Set up Vault for your organization

    Note:Starting on November 1, 2025, Google Workspace admins must have a Google Vault license to continue using Google Vault.

    If your Google Workspace edition already includes a Google Vault license, your admins can use that license. If your edition doesn't include a Vault license, you can either upgrade to an edition that includes a Vault license, or you can purchase a Vault add-on license. Learn more about Vault licenses .

    To ensure continued access to Google Vault, please update the licenses for all your active Vault admins before November 1, 2025.

    Important: Vault doesn't preserve data until you complete these steps. Set up retention rules as described in Step 5 in order for Vault to retain your data.

    Set up requirements and recommendations

    • You must be a Google Workspace super administrator for your organization to complete the steps in this guide.

    • To be a Vault admin you must have a Google Workspace license that includes Google Vault. If your Google Workspace license does not include Vault, you will need to get a Google Vault add-on license. Learn more about Google Vault add-on.

    • Verify that your organization isn't managing email and chat message storage . If this feature is configured to automatically delete messages, it interferes with Vault retention rules. Sign in to the Admin console and change this setting to Do not delete email and chat messages automatically.

    • Consider enabling comprehensive message storage . Other Google products might send email on a user's behalf. This setting ensures that a copy of those messages is stored in the user's Gmail mailbox and is available to Vault. Learn more

    • Consider turning on Chat history for your organization. Retention rules and holds always apply to Chat spaces. However, they apply to direct messages only when history is turned on.

    • Consider turning on message archiving in Google Groups for Business for groups of interest. Vault can hold, retain, and search messages only in groups that have archiving turned on. However, group owners can change this setting for their groups. If a group owner turns archiving off, the messages from that group are still available in user mailboxes.

    Step 1. If needed, buy Vault licenses

    Vault is included with most Google Workspace editions, but it's an add-on for some. You can buy and assign licenses to everyone (full-organization licensing) or to only a subset of people (partial-organization licensing).

    1. Buy Vault licenses for your organization . You need a Vault license for every user that you want to be able to retain and search data for. You also need a Vault license for every Vault admin. Consult with people in your organization who understand its business and legal requirements to decide who needs a Vault license.

    2. Assign Vault licenses to users and admins.

    Step 2. Control who can sign in to Vault

    To allow users to sign in to Vault, turn on Vault for all or selected users. Learn how

    Note:

    • This setting has no effect on which accounts can be retained, held, and searched by Vault. All user accounts with Google Workspace and a  Vault license  can be retained, held, and searched.

    • This setting has no effect on which accounts can change retention rules, search for data, or perform other Vault functions. Users must have appropriate Vault privileges to work with Vault.

    • If you turn on Vault for everyone in your organization, the Vault icon appears in everyone’s list of apps. If your organization has set up organizational units, we recommend you restrict access to organizational units that have Vault privileges.

    Step 3. (Optional) Grant Vault privileges to authorized users

    Grant privileges to users who you want to create retention rules, place holds, or perform investigations. At first, only super admins with a Vault license can use Vault features. Learn how

    Step 4. Sign in to Vault

    If you recently purchased Vault or started the 30-day trial, we recommend that you wait 30–60 minutes before you sign in to Vault. If you sign in immediately after purchase, you might not be able to access all of Vault.

    1. Go to https://vault.google.com .

    2. Sign in with your Google Workspace username and password.

    Other authorized users in your organization can sign in to Vault the same way after you give them access.

    Step 5. Set your organization's default retention rules

    Set retention rules to control how long data is retained before it's allowed to be purged from user accounts and all Google systems. We recommend that you consult your organization's legal team when you set up retention rules.

    Before you begin, learn how retention works . The following steps describe how to set default retention rules, but you can set custom retention rules instead.

    To keep data that matches specific conditions for a set time, create a custom retention rule. To keep all service data for all licensed accounts for a set time, create a default retention rule.

    1. In Vault, click Retention. If Retentionisn't listed, ask a Google Workspace super administrator to give you Vault privileges ("Manage retention policies").
    2. On the Default rulestab, click a service, such as Drive or Gmail.

    3. Choose how long to keep messages or files:

      • To permanently retain data, select Indefinitely.
      • To retain data for a set time, select Retention periodand enter the number of days, from 1 to 36,500. The retention period is calculated based on the following start times:
        • Gmail, Groups, and Chat messages—days from when the message was sent or received.
        • Drive—days from when the file was either created or last modified.
        • Voice—days from when the data was sent or received.

    4. If you set a retention period, choose what to do with data after the retention period expires:

      • To purge only the data that users have already deleted, choose the first option.
      • To purge all data, choose the second option. This rule can purge data that users expect to keep, such as messages in their Gmail inbox or files in Drive.
      Vault immediately allows services to purge data that exceeds the retention period when you submit a new rule. This can include data users expect to keep. Do not continue to the next step until you're sure the rule is configured correctly.

    5. Click Create. If you set a retention period, Vault asks you to confirm you understand the effects of this retention rule. Check the boxes and click Acceptto create the rule.

    6. Repeat this process for all services you want to set default retention rules for.

    Step 6. (Optional) Set up Multi-party approval for Vault exports

    Vault admins have access to highly sensitive domain-wide data. To ensure that data exports are managed correctly and only performed by authorized users, you can enable Multi-party approval (MPA) for all Vault exports in your organization.

    How does MPA for Vault exports work?

    1. An admin performs a search and tries to start an export.
    2. A notification is sent to a second admin in your organization that another admin has made an export request.
    3. The second admin reviews the request in the Admin console and if everything looks good, they approve it.
    4. After the request is approved the data export starts.
    5. The first admin is then able to check the status and download the export.

    Turn on or off MPA for Vault exports

    You must be signed in as a  super administrator  for this task.
    1. Sign in with a super administrator account to the Google Admin console.

      If you aren’t using a super administrator account, you can’t complete these steps.

    2. In the Admin console, go to Menu  Security > Authentication > Multi-party approval settings .
      .
    3. Click Multi-party approval for Vault settings.
    4. To turn on MPA for Vault exports, check the Create Exportbox and then click Save.

      Note:Changes made to the Vault create export setting in the Admin console will only create an MPA request when MPA is also turned on for the organization. Learn more about MPA for sensitive actions .

    5. To turn off MPA for Vault exports, uncheck the Google Vault: create exportbox and then click Save.

    How do I approve a Vault data export request?

    If you are the requester or the approver of an MPA Vault export request, you can view pending or past requests on the MPA approval page.

    Open the Requests submittedtab, then click a request to display a details page for that request. On the request details page, requesters can cancel their request, and approvers can approve or deny the request.

    Google Vault is now set up! Vault preserves your organization's data as specified in the retention rules you configured.

    Important notes:

    • What happens after you set default retention rules:Unless a custom rule or hold applies, data is preserved according to the default retention rule.
    • What happens when a user deletes a message or file:The message or file is removed from that user's account. However, when the default retention rule or a custom rule applies, the message or file is still available in Vault for the remainder of the retention period. Deleted messages and files retained by Vault don't count against the user's storage quota.

    Was this helpful?

    How can we improve it?
    true
    Enable Dark Mode
    Search
    Clear search
    Close search
    Google apps
    Main menu
    13583924455610192412
    true
    Search Help Center
    false
    true
    true
    true
    true
    true
    96539
    false
    false
    false
    false
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: