AI Vendor Security & Compliance Brief

Google Gemini for Workspace logo Google Gemini for Workspace

Independent due-diligence summary · every fact links to the vendor's official source
9 source-cited facts
0 independently verified certs
9 legal documents tracked
Generated 2026-07-03
89/100
AI Governance Readiness

Enterprise-Ready

This vendor is rated Enterprise-Ready with a score of 89 out of 100. Strong evidence includes confirmed SOC 2 Type 2 and ISO 27001 certifications, with audit reports available under NDA. A recent change involves the addition of Accenture Japan Ltd. as a sub-processor, meaning a new third party may now process your data. Buyers should check this against their Data Processing Agreement's approved sub-processor list and their notification rights.

Summarized strictly from the source-cited facts below — no outside information. Verify each point against its linked source.

Readiness Breakdown deterministic · evidence-only

  • Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
  • Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
  • Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
  • Data Processing Agreement A Data Processing Agreement is published and tracked.
  • Breach History No known breaches in Have I Been Pwned.
  • Vulnerability Exposure No product identity match in vulnerability databases — not assessed.
  • Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
  • Vulnerability Disclosure Policy No security.txt vulnerability disclosure policy found.
  • Web TLS Certificate Valid TLS certificate in place.
  • Legal Transparency 9 legal/policy documents publicly tracked.
Score is normalized over assessed components only — “unknown” items are shown but never silently counted against the vendor.

Ask This in Your Security Review 2 open items

  • Vulnerability ExposureRequest the remediation timeline / patch status for known CVEs (and any KEV-listed items).
  • Vulnerability Disclosure PolicyConfirm a coordinated vulnerability disclosure / security.txt contact.

Compliance Posture vendor-stated · cited

FrameworkStatusSource
BAA Available (HIPAA) Stated by vendor https://support.google.com/cloud/answer/6329727
GDPR Stated by vendor https://cloud.google.com/privacy/gdpr
HIPAA Stated by vendor https://cloud.google.com/security/compliance/hipaa
ISO 27001 Stated by vendor https://cloud.google.com/security/compliance/iso-27001
SOC 2 Stated by vendor https://cloud.google.com/security/compliance/soc-2
As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.

Data & Contract Facts deterministic · cited

AttributeValueSource
Data Processing Agreement (DPA) View document →
“Cloud Data Processing Addendum”vendor's exact wording
https://cloud.google.com/terms/data-processing-addendum
Sub-processors Accenture International Limited, Cognizant Worldwide Limited, EPAM Systems, Inc., Deloitte Consulting LLP, GlobalLogic Technologies Private Limited, GlobalLogic Inc., Infosys Limited, Tata Consultancy Services Limited, TELUS International Services Limited, Virtusa SuperholdCo Inc, Wipro LLC
“Google and its affiliates engage the third-party entities in the table below to perform limited activities in connection with the Google Workspace Core Services and Cloud Identity Services.”vendor's exact wording
https://workspace.google.com/terms/subprocessors/
Sub-processors (published list) View document → https://workspace.google.com/terms/subprocessors.html
Trains on Customer Data key clause
Free / Pro: trains on data The free consumer Gemini app trains on chats (human review) unless Gemini Apps Activity is turned off — this is NOT the Workspace product. cited →
Enterprise: does not train Google Workspace with Gemini: customer Workspace data, prompts and outputs are not used to train Google's models outside your domain. cited →
see per-tier citations

Security Posture authoritative · cited

Known Vulnerabilities (CVE / CISA KEV) Not applicable
No CVE/CPE software identity is mapped to this hosted service; known-vulnerability tracking does not apply to the service identity assessed here.
Vulnerability Disclosure Policy (security.txt) None found
Queried the authoritative source; no records.
Email Spoofing Protection (DMARC) Protected
DMARC enforced and SPF present — spoofing well mitigated.
Web TLS Certificate Valid
Data Breach History None found
Queried the authoritative source; no records.
Supply-Chain Security (OpenSSF Scorecard) Not applicable
Closed-source service — no public source repository; OpenSSF Scorecard (open-source supply-chain) does not apply.
OFAC Sanctions Screening None found
Queried the authoritative source; no records.
SEC Cyber Incident Disclosures (8-K 1.05) None found
Queried the authoritative source; no records.

Certifications Available Under NDA / Trust Center attested · report gated

CertificationStatusTrust Center
ISO 27001 Available via Trust Center https://cloud.google.com/security/compliance/offerings
SOC2 TYPE2 Available via Trust Center https://cloud.google.com/security/compliance/offerings
An independent audit report exists but is gated behind an NDA or trust-center registration. Request it directly via the vendor's trust center. These count as partial assurance — stronger than a vendor claim, but not an open third-party attestation.

Vendor-Claimed, Not Independently Verified treat as unconfirmed

FEDRAMP LOW Claimed — not independently verified https://cloud.google.com/security/compliance
HITRUST Claimed — not independently verified https://cloud.google.com/security/compliance
ISO 27017 Claimed — not independently verified https://cloud.google.com/security/compliance
ISO 27018 Claimed — not independently verified https://cloud.google.com/security/compliance
ISO 27701 Claimed — not independently verified https://cloud.google.com/security/compliance
PCI DSS Claimed — not independently verified https://cloud.google.com/security/compliance
SOC1 Claimed — not independently verified https://cloud.google.com/security/compliance
SOC3 Claimed — not independently verified https://cloud.google.com/security/compliance
These appear on the vendor's site but we could not confirm an independent audit report. Request the underlying attestation before relying on them.

