Google Apps for Business

Google Apps for Business is a cloud-based productivity suite that helps you and your team connect and get work done from anywhere on any device. Google is based in Mountain View, California USA and has been operating since 1998. You can contact real, live, support people 24/7 through their online portal or by phone. Google encrypts all data in transit between your computer and their servers, but they do not encrypt your data while it is on their servers (although they use some other sophisticated techniques to ensure its security). Google maintains data centres that are widely distributed all over the world in places like: the USA, Chile, Finland, Belgium, Ireland, Hong Kong, Singapore, & Taiwan. Their data centres are state-of-the-art and have been independently audited to stringent certifications that ensure your data is stored securely while still being easily available to you. These measures help Google maintain its expected availability of over 99.9% (Google services are expected to be inaccessible less than 0.1% of the time). Google allows you to import data into its various services or export from them should you wish to back up your data or migrate to another service. Also, Google thankfully declares “to put it simply, Google does not own your data.” Upon account termination, Google will continue to allow you access to your data for “a commercially reasonable period of time” but may charge a fee for the privilege. After that period of time, Google does not physically delete your data—it is simply overwritten as Google reuses the space.

This disclosure was provided and researched by Arrowrock. Sources are cited where possible.

Please report any inaccuracies in this report by leaving a reply below or sending us a private message. Thank you!

Company Identity

Trading Name: Google
Company Website: http://google.com/
Company Phone Number: Not available
Company Email Address: google@google.com
Physical Address: 1600 Amphitheatre Parkway, Mountain View, CA, USA

What services does this disclosure apply to?
Google Apps for Business:
Gmail
https://mail.google.com
Calendar
https://www.google.com/calendar/
Drive
https://drive.google.com

What country holds legal jurisdiction over the service(s)?
USA

How long has your company been operating?
Since September 1998.

How long has your company been providing the service(s) covered in this disclosure?
Not available

Is your company currently profitable?
Yes.
http://investor.google.com/financial/tables.html

Customer Support and Service Level Agreement

What are your standard customer support hours?
Online support is available 24/7.
http://contact.googleapps.com

What channels are available for communication with clients?
Online, email, & phone support.
http://contact.googleapps.com

Which is your preferred channel for client communications?
Not available

Do you collect any information from client communications?
Not available

What is your standard response time for customer support inquiries?
Not available

Do you proactively communicate information about future planned outages and maintenance to clients?
Not available

Do you proactively communicate information about current unscheduled outages and incidents to clients?
Not available

Do you make incident reports available to clients after major incidents?
Not available

What is the expected uptime of the service?
The service has an expected uptime of greater than 99.9%
http://www.google.com/apps/intl/en/terms/sla.html

Has the service experienced any outages in the last 12 months?
Not available

Does the SLA guarantee service uptime?
The SLA guarantees that the services will be operational and available to the client at least 99.9% of the time in any calendar month.
“During the Term of the applicable Google Apps Agreement (the “Agreement”), the Google Apps Covered Services web interface will be operational and available to Customer at least 99.9% of the time in any calendar month (the “Google Apps SLA”). If Google does not meet the Google Apps SLA, and if Customer meets its obligations under this Google Apps SLA, Customer will be eligible to receive the Service Credits”
http://www.google.com/apps/intl/en/terms/sla.html

Security

Are logs kept of client logins and locations?
Not available

Does your service support password/account recovery?
Administrators can reset all user passwords.

If you can’t access the Google Apps administrator control panel because you have forgotten the password for the administrator account, you can reset the password using an automated system. Google sends reset instructions to the secondary administrator email address registered in the Google Apps control panel.

If you don’t have access to the secondary administrator email address, you can verify your domain ownership and have the reset instructions sent to another email address that you specify. It can take up to 48 hours to complete the password reset using the domain verification method.
http://support.google.com/a/bin/answer.py?hl=en&answer=33561

Does the service monitor for any suspicious account activity?
We’ve alerted a number of users when it looked like something unusual was going on with their Google Account – for example, logins appearing to come from one country and occurring shortly after a login from another country. These users were shown a warning message in their Gmail inbox about this unusual access. We also occasionally make users change their passwords if we have reason to believe their account has been compromised.
http://www.google.com/intl/en/goodtoknow/protection/identity/

Does your service offer two-step or multi-factor authentication?
Google Apps offers an extra layer of security with two factor authentication, which greatly reduces the risk of hackers stealing usernames and passwords.
http://www.google.com/enterprise/apps/business/benefits.html

More information about 2-step verification can be found at:
http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744&topic=1099588&ctx=topic

Does your service offer login via other services?
Not available

Does your service secure all client data in transit?
SSL (Secure Sockets Layer)/TLS (Transport Layer Security) connectivity is available for all Google Apps customers and is enabled by default for new customers.

