Google Apps for Education – is it secure?

Google Apps for Education picture

Is Google Apps for Education secure? Google provides some answers


Google Apps for Education – is it secure? We look to see how secure Google Apps really is. 

Update: We’ve published another article (January 2014) that looks at how safe Google Apps is.

Google Apps for Education is a wonderful product providing a vast range of services for teachers and children, and all for free. But there is one question that many rightly have in the UK about Google Apps for Education – is it secure? When we mean secure, in short we mean first can others access the data, and secondly, does it meet data protection legislation. Security and Privacy.

Interestingly the SWGfL (South West Grid for Learning – a non-profit organisation that provides fibre broadband and various web services to schools in the South West), has written a short paper and asked Google (and Microsoft) about how secure the school’s data really is. You can download the full PDF document below [1], but here we have shared some of the responses from Google about their Google Apps for Education. In short, the data is fully secure and complies fully with the European Commission’s Data Protection Directive, but it’s an area we are going to keep a close eye on to make sure that Google, and other companies, keep their security and privacy issues a top priority.

Responses by Google to questions asked by SWGfL

Unless stated, the answers work for both standard and offline agreements. (All links open in a new tab/window)

Where is the data stored?

Google maintains a number of geographically distributed data centers across the US and abroad. Information on our data centers can be found at:

Google will store data in physically secure data centers, maintain data on Google-owned servers, and replicate Apps data across multiple systems within a single data center as well as back up data in a Google-owned secondary data center which will be in a different geographic disaster area from the first. Take a look data centre set up and security features to find out more.

Google Apps data is processed in accordance with the EU Directive and under the Safe Harbour Framework. We also have security certifications, such as the ISO 27001 and ISAE/SSAE certifications which prove the safety and security of our products. For more information take a look at the Google Apps security whitepaper and the Security FAQs

At the beginning of 2013 Google implemented new model contract clauses designed to act as an additional means of compliance with the European Commission’s Data Protection Directive for Google Apps customers who operate within Europe, find out more here

How often is the data backed up?

Google replicate Apps data across multiple systems within a single data center as well as back up data in a Google-owned secondary data center which will be in a different geographic disaster area from the first.

Does the email service provider have a clear process for recovering data?

If a user has moved a message to Trash it will remain there for 30 days before being permanently deleted. During this time, the user can recover emails from their Trash. After this time, the email will be permanently deleted. Once an administrator or end-user has permanently deleted any data in Google Apps, we delete it according to your Customer Agreement and our Privacy Policy. Data is irretrievable once an administrator deletes a user account. If you need to recover email messages, Google offers additional archiving products that can complement Google Apps for Business, Government and Education editions. An administrator can also suspend rather than delete a user to retain all data associated with that account, while also blocking access to this account. The Client’s data will reside in at least two Google data centers. Our Data Centers are redundant and can shift to a user’s secondary data center. To minimize service interruption due to hardware failure, natural disaster, or other catastrophe, Google implemented comprehensive disaster recovery program at all of its data centers. This program includes multiple components to eliminate single point of- failure.

How does the email provider protect your privacy?

Who owns the data that you store on the email platform?

The customer is the owner of all content for their user accounts.

Data in the cloud, must be secure

Data in the cloud, must be secure.

Who has access to the data?

Access to data is strictly controlled. Authorised staff have background checks performed on them, and have their activity strictly monitored. They only receive access to data on a need-to-know basis, for example, a Gmail support agent will be able to access Gmail data if you contact the support team asking for assistance. Google Apps has received a satisfactory SAS 70 type II audit. This means that an independent auditor has examined the controls protecting the data in Google Apps (including logical security, privacy, Data Center security, etc) and provided assurance that these controls are in place and operating effectively.

Schools may wish to consider the extent to which applicable laws in the US – which apply to services operated by companies registered in the US, e.g. Microsoft and Google – affect the suitability of these services. For example the US Patriot Act provides a legal means through which law enforcement agencies can access data held within these services without necessarily needing the consent or even the knowledge of the customer. Whilst SWGfL doesn’t intend to put anyone off getting value from these beneficial services we feel it’s only right to share what we know about them.

Is personal information shared with anyone else?

The data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things.

  • We won’t share your data with others except as noted in our Privacy Policy.
  • We keep your data as long as you require us to keep it.
  • Finally, you should be able to take your data with you if you choose to use external services in conjunction with Google Apps or stop using our services altogether.

Google does not share or reveal private user content such as email or personal information with third parties except as required by law, on request by a user or system administrator, or to protect our systems. These exceptions include requests by users that Google’s support staff access their email messages in order to diagnose problems; when Google is required by law to do so; and when we are compelled to disclose personal information because we reasonably believe it’s necessary in order to protect the rights, property or safety of Google, its users and the public. Google complies with valid legal processes seeking account information, such as search warrants, court orders, or subpoenas. We attempt to notify users before turning over their data whenever possible and legally permissible.

What are the school obligations with regards use?

Schools are responsible for obtaining parental consent for the use of Google Apps for Education services. requires a school to obtain ‘verifiable parental consent’.

Normally, schools will incorporate this into their standard internet consent forms sent to parents each year. We would encourage schools to know and understand the security features that they can implement to protect younger users such as walled garden, turning on/off services by Org Unit, YouTube for Schools and objectionable content filters. Your school should familiarise itself with the general security features of Apps. Once the school has investigated all the child protection possibilities then they should be able to answer any parent’s questions and/or create their own information sites (like two schools have done here and here) which gives information to address the concerns of parents and the steps that they are taking to protect the children using Google Apps within the school. See some of Google’s suggested template letters for parents which should also help you understand how other schools deal with this.

Does the email provider share email addresses with third party advertisers? Or serve users with ads?


What steps does the email provider take to ensure that your information is secure?

How reliable is the email service?

We have a Service Level Agreement which guarantees that the services will be available 99.9% of the time. Google Apps has NO scheduled downtime, which is very unique. See our SLA here.

What level of support is offered as part of the service?

24/7 phone and email support for all Apps for Education customers. Only administrators of a domain can contact the support team, but a school can have multiple administrators. Administrators will have a unique pin number which they can use to contact the support team. See more here.

For more general information about Google Apps for Education please refer to the FAQ here





[1] These responses from Google were taken from a PDF file provided by SWGfL

No comments yet.

Leave a Reply