†Vertex AI Search Pre-GA offerings are included in
the Google Cloud Business Associate Agreement (BAA). If you will be using
Vertex AI Search to store or process Protected Health Information in a
manner subject to the Health Insurance Portability and Accountability Act
(HIPAA) of 1996 and/or any amendments or regulations under HIPAA, you must enter
into an appropriate BAA with Google. For more information, seeHIPAA Compliance on Google Cloud.
Security controls
Vertex AI Search provides security horizontals. The CMEK controls are
only available in the Enterprise Edition.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eVertex AI Search, including both Standard and Enterprise Editions, along with the RAG APIs, are compliant with HIPAA, ISO 27001, 27017, 27018, 27701, SOC 1, SOC 2, and SOC 3 certifications.\u003c/p\u003e\n"],["\u003cp\u003eVertex AI Search offers security controls such as Data Residency (DRZ), VPC Service Controls, and Access Transparency in both Standard and Enterprise editions.\u003c/p\u003e\n"],["\u003cp\u003eThe Enterprise Edition of Vertex AI Search provides Customer-managed encryption keys (CMEK) for enhanced data security, specifically for US and EU multi-region APIs.\u003c/p\u003e\n"],["\u003cp\u003eThe RAG APIs, which include ranking, grounded generation, and check grounding, have VPC Service Controls and Access Transparency in place but do not have Data Residency or Customer-managed encryption keys.\u003c/p\u003e\n"],["\u003cp\u003eA Business Associate Agreement (BAA) with Google is necessary when utilizing Vertex AI Search for storing or processing Protected Health Information (PHI) under HIPAA regulations.\u003c/p\u003e\n"]]],[],null,["# Compliance and security controls\n\nThis page provides a high-level view of the compliance certifications and\nsecurity controls that are supported by Vertex AI Search.\n\nCertifications\n--------------\n\nVertex AI Search and the RAG APIs are compliant as follows:\n\n^\\*^ The RAG APIs are [ranking](/generative-ai-app-builder/docs/ranking), [grounded generation](/generative-ai-app-builder/docs/grounded-gen), and\n[check grounding](/generative-ai-app-builder/docs/check-grounding).\n\n^†^ Vertex AI Search Pre-GA offerings are included in\nthe Google Cloud Business Associate Agreement (BAA). If you will be using\nVertex AI Search to store or process Protected Health Information in a\nmanner subject to the Health Insurance Portability and Accountability Act\n(HIPAA) of 1996 and/or any amendments or regulations under HIPAA, you must enter\ninto an appropriate BAA with Google. For more information, see\n[HIPAA Compliance on Google Cloud](/security/compliance/hipaa).\n\nSecurity controls\n-----------------\n\nVertex AI Search provides security horizontals. The CMEK controls are\nonly available in the Enterprise Edition.\n\n^\\*^ Using external key manager (EKM) or hardware security module\n(HSM) with CMEK is in GA with allowlist.\n\nThe following table identifies security controls for RAG APIs.\n\nWhat's next\n-----------\n\nLearn more about [Google Cloud compliance](/security/compliance)."]]