SSL/TLS is a protocol that provides secure communications on the internet for such things as web browsing, email, instant messaging and other data transfers. If you enable HTTPS (Hypertext Transfer Protocol Secure) connections, Google will force HTTPS when your users access most services in Google Apps. HTTPS varies by service and is available for Gmail, Google Calendar, Google Docs, Google Sites, and Chat.
http://support.google.com/a/bin/answer.py?hl=en&answer=60762

Does your service secure client data at rest?
No.

Does your service allow clients to collaborate with 3rd parties?
Not available

Does your primary system reside in a data center with a security certification?
An independent third party auditor issued Google Apps an unqualified SSAE 16 and ISAE 3402 Type II audit opinion.
An independent third party auditor issued Google Apps an unqualified SAS70 Type II certification.
http://support.google.com/a/bin/answer.py?hl=en&answer=60762

For more information:
http://www.google.com/about/datacenters/inside/data-security.html

Does your backup/disaster recovery system reside in a data center with a security certification?
An independent third party auditor issued Google Apps an unqualified SSAE 16 and ISAE 3402 Type II audit opinion.
An independent third party auditor issued Google Apps an unqualified SAS70 Type II certification.
http://support.google.com/a/bin/answer.py?hl=en&answer=60762

For more information:
http://www.google.com/about/datacenters/inside/data-security.html

Data Ownership

Do you claim ownership of any client data or information uploaded to your service?
To put it simply, Google does not own your data. We do not take a position on whether the data belongs to the institution signing up for Apps, or the individual user (that’s between the two of you), but we know it doesn’t belong to us!

The data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things.

We won’t share your data with others except as noted in our Privacy Policy.
We keep your data as long as you require us to keep it.
Finally, you should be able to take your data with you if you choose to use external services in conjunction with Google Apps or stop using our services altogether.

http://support.google.com/a/bin/answer.py?hl=en&answer=60762

Does the client retain full ownership of any data or information transmitted or stored via upstream providers?
Yes.

Does client use of your service generate any metadata or other statistical information?
In order to provide some of the core features in Google Apps products, our automated systems will scan and index some user data. For example:

Email is scanned so we can perform spam filtering and virus detection.
Priority Inbox, a Gmail feature, scans email messages to identify which messages are considered important and which are considered not important.
If you are using Google Apps (free edition), email is scanned so we can display contextually relevant advertising in some circumstances. Note that there is no ad-related scanning or processing in Google Apps for Education or Business with ads disabled.
Some user data, such as documents and email messages, are scanned and indexed so your users can privately search for information in their own Google Apps accounts.
In other words, we scan or index user content in Google Apps in order to provide features that will directly benefit users, or to help us maintain the safety and security of our systems. Google Apps data is not part of the general google.com index, except when your users choose to publish information publicly.

It’s important to note that our scanning and indexing procedures are 100% automated and involve no human interaction. For complete information, see our detailed Privacy Policy, Privacy Principles, and our Google Apps Terms of Service.

http://support.google.com/a/bin/answer.py?hl=en&answer=60762

Data Location

Where are the primary systems that host client data located?
Your data will be stored in Google’s network of data centers. Google maintains a number of geographically distributed data centers (see location information). Google’s computing clusters are designed with resiliency and redundancy in mind, eliminating any single point of failure and minimizing the impact of common equipment failures and environmental risks.
http://support.google.com/a/bin/answer.py?hl=en&answer=60762

For more information visit:
http://www.google.com/about/datacenters/inside/locations/index.html

Where are the backup/disaster recovery systems that host client data located?
Your data will be stored in Google’s network of data centers. Google maintains a number of geographically distributed data centers (see location information). Google’s computing clusters are designed with resiliency and redundancy in mind, eliminating any single point of failure and minimizing the impact of common equipment failures and environmental risks.
http://support.google.com/a/bin/answer.py?hl=en&answer=60762

For more information visit:
http://www.google.com/about/datacenters/inside/locations/index.html

Are there any other systems that host client data on behalf of your service?
No.

Data Access and Use

Does the client have full access to their data during the service contract period?
Not available

Can the client freely download their data from the service during the contract period?
Yes. If you’ve decided to use another solution for your organization’s email, calendars, documents, and sites, don’t forget to migrate your data to your new solution before deleting your Google Apps account.

