The SOC3 public report is published to confirm that the security controls for this site have been examined by an independent accountant. It represents the practitioner’s report on management's assertion(s) that the entity's business being relied upon is in conformity with the applicable Trust Services Principle(s) and Criteria. The full SOC3 audit report is available for download here.
Google Cloud has earned the right to publish the report with respect to: Security, Availability, Processing Integrity, and Confidentiality.
The security principle refers to the protection of the system resources through logical and physical access control measures in order to support the achievement of management’s commitments and requirements related to security, availability, processing integrity, and confidentiality. Controls over the security of a system prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or unauthorized removal of data or system resources, misuse of software, and improper access to, or use of, alteration, destruction, or disclosure of information.
The availability principle refers to the accessibility of the system, products, or services as committed by contract, service-level agreement, or other agreements. This principle does not, in itself, set a minimum acceptable performance level for system availability. The availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to the performance of specific tasks or problems), but does address whether the system includes controls to support system accessibility for operation, monitoring, and maintenance.
The processing integrity principle refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. Processing integrity addresses whether the system achieves its aim or the purpose for which it exists, and whether it performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Processing integrity does not automatically imply that the information received and stored by the system is complete, valid, accurate, current, and authorized. The risk that data contains errors introduced prior to its input in the system often cannot be addressed by system controls and detecting such errors is not usually the responsibility of the entity. Similarly, users outside the boundary of the system may be responsible for initiating processing. If such actions are not taken, the data may become invalid, inaccurate, or otherwise inappropriate.
The confidentiality principle addresses the system’s ability to protect information designated as confidential in accordance with the organization’s commitments and requirements through its final disposition and removal from the system. Information is confidential if the custodian of the information, either by law or regulation, commitment, or other agreement, is obligated to limit its access, use, and retention, and restrict its disclosure to a specified set of persons or organizations (including those that may otherwise have authorized access within the boundaries of the system). The need for information to be confidential may arise for many different reasons. For example, the information may be proprietary information, information intended only for company personnel, personal information, or merely embarrassing information. Confidentiality is distinguished from privacy in that (i) privacy deals with personal information, whereas confidentiality refers to a broader range of information that is not restricted to personal information; and (ii) privacy addresses requirements for the treatment, processing, and handling of personal information.
Download the Audit Report, Management Assertions and Systems Description.