Console
    Contact Us Start free

    Data Boundary for IRS Publication 1075

    This page describes the set of controls that are applied on Data Boundary for IRS 1075 workloads in Assured Workloads. It provides detailed information about data residency , supported Google Cloud products and their API endpoints, and any applicable restrictions or limitations on those products. The following additional information applies to Data Boundary for IRS 1075:

    • Data residency: The Data Boundary for IRS 1075 control package sets data location controls to support US-only regions . See the Google Cloud-wide organization policy constraints section for more information.

    • Support: Technical support services for Data Boundary for IRS 1075 workloads are available with Enhanced or Premium Cloud Customer Care subscriptions. Data Boundary for IRS 1075 workloads support cases are routed to US Persons located in the US who have completed fingerprint-based CJIS background checks, state-level law enforcement checks, and citizenship verification. For more information, see Getting support .

    • Pricing: The Data Boundary for IRS 1075 control package is included in Assured Workloads' Premium tier , which incurs an 20% additional charge. See Assured Workloads pricing for more information.

    Prerequisites

    To remain compliant as a user of the Data Boundary for IRS 1075 control package, verify that you satisfy and adhere to the following prerequisites:

    • Create an Data Boundary for IRS 1075 folder using Assured Workloads and deploy your Data Boundary for IRS 1075 workloads only in that folder.
    • Only enable and use in-scope Data Boundary for IRS 1075 services for Data Boundary for IRS 1075 workloads.
    • Don't change the default organization policy constraint values unless you understand and are willing to accept the data residency risks that might occur.
    • Consider adopting the general security best practices provided in the Google Cloud security best practices center .
    • When accessing the Google Cloud console, you have the option of using the Jurisdictional Google Cloud console . You are not required to use the Jurisdictional Google Cloud console for Data Boundary for IRS 1075. It can be accessed at one of the following URLs:

    Supported products and API endpoints

    Unless otherwise noted, users can access all supported products through the Google Cloud console. Restrictions or limitations that affect the features of a supported product, including those that are enforced through organization policy constraint settings , are listed in the following table.

    If a product is not listed, that product is unsupported and has not met the control requirements for Data Boundary for IRS 1075. Unsupported products are not recommended for use without due diligence and a thorough understanding of your responsibilities in the shared responsibility model . Before using an unsupported product, ensure that you are aware of and are willing to accept any associated risks involved, such as negative impacts to data residency or data sovereignty.

