifications, with audit reports available under NDA, and a commitment not to train on customer data. A material recent change is the addition of 12 new sub-processors, which means a new third party may now process your data. Buyers should check these new sub-processors against their Data Processing Agreement's approved list and notification rights.

Summarized strictly from the source-cited facts below — no outside information. Verify each point against its linked source.
+ Monitor this vendor ⤓ Security Review PDF ⤓ Vendor questionnaire (CSV)

Readiness Breakdown deterministic · evidence-only

  • Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
  • Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
  • Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
  • Data Processing Agreement A Data Processing Agreement is published and tracked.
  • Breach History No known breaches in Have I Been Pwned.
  • Vulnerability Exposure No product identity match in vulnerability databases — not assessed.
  • Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
  • Vulnerability Disclosure Policy No security.txt vulnerability disclosure policy found.
  • Web TLS Certificate Valid TLS certificate in place.
  • Legal Transparency 10 legal/policy documents publicly tracked.
Score is normalized over assessed components only — “unknown” items are shown but never silently counted against the vendor.

Ask This in Your Security Review 2 open items

  • Vulnerability ExposureRequest the remediation timeline / patch status for known CVEs (and any KEV-listed items).
  • Vulnerability Disclosure PolicyConfirm a coordinated vulnerability disclosure / security.txt contact.

Compliance Posture vendor-stated · cited

FrameworkStatusSource
GDPR Stated by vendor https://cloud.google.com/privacy/gdpr
HIPAA Stated by vendor https://cloud.google.com/security/compliance/hipaa
ISO 27001 Stated by vendor https://cloud.google.com/security/compliance/iso-27001
SOC 2 Stated by vendor https://cloud.google.com/security/compliance/soc-2
BAA Available (HIPAA) Not publicly verified
As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.

Data & Contract Facts deterministic · cited

AttributeValueSource
Data Processing Agreement (DPA) View document →
“Cloud Data Processing Addendum”vendor's exact wording
 https://cloud.google.com/terms/data-processing-addendum
Sub-processors (published list) View document → https://cloud.google.com/terms/google-subprocessors
Trains on Customer Data key clause
Free / Pro: trains on data Gemini Apps (personal account): a subset of chats are reviewed by humans and used to improve Google's models unless you turn off Gemini Apps Activity; reviewed chats are retained up to 3 years. cited →
Enterprise: does not train Workspace/Cloud Gemini (paid business licenses): prompts, outputs and your data are not used to train Google's models. cited →
see per-tier citations

Security Posture authoritative · cited

Known Vulnerabilities (CVE / CISA KEV) Not applicable
No CVE/CPE software identity is mapped to this hosted service; known-vulnerability tracking does not apply to the service identity assessed here.
Vulnerability Disclosure Policy (security.txt) None found
Queried the authoritative source; no records.
Email Spoofing Protection (DMARC) Protected
DMARC enforced and SPF present — spoofing well mitigated.
Web TLS Certificate Valid
Data Breach History None found
Queried the authoritative source; no records.
Supply-Chain Security (OpenSSF Scorecard) Not applicable
Closed-source service — no public source repository; OpenSSF Scorecard (open-source supply-chain) does not apply.
OFAC Sanctions Screening None found
Queried the authoritative source; no records.
SEC Cyber Incident Disclosures (8-K 1.05) None found
Queried the authoritative source; no records.

Certifications Available Under NDA / Trust Center attested · report gated

CertificationStatusTrust Center
ISO 27001 Available via Trust Center https://cloud.google.com/security/compliance/offerings
SOC2 TYPE2 Available via Trust Center https://cloud.google.com/security/compliance/offerings
An independent audit report exists but is gated behind an NDA or trust-center registration. Request it directly via the vendor's trust center. These count as partial assurance — stronger than a vendor claim, but not an open third-party attestation.

Vendor-Claimed, Not Independently Verified treat as unconfirmed

FEDRAMP LOW Claimed — not independently verified https://cloud.google.com/security/compliance
HITRUST Claimed — not independently verified https://cloud.google.com/security/compliance
ISO 27017 Claimed — not independently verified https://cloud.google.com/security/compliance
ISO 27018 Claimed — not independently verified https://cloud.google.com/security/compliance
ISO 27701 Claimed — not independently verified https://cloud.google.com/security/compliance
PCI DSS Claimed — not independently verified https://cloud.google.com/security/compliance
SOC1 Claimed — not independently verified https://cloud.google.com/security/compliance
SOC3 Claimed — not independently verified https://cloud.google.com/security/compliance
These appear on the vendor's site but we could not confirm an independent audit report. Request the underlying attestation before relying on them.

Tracked Legal & Policy Documents

DocumentURL
Cookie https://policies.google.com/technologies/cookies?hl=en-US&utm_source=ucb
Dpa https://cloud.google.com/terms/data-processing-addendum
Gdpr Compliance https://cloud.google.com/privacy/gdpr
Pricing https://one.google.com/about/google-ai-plans/
Privacy https://policies.google.com/privacy
Security https://cloud.google.com/security/compliance
Soc Report https://gemini.google.com/soc
Subprocessors https://cloud.google.com/terms/subprocessors
Tos https://policies.google.com/terms
Trust https://cloud.google.com/trust-center

How to Obtain Non-Public Documents

These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.