Common compliance questions

Each answer is grounded in the cited evidence above — with an honest "no evidence on file" where nothing is published.

Tracked Legal & Policy Documents

DocumentURL
Dpa https://cloud.google.com/terms/data-processing-addendum
Gdpr Compliance https://cloud.google.com/privacy/gdpr
Pricing https://workspace.google.com/pricing
Privacy https://policies.google.com/privacy
Security https://workspace.google.com/security/
Soc Report https://cloud.google.com/security/compliance/soc-2
Subprocessors https://workspace.google.com/terms/subprocessors/
Tos https://cloud.google.com/terms
Trust https://cloud.google.com/trust-center

How to Obtain Non-Public Documents

These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.

DocumentAvailabilityHow to obtain
Business Associate Agreement (BAA) On request (HIPAA only) A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. Trust center →
Master Services Agreement (MSA) Negotiated per contract The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. Trust center →
Service Level Agreement (SLA) Enterprise tier A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center →

Continuous Monitoring change-tracking active

4 legal & policy documents under change-monitoring since 2026-06-08. 5 tracked changes detected since baseline.

DpaPrivacySubprocessorsTos
DetectedChangeDetail
2026-06-26 ToS Clause Change The Privacy Policy changed — 11 added passages. Review the current version.
What this means: This change to the Privacy Policy touches your privacy, data sharing or retention. Read 11 added passages in the current Privacy Policy to see whether it affects your obligations or risk.
Show exact changed text

In plain terms — verify against the exact changed text below: The word "Updates" was replaced with text introducing an "Ask Privacy Policy" tool, including a description, prompt suggestions, and a disclaimer that the tool is for navigational purposes only and not a substitute for the Privacy Policy.

@@ -25,4 +25,16 @@ Partners
 Updates
+Ask Privacy Policy
+Need help navigating Google's Privacy Policy?
+Explore a new way to navigate the Privacy Policy.
+prompt_suggestion
+Tell me about this page
+prompt_suggestion
+Explain why Google collects personal data
+prompt_suggestion
+Learn about my key privacy controls
+This tool is provided for navigational purposes only. It isn’t a substitute for the
+Privacy Policy
+.
 Google Privacy Policy
 When you use our services, you’re trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control.
2026-06-24 ToS Clause Change The Terms of Service changed — 6 added passages. Review the current version.
What this means: The Terms of Service text changed, but the edit doesn't clearly touch a tracked legal concern (it may be a heading, formatting, or minor wording change) — skim the current Terms of Service to confirm.
Show exact changed text

In plain terms — verify against the exact changed text below: The document was updated to specify that these terms do not apply to Starter Tier resources, and that the Starter Tier Additional Terms of Service govern the use of all resources in a Starter Tier project.

@@ -45,4 +45,10 @@ Services Account, the terms below do not apply to you, and your
 offline terms govern your use of the applicable Services.
+These terms do not apply to use of
+Starter Tier
+resources. The
+Starter Tier Additional Terms of Service
+govern use of all
+resources in your Starter Tier project.
 These Google Cloud Terms of Service (together,
 the "Agreement") are entered into by Google and the entity
2026-06-18 Sub-processor Change 1 new sub-processor(s) added: Accenture Japan Ltd.
What this means: A new third party may now process your data — check it against your DPA's approved sub-processor list and your notification rights.
2026-06-16 Sub-processor Change 1 sub-processor(s) removed: Accenture Japan Ltd.
What this means: A new third party may now process your data — check it against your DPA's approved sub-processor list and your notification rights.
2026-06-15 Sub-processor Change 12 new sub-processor(s) added: Accenture International Limited, Cognizant Worldwide Limited, Deloitte Consulting LLP, EPAM Systems, GlobalLogic Inc., GlobalLogi
What this means: A new third party may now process your data — check it against your DPA's approved sub-processor list and your notification rights.

View full Google Gemini for Workspace change history →

Fourth-Party Supply Chain deterministic · cited

Your data reaches these fourth parties through Google Gemini for Workspace. Source: vendor's published sub-processor list.

Google Gemini for Workspace Accenture International Limited Cognizant Worldwide Limited EPAM Systems, Inc. Deloitte Consulting LLP GlobalLogic Technologies Private Limited GlobalLogic Inc. Infosys Limited Tata Consultancy Services Limited TELUS International Services Limited Virtusa SuperholdCo Inc Wipro LLC
Sub-processor source →

If one of these fourth parties has a critical security event, you may be indirectly exposed even without a direct contract. Swanum flags this in your alerts.

Search the Legal Documents verbatim · cited

Search Google Gemini for Workspace's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.

Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.

Monitor Google Gemini for Workspace — get alerted when this changes

This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Google Gemini for Workspace changes something that affects your risk. Built for procurement & security teams.

Free. One email per material change. Unsubscribe anytime. No sales spam.
Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.