    Supported product API endpoints Restrictions or limitations
    Access Context Manager
    		accesscontextmanager.googleapis.com
    		None
    Access Transparency
    		accessapproval.googleapis.com
    		None
    Agent Assist
    		dialogflow.googleapis.com
    		None
    AlloyDB for PostgreSQL
    		alloydb.googleapis.com
    		None
    Apigee
    		apigee.googleapis.com
    		None
    App Hub
    		apphub.googleapis.com
    		None
    Application Integration
    		integrations.googleapis.com
    		None
    Artifact Registry
    		artifactregistry.googleapis.com
    		None
    Backup for GKE
    		gkebackup.googleapis.com
    		None
    BigQuery
    		bigquery.googleapis.com
    bigquerydatapolicy.googleapis.com
    bigquerymigration.googleapis.com
    bigqueryreservation.googleapis.com
    bigquerystorage.googleapis.com
    		Affected features
    BigQuery Data Transfer Service
    		bigquerydatatransfer.googleapis.com
    		Affected features
    Bigtable
    		bigtable.googleapis.com
    bigtableadmin.googleapis.com
    		None
    Binary Authorization
    		binaryauthorization.googleapis.com
    		None
    Certificate Authority Service
    		privateca.googleapis.com
    		None
    Cloud Asset Inventory
    		cloudasset.googleapis.com
    		None
    Cloud Build
    		cloudbuild.googleapis.com
    		None
    Cloud Composer
    		composer.googleapis.com
    		None
    Google Cloud console
    		N/A
    		None
    Cloud DNS
    		dns.googleapis.com
    		None
    Cloud Data Fusion
    		datafusion.googleapis.com
    		None
    Cloud Deploy
    		clouddeploy.googleapis.com
    		None
    Cloud External Key Manager (Cloud EKM)
    		cloudkms.googleapis.com
    		None
    Cloud Run functions
    		cloudfunctions.googleapis.com
    		Organization policy constraints
    Cloud HSM
    		cloudkms.googleapis.com
    		None
    Cloud Healthcare API
    		healthcare.googleapis.com
    		None
    Cloud Interconnect
    		networkconnectivity.googleapis.com
    		Affected features
    Cloud Key Management Service (Cloud KMS)
    		cloudkms.googleapis.com
    		None
    Cloud Logging
    		logging.googleapis.com
    		Affected features
    Cloud Monitoring
    		monitoring.googleapis.com
    		Affected features
    Cloud NAT
    		networkconnectivity.googleapis.com
    		None
    Cloud OS Login API
    		oslogin.googleapis.com
    		None
    Cloud Router
    		networkconnectivity.googleapis.com
    		None
    Cloud Run
    		run.googleapis.com
    		Affected features
    Cloud SQL
    		sqladmin.googleapis.com
    		None
    Cloud Service Mesh
    		mesh.googleapis.com
    meshca.googleapis.com
    meshconfig.googleapis.com
    		None
    Cloud Storage
    		storage.googleapis.com
    		None
    Cloud Tasks
    		cloudtasks.googleapis.com
    		None
    Cloud VPN
    		compute.googleapis.com
    		Affected features
    Cloud Vision API
    		vision.googleapis.com
    		None
    Cloud Workstations
    		workstations.googleapis.com
    		None
    Compute Engine
    		compute.googleapis.com
    		Affected features and organization policy constraints
    Connect
    		gkeconnect.googleapis.com
    		None
    Dialogflow CX
    		dialogflow.googleapis.com
    		None
    Conversational Insights
    		contactcenterinsights.googleapis.com
    		None
    Sensitive Data Protection
    		dlp.googleapis.com
    		None
    Database Center
    		databasecenter.googleapis.com
    		None
    Dataflow
    		dataflow.googleapis.com
    datapipelines.googleapis.com
    		None
    Dataform
    		dataform.googleapis.com
    		None
    Dataplex Universal Catalog
    		dataplex.googleapis.com
    datalineage.googleapis.com
    		None
    Dataproc
    		dataproc-control.googleapis.com
    dataproc.googleapis.com
    		None
    Document AI
    		documentai.googleapis.com
    		None
    Essential Contacts
    		essentialcontacts.googleapis.com
    		None
    Eventarc
    		eventarc.googleapis.com
    		None
    External passthrough Network Load Balancer
    		compute.googleapis.com
    		None
    Filestore
    		file.googleapis.com
    		None
    Firebase Authentication
    		N/A
    		None
    Firestore
    		firestore.googleapis.com
    		None
    GKE Hub
    		gkehub.googleapis.com
    		None
    GKE Identity Service
    		anthosidentityservice.googleapis.com
    		None
    Generative AI on Vertex AI
    		aiplatform.googleapis.com
    		None
    Google Agentspace
    		discoveryengine.googleapis.com
    		None
    Google Cloud Armor
    		compute.googleapis.com
    networksecurity.googleapis.com
    		Affected features
    Google Cloud NetApp Volumes
    		netapp.googleapis.com
    		Affected features
    Google Kubernetes Engine (GKE)
    		container.googleapis.com
    containersecurity.googleapis.com
    		None
    Google Security Operations SIEM
    		chronicle.googleapis.com
    chronicleservicemanager.googleapis.com
    		None
    Google Security Operations SOAR
    		Not applicable
    		None
    Identity and Access Management (IAM)
    		iam.googleapis.com
    		None
    Identity-Aware Proxy (IAP)
    		iap.googleapis.com
    		None
    Infrastructure Manager
    		config.googleapis.com
    		None
    Integration Connectors
    		connectors.googleapis.com
    		None
    Internal passthrough Network Load Balancer
    		compute.googleapis.com
    		None
    Jurisdictional Google Cloud console
    		N/A
    		None
    Key Access Justifications
    		cloudekm.googleapis.com
    		None
    Looker (Google Cloud core)
    		looker.googleapis.com
    		None
    Memorystore for Redis
    		redis.googleapis.com
    		None
    Model Armor
    		modelarmor.googleapis.com
    		None
    Network Connectivity Center
    		networkconnectivity.googleapis.com
    		None
    Organization Policy Service
    		orgpolicy.googleapis.com
    		None
    Persistent Disk
    		compute.googleapis.com
    		None
    Pub/Sub
    		pubsub.googleapis.com
    		None
    Regional external Application Load Balancer
    		compute.googleapis.com
    		None
    Regional external proxy Network Load Balancer
    		compute.googleapis.com
    		None
    Regional internal Application Load Balancer
    		compute.googleapis.com
    		None
    Regional internal proxy Network Load Balancer
    		compute.googleapis.com
    		None
    Resource Manager
    		cloudresourcemanager.googleapis.com
    		None
    Secret Manager
    		secretmanager.googleapis.com
    		None
    Secure Source Manager
    		securesourcemanager.googleapis.com
    		None
    Spanner
    		spanner.googleapis.com
    		None
    Speech-to-Text
    		speech.googleapis.com
    		Affected features
    Storage Transfer Service
    		storagetransfer.googleapis.com
    		None
    Text-to-Speech
    		texttospeech.googleapis.com
    		None
    VPC Service Controls
    		accesscontextmanager.googleapis.com
    		None
    Vertex AI Batch prediction
    		aiplatform.googleapis.com
    		None
    Vertex AI Model Monitoring
    		aiplatform.googleapis.com
    		None
    Vertex AI Model Registry
    		aiplatform.googleapis.com
    		None
    Vertex AI Online prediction
    		aiplatform.googleapis.com
    		None
    Vertex AI Pipelines
    		aiplatform.googleapis.com
    		None
    Vertex AI Search
    		discoveryengine.googleapis.com
    		None
    Vertex AI Training
    		aiplatform.googleapis.com
    		None
    Vertex AI Workbench
    		aiplatform.googleapis.com
    		None
    Virtual Private Cloud (VPC)
    		compute.googleapis.com
    		None
    Web Risk
    		webrisk.googleapis.com
    		None
    Workforce Identity Federation
    		iam.googleapis.com
    sts.googleapis.com
    		None

