The Service and Organization Controls (SOC) 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) SSAE 18, which evaluates the service organization’s controls relevant to the Trust Services Criteria of security, availability, processing integrity, confidentiality, or privacy.
Looking for Google Cloud and Google Workspace SOC 2 reports? Customers can request the reports at their convenience via Compliance Reports Manager .
Google Cloud regularly undergoes third-party audits for our products, systems, and infrastructure related to this standard. The SOC 2 reports are generated by an objective third party attesting to a set of assertions made by Google Cloud about its controls that are in place to protect customer data. The audit firm’s evaluation includes comprehensive testing of the design and operating effectiveness of the controls within the audit period.
Customers may use the SOC 2 report to assess the risks arising from interactions with the assessed Google Cloud and Google Workspace systems throughout the period.
The core Google Cloud and Google Workspace SOC 2 Type II reports are issued semi-annually and can be downloaded via the Compliance Reports Manager . The coverage periods and issuance dates for these reports are:
We issue separate SOC 2 Type II reports for a small subset of Google Cloud products, including AppSheet, Backup and Disaster Recovery, Google Cloud VMware Engine, Bare Metal Solution, Apigee Edge, Actifio Heritage, StratoZone, Google Security Operations SOAR, Mandiant, and Looker (Google Cloud core). These reports are issued annually and customers can obtain these reports by contacting sales or support .
Bridge letters are attestations made by the management of the service provider, in this case, Google Cloud, and are intended to “bridge” the gap from the end date of the SOC report to the customer’s period end date. Bridge letters summarize material changes or issues identified within the internal control environment beyond the period end date of the most recent SOC report. Bridge letters are available for SOC 1 and SOC 2 reports.
Google Cloud creates monthly bridge letters with each letter designed to cover the period since the most recent SOC report. For example, Google Cloud issues a bridge letter in early January to cover the look-back period of November 1 to December 31, which extends the coverage period of the previously issued SOC report with a period end date of October 31.
SOC bridge letters for the core Google Cloud and Google Workspace SOC 2 reports are made available on Compliance Reports Manager for the periods ending March 31, June 30, September 30, and December 31 and can be downloaded directly. If a bridge letter covering a different period end date or product scope is required, please contact sales or support .
Google Cloud’s independent auditors are Ernst & Young LLP and Coalfire.
A SOC 2 Type I report covers the design of the service organization's controls at a specific point in time. A SOC 2 Type II report covers the design and operating effectiveness of the service organization's controls over a period of time. For example, a SOC 2 Type I may assess the service organization’s controls as of today, but a SOC 2 Type II assesses the service organization’s controls within the past six months. Google Cloud only issues SOC 2 Type II reports.
Below are Google Cloud services that are in scope for SOC 2.
Where we are simplifying the name of our service, we have also included its former name in parentheses.
AI Platform Deep Learning Container
AI Platform Neural Architecture Search (NAS)
AI Platform Training and Prediction
Anti-Money Laundering (AML) AI
BigQuery Data Transfer Service
Cloud External Key Manager (Cloud EKM)
Cloud Hardware Security Module (HSM)
Cloud Intrusion Detection System (IDS)
Cloud Key Management Service (KMS)
Cloud Life Sciences (formerly Google Genomics)
Cloud NAT (Network Address Translation)
Cloud Virtual Private Network (VPN)
Generative AI on Vertex AI (formerly Generative AI Support on Vertex AI)
GKE Enterprise Config Management
Google Cloud Identity-Aware Proxy
Google Cloud VMware Engine (GCVE)
Identity & Access Management (IAM)
Key Access Justifications (KAJ)
Managed Service for Microsoft Active Directory (AD)
Migrate to Virtual Machines (formerly Migrate for Compute Engine)
Notebooks (formerly AI Platform Notebooks)
Sensitive Data Protection (including Cloud Data Loss Prevention)
Threat Intelligence for Google Security Operations
Vertex AI Conversation (formerly Generative AI App Builder)
Vertex AI Platform (formerly Vertex AI)
Vertex AI Search (formerly Gen App Builder – Enterprise Search)
When Google Cloud administrators access your content, Access Transparency gives you near real-time logs of their actions.
Manage cryptographic keys for your cloud services the same way you do on-premises, to protect secrets and other sensitive data that you store in Google Cloud.
Delivers defense at scale against infrastructure and application DDoS attacks using Google’s global infrastructure and security systems.
Prevent and detect threats in virtual machines, networks, applications, and storage from one location, and act on them before they cause damage or loss.
Sensitive Data Protection (including Cloud Data Loss Prevention)
Provides fast, scalable classification and redaction for sensitive data elements like names, credit card numbers, Google Cloud credentials, and more.
Keeps sensitive data private by defining a security perimeter around Google Cloud resources like Cloud Storage buckets, Bigtable instances, and BigQuery datasets.
SOC 2 reports may be requested via the Compliance Reports Manager . Potential customers can contact sales for more information.
Start building on Google Cloud with $300 in free credits and 20+ always free products.