AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

Google DeepMind

Gemini 2.5 Pro

v2.5 Pro · frontier · Released March 25, 2025

Cleared

Updated June 27, 2026

No active compliance flags. Available via Gemini API and Google Cloud Vertex AI. Strong data residency options via GCP regions.

Enterprise guidance

Gemini 2.5 Pro is available via Google AI Studio (development) and Vertex AI (enterprise production). For regulated workloads, use Vertex AI — data stays within your chosen GCP region, a Data Processing Addendum is included in Google Cloud terms, and HIPAA BAA is available. Google does not use Vertex AI prompts to train Gemini models.

Data handling

Default data retention

Gemini API: up to 30 days for safety monitoring; Vertex AI: stays in your GCP region

Zero-retention available

Yes

Via: Google Cloud Vertex AI

API data used for training

No

Vertex AI: prompts are not used to train Google models. Gemini API free tier: interactions may be reviewed by human reviewers to improve models.

GDPR Data Processing Agreement

Available

HIPAA Business Associate Agreement

Available

Google Cloud Vertex AI

Data residency options

Configurable GCP regions including US, EU, and APAC

Vendor compliance certifications

SOC 2 Type IIISO 27001ISO 27017ISO 27018HIPAA (Vertex AI)FedRAMP High (Vertex AI)PCI DSS

Key use restrictions

  • No CSAM or sexual content involving minors
  • No content facilitating attacks on critical infrastructure or illegal weapons
  • No content designed to enable real-world violence against specific targets
  • No impersonation of real individuals intended to deceive or defraud
  • No content designed to interfere with elections or suppress voting

Safety documentation

Model card published
System card published
Red-team report published

Gemini safety reports published by Google DeepMind. Google AI Principles applied across the development process. Internal red-team evaluations conducted. Third-party safety assessments completed before major releases.

Safety documentation →

Related governance resources

Governance controls

AI Vendor Due Diligence

Assess AI vendors against security, governance, and compliance criteria before procurement and at defined intervals during the vendor relationship.

AI Contractual Requirements

Define minimum contractual provisions that must be present in agreements with AI vendors, covering data handling, transparency, audit rights, and incident notification.

Cross-Border Data Transfer Controls for AI

Govern the international transfer of personal data through AI systems, including data sent to AI API providers, training pipelines, and cloud infrastructure in other jurisdictions.

AI Procurement Risk Assessment

Assess and document the risks of procuring an AI system or service before approval, including technical, legal, privacy, and operational risks.

Third-Party AI Model Evaluation

Evaluate third-party AI models against defined performance, safety, and bias criteria before deploying them in enterprise workflows.

Playbook guides

How do we ensure third-party AI vendors meet our standards?

Extending vendor due diligence to cover model transparency, data handling, bias testing, and contractual liability for AI outputs.

How do we maintain data privacy compliance when using AI?

Addressing training data sourcing, data minimization, cross-border transfers, and the right to explanation under GDPR and CCPA.

How does the EU AI Act affect our global operations?

Understanding the Brussels Effect on non-EU organizations, and evaluating whether to adopt the EU risk-based framework as a global internal standard.

← All tracked models