Gemini
Enterprise-Ready
Gemini is rated Enterprise-Ready with a score of 89 out of 100. The vendor demonstrates strong security posture through independently verified ISO 27001 and SOC2 TYPE2 certifications, with audit reports available under NDA. A recent material change to the Terms of Service, involving 6 added and 88 removed passages, touches privacy, data sharing, retention, and content/IP licensing. Buyers should review the current Terms of Service to assess whether these changes affect their obligations or risk.
Readiness Breakdown deterministic · evidence-only
- Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
- Data Processing Agreement A Data Processing Agreement is published and tracked.
- Breach History No known breaches in Have I Been Pwned.
- Vulnerability Exposure No product identity match in vulnerability databases — not assessed.
- Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy No security.txt vulnerability disclosure policy found.
- Web TLS Certificate Valid TLS certificate in place.
- Legal Transparency 9 legal/policy documents publicly tracked.
Ask This in Your Security Review 2 open items
- Vulnerability ExposureRequest the remediation timeline / patch status for known CVEs (and any KEV-listed items).
- Vulnerability Disclosure PolicyConfirm a coordinated vulnerability disclosure / security.txt contact.
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| GDPR | Stated by vendor | https://cloud.google.com/privacy/gdpr |
| HIPAA | Stated by vendor | https://cloud.google.com/security/compliance/hipaa |
| ISO 27001 | Stated by vendor | https://cloud.google.com/security/compliance/iso-27001 |
| SOC 2 | Stated by vendor | https://cloud.google.com/security/compliance/soc-2 |
| BAA Available (HIPAA) | Not publicly verified | — |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Data Processing Agreement (DPA) |
View document →
“Cloud Data Processing Addendum”vendor's exact wording |
https://cloud.google.com/terms/data-processing-addendum |
| Sub-processors (published list) | View document → | https://cloud.google.com/terms/google-subprocessors |
| Trains on Customer Data key clause |
Free / Pro:
trains on data
Gemini Apps (personal account): a subset of chats are reviewed by humans and used to improve Google's models unless you turn off Gemini Apps Activity; reviewed chats are retained up to 3 years.
cited →
Enterprise:
does not train
Workspace/Cloud Gemini (paid business licenses): prompts, outputs and your data are not used to train Google's models.
cited →
|
see per-tier citations |
Security Posture authoritative · cited
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| ISO 27001 | Available via Trust Center | https://cloud.google.com/security/compliance/offerings |
| SOC2 TYPE2 | Available via Trust Center | https://cloud.google.com/security/compliance/offerings |
Vendor-Claimed, Not Independently Verified treat as unconfirmed
| FEDRAMP LOW | Claimed — not independently verified | https://cloud.google.com/security/compliance |
| HITRUST | Claimed — not independently verified | https://cloud.google.com/security/compliance |
| ISO 27017 | Claimed — not independently verified | https://cloud.google.com/security/compliance |
| ISO 27018 | Claimed — not independently verified | https://cloud.google.com/security/compliance |
| ISO 27701 | Claimed — not independently verified | https://cloud.google.com/security/compliance |
| PCI DSS | Claimed — not independently verified | https://cloud.google.com/security/compliance |
| SOC1 | Claimed — not independently verified | https://cloud.google.com/security/compliance |
| SOC3 | Claimed — not independently verified | https://cloud.google.com/security/compliance |
Common compliance questions
Tracked Legal & Policy Documents
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. Trust center → |
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. Trust center → |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center → |
Continuous Monitoring change-tracking active
5 legal & policy documents under change-monitoring since 2026-06-08. 3 tracked changes detected since baseline.
| Detected | Change | Detail |
|---|---|---|
| 2026-06-24 | ToS Clause Change |
The Terms of Service changed — 6 added passages. Review the current version.
What this means: The Terms of Service text changed, but the edit doesn't clearly touch a tracked legal concern (it may be a heading, formatting, or minor wording change) — skim the current Terms of Service to confirm.