    Restrictions and limitations

    The following sections describe Google Cloud-wide or product-specific restrictions or limitations for features, including any organization policy constraints that are set by default on Data Boundary for IRS 1075 folders. Other applicable organization policy constraints —even if not set by default— can provide additional defense-in-depth to further protect your organization's Google Cloud resources.

    Google Cloud-wide

    Affected Google Cloud-wide features

    Feature
    Description
    Google Cloud console
    To access the Google Cloud console when using the Data Boundary for IRS 1075 control package, you have the option of using the Jurisdictional Google Cloud console. The Jurisdictional Google Cloud console is not required for Data Boundary for IRS 1075, and can be accessed using one of the following URLs:
    For more information, see the Jurisdictional Google Cloud console page.

    Google Cloud-wide organization policy constraints

    The following organization policy constraints apply across Google Cloud.

    Organization policy constraint
    Description
    gcp.resourceLocations
    Set to the following locations in the allowedValues list:
    • us-locations
    • us-central1
    • us-central2
    • us-east1
    • us-east4
    • us-east5
    • us-south1
    • us-west1
    • us-west2
    • us-west3
    • us-west4
    This value restricts creation of new resources to the selected values. When set, no resources can be created in any other regions, multi-regions, or locations outside of the selection. See Resource locations supported services for a list of resources that can restricted by the Resource Locations organization policy constraint, as some resources may be out of scope and unrestrictable.

    Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside of a compliant data boundary.
    gcp.restrictNonCmekServices
    Set to a list of all in-scope API service names , including:
    • bigquerydatatransfer.googleapis.com
    Some features may be affected for each of the services listed above.