For more detailed information, visit:
http://support.google.com/a/bin/answer.py?hl=en&answer=100458

Can the client easily import/upload their data from a competing service provider into your service?
Not available

Does your service include an API to access client data?
Not available

Following termination of the service, will the client be able to access their data?
If this Agreement terminates, then: (i) the rights granted by one party to the other will cease immediately (except as set forth in this Section); (ii) Google will provide Customer access to, and the ability to export, the Customer Data for a commercially reasonable period of time at Google’s then-current rates for the applicable Services; (iii) after a commercially reasonable period of time, Google will delete Customer Data by removing pointers to it on Google’s active servers and overwriting it over time; and (iv) upon request each party will promptly use commercially reasonable efforts to return or destroy all other Confidential Information of the other party. If a Customer on an annual plan terminates the Agreement prior to the conclusion of its annual plan, Google will bill Customer, and Customer is responsible for paying Google, for the remaining unpaid amount of Customer’s annual commitment.
11.2 Effects of Termination.
http://www.google.com/apps/intl/en/terms/premier_terms.html

Following termination of the service, is all client data deleted?
If this Agreement terminates, then: (i) the rights granted by one party to the other will cease immediately (except as set forth in this Section); (ii) Google will provide Customer access to, and the ability to export, the Customer Data for a commercially reasonable period of time at Google’s then-current rates for the applicable Services; (iii) after a commercially reasonable period of time, Google will delete Customer Data by removing pointers to it on Google’s active servers and overwriting it over time; and (iv) upon request each party will promptly use commercially reasonable efforts to return or destroy all other Confidential Information of the other party. If a Customer on an annual plan terminates the Agreement prior to the conclusion of its annual plan, Google will bill Customer, and Customer is responsible for paying Google, for the remaining unpaid amount of Customer’s annual commitment.
11.2 Effects of Termination.
http://www.google.com/apps/intl/en/terms/premier_terms.html

Does anyone in your organization (including contractors and upstream providers) have the ability to directly access client data?
We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.
For more information refer to the “Information Security” portion of the Privacy Policy
http://www.google.com/intl/en/policies/privacy/

Does your company use client data or information for any business function (other than the provision of the service)?
We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads.
We may use the name you provide for your Google Profile across all of the services we offer that require a Google Account. In addition, we may replace past names associated with your Google Account so that you are represented consistently across all our services. If other users already have your email, or other information that identifies you, we may show them your publicly visible Google Profile information, such as your name and photo.
When you contact Google, we may keep a record of your communication to help solve any issues you might be facing. We may use your email address to inform you about our services, such as letting you know about upcoming changes or improvements.

We use information collected from cookies and other technologies, like pixel tags, to improve your user experience and the overall quality of our services. For example, by saving your language preferences, we’ll be able to have our services appear in the language you prefer. When showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.

We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know. We will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent.

We will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy.
Google processes personal information on our servers in many countries around the world. We may process your personal information on a server located outside the country where you live.

http://www.google.com/intl/en/policies/privacy/

Does your company use client data or information to generate revenue (other than the provision of the service)?
Not available

Do you access client data in any additional circumstance not yet specified in this disclosure?
Not available

Data Breach Notification

Do you have a policy in place for dealing with data loss or breach?
Not available

Do you notify clients if their data has been lost or compromised?
Not available

Backup and Maintenance

Does your service support data versioning?
Google Docs, Sheets, and Slides have a revision history pane that allows you to view at a glance all changes made to a document by each collaborator. While it may not work exactly like a track changes tool, the revision history tool lets you view and revert to earlier versions of your document, spreadsheet, presentation, or drawing and see which collaborators made edits to any of these versions.
http://support.google.com/drive/bin/answer.py?hl=en&answer=190843

How often are service/client data backups performed?
All Google systems are inherently redundant by design, and each subsystem is not dependent on any particular physical or logical server for ongoing operation. Data is replicated multiple times across Google’s clustered active servers, so, in the case of a machine failure, data will still be accessible through another system. We also replicate data to secondary data centers to ensure safety from data center failures.
http://support.google.com/a/bin/answer.py?hl=en&answer=60762

What method is used to perform service/client data backups?
Internal system redundancy.

How long is backup data retained for?
We believe that you should have control over your data. Google maintains multiple backup copies of users’ content so that we can recover data and restore accounts in case of errors or system failure. When you ask us to delete messages and content, we make reasonable efforts to remove deleted information from our systems within a commercially reasonable amount of time.
http://support.google.com/a/bin/answer.py?hl=en&answer=60762

Disclaimer

The information in this report is provided “AS IS” without warranty of any kind, express or implied. Please use good judgement and verify the information you consider important before basing any decisions on it.