Certification & data privacy
At Google the safeguarding and security of client data is of paramount importance, therefore we have our security standards certified by official authorities. You can read more about our SAS 70 Type II certification, the US-EU and US-Swiss Safe Harbor agreements in this section of the Google Apps Trust-Website to answer questions about the implications of these security and data privacy mechanisms for your business. We have added further certifications here, where we go through the auditing procedures of our products.
Google Apps is SAS 70 Type II certified. What does this mean for my business?
An independent auditor has unreservedly issued Google Apps with an unqualified SAS 70 Type II certification. Google is proud to be able to provide the Google Apps administrators with the assurance that your data is certified and secure in the framework of the SAS 70 industry standard.
Service organisations such as Google are businesses that, in the course of offering the outsourcing of services, sometimes exert an influence over the control environment of our clients. It is therefore essential that these service organisations provide their clients with reliable declarations concerning control activities. SAS 70 is an auditing standard that has been approved by the American Institute of Certified Public Accountants (AICPA) and is implemented by auditing companies worldwide. The SAS 70 audit reports are recognised as affirmation of Section 404 of the Sarbanes-Oxley Act (SOX). SAS 70 deals with the internal control system of a business and the orderly operation of outsourced service processes, such as the services of data processing centres. The efficiency of internal control systems is audited in SAS 70 Type II. Google Apps clients may therefore also use the SAS 70 report for their auditing pursuant to the SOX, thus establishing that Google has implemented an internal control system that minimises the risk of accounting errors. Consequently, a separate SOX audit for Google Apps is not required. Google clients, who themselves or their parent companies are listed on US stock exchanges, thus profit from this simplification. A similar provision is also planned for Europe within the framework of the 8th EU Directive, also to be called EuroSOX.
Which Google Apps are SAS 70 certified?
SAS 70 Type II certification covers all messaging and collaboration services as well as Message Security. These include Google Mail, Google Talk, Google Calendar, Google Text and Tables (Texts, Tables and Presentations), Google Sites, iGoogle and the Control Panel. There is a separate SAS 70 certificate for Google Message Security, Google Web Security, Google Message Discovery and Google Message Filtering. The independent auditor has confirmed that Google Apps conforms to the security standard in the following aspects without exception: Logical Security; Data privacy measures ; Physical security for data processing centres; Incident and Availability Management; Development Management; Organisation and Management. You can find more information regarding SAS 70 on the official SAS 70 page
‟Google participates in the Safe Harbor Program of the European Union and the United States” - What does this mean for my business?
The Safe Harbor Program is a specific data privacy agreement between the European Union and the USA, enabling European businesses to transfer personal data legally in the USA.
The 95/46/EC Data privacy Directive strictly prohibits any transfer of personal data beyond the member states of the European Economic Area. Thus the country in which the data is transferred offers an appropriate data privacy level and therefore adequate personal data privacy. Since the USA has not originally established comprehensive legal regulations corresponding to the EU member states’ data privacy standards, the European Commission collaborated with the US Department of Trade to compile the framework for the Safe Harbor Program. The transfer of personal data to a US company is permitted, and deemed as adequately protected, within the framework of this structure. The prerequisite is that the US company is a signatory of the US/EU Safe Harbor Agreement. In 2000 the EU recognised that an adequate level of personal data privacy was provided by the Safe Harbor Program signatory companies. Google is a signatory of the Safe Harbor Program and is listed by the US Department of Trade. This ensures that Google is compelled to fully recognise the Safe Harbor principles, and to observe them. The Safe Harbor provisions require a signatory company to observe the seven principles that generally reflect the principles of European Law.
Regarding Switzerland, Google has signed the US–Swiss Safe Harbor Agreement and is also registered for Switzerland at the US Department of Trade.
What exactly are the implications of the Safe Harbor provisions for Google and Google Apps clients?
Google Inc. is a signatory to the US-EU and US–Swiss Safe Harbor provisions. This signifies that personal data may be transferred to Google Inc. in the USA since, from the standpoint of the European Commission, Google Inc. Guarantees an adequate protection of data and that this transfer is regarded as falling under the adequate protection of the personal data of the individuals involved.
Who owns the data that a company has placed in Google Apps?
Google is not the proprietor of data of a company that uses Google Apps. The company is the sole proprietor of data placed in the Google system. Therefore, the company alone is responsible for the content, management and possible disclosure of its own proprietary information on Google Apps.
Does the transfer of data from my organisation to Google Inc. conform to the EU Data privacy Directive?
Yes, by virtue of the Safe Harbor certification of Google Inc. and according to the EU Data privacy Directive, the transfer of data by your company to Google is legally permissible.
Who is de jure “responsible for processing”, who is the “processor”?
Google Ireland Limited is the de jure "processor" with regard to Google Apps in Europe. The client company is de jure "responsible for processing".
Which data privacy laws are in force when I, as a company, use Google Apps?
Pursuant to European legislation, the applicable data privacy laws are regulated in accordance with the location of the headquarters. This is the commissioning enterprise. If, for example, the headquarters of the commissioning enterprise are in Germany, then it shall be subject to German data privacy laws.
Are there any legal provisions that stipulate that a company’s data must be stored within its own country, the EU or EEA?
There are no legal conditions, barring the cases of isolated exceptions in specific industrial sectors (e.g. banking or special public authorities), that stipulate that a company’s data must remain within its borders. Generally, an organisation must decide whether it is subject to possible internal provisions in its use of Google Apps Conformity.