AI Provider Trust Registry evidence verified as of 2026-07-05

Gemini via Vertex AI

developer: Google · platform: Google Cloud Vertex AI · category: first party

Google's Gemini models served through Google Cloud Vertex AI (renamed "Gemini Enterprise Agent Platform" in 2026). Inherits Google Cloud's certification portfolio (SOC 1/2/3, ISO 27001/27017/27018, ISO 42001), HIPAA BAA coverage, the Cloud Data Processing Addendum, and documented data-governance controls including a configurable zero-data-retention path.

Watch-outs 1

The cells where this offering is not a clean public yes. This is what to check before you sign.

Vendor trust
SOC 2 Type II: Is a SOC 2 Type II report available for this offering?
Yes, public · confidence: high · verified 2026-07-05

Google Cloud's services-in-scope page lists "Vertex AI Platform" and "Generative AI on Vertex AI" under SOC 1/2/3. SOC 2 reports are downloadable self-serve via Compliance Reports Manager (Google account sign-in required, no NDA or sales contact). Vertex AI was renamed "Gemini Enterprise Agent Platform" in 2026; newer pages use that name.

tier: self_serve · route: public · default: enabled

in_scope_services: ['Vertex AI Platform', 'Generative AI on Vertex AI']

ISO 27001: Is there an ISO/IEC 27001 certification covering this offering?
Yes, public · confidence: high · verified 2026-07-05

"Vertex AI Platform" and "Generative AI on Vertex AI" are in scope for ISO/IEC 27001 (plus 27017/27018 for most Vertex services). Certificates available via Compliance Reports Manager.

tier: self_serve · route: public · default: enabled

standards: ['ISO/IEC 27001', 'ISO/IEC 27017', 'ISO/IEC 27018']

ISO 42001: Is there an ISO/IEC 42001 (AI management system) certification?
Yes, public · confidence: high · verified 2026-07-05

Google Cloud Platform, Google Workspace, and Gemini (App) are certified ISO/IEC 42001:2023. The page's products-in-scope list explicitly includes "Gemini Enterprise Agent Platform" and "Generative AI on Gemini Enterprise Agent Platform" (i.e., Vertex AI under its 2026 name). Certificate verifiable at iafcertsearch.org.

tier: self_serve · route: public · default: enabled

in_scope_products: ['Gemini Enterprise Agent Platform', 'Generative AI on Gemini Enterprise Agent Platform', 'Gemini App', 'Gemini Enterprise'] · certificate_registry: https://www.iafcertsearch.org

Trust center: Is there a maintained trust center / compliance portal?
Yes, public · confidence: high · verified 2026-07-05

Compliance Reports Manager provides free, on-demand, self-serve downloads of ISO certificates, SOC reports (incl. SOC 2), and self-assessments; requires Google Cloud/Workspace sign-in but no NDA for current reports. Broader compliance hub at cloud.google.com/security/compliance.

tier: self_serve · route: public · default: enabled

Data handling
HIPAA BAA: Will they sign a HIPAA Business Associate Agreement covering this offering?
Yes, public · confidence: high · verified 2026-07-05

"Google will enter into Business Associate Agreements with customers as necessary under HIPAA." The BAA-covered-products list includes "Gemini Enterprise Agent Platform" and "Generative AI on Gemini Enterprise Agent Platform" (the renamed Vertex AI; the old "Vertex AI" name no longer appears). BAA is executed self-serve via account settings (support.google.com/cloud/answer/6329727). requires_config: customer must execute the BAA and restrict use to covered products.

tier: self_serve · route: public · default: requires_config

covered_products: ['Gemini Enterprise Agent Platform', 'Generative AI on Gemini Enterprise Agent Platform']

GDPR DPA: Is there a public DPA with SCCs and a published subprocessor list?
Yes, public · confidence: high · verified 2026-07-05

Cloud Data Processing Addendum is public, incorporated into Google Cloud Platform agreements (covers Vertex AI), positions Google as processor, includes SCC mechanisms via Appendix 3 (Specific Privacy Laws), subprocessor terms in Section 11, and commits to maintaining ISO 27001 certificates and SOC 2/3 reports for audited services. A public subprocessor list is maintained at cloud.google.com/terms/subprocessors (verified reachable 2026-07-05).

