Tag Archives: Security and Compliance

Audit reports for data regions are now available in the Admin console

What’s changing 

Using the security investigation tool, admins can now access a new data set: policy compliance log events. Admins can use these logs to view a list of their Assured Controls users, their assigned data regions, and any advanced data region settings.

Policy compliance log events in the security investigation tool

Who’s impacted

Admins

Why it’s important

Policy compliance log events help admins quickly generate detailed reports of users assigned to specific data regions, which are critical for ensuring and proving that data region settings are in line with internal policies and external regulatory guidelines. Querying these logs in the security investigation tool streamlines the auditing process, saving time and effort.

Getting started

Rollout pace

Availability

Available for Google Workspace:

Resources


Available in beta: Edit client-side encrypted Microsoft Word files with Google Docs

What’s changing 

Launching in beta, you can now view and edit client-side encrypted Microsoft Word files in Google Docs. Any changes made are saved in the original Word format. This update makes it easy for you to leverage Google Workspace with the tools and formats you already use while preserving confidentiality of your sensitive data with client-side encryption. 


Eligible Google Workspace admins can use this form to request access to the beta. We’ll share more specific instructions once you’re accepted into the beta.

In Google Docs, navigate to File > Open.



Additional details

Note that with this release:
  • You can only view and edit .docx Word file types. Additional Word file types are not supported.
  • The maximum file size is 20MB.
  • As we continue to improve Office editing in encrypted Google Docs, you may encounter incompatibilities for certain features. Some features may not be displayed and may not be editable, but will be preserved in the document and viewable in Microsoft Office.
  • Other features may be lost or altered in the latest version of the file when it is edited in Google Docs. You will see a notification within the document if editing will cause any features to be lost.


Getting started

Rollout pace

  • The feature will be available immediately once you're accepted into the beta.

Availability

Available to Google Workspace 
  • Enterprise Plus
  • Education Standard and Plus
  • Frontline Plus


Granular OAuth consent in HTTP Google Workspace add-ons

What’s changing

Granular OAuth consent is rolling out over the next few weeks for Google Workspace add-ons built using HTTP endpoints. Granular consent gives users clear choices about the data they share with third-party applications.

This update is similar to an update made earlier this year with the introduction of granular OAuth consent in the Google Apps Script IDE: when someone installs or runs an HTTP Workspace add-on that supports granular consent, they will see a redesigned consent screen. Instead of being asked to authorize all requested permissions at once, users can selectively grant access to individual OAuth scopes.

For example, Google Workspace add-ons can extend to multiple Workspace apps, but users might only use an add-on for some of the apps it extends. With granular consent, users can choose to grant all permissions to an add-on or grant permissions as needed when they use the add-on in each app.

This screenshot shows the new OAuth consent screen, which lets the user provide consent for a subset of the requested OAuth scopes.


Additional details

Following is the timeline for developers supporting granular consent in HTTP Google Workspace add-ons:

  • New HTTP Google Workspace add-ons built after May 27, 2025 must support granular consent. 
  • Existing add-ons have until December 1, 2025 to add support for granular consent. 
  • After December 1, 2025, all HTTP Google Workspace add-ons must support granular consent.


After a user grants permission to a Google Workspace add-on that supports granular consent, the add-on might request OAuth consent again in the following cases:

  • The user, who has granted consent to a subset of the requested OAuth scopes, tries to run a part of the add-on that requires scopes that were not previously authorized.
  • The add-on is updated in such a way that it requires permission for additional scopes.
  • The user revoked access to the add-on from their Google Account settings.


This update does not apply to the following scenarios, for which granular consent may become available in the future:

  • When an admin initially installs an add-on
  • When an admin updates the permissions granted to an add-on from the Admin console
  • If a Google Workspace add-on is built in Apps Script

Getting Started

  • Admins: There are no changes to the admin controls for this feature.
  • Developers: For information about how to add support for granular consent to HTTP Workspace add-ons, refer to the developer documentation.
  • End users: This new consent screen will only be used for new OAuth scope grants. Pre-existing scope grants will not be affected, so no action is required by users on add-ons they’ve already authorized. 