    Each listed service requires Customer-managed encryption keys (CMEK) . CMEK allows that at-rest data is encrypted with a key managed by you, not Google's default encryption mechanisms.

    Changing this value by removing one or more in-scope services from the list may undermine data sovereignty, because new at-rest data will be automatically encrypted using Google's own keys instead of yours. Existing at-rest data will remain encrypted by the key you provided.
    gcp.restrictServiceUsage
    Set to allow all supported products and API endpoints .

    Determines which services can be used by restricting runtime access to their resources. For more information, see Restricting resource usage .
    gcp.restrictTLSVersion
    Set to deny the following TLS versions:
    • TLS_1_0
    • TLS_1_1
    See the Restrict TLS versions page for more information.

    BigQuery

    Affected BigQuery features

    Feature
    Description
    Enabling BigQuery on a new folder
    BigQuery is supported, but it isn't automatically enabled when you create a new Assured Workloads folder due to an internal configuration process. This process normally finishes in ten minutes, but can take much longer in some circumstances. To check whether the process is finished and to enable BigQuery, complete following steps:
    1. In the Google Cloud console, go to the Assured Workloads page.

      Go to Assured Workloads

    2. Select your new Assured Workloads folder from the list.
    3. On the Folder Details page in the Allowed services section, click Review Available Updates .
    4. In the Allowed services pane, review the services to be added to the Resource Usage Restriction organization policy for the folder. If BigQuery services are listed, click Allow Services to add them.

      If BigQuery services are not listed, wait for the internal process to complete. If the services are not listed within 12 hours of folder creation, contact Cloud Customer Care .

    After the enablement process is completed, you can use BigQuery in your Assured Workloads folder.

    Gemini in BigQuery is not supported by Assured Workloads.

    Unsupported features
    The following BigQuery features are not supported and should not be used in the BigQuery CLI. It is your responsibility not to use them in BigQuery for Assured Workloads.
    BigQuery CLI
    The BigQuery CLI is supported.

    Google Cloud SDK
    You must use Google Cloud SDK version 403.0.0 or newer to maintain data regionalization guarantees for technical data. To verify your current Google Cloud SDK version, run gcloud --version and then gcloud components update to update to the newest version.
    Administrator controls
    BigQuery will disable unsupported APIs but administrators with sufficient permissions to create an Assured Workloads folder can enable an unsupported API. If this occurs, you will be notified of potential non-compliance through the Assured Workloads monitoring dashboard .
    Loading data
    BigQuery Data Transfer Service connectors for Google Software as a Service (SaaS) apps, external cloud storage providers, and data warehouses are not supported. It is your responsibility not to use BigQuery Data Transfer Service connectors for Data Boundary for IRS 1075 workloads.
    Third-party transfers
    BigQuery does not verify support for third-party transfers for the BigQuery Data Transfer Service. It is your responsibility to verify support when using any third-party transfer for the BigQuery Data Transfer Service.
    Non-compliant BQML models
    Externally-trained BQML models are not supported.
    Query jobs
    Query jobs should only be created within Assured Workloads folders.
    Queries on datasets in other projects
    BigQuery does not prevent Assured Workloads datasets from being queried from non-Assured Workloads projects. You should ensure that any query that has a read or a join on Assured Workloads data be placed in an Assured Workloads folder. You can specify a fully-qualified table name for their query result using projectname.dataset.table in the BigQuery CLI.
    Cloud Logging
    BigQuery utilizes Cloud Logging for some of your log data. You should disable your _default logging buckets or restrict _default buckets to in-scope regions to maintain compliance using the following command:

    gcloud alpha logging settings update --organization=ORGANIZATION_ID --disable-default-sink

    See Regionalize your logs for more information.

    Compute Engine

    Affected Compute Engine features

    Feature Description
    Suspending and resuming a VM instance This feature is disabled.

    Suspending and resuming a VM instance requires persistent disk storage, and persistent disk storage used for storing the suspended VM state cannot currently be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
    Local SSDs This feature is disabled.

