Gemini via Vertex AI
Google's Gemini models served through Google Cloud Vertex AI (renamed "Gemini Enterprise Agent Platform" in 2026). Inherits Google Cloud's certification portfolio (SOC 1/2/3, ISO 27001/27017/27018, ISO 42001), HIPAA BAA coverage, the Cloud Data Processing Addendum, and documented data-governance controls including a configurable zero-data-retention path.
Watch-outs (1)
The cells where this offering is not a clean public yes. This is what to check before you sign.
- Art. 53 summary: No public evidence. Art. 53 summary not published for Gemini.
Google Cloud's services-in-scope page lists "Vertex AI Platform" and "Generative AI on Vertex AI" under SOC 1/2/3. SOC 2 reports are downloadable self-serve via Compliance Reports Manager (Google account sign-in required, no NDA or sales contact). Vertex AI was renamed "Gemini Enterprise Agent Platform" in 2026; newer pages use that name.
tier: self_serve · route: public · default: enabled
in_scope_services: ['Vertex AI Platform', 'Generative AI on Vertex AI']
"Vertex AI Platform" and "Generative AI on Vertex AI" are in scope for ISO/IEC 27001 (plus 27017/27018 for most Vertex services). Certificates available via Compliance Reports Manager.
tier: self_serve · route: public · default: enabled
standards: ['ISO/IEC 27001', 'ISO/IEC 27017', 'ISO/IEC 27018']
Google Cloud Platform, Google Workspace, and Gemini (App) are certified ISO/IEC 42001:2023. The page's products-in-scope list explicitly includes "Gemini Enterprise Agent Platform" and "Generative AI on Gemini Enterprise Agent Platform" (i.e., Vertex AI under its 2026 name). Certificate verifiable at iafcertsearch.org.
tier: self_serve · route: public · default: enabled
in_scope_products: ['Gemini Enterprise Agent Platform', 'Generative AI on Gemini Enterprise Agent Platform', 'Gemini App', 'Gemini Enterprise'] · certificate_registry: https://www.iafcertsearch.org
Compliance Reports Manager provides free, on-demand, self-serve downloads of ISO certificates, SOC reports (incl. SOC 2), and self-assessments; requires Google Cloud/Workspace sign-in but no NDA for current reports. Broader compliance hub at cloud.google.com/security/compliance.
tier: self_serve · route: public · default: enabled
"Google will enter into Business Associate Agreements with customers as necessary under HIPAA." The BAA-covered-products list includes "Gemini Enterprise Agent Platform" and "Generative AI on Gemini Enterprise Agent Platform" (the renamed Vertex AI; the old "Vertex AI" name no longer appears). BAA is executed self-serve via account settings (support.google.com/cloud/answer/6329727). requires_config: customer must execute the BAA and restrict use to covered products.
tier: self_serve · route: public · default: requires_config
covered_products: ['Gemini Enterprise Agent Platform', 'Generative AI on Gemini Enterprise Agent Platform']
Cloud Data Processing Addendum is public, incorporated into Google Cloud Platform agreements (covers Vertex AI), positions Google as processor, includes SCC mechanisms via Appendix 3 (Specific Privacy Laws), subprocessor terms in Section 11, and commits to maintaining ISO 27001 certificates and SOC 2/3 reports for audited services. A public subprocessor list is maintained at cloud.google.com/terms/subprocessors (verified reachable 2026-07-05).
tier: self_serve · route: public · default: enabled
subprocessor_list: https://cloud.google.com/terms/subprocessors
"As outlined in Section 17 'Training Restriction' in the Service Terms section of Service Specific Terms, Google won't use your data to train or fine-tune any AI/ML models without your prior permission or instruction. This applies to all managed models on Gemini Enterprise Agent Platform, including GA and pre-GA models." The old URL cloud.google.com/vertex-ai/generative-ai/docs/data-governance now redirects to this page; the archived snapshot is of the pre-rename URL.
tier: self_serve · route: public · default: enabled
contractual_basis: Service Specific Terms, Section 17 "Training Restriction"
Retention is documented in detail and zero data retention (ZDR) is achievable, but requires configuration: (1) Gemini models cache inputs/outputs in-memory (not at-rest) with a 24-hour TTL by default, disableable at the project level; (2) abuse-monitoring prompt logging applies to customers on standard GCP ToS, and a ZDR exception can be requested (not applicable on invoiced billing per Google's docs); (3) request-response logging is disabled by default; (4) Grounding with Google Search/Maps stores prompts and outputs for 30 days and cannot be disabled, and Google recommends Web Grounding for Enterprise for ZDR; (5) some Advanced AI features (Advanced AI Safety Addendum) may preclude ZDR.
tier: self_serve · route: public · default: requires_config
cache_disable_scope: project-level · inmemory_cache_ttl_hours: 24 · request_response_logging_default: disabled · grounding_google_search_retention_days: 30
"Data stored at rest in the customer selected location remains at rest in that location" and "ML processing for Agent Platform services occurs within the specific region or multi-region where the request is made." Per-model residency tables cover Gemini models across US/EU multi-regions and many country regions. Endpoints not listed (e.g., some Middle East regions / older models) carry no ML-processing guarantee. Customer must select regional endpoints (requires_config). Cached in-memory data also "adheres to all Data Residency requirements for the selected location."
tier: self_serve · route: public · default: requires_config · geography: US and EU multi-regions plus country regions incl. Germany, France, Netherlands, UK, and APAC regions
at_rest: data stored at rest remains in the customer-selected location · ml_processing: occurs within the specific region or multi-region where the request is made · example_eu_regions: ['eu multi-region', 'europe-west1', 'europe-west2', 'europe-west3', 'europe-west4', 'europe-west9']
Google appears on the European Commission's GPAI Code of Practice signatory list with no caveat, i.e., signed all three chapters (unlike xAI, which signed Safety & Security only). CoP signature is a developer-level (Google) commitment covering its GPAI models incl. Gemini.
tier: self_serve · route: public · default: enabled · geography: EU
chapters: ['Transparency', 'Copyright', 'Safety and Security']
Could not locate a published Article 53(1)(d) public training-content summary for Gemini using the EU template, despite targeted searches of ai.google, deepmind.google, blog.google, and cloud.google.com (2026-07-05). Google signed the full GPAI Code of Practice (incl. the Transparency chapter) and the obligation has applied since 2025-08-02, so a summary may exist behind a URL not surfaced by search; this is flagged for human review. Google Cloud's EU AI Act compliance page (cloud.google.com/security/compliance/eu-ai-act) does not link one.
no public source