Google Apps data protections - verified by third parties

Posted by Eran Feigenbaum, Director of Security, Google Enterprise

Editors note: This post is part of a series that explores the top ten reasons why customers trust Google with their business data. A complete top ten list can be found here.

We believe our customers should have lots of visibility into how we protect the data that is stored in Google Apps. And while it’s one thing for us to tell you how we protect the data, as we do in our blog posts and security white paper, it’s also helpful when independent third parties perform inspections and audits.

Cloud computing companies use the the SSAE 16 Type II audit, and its international counterpart ISAE 3402 Type II audit, to document and verify the data protections in place for their services. These auditing standards are defined by the The American Institute of Certified Public Accountants (AICPA) and the the International Auditing and Assurance Standards Board (IAASB), respectively. These audit standards have replaced the SAS 70 Type II audit, which Google Apps first completed in 2008. In our audits, we specify the confidentiality, integrity and availability controls that our customers are most concerned about, which are then verified by our auditors. We recently announced that we’ve successfully completed the SSAE 16 and ISAE 3204 Type II audits for Google Apps, Postini services, Google Apps Script, Google Storage for Developers and Google App Engine.

Google Apps for Government has also received Federal Information Security Management Act (FISMA) certification from the U.S. Government. The FISMA certification includes a rigorous evaluation of the security processes and data protections in place in Google Apps for Government and is required by U.S. federal government customers, who must comply with FISMA by law.

Third party audits are only part of the security and compliance benefits of Google Apps. For more information visit our Google Apps security page.