    You will be unable to create an instance with Local SSDs because they currently cannot be encrypted by using CMEK. See the gcp.restrictNonCmekServices organization policy constraint in the section above to understand the data sovereignty and data residency implications of enabling this feature.
    Guest environment It is possible for scripts, daemons, and binaries that are included with the guest environment to access unencrypted at-rest and in-use data. Depending on your VM configuration, updates to this software may be installed by default. See Guest environment for specific information about each package's contents, source code, and more.

    These components help you meet data sovereignty through internal security controls and processes. However, if you want additional control, you can also curate your own images or agents and optionally use the compute.trustedImageProjects organization policy constraint.

    See the Building a custom image page for more information.
    OS policies in VM Manager Inline scripts and binary output files within the OS policy files are not encrypted using customer-managed encryption keys (CMEK). Therefore, don't include any sensitive information in these files. Alternatively, consider storing these scripts and output files in Cloud Storage buckets. For more information, see Example OS policies .

    If you want to restrict the creation or modification of OS policy resources that use inline scripts or binary output files, enable the constraints/osconfig.restrictInlineScriptAndOutputFileUsage organization policy constraint.

    For more information, see Constraints for OS Config .

    Compute Engine organization policy constraints

    Organization policy constraint Description
    compute.disableGlobalCloudArmorPolicy Set to True .

    Disables the creation of new global Google Cloud Armor security policies , and the addition or modification of rules to existing global Google Cloud Armor security policies. This constraint doesn't restrict the removal of rules or the ability to remove or change the description and listing of global Google Cloud Armor security policies. Regional Google Cloud Armor security policies are unaffected by this constraint. All global and regional security policies that exist prior to the enforcement of this constraint remain in effect.
    compute.disableGlobalLoadBalancing Set to True .

    Disables creation of global load balancing products.

    Changing this value may affect your workload's data residency or data sovereignty.
    compute.restrictNonConfidentialComputing

    		(Optional) Value is not set. Set this value to provide additional defense-in-depth. See the Confidential VM documentation for more information.
    compute.trustedImageProjects

    		(Optional) Value is not set. Set this value to provide additional defense-in-depth.

    Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents.

    Cloud Run functions

    Cloud Run functions organization policy constraints

    Organization policy constraint
    Description
    cloudfunctions.restrictAllowedGenerations
    Set to deny the following Cloud Run functions generation that can be used to create new Cloud Run functions resources:
    • 1stGen
    See Restrict new deployments by product version for more information.

    Cloud Interconnect

    Affected Cloud Interconnect features

    Feature Description
    High-availability (HA) VPN You must enable high-availability (HA) VPN functionality when using Cloud Interconnect with Cloud VPN. Additionally, you must adhere to the encryption and regionalization requirements listed in the Affected Cloud VPN features section.

    Cloud KMS

    Cloud KMS organization policy constraints

    Organization policy constraint Description

    Cloud Logging

    Affected Cloud Logging features

    Feature Description
    Log sinks Filters shouldn't contain Customer Data.

    Log sinks include filters which are stored as configuration. Don't create filters that contain Customer Data.
    Live tailing log entries Filters shouldn't contain Customer Data.

    A live tailing session includes a filter which is stored as configuration. Tailing logs doesn't store any log entry data itself, but can query and transmit data across regions. Don't create filters that contain Customer Data.

    Cloud Monitoring

    Affected Cloud Monitoring features

    Feature Description
    Synthetic Monitor This feature is disabled.
    Uptime checks This feature is disabled.

    Cloud Run

    Affected Cloud Run features

    Feature
    Description
    Unsupported features
    The following Cloud Run features aren't supported:

    Speech-to-Text

    Affected Speech-to-Text features

    Feature Description
    Custom Speech-to-Text models It is your responsibility not to use Custom Speech-to-Text models because they are not compliant with Data Boundary for IRS 1075.

    Cloud VPN

    Affected Cloud VPN features

    Feature Description
    VPN endpoints You must use only Cloud VPN endpoints that are located in an in-scope region . Ensure that your VPN gateway is configured for use in an in-scope region only.

    What's next
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: