Compliance resource center
Google Cloud’s industry-leading certifications, documentation, and third-party audits to help support your compliance.
Google Cloud compliance
As part of your migration to the cloud, you may need to validate our compliance documentation, certifications, and controls. Google Cloud creates and shares mappings of our industry-leading security, privacy, and compliance controls to standards from around the world. We also regularly undergo independent verification, achieving certifications, attestations, and audit reports to help demonstrate compliance.
Learn about:
- Certifications and compliance standards that we satisfy
- Information about regional and sector-specific regulations
- Documentation to aid your own reporting and compliance efforts
Compliance offerings by region
We continually expand our coverage against the most important global standards.
Compliance offerings by industry
Featured papers
We regularly write about the topics most critical to our customers.
New! Insights into Middle East Telecom regulations
New! Telecoms Regulatory Themes in Latin America
Regulatory Themes in the U.S. Telecommunications Industry
Regulatory Considerations for US Financial Institutions Migrating to Google Cloud
Strengthening Operational Resilience in Financial Services by Migrating to Google Cloud
Compliance offerings by category
Auditor-validated certifications and attestations
An independent third-party auditor has granted a formal certification, attestation, or audit report based on an assessment that affirms our compliance with these offerings.
Global
Cloud Computing Compliance Controls Catalog (C5) | CSA | GSMA SAS-SM | Higher Education Cloud Vendor Assessment Tool (HECVAT) | ISO 9001:2015 | ISO 22301:2019 & BS EN ISO 22301:2019 | ISO 50001:2018 | ISO/IEC 27001 | ISO/IEC 27017 | ISO/IEC 27018 | ISO/IEC 27701 | PCI 3DS Core Security Standard | PCI DSS | SOC 1 | SOC 2 | SOC 3 | VPAT (WCAG, U.S. Section 508, EN 301 549)
The Americas
FedRAMP | FIPS 140-2 Validated | HITRUST CSF | Independent Security Evaluators (ISE) Audit | Minimum Acceptable Risk Standards for Exchanges (MARS-E) | StateRAMP | TruSight | U.S. Defense Information Systems Agency Provisional Authorization
EMEA
Spain Esquema Nacional de Seguridad (ENS) | EU Cloud Code of Conduct | HDS | ISAE 3000 Type 2 Report (FINMA) | Microfin | NCSC - Cyber Essentials Plus (UK) | Qatar National Information Assurance (NIA) | SWIPO Data Portability Code of Conduct | TISAX
Asia Pacific
Australia Hosting Certification Framework - DTA HCF | Information System Security Management and Assessment Program (ISMAP) | IRAP (Information Security Registered Assessors Program) | JIIMA | K-ISMS (Korea) | MTCS (Singapore) Tier 3 | OSPAR | SNI 27001 | ETDA (Thailand)
Laws and regulations
Cloud service providers can’t provide formal certification of our customers’ compliance with these laws and regulations. To help support our customers, we review these laws and regulations and, where possible, provide guidance documents, mappings, and papers that outline our technical capabilities and legal commitments.
Global and North America
GxP | California Consumer Privacy Act (CCPA) | COPPA (U.S.) | Export Administration Regulations (EAR) | FERPA (U.S.) | FINRA (US) | HIPAA | IRS 1075 | International Traffic in Arms Regulations (ITAR) | GLBA | OSFI (Canada) | FG16/5 - FCA | NERC CIP | PHIPA (Canada) | StateRAMP | PIPEDA (Canada) | US Federal Banking Agencies
EMEA
ACPR (France) | BaFin Cloud Outsourcing Guidance | Banco de España | Banco de Portugal | Bank of Italy | BRSA (Turkey) | BSI Critical Infrastructure (KRITIS) | BWG (Austria) | Central Bank of Ireland (Ireland) | CSSF (Luxembourg) | De Nederlandsche Bank (the Netherlands) | EU DORA | EU Solvency II | EU Standard Contractual Clauses | FINMA (Switzerland) | FSA (Denmark) | GDPR | Israel’s Privacy Protection Authority | KNF (Poland) | MaRisk AT 9 Outsourcing | PRA (UK) | revFADP (Switzerland) | South Africa POPI | SFSA (Sweden) | VAG (Austria) | SYSC 8 Outsourcing - FCA Handbook | UK CHECK
Latin America
PDPL (Argentina) | BCRA (Argentina) | Central Bank of Brazil (Brazil) | CNBV (Mexico) | CNSF (Mexico) | CMF (Chile) | Superintendencia de Banca (Peru) | Financial Superintendence of Colombia | Lei Geral de Proteção de Dados (LGPD) | ASFI (Bolivia)
Asia Pacific
Act on the Protection of Personal Information (Japan) | APRA Prudential Standard CPS 234 | APPs (Australia) | APRA (Australia) | Bank Negara (Malaysia) | Bank of Thailand (BOT) | BSP (Philippines) | DSA (Bangladesh) | FSC Insurance Outsourcing Directions | FSC Banking Outsourcing Regulations | GR 95/2018 guidelines | IA (Hong Kong) | HKMA (Hong Kong) | MAMPU (Malaysia) | PDPO (Hong Kong) | Indonesia Government Regulation No. 71 (GR 71) | IRDAI (India) | FSC (Korea) | Korean Financial Supervisory Service (FSS) | MAS TRM Guidelines | OIC (Thailand) | OJK Circular 21 of 2017 (SEOJK 21) | OJK Regulation No. 38 of 2016 (POJK 38) | PDP Law (Indonesia) | PDPA (Malaysia) | PDPA (Philippines) | PDPA (Taiwan) | PDPA (Thailand) | PDPD (Vietnam) | PIPA (Korea) | RBI (India) | Reserve Bank of New Zealand (New Zealand) | Securities and Exchange Board of India (SEBI) | PDPA (Singapore) | State Bank of Vietnam | The Privacy Act (New Zealand)
Alignments and frameworks
Our products, technical capabilities, guidance documents, and legal commitments help our customers map to these frameworks and alignments. These offerings may not require formal certification or attestation, though we may rely on our certifications, attestations, and reports to help our customers map to these frameworks and alignments.
Global
BitSight | Center for Internet Security (CIS) Benchmarks | CyberGRX | ISO/IEC 27110 | Know Your Third Party (KY3P) Report | MVSP | Standardized Information Gathering (SIG) Questionnaire | USDM Life Sciences | Whistic
EMEA
EBA (EU) | European Cloud User Coalition (ECUC) | EIOPA (EU) | NCSC - Cloud Security (UK) | NEN (Netherlands) | NHS (UK) | PiTuKri | Qualifying license (Kingdom of Saudi Arabia)
North America
Criminal Justice Information Services (CJIS) | FFIEC (US) | MPA | NIST 800-53 | NIST 800-171 | NIST 800-34 - Contingency Planning | StateRAMP | US Federal Banking Agencies
Asia Pacific
ABS (Singapore) | PMDA (Japan) | FISC (Japan) | MeitY (India) | Monetary Authority of Singapore (MAS) Guidelines | NISC (Japan) | 2G3M (Japan)