NOTE: If you have a project or data storage / transfer need that involves protected data, or if you are not sure if you do, Start a Conversation with us so we can ensure you have the best resources and environment possible for your work.
--

In pairing with Google to offer VT Google Apps, the security and privacy of user information and data is a top priority. Google's How Google protects your organization's security and privacy page answers several frequently asked questions about security and privacy of Google Apps. Additionally, this page addresses questions and issues specific to how VT Google Apps data is handled in accordance with Virginia Tech's collaborative arrangement with Google.

Ownership of VT Google Apps Data

Google does not "own" data within our VT Google Apps domain; Google specifically disavows any ownership of end-user intellectual property. As the data owner, you grant Google the right to process data as needed to show it to individuals based on the permissions you set. Should the agreement with Google ever be terminated, Google is obligated to delete and/or return any end-user data to Virginia Tech.

Usage of VT Google Apps Data

Google does not mine VT Google Apps data for their own purposes. Per the terms of our agreement, Google may only process or otherwise use Virginia Tech account data as required for the purpose of providing services and performing its obligations under the agreement. This includes processes for preventing span and ensuring the technical functioning of Google's network (such as detecting, preventing, or otherwise addressing fraud, security, or technical issues).

Additionally, our agreement specifically prohibits advertising within the Virginia Tech Google Apps for Education domain. The university is neither selling data nor profiting from this arrangement.

Storage of VT Google Apps Data

In general, you may keep university files on VT Google Apps with the privacy, confidentiality, and ownership of the files protected. In negotiating a contract with Google, Virginia Tech ensured that VT Google Apps would be acceptable for storage of university files.

Google stores data on its secure servers, which could be located outside the U.S. or within the U.S. and accessible to foreign nationals. For this reason, Virginia Tech has policies in place that users working with export-controlled data must not store such data in their email or house this data outside the U.S. to be managed by non-U.S. citizens. Their use of other Google Apps must be in accordance with the Proper Use Policy and the Export Controls Laws and Regulations policy. If you have questions about Export Controls and how they apply to you or your data, see the Office of Export and Secure Research Compliance Web page.

Regulated Data in VT Google Apps

In addition to special consideration for export-controlled data, certain types of regulated data may need to be handled differently in regard to VT Google Apps. Guidelines include that:

• compliance with HIPAA data is your responsibility
• Google services are not ITAR compliant; for more information on ITAR compliance, see the Office of Export and Secure Research Compliance Web page

The Virginia Tech version of Google Apps has been approved to store student information owned or used by Virginia Tech and therefore it may be used to store appropriately secured information covered by FERPA.

Note: only the VT version of Google Apps is approved, not the consumer version of Google Apps.

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. Student data protected by FERPA is permitted in the Virginia Tech Google Apps portal. It is subject to access by school officials who have a legitimate educational interest as well as by other identified officials, as defined and identified by the university’s FERPA privacy regulation.

To the extent that Google has access to student educational records as a contractor for the university, it is deemed a “school official,” as defined by FERPA, under the Virginia Tech Google Apps agreement and will comply with its obligations under FERPA. Personally identifiable student data should never be made publicly accessible without the student’s signed, written consent.

Terms of Service and G Suite Core Services

The Virginia Tech Google Apps for Education contract may be amended from time to time. You should check the contract periodically to review any changes. The entire contract can be viewed at the following PDF link: VT Google Apps Contract.

To view the Google Apps Core Services that are currently available, see the G Suite - Services Summary page.

To view other Google applications that are not part of the Google Apps Core Services, see Google's Additional Google Services Web page. (Use of any of these services will require accepting the Google Terms of Service.)

To view an explanation of the difference between Google Apps Core Services and other applications that are not Google Apps Core Services, see the G Suite for Education Core and Additional services page.

By using the Virginia Tech contracted Google Apps Core Services, you agree to abide by the End User terms of the Virginia Tech Google Apps for Education Agreement. The following are some parts of Virginia Tech's contract with Google that specifically apply to you:

• Google will store and process a Virginia Tech end user's data (generated, transmitted, or displayed), including mail, with the same security standards used to process Google's own information of a similar type.
• Google may transfer, store, and process data within the United States or any other country where Google maintains facilities.
• Designated Virginia Tech administrators may have the ability to access, monitor, use, or disclose data available to end users within end user accounts.
• The default setting for the Google Apps Core Services is that Google cannot serve ads.
• Virginia Tech will use commercially reasonable efforts to prevent and terminate unauthorized use of Services and will notify Google of any unauthorized uses.
• Google can request suspension of end user accounts if Google becomes aware of an end user's violation of the Google Apps for Education agreement. If Virginia Tech does not comply with the request, then Google can suspend the transgressing account. The suspension will remain until the end user has cured the breach that caused the suspension.
• Google may automatically suspend an account in the case that the account might provide unauthorized third-party access to the Services or potentially disrupt Services, other users' use of Services, or Google network or servers used to provide the Services.
• Virginia Tech owns intellectual property rights of their own data, while Google owns property rights of their Services.
• If any messages are confirmed as deleted by the user, then that data is deleted from the Google interface, and the data is no longer accessible or recoverable by the end user.
• At any time, an administrator can delete an end user and their data from Google. Alternatively, an administrator can suspend an end user or change their password such that their data is accessible to the organization but not the end user.

More Information

For more information about Virginia Tech's policies and recommendations with regard to security and using cloud or Web-based services, visit the Virginia Tech IT Security Office Web site.