DocumentAvailabilityHow to obtain
Business Associate Agreement (BAA) On request (HIPAA only) A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. Trust center →
Master Services Agreement (MSA) Negotiated per contract The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. Trust center →
Service Level Agreement (SLA) Enterprise tier A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center →

Continuous Monitoring change-tracking active

5 legal & policy documents under change-monitoring since 2026-06-08. 2 tracked changes detected since baseline.

CookieDpaPrivacySubprocessorsTos
DetectedChangeDetail
2026-06-16 Sub-processor Change 12 new sub-processor(s) added: Accenture International Limited, BULL LTDA – LE 960833, Bristlecone Incorporated, Bull Advanced Computing Canada Inc., Bull GmbH,
What this means: A new third party may now process your data — check it against your DPA's approved sub-processor list and your notification rights.
2026-06-15 ToS Clause Change The Terms of Service changed — 6 added, 88 removed passages. Review the current version.
What this means: This change to the Terms of Service touches your privacy, data sharing or retention and licensing or ownership of content/IP. Read 6 added and 88 removed passages in the current Terms of Service to see whether it affects your obligations or risk.
Show exact changed text

In plain terms — verify against the exact changed text below: The previous detailed Google Terms of Service, including its table of contents, introduction, service provider information for Google Ireland Limited, age requirements, and effective date of May 22, 2024, has been removed. This content is replaced with new text introducing 'Home', 'Stay organized with collections', 'Go

@@ -1,696 +1,1385 @@-Google Terms of Service – Privacy & Terms – Google
-Privacy & Terms
-Privacy & Terms
-Privacy & Terms
-Overview
-Privacy Policy
+Home
+Stay organized with collections
+Save and categorize content based on your preferences.
+Google Cloud
 Terms of Service
-Technologies
-FAQ
-Google Account
-Terms
-Introduction
-Your relationship with Google
-Using Google services
-Content in Google services
-Software in Google services
-In case of problems or disagreements
-About these terms
-EEA instructions on withdrawal
-Updates
-Definitions
-List of services & service-specific additional terms
-How Google handles government requests for user information
-Google Terms of Service
-Effective May 22, 2024
-|
-Archived versions
-|
-Download PDF
-Country version:
-Germany
-What’s covered in these terms
-We know it’s tempting to skip these Terms of Service, but it’s important to establish what you can expect from us as you use Google
-services
-, and what we expect from you.
-These Terms of Service reflect
-the way Google’s business works
-, the laws that apply to our company, and
-certain things we’ve always believed to be true
-. As a result, these Terms of Service help define Google’s relationship with you as you interact with our services. For example, these terms include the following topic headings:
-What you can expect from us
-, which describes how we provide and develop our services
-What we expect from you
-, which establishes certain rules for using our services
-Content in Google services
-, which describes the intellectual property rights to the content you find in our services — whether that content belongs to you, Google, or others
-In case of problems or disagreements
-, which describes other legal rights you have, and what to expect in case someone violates these terms
-Understanding these terms is important because, to use our services, you must accept these terms. We encourage you to download these terms for future reference. We make these terms, and all previous versions, available at all times
+New to Google Cloud? A quick overview of Google
+Cloud’s online contracting can be found
 here
 .
-Besides these terms, we also publish a
-Privacy Policy
-. Although it’s not part of these terms, we encourage you to read it to better understand how you can
-update, manage, export, and delete your information
-.
-Terms
-Service provider
-In the European Economic Area (EEA) and Switzerland, Google
-services
-are provided by:
-Google Ireland Limited
-incorporated and operating under the laws of Ireland
-(Registration Number: 368047 / VAT Number: IE6388047V)
-Gordon House, Barrow Street
-Dublin 4
-Ireland
-Age requirements
-If you’re under the
-age required to manage your own Google Account
-, you must have your parent or legal guardian’s permission to use a Google Account. Please have your parent or legal guardian read these terms with you.
-If you’re a parent or legal guardian who has accepted these terms, and you allow your child to use the
-services
-, then to the extent permitted by applicable law, you’re responsible for your child’s activity on the services.
-Some Google services have additional age requirements as described in their
-service-specific additional terms and policies
-.
-Contents
-Introduction
-Your relationship with Google
-Using Google services
-Content in Google services
-Software in Google services
-In case of problems or disagreements
-About these terms
-EEA instructions on withdrawal
-Your relationship with Google
-These terms help define the relationship between you and Google. When we speak of “Google,” “we,” “us,” and “our,” we mean Google Ireland Limited and its
-affiliates
-. Broadly speaking, we give you permission to access and use our
-services
-if you agree to follow these terms, which reflect
-how Google’s business works and how we earn money
-.
-What you can expect from us
-Provide a broad range of useful services
-We provide a broad range of services that are subject to these terms,

Ask the Legal Documents grounded · cited

Ask a question about Gemini's captured Terms, DPA, Privacy Policy or sub-processor list. Answers are read only from the actual document text and always shown with the exact clause. If the documents don't cover it, we say so — we never guess.

The summary only restates the clauses below it and is verified against them — the verbatim clause is always the source of truth.

Monitor Gemini — get alerted when this changes

This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Gemini changes something that affects your risk. Built for procurement & security teams.

Free. One email per material change. Unsubscribe anytime. No sales spam.
Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.