Google Cloud regularly undergoes third-party audits for our products, systems, and infrastructure related to this standard. The SOC 3 reports are generated by an objective third party attesting to a set of assertions made by Google Cloud about its controls that are in place to protect customer data. The audit firm’s evaluation includes comprehensive testing of the design and operating effectiveness of the controls within the audit period. 

Customers may use the SOC 3 report to assess the risks arising from interactions with the assessed Google Cloud and Google Workspace systems throughout the period.

The core Google Cloud and Google Workspace SOC 3 reports are issued quarterly and can be downloaded via the Compliance Reports Manager. The coverage periods and issuance dates for these reports are:

• First quarter of the year
• Coverage period: February 1 XX - January 31 X1
• Estimated issuance: late April
• Second quarter of the year 
• Coverage period: May 1 XX - April 30 X1
• Estimated issuance: late June
• Third quarter of the year
• Coverage period: August 1 XX - July 31 X1
• Estimated issuance: late September
• Fourth quarter Second half of the year
• Coverage period: November 1 XX - October 31 X1
• Estimated issuance: late December

We issue separate SOC 3 reports for a small subset of Google Cloud products, including Actifio Heritage, Apigee Edge, AppSheet, Bare Metal Solution, Bare Metal HSM, BigQuery Omni, Google Cloud NetApp Volumes, Google Cloud VMware Engine, Stratozone, and Mandiant. These reports are issued semi-annually or annually and customers can obtain these reports by contacting sales or support.

Google Cloud does not issue bridge letters for SOC 3. If a bridge letter is needed, please refer to the bridge letters that are issued for the related SOC 2 report. 

FAQs

Services in scope