Show exact changed textIn plain terms — verify against the exact changed text below: The document was updated to specify that these terms do not apply to Starter Tier resources, and that the Starter Tier Additional Terms of Service govern the use of all resources in a Starter Tier project. @@ -45,4 +45,10 @@ Services Account, the terms below do not apply to you, and your offline terms govern your use of the applicable Services. +These terms do not apply to use of +Starter Tier +resources. The +Starter Tier Additional Terms of Service +govern use of all +resources in your Starter Tier project. These Google Cloud Terms of Service (together, the "Agreement") are entered into by Google and the entity |
| 2026-06-16 | Sub-processor Change |
12 new sub-processor(s) added: Accenture International Limited, BULL LTDA – LE 960833, Bristlecone Incorporated, Bull Advanced Computing Canada Inc., Bull GmbH,
What this means: A new third party may now process your data — check it against your DPA's approved sub-processor list and your notification rights.
|
| 2026-06-15 | ToS Clause Change |
The Terms of Service changed — 6 added, 88 removed passages. Review the current version.
What this means: This change to the Terms of Service touches your privacy, data sharing or retention and licensing or ownership of content/IP. Read 6 added and 88 removed passages in the current Terms of Service to see whether it affects your obligations or risk.
Show exact changed textIn plain terms — verify against the exact changed text below: The previous detailed Google Terms of Service, including its table of contents, introduction, service provider information for Google Ireland Limited, age requirements, and effective date of May 22, 2024, has been removed. This content is replaced with new text introducing 'Home', 'Stay organized with collections', 'Go @@ -1,696 +1,1385 @@-Google Terms of Service – Privacy & Terms – Google -Privacy & Terms -Privacy & Terms -Privacy & Terms -Overview -Privacy Policy +Home +Stay organized with collections +Save and categorize content based on your preferences. +Google Cloud Terms of Service -Technologies -FAQ -Google Account -Terms -Introduction -Your relationship with Google -Using Google services -Content in Google services -Software in Google services -In case of problems or disagreements -About these terms -EEA instructions on withdrawal -Updates -Definitions -List of services & service-specific additional terms -How Google handles government requests for user information -Google Terms of Service -Effective May 22, 2024 -| -Archived versions -| -Download PDF -Country version: -Germany -What’s covered in these terms -We know it’s tempting to skip these Terms of Service, but it’s important to establish what you can expect from us as you use Google -services -, and what we expect from you. -These Terms of Service reflect -the way Google’s business works -, the laws that apply to our company, and -certain things we’ve always believed to be true -. As a result, these Terms of Service help define Google’s relationship with you as you interact with our services. For example, these terms include the following topic headings: -What you can expect from us -, which describes how we provide and develop our services -What we expect from you -, which establishes certain rules for using our services -Content in Google services -, which describes the intellectual property rights to the content you find in our services — whether that content belongs to you, Google, or others -In case of problems or disagreements -, which describes other legal rights you have, and what to expect in case someone violates these terms -Understanding these terms is important because, to use our services, you must accept these terms. We encourage you to download these terms for future reference. We make these terms, and all previous versions, available at all times +New to Google Cloud? A quick overview of Google +Cloud’s online contracting can be found here . -Besides these terms, we also publish a -Privacy Policy -. Although it’s not part of these terms, we encourage you to read it to better understand how you can -update, manage, export, and delete your information -. -Terms -Service provider -In the European Economic Area (EEA) and Switzerland, Google -services -are provided by: -Google Ireland Limited -incorporated and operating under the laws of Ireland -(Registration Number: 368047 / VAT Number: IE6388047V) -Gordon House, Barrow Street -Dublin 4 -Ireland -Age requirements -If you’re under the -age required to manage your own Google Account -, you must have your parent or legal guardian’s permission to use a Google Account. Please have your parent or legal guardian read these terms with you. -If you’re a parent or legal guardian who has accepted these terms, and you allow your child to use the -services -, then to the extent permitted by applicable law, you’re responsible for your child’s activity on the services. -Some Google services have additional age requirements as described in their -service-specific additional terms and policies -. -Contents -Introduction -Your relationship with Google -Using Google services -Content in Google services -Software in Google services -In case of problems or disagreements -About these terms -EEA instructions on withdrawal -Your relationship with Google -These terms help define the relationship between you and Google. When we speak of “Google,” “we,” “us,” and “our,” we mean Google Ireland Limited and its -affiliates -. Broadly speaking, we give you permission to access and use our -services -if you agree to follow these terms, which reflect -how Google’s business works and how we earn money -. -What you can expect from us -Provide a broad range of useful services -We provide a broad range of services that are subject to these terms, |
Search the Legal Documents verbatim · cited
Search Gemini's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.
Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.
Monitor Gemini — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Gemini changes something that affects your risk. Built for procurement & security teams.