Security, privacy, risk, and compliance for the Conversational Analytics API

This document provides an overview of various controls that support the security of the Conversational Analytics API on Google Cloud and links to further information on how to configure the controls. Security controls such as network security options, policies, and access management can help you address your business risks and meet the privacy and regulatory requirements that apply to your business.

The security, privacy, risk, and compliance for the Conversational Analytics API use a shared responsibility model. For example, because the Conversational Analytics API is a fully-managed service, Google secures and manages the infrastructure that the Conversational Analytics API and other Google Cloud services run on, and provides you with the capabilities that help you manage access to your services and resources. For more information about how we secure the infrastructure, see the Google infrastructure security design overview.

As part of the Gemini for Google Cloud family of products, the Conversational Analytics API follows Google's commitments for data privacy and usage. For more information, see how Gemini for Google Cloud uses your data and certifications and security for Gemini for Google Cloud.

The Conversational Analytics API includes security controls to help mitigate risks such as prompt injection. Because large language model (LLM) security is a rapidly evolving field, these defense mechanisms are continuously updated to help safeguard data agent interactions.

Provisioned services

When you get started with the Conversational Analytics API, you enable the following APIs:

• geminidataanalytics.googleapis.com
• cloudaicompanion.googleapis.com

For more information, see Enable the Conversational Analytics API.

Authentication for Google Cloud management

Administrators and developers who create and manage the Conversational Analytics API instances must authenticate to Google Cloud to verify their identity and access privileges. You must set up each user with a user account that is managed by Cloud Identity, Google Workspace, or an identity provider that you've federated with Cloud Identity or Google Workspace. For more information, see Overview of Google identity management.

After you create the user accounts, implement security best practices such as single sign-on and 2-step verification.

To use the Conversational Analytics API, you must authenticate to Google Cloud. Depending on your data sources, you might also need to provide separate credentials to authorize the agent to access the underlying data. For more information, see Authenticate and connect to a data source.

Identity and Access Management

To manage Identity and Access Management (IAM) roles at scale for your administrators and developers, consider creating separate functional groups for your various user roles and applications. Grant the IAM roles or permissions that are required to manage the Conversational Analytics API to your groups. When you assign roles to your groups, follow the principle of least privilege and other IAM security best practices. For more information, see Best practices for using Google Groups.

For more information about setting up IAM, see IAM overview.

IAM controls access to Conversational Analytics API resources, such as agents and conversations. Access to the underlying data that an agent queries is controlled by permissions on the data source itself. For more information, see Conversational Analytics API access control with IAM.

Conversational Analytics API service accounts

When you enable the Conversational Analytics API, Google creates service accounts for you. A service account is a special type of non-interactive Google Account that's typically used by an application or compute workload, such as a Compute Engine instance, rather than a person. Applications use service accounts to access Google APIs.

Service agents

To enable the Conversational Analytics API to access your resources on your behalf, Google Cloud creates a special service account known as a service agent.

When you enable the Conversational Analytics API, the following Conversational Analytics API service agents are created:

• service-PROJECT_NUMBER@gcp-sa-geminidataanalytics.iam.gserviceaccount.com
• service-PROJECT_NUMBER@gcp-sa-cloudaicompanion.iam.gserviceaccount.com

Policies for the Conversational Analytics API

The predefined organization policies that apply to the Conversational Analytics API include the following:

• Restrict Resource Service Usage (constraints/gcp.restrictServiceUsage)
• Resource Location Restriction (constraints/gcp.resourceLocations)
• Restrict CMEK Crypto Key Projects (constraints/gcp.restrictCmekCryptoKeyProjects)
• Restrict Non-CMEK Services (constraints/gcp.restrictNonCmekServices)

For more information, see Organization policy constraints.

Network security

By default, Google applies default protections to data in transit for all Google Cloud services, including the Conversational Analytics API instances that are running on Google Cloud. For more information about default network protections, see Encryption in transit.

If required by your organization, you can configure additional security controls to further protect traffic on the Google Cloud network and traffic between the Google Cloud network and your corporate network. Consider the following:

• The Conversational Analytics API supports VPC Service Controls. VPC Service Controls let you control the movement of data in Google services and set up context-based perimeter security. For more information on setting up VPC Service Controls, see Configure perimeter security with VPC Service Controls.
• In Google Cloud, consider using Shared VPC as your network topology. Shared VPC provides centralized network configuration management while maintaining separation of environments.

For more information about network security best practices, see Implement zero trust and Decide the network design for your Google Cloud landing zone.

Data protection and privacy

The Conversational Analytics API encrypts your data that is stored in Google Cloud using default encryption. Example data includes the following:

• Data agent configuration (system instructions and example queries)
• Data agent context (staging and published context)
• Conversation messages and state history

This data can only be accessed by the Conversational Analytics API instances.

You can enable customer-managed encryption keys (CMEK) to encrypt your data at rest. With CMEK, keys are stored in Cloud Key Management Service (Cloud KMS) as software-protected keys or hardware-protected keys with Cloud HSM, but they are managed by you. To provision encryption keys automatically, you can enable Cloud KMS Autokey. When you enable Autokey, a developer can request a key from Cloud KMS, and the service agent provisions a key that matches the developer's intent. With Cloud KMS Autokey, keys are available on demand, are consistent, and follow industry-standard practices.

Where data is processed

The Conversational Analytics API supports data residency for data that is stored on Google Cloud. Data residency lets you choose the regions that you want your data to be stored in using the Resource Location Restriction policy constraint. You can use Cloud Asset Inventory to verify the location of the Conversational Analytics API resources.

Data privacy

To help protect the privacy of your data, the Conversational Analytics API conforms to the Common Privacy Principles.

The Conversational Analytics API acts as a data processor for Customer Data. Google also acts as a data controller for information such as billing and account management and abuse detections. For more information, see Google Cloud Privacy Notice.

Audit logging

The Conversational Analytics API writes the following types of audit logs:

• Admin Activity audit logs: Includes ADMIN WRITE operations that write metadata or configuration information.

• Data Access audit logs: Includes ADMIN READ operations that read metadata or configuration information. Also includes DATA READ and DATA WRITE operations that read or write user-provided data.

For more information, see Audit logging.

Monitoring and incident response

You can use a variety of tools to help you monitor the performance and security of the Conversational Analytics API. Consider the following:

• Logs Explorer to view and analyze event logs and create custom metrics and alerts.
• Use the Cloud Monitoring dashboard to monitor the performance of the Conversational Analytics API.
• Deploy cloud controls and frameworks in Security Command Center to detect vulnerabilities and threats to the Conversational Analytics API (such as privilege escalations). You can set up alerts and playbooks for your security operations center (SOC) analysts so that they can respond to findings.

What's next

• Use Google Threat Intelligence to track external threats that apply to your business.
• Learn how to authenticate to the Conversational Analytics API.
• Learn about access control for the Conversational Analytics API.
• Learn how to protect resources with customer-managed encryption keys (CMEK).
• Learn how to view and manage audit logs.
• Learn how to configure a service perimeter with VPC Service Controls.
• Learn how to apply organization policy constraints.
• Learn about data residency and supported regions.