Rollout pace


Availability


Pre-configure Gemini app conversation history admin settings before they take effect

What’s changing

Starting today, Workspace admins can pre-configure the new Gemini conversation history admin settings before they take effect for their Gemini app users (expected by the end of May 2025). By default, “Gemini conversation history” will be ON and “Conversation retention” will be set to 18 months (in line with current behavior).

Generative AI > Settings > Gemini app > Gemini conversation history


Who’s impacted

Admins and end users

Additional details

  • If "Gemini conversation history" is OFF, chats are saved in user accounts for up to 72 hours. This lets Google provide the service and process any feedback. This chat activity won’t appear in a user’s Gemini Apps Activity.
    • Regardless of whether the Gemini app history is on or off, content in chats adheres to enterprise privacy and security protections as described in the Google Workspace Terms of Service. You can also learn more in the Privacy Hub.
    • If you turn the setting from ON to OFF, existing user conversation history from before the setting is turned OFF is stored for the length of time specified by the "Conversation retention" setting.
  • This update will not impact your current Gemini app service setting.
  • This update will not impact Gemini in Workspace apps (e.g., Gemini in Gmail).

Getting started

  • Admins: 
    • Review and update the "Gemini conversation history" settings before we enforce these settings (expected by the end of May 2025). Visit the Help Center to learn more about configuring Gemini app conversation history settings for your users.
    • If no changes are made, the default settings will apply: “Gemini conversation history” set to ON and “Conversation retention” set to 18 months. Activity older than 18 months will be automatically deleted.

  • End Users: 
    • Users cannot override the Gemini conversation history settings configured by their admin.
    • These admin settings will override any individual user changes previously made to their Gemini Apps Activity settings (gemini.google.com or Gemini mobile app).

Rollout pace


We will publish a separate Workspace Updates blog post once we begin to enforce these settings, which is expected by the end of May 2025.


Availability

  • Available for all Google Workspace users with access to the Gemini app.

Resources


Enhance Your Organization’s Security with Out-of-Domain File Warnings in Google Workspace

What’s changing

Today we’re launching Out-of-Domain file-level warnings, now publicly available to all Google Workspace users. Specifically, a badge will be displayed on Google Docs, Sheets, and Slides files when the file is owned by or shared with someone outside of your domain. You'll also see a pop-up with more details and the option to report the externally owned file for abuse. 

An image showing a Google Doc with the word "External" displayed in a small yellow badge next to the document title. The badge has been clicked, and a pop-up window appears with more information stating that “This document is owned by someone outside your organization. Be cautious about sharing sensitive information
Image of "External" badge displayed in Google Docs


This feature helps users identify potentially risky files and avoid phishing scams when working with files shared from outside your organization.


Additional details

  • Known Limitations:
    • For externally shared content, the badge will not be displayed if any internal Google Groups have access to the document, even if these groups have external members.
    • If any service accounts have access to the document, the External badge will be displayed, even if the service account is owned internally.


Getting started

Screenshot of the Google Workspace Admin console, navigated to Sharing settings. At the bottom of the page, a new section labeled "Highlight external files" is highlighted. The checkbox is checked, and the description reads: "Mark external files shared or owned externally as “external” to flag that content may be viewable outside your organization.
Image of the Google Workspace Admin console, Sharing settings, showing the "Highlight external files" option enabled


Rollout pace


Availability

  • Available for all Google Workspace customers, as well as Cloud Identity customers

Resources

Data classification labels for Gmail are now generally available

What’s changing 

In 2024 we introduced data classification labels for email in open beta, and since then we’ve introduced several feature enhancements including: 

Beginning today, we are pleased to announce that data classification labels are generally available, giving admins yet another way to enhance their security posture.



Who’s impacted

Admins and end users

Why it matters 

Data breaches are increasingly common and costly across all organizations, including enterprises, public sectors, and government institutions. By extending data classification labels to Gmail, Google Workspace offers admins a more comprehensive and integrated system for protecting sensitive information. 


