Chrome Enterprise believes in building trust by giving our customers control, choice, and transparency. The Data Protection Commitments below describe how we protect the privacy of Chrome Enterprise customers and help them maintain compliance while using our products.
Your privacy is our priority
At Google, we know that privacy plays a critical role in earning and maintaining customer trust. That’s why Chrome Enterprise has developed industry-leading product capabilities that give you—our customers—control over your data and provide visibility into when and how your data is accessed.
We want to be clear about how we proactively protect your data and prioritize your privacy. We start from the fundamental premise that as a Chrome Enterprise customer, you own your customer data. We implement stringent security measures to safeguard your data and provide you with tools and features to control it on your terms. We similarly secure any service data generated through providing the services; service data itself is critical to help ensure security and availability.
Google makes these Chrome Enterprise Data Protection Commitments for Chrome Enterprise Core, and Chrome Enterprise Premium products to describe our overarching responsibility to protect your business when you use our enterprise solutions.
These commitments are backed by the strong privacy commitments we make available to you in the Chrome Data Processing Amendments, Cloud Data Processing Addendum, and/or the Google Privacy Policy.
Chrome Enterprise Data Protection Commitments
Below are the commitments made in regards to your organization’s usage of Chrome Enterprise’s cloud management offerings Core & Premium.
You control your data
Customer data is your data, not Google’s. We only process your data according to your agreement(s).
We never use your data for ads targeting/personalization
We do not process your customer data to create ads profiles or improve Google Ads products.
We are transparent about data collection and use
We’re committed to transparency, compliance with regulations like the GDPR, and privacy best practices.
We never sell your personal information
We never sell your personal information. Google also does not “share” your personal information as that term is defined in the California Consumer Privacy Act (CCPA).
Security and privacy are primary design criteria for all of our products
Prioritizing the privacy of our customers means protecting the data you trust us with. We build the strongest security technologies into our products.
Enabling Global Privacy Compliance
Chrome Enterprise is used by customers around the world, and our privacy capabilities are designed to meet their diverse needs.. We continuously review and work to comply with global regulations. Although each region has its own requirements, we find that most generally align to a few Common Privacy Principles, and we’ve made these central to the way we handle Chrome Enterprise customers’ data:
Open all | Close all
Data minimization
We only collect relevant personal data that is necessary for the functionality, quality, and safety of our services.
Storage limitation
Personal data is only retained for as long as strictly necessary.
Purpose limitation
Personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Integrity
Personal data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Confidentiality
When possible, we primarily use pseudonymous identifiers to make sure data cannot be reasonably tied to any individual. We also continuously evaluate, de-identify, and anonymize our datasets whenever identifiers are no longer strictly necessary.
Data Subject Rights
We provide customers with the ability to access, rectify, restrict the processing of, or delete data that they and their users put into our systems.
Availability, Integrity and Resilience
Google designs the components of our platform to be highly redundant. Google’s data centers are geographically distributed to minimize the effects of regional disruptions on global products, such as natural disasters and local outages. In the event of hardware, software, or network failure, services are automatically and instantly shifted from one facility to another so that operations can continue without interruption. Our highly redundant infrastructure helps customers protect themselves from data loss.
Equipment Testing and Security
Google utilizes barcodes and asset tags to track the status and location of data center equipment from acquisition to installation, retirement, and destruction. If a component fails to pass a performance test at any point during its lifecycle, it is removed from inventory and retired. Google hard drives leverage technologies, such as Full Disk Encryption (FDE) and drive locking, to protect data at rest.
Disaster Recovery Testing
Google conducts disaster recovery testing on an annual basis to provide a coordinated venue for infrastructure and application teams to test communication plans, fail-over scenarios, operational transition, and other emergency responses. All teams that participate in the disaster recovery exercise develop testing plans and post mortems which document the results and lessons learned from the tests.
Encryption
Chrome’s standard encryption practices are applied to the data we process and collect. Data in transit is protected by TLS/SSL certificates, while data at rest is
encrypted at various layers.
Access Controls
For Google employees, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Google’s security policies. Data centers housing Chrome Enterprise’s systems and infrastructure components are subject to physical access restrictions and equipped with 24x7 on-site security personnel, security guards, access badges, biometric identification mechanisms, physical locks and video cameras to monitor the interior and exterior of the facility.
Incident Management
Google has a dedicated security team responsible for security and privacy of customer data and managing security 24 hours a day and 7 days a week worldwide. Individuals from this team receive incident-related notifications and are responsible for helping resolve emergencies at all times. Incident response policies are in place and procedures for resolving critical incidents are documented. Information from these events is used to help prevent future incidents and can be used as examples for information security training. Google incident management processes and response workflows are documented. Google’s incident management processes are tested on a regular basis as part of our ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27001 and
SOC 2 programs to provide our customers and regulators with independent verification of our security, privacy, and compliance controls.
Vulnerability Management
We scan for software vulnerabilities using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration testing, quality assurance processes, software security reviews, and external audits. We also rely on the broader security research community.
Generative AI (GenAI) and Privacy
Chrome Enterprise has robust privacy commitments that outline how we protect user data and prioritize privacy. GenAI doesn’t change these commitments—it actually reaffirms their importance.
We are committed to preserving our customers' privacy with our Chrome Enterprise AI offerings and to supporting their privacy compliance journey.