Data and infrastructure security overview
This page describes the data and infrastructure security that applies to Security Command Center.
Data processing
When you enroll in Security Command Center, Google Cloud processes information related to the Google Cloud services you use, including the following:
- The configuration and metadata associated with your Google Cloud resources
- The configuration and metadata for your Identity and Access Management (IAM) policies and users
- Google Cloud-level API access patterns and usage
- Cloud Logging contents for your Google Cloud organization
- Security Command Center metadata, including service settings and security findings
Security Command Center processes data related to your cloud logs and assets that you configure to be scanned or monitored, including telemetry and other data therein, to provide findings and improve the service. As such, the scanning and monitoring reports are processed as Service Data by Google pursuant to the terms of the Google Cloud Privacy Notice.
In order to protect your assets against new and evolving threats, Security Command Center analyzes data related to misconfigured assets, indicators of compromise in logs, and attack vectors. This activity may include processing to improve service models, recommendations for hardening customer environments, the effectiveness and quality of services, and user experience. If you prefer to use the service without your data being processed for purposes of improving the service, you can contact Google Cloud Support to opt out. Certain features that depend on security telemetry might not be available to you if you opt out. Examples of these are customized detections tailored to your environment, and service improvements that incorporate your service configurations.
Data is encrypted at rest and in transit between internal systems. Additionally, Security Command Center's data access controls are compliant with the Health Insurance Portability and Accountability Act (HIPAA) and other Google Cloud compliance offerings.
Limiting sensitive data
Administrators and other privileged users in your organization must exercise appropriate care when adding data to Security Command Center.
Security Command Center lets privileged users add descriptive information to Google Cloud resources and the findings generated by scans. In some cases, users may unknowingly relay sensitive data when using the product, for example, adding customer names or account numbers to findings. To protect your data, we recommend that you avoid adding sensitive information when naming or annotating assets.
As an additional safeguard, Security Command Center can be integrated with Sensitive Data Protection. Sensitive Data Protection discovers, classifies, and masks sensitive data and personal information, such as credit card numbers, Social Security numbers, and Google Cloud credentials.
Depending on the quantity of information, Sensitive Data Protection costs can be significant. Follow best practices for keeping Sensitive Data Protection costs under control.
For guidance on setting up Security Command Center, including managing resources, see Optimizing Security Command Center.
Data retention for findings
Data that Security Command Center processes is captured and stored in findings that identify threats, vulnerabilities, and misconfigurations in the resources and assets within your organization, folders, and projects. Findings contain a series of daily snapshots that capture the state and properties of a finding each day.
The following table shows the retention periods for findings in Security Command Center.
Note:
- The retention periods for findings in Security Command Center are subject to change.
- Data retention differs by finding class and state. For example, for a vulnerability, if the underlying issue has been resolved or if the affected resource has been deleted, the data retention policy is limited to 7 days. Whereas if the vulnerability is still active, the data retention policy is longer.
- Retention periods are based on the creation times of the findings.
| Finding | Retention period |
|---|---|
| Inactive vulnerability | 7 days |
| Inactive misconfiguration | 30 days |
| Everything active (except threats) | Deleted after the following amount of time has passed: If the underlying issue for a misconfiguration or vulnerability finding remains unresolved or reoccurs, Security Command Center recreates the finding on a subsequent detection scan. |
| All other findings | 90 days |
A finding persists in Security Command Center as long as it contains at least one snapshot that remains within the applicable retention period. To keep findings and all of their data for longer periods, export them to another storage location. To learn more, see Exporting Security Command Center data.
Any third-party finding is deleted after the creation time exceeds the retention period. Findings that are generated in error or without any security, risk, or compliance value might be deleted at any time.
Behavior when an organization is deleted
For all tiers, an exception to the retention periods applies when an organization is deleted from Google Cloud. When an organization is deleted, all findings derived from the organization and its folders and projects are deleted within the retention period documented in Data deletion on Google Cloud.
Behavior when a project is deleted
If a project is deleted, the findings from the project are not deleted at the same time, but are instead retained for the auditability of the organization that contained the deleted project. The retention period depends on the tier that was active in the deleted project: 13 months for the Enterprise and Premium tiers or 35 days for the Standard tier.
If you delete a project and need to delete all of the findings for the project at the same time, contact Cloud Customer Care, who can initiate an early deletion of all findings in the project for you.
Behavior when an asset is deleted
If an asset associated with a finding is deleted, Security Command Center might reassign the finding to the organization; that is, the parent of the finding becomes the organization. This reassignment occurs a few days after the asset is deleted and only if the finding is updated. This reassignment allows the finding to remain available for auditability, even though the original asset no longer exists.
Data retention for disk clones
Virtual Machine Threat Detection takes short-lived clones of your VM's persistent disk and stores them in Google-owned projects, in the same zone for zonal disks or the same region for regional disks. VM Threat Detection scans the disk clones and deletes them within an hour after completing disk scan activities and handling errors, such as timeouts.
Infrastructure security
Security Command Center is built on top of the same infrastructure that Google uses for its own consumer and enterprise services. The layered security of our infrastructure is designed to protect all services, data, communications, and operations in Google Cloud.
To learn more about Google's infrastructure security, see Google infrastructure security design overview.
What's next
To learn about Security Command Center's features and benefits, see Security Command Center overview.
Learn more about using Security Command Center.
Last updated 2025-12-17 UTC.