Admins can create custom labels or leverage existing Drive labels within Gmail, enabling classification of emails based on department, document type, sensitivity, and more. This allows for the creation of targeted data protection rules, such as blocking the sending of internal-labeled emails to external recipients or automatically applying a confidential label to messages containing sensitive financial data. 


The instant application of auto-classification and DLP rules in Gmail provides immediate feedback to users, educating them on data protection policies and allowing them to rectify issues before emails are sent, ultimately minimizing data breaches and improving overall data security. 


Finally, availability on mobile devices provides a comprehensive experience, ensuring data is protected and labeled across all user devices, whether users are sharing and accessing information from desktop devices or from mobile devices on the go.


Additional details

To further enhance the data classification labels experience, instant application of DLP rules and actions triggered by classification labels will soon be generally available on mobile devices. We anticipate that this functionality will be available in May – we’ll share an update once we have more information.


Getting started

  • Admins: 
    • If you've been using classification labels since the open beta period, there are no changes to your experience.
    • If you’re new to Gmail classification labels, they can be enabled at the domain, group, or individual user level. You also have the option to enable existing classification labels used in Drive for use in Gmail. The Label Manager tool can be accessed by going to Security > Access and data control or admin.google.com/ac/dc/labels in the Admin console. Visit the Help Center to learn more about getting started with classification labels, Gmail DLP & automatic classification labels, and preventing data leaks in email and attachments.

The Label Manager tool can be accessed in the Admin console by going to Security > Access and data control



  • End users: Depending on the data loss prevention rules configured by your admin, you may see a dialog letting you know that your message cannot be shared and how to fix your message so it can safely be shared. Visit the Help Center to learn more about classification labels in Gmail.



Users can apply classification labels to a message, according to the organization’s data governance policies


Classification labels on mobile when composing a message and reading a message



Rollout pace


Availability

The Label Manager and manual classification are available to Google Workspace:
  • Frontline Starter and Standard
  • Business Standard and Plus
  • Enterprise Standard and Plus
  • Education Standard and Education Plus
  • Essentials, Enterprise Essentials, and Enterprise Essentials Plus


Data loss prevention rules with labels as a condition or labels as an action are available to:
  • Enterprise Standard and Plus
  • Education Fundamentals, Standard, Plus, and the Teaching & Learning Upgrade
  • Frontline Standard
  • Cloud Identity Premium (in combination with a Workspace Edition that includes Gmail)

Resources


The Gemini app, as well as Gemini features in Google Workspace, are now BSI C5 certified

What’s changing 

Today at Google Cloud Next 2025, we announced that Gemini in Google Workspace apps and the Gemini app have achieved the German BSI C5 attestations – the first AI productivity assistant to achieve this certification. For our customers operating in the EU, this means they can confidently adopt and integrate AI into their work with assurances that stringent third-party auditors have determined that Gemini’s architecture meets a high bar of security and privacy.

This latest certification builds on Gemini’s existing, comprehensive set of safety, privacy, and security standards, including SOC 1/2/3, ISO 27017/18, and ISO 42001 (the first international standard for AI Management Systems), as well as HIPAA compliance and its status as the first generative AI assistant to achieve US FedRAMP High attestations.

Getting started 


Availability 

  • This update impacts all Google Workspace users accessing Gemini in Google Workspace and the Gemini app.

Resources 

Gmail data loss prevention now supports “sensitive content snippets”

What’s changing

We recently launched data loss prevention for Gmail and, beginning today, admins can see “Sensitive content snippets” for Gmail messages that trigger data loss prevention rules. This content is logged in the security investigation tool, and admins can use the information to better identify security risks, determine whether a false positive was returned, and decide on an appropriate course of action.

Snippets are already available for DLP events for Drive, Chat, and Chrome. Visit our Help Center and our previous announcement for more information.

Matched content and information about the data detector type is displayed in the side panel under ‘Log Details’ in the Security Investigation Tool

Getting started

Rollout pace

Availability

Available to Google Workspace 
  • Frontline Standard
  • Enterprise Standard and Plus 
  • Education Fundamentals, Standard, Plus, and the Teaching and Learning add-on
  • Enterprise Essentials Plus
  • Also available for Chrome Enterprise Premium

Resources