tier: self_serve · route: public · default: enabled

subprocessor_list: https://cloud.google.com/terms/subprocessors

No-training default: Is there a public commitment not to train on customer API data by default?
Yes, public · confidence: high · verified 2026-07-05

"As outlined in Section 17 'Training Restriction' in the Service Terms section of Service Specific Terms, Google won't use your data to train or fine-tune any AI/ML models without your prior permission or instruction. This applies to all managed models on Gemini Enterprise Agent Platform, including GA and pre-GA models." The old URL cloud.google.com/vertex-ai/generative-ai/docs/data-governance now redirects to this page; the archived snapshot is of the pre-rename URL.

tier: self_serve · route: public · default: enabled

contractual_basis: Service Specific Terms, Section 17 "Training Restriction"

Retention / ZDR: Is retention documented, and is zero-data-retention available?
Yes, public · confidence: high · verified 2026-07-05

Retention is documented in detail and zero data retention is achievable, but requires configuration: (1) Gemini models cache inputs/outputs in-memory (not at-rest) with a 24-hour TTL by default, disableable at the project level; (2) abuse-monitoring prompt logging applies to customers on standard GCP ToS, and a ZDR exception can be requested (not applicable on invoiced billing per Google's docs); (3) request-response logging is disabled by default; (4) Grounding with Google Search/Maps stores prompts and outputs for 30 days and cannot be disabled (Google recommends Web Grounding for Enterprise for ZDR); (5) some Advanced AI features (Advanced AI Safety Addendum) may preclude ZDR.

tier: self_serve · route: public · default: requires_config

cache_disable_scope: project-level · inmemory_cache_ttl_hours: 24 · request_response_logging_default: disabled · grounding_google_search_retention_days: 30

Residency: Can data be pinned to a region (especially the EU)?
Yes, public · confidence: high · verified 2026-07-05

"Data stored at rest in the customer selected location remains at rest in that location" and "ML processing for Agent Platform services occurs within the specific region or multi-region where the request is made." Per-model residency tables cover Gemini models across US/EU multi-regions and many country regions. Endpoints not listed (e.g., some Middle East regions / older models) carry no ML-processing guarantee. Customer must select regional endpoints (requires_config). Cached in-memory data also "adheres to all Data Residency requirements for the selected location."

tier: self_serve · route: public · default: requires_config · geography: US and EU multi-regions plus country regions incl. Germany, France, Netherlands, UK, and APAC regions

at_rest: data stored at rest remains in the customer-selected location · ml_processing: occurs within the specific region or multi-region where the request is made · example_eu_regions: ['eu multi-region', 'europe-west1', 'europe-west2', 'europe-west3', 'europe-west4', 'europe-west9']

EU AI Act
GPAI Code: Is the model developer on the EC's GPAI Code of Practice signatory list?
Yes, public · confidence: high · verified 2026-07-05

Google appears on the European Commission's GPAI Code of Practice signatory list with no caveat, i.e., signed all three chapters (unlike xAI, which signed Safety & Security only). CoP signature is a developer-level (Google) commitment covering its GPAI models incl. Gemini.

tier: self_serve · route: public · default: enabled · geography: EU

chapters: ['Transparency', 'Copyright', 'Safety and Security']

Art. 53 summary: Has the model developer published the Art. 53 training-data summary?
No public evidence · confidence: low · verified 2026-07-05

Could not locate a published Article 53(1)(d) public training-content summary for Gemini using the EU template, despite targeted searches of ai.google, deepmind.google, blog.google, and cloud.google.com (2026-07-05). Google signed the full GPAI Code of Practice (incl. the Transparency chapter) and the obligation has applied since 2025-08-02, so a summary may exist behind a URL not surfaced by search; this cell is flagged for human review. Google Cloud's EU AI Act compliance page (cloud.google.com/security/compliance/eu-ai-act) does not link one.

no public source
