Carnegie Mellon University

Google Privacy and Security Frequently Asked Questions (FAQs)

Find answers to your most common questions about using privacy and security with Google Workspace for Education at CMU.

The university may not use Google for High Risk Activities, for data that is controlled for export under Export Control Laws, or in ways that reverse engineers, resells, or creates similar services through the use of Google.

Google is considered a “School Official” and will comply with the requirements and obligations of School Officials under FERPA.

No. When you access Google through a web browser or SSO supported app your password is authenticated on our servers and is not sent to Google. For the best experience, including with desktop mail, use Google products in a browser or with Google mobile apps.

No, ads are disabled for CMU Google Mail.

Google complies with applicable laws and notifies customers directly in the most expedient time possible.  Depending on the situation, Google may automatically suspend the offending user and inform the university’s administrator.

When discs that contain customer data experience performance issues or errors they are decommissioned by Google. Every decommissioned disk is subject to a series of data destruction processes before leaving Google premises. Discs are erased in a multi-step process and verified complete by at least two independent validators.

Each Google data center maintains an on-site security operation responsible for all physical data center security functions 24/7. The on-site security operation personnel monitor Closed Circuit TV (CCTV) cameras and all alarm systems. On-site security operation personnel perform internal and external patrols of the data center regularly. Google employs a centralized access management system to control personnel access to Google production servers, and provides access to a limited number of authorized personnel.

Customer data that is uploaded or created in G Suite services is encrypted at rest. HTTPS is also enabled for all G Suite services so that your data is encrypted when traveling from your device to Google and also while in transit between Google data centers.

Google’s infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks.  For example, Google’s data center power systems are designed to be redundant and maintainable 24/7.

Google provides customer access and the ability to export their data for a reasonable period of time. After this time, Google will destroy/overwrite the data.

Our agreement with Google does not grant either party any rights, implied or otherwise, to the other’s content or any of the other’s intellectual property. As a Google customer, we (university/end user) own all intellectual Property Rights in customer data; conversely, Google owns all intellectual property rights in the services.

Google data is stored in a vast number of geographically distributed data centers that are owned/managed by Google. These centers adhere to, at least, industry standard systems and procedures that ensure security and confidentiality and protect against threats, hazards and unauthorized access.