Privacy and Security in Firebase

Privacy and Security in Firebase

This page outlines Firebase's key security and privacy information. Whether you're looking to kick off a new project with Firebase, or curious about how Firebase works with your existing project, read on to see how Firebase can help protect you and your users.

Last modified: July 19, 2018

Data protection

Firebase is GDPR-ready

On May 25th, 2018, the EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. Google is committed to helping our customers succeed under the GDPR, whether they are large software companies or independent developers.

The GDPR imposes obligations on data controllers and data processors. Firebase customers typically act as the "data controller" for any personal data about their end-users they provide to Google in connection with their use of Firebase, and Google is, generally, a "data processor".

This means that data is under the customer's control. Controllers are responsible for obligations like fulfilling an individual's rights with respect to their personal data.

If you're a customer, and would like to understand your responsibilities as a data controller, you should familiarize yourself with the provisions of the GDPR, and check on your compliance plans.

Key questions to consider:

  • How does your organization ensure user transparency and control around data use?
  • Are you sure that your organization has the right consents in place where these are needed under the GDPR?
  • Does your organization have the right systems to record user preferences and consents?
  • How will you show regulators and partners that you meet the principles of the GDPR and are an accountable organisation?

Firebase Data Processing and Security Terms

When customers use Firebase, Google is generally a data processor and processes personal data on their behalf. Firebase terms include Data Processing and Security Terms for all Firebase services, effective May 25, 2018.

Certain Firebase services governed by the Google Cloud Platform (GCP) Terms of Service are already covered by associated data processing terms, the GCP Data Processing and Security Terms. A complete list of Firebase services currently governed by the GCP Terms of Service is available in the Terms of Service for Firebase Services.

Google Analytics for Firebase is covered under the Google Ads Data Processing Terms.

Firebase is certified under major privacy and security standards

ISO and SOC compliance

All Firebase services have successfully completed the ISO 27001 and SOC 1, SOC 2, and SOC 3 evaluation process, and some have also completed the ISO 27017 and ISO 27018 certification process:

Privacy Shield Framework certifications

In July 2016, the European Commission concluded that the EU-U.S. Privacy Shield Framework provides an adequate mechanism to allow EU companies to comply with requirements under the Directive in connection with transfer of personal data from the European Union to the United States. Google LLC is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. You can see the certifications on the Privacy Shield list.

Data processing information

Examples of end-user personal data processed by Firebase

Some Firebase services process your end users' personal data to provide their service. The chart below has examples of how various Firebase services use and handle end-user personal data. In addition, many Firebase services offer the ability to request deletion of specific data or control how data is handled.

Guides for enabling opt-in for end-user personal data processing

Services in the table above need some amount of end-user personal data to function. As a result, it's not possible to entirely disable data collection while using those services.

If you're a customer who would like to offer users a chance to opt-in to a service, and the data collection that comes with it, in most cases that just requires adding a dialog or settings toggle before using the service.

Some services, however, start up automatically when included in an app. To give users a chance to opt-in before using those services, you can choose to disable auto-initialization for each service, and manually initialize them at run time instead. To find out how, read the guides below:

Data storage and processing locations

Unless a service or feature offers data location selection, Firebase may process and store your data anywhere Google or its agents maintain facilities. Potential facility locations vary by service.

US-only services

A few Firebase services are only run from US data centers. As a result, these services process data exclusively in the United States.

  • Firebase Realtime Database
  • Cloud Firestore for Firebase
  • Firebase Hosting
  • Firebase Test Lab
  • Firebase Authentication

Global services

The majority of Firebase services run on global Google infrastructure. They could process data at any of the Google Cloud Platform locations or Google data center locations. For some services you can make a specific Data Location Selection which restricts processing to that location.

  • Cloud Storage for Firebase
  • Cloud Functions for Firebase
  • Firebase Performance Monitoring
  • Firebase Crash Reporting
  • Firebase Dynamic Links
  • Firebase Invites
  • Firebase Remote Config
  • Firebase Cloud Messaging
  • Firebase Predictions
  • Google Analytics for Firebase
  • ML Kit for Firebase

Security information

Data encryption

Firebase services encrypt data in transit using HTTPS and logically isolate customer data.

In addition, several Firebase services also encrypt their data at rest:

  • Cloud Firestore
  • Cloud Functions for Firebase
  • Cloud Storage for Firebase
  • Firebase Authentication
  • Firebase Cloud Messaging
  • Firebase Realtime Database
  • Firebase Test Lab

Security practices

To keep personal data safe, Firebase employs extensive security measures to minimize access:

  • Firebase restricts access to a select employees who have a business purpose to access personal data.
  • Firebase logs employee access to systems that contain personal data.
  • Firebase only permits access to personal data by employees who sign in with Google Sign-In and 2-factor authentication.

Still have questions? Contact us

For any privacy-related questions you have that aren't covered here, reach out through the Account Services form.

Send feedback about...

Need help? Visit our support page.