Google for Education

• Colleges and districts must first create a Google Workspace for Education account and verify their domain. This involves choosing an edition (Fundamentals is free, others are paid upgrades). Subsequently, they need to define their mail architecture (setting up MX records if applicable), create user accounts for students, faculty, and staff (individually, via CSV, or through directory sync), and authenticate accounts (e.g., setting up single sign-on). Finally, they'll need to enable specific Google Workspace services, including the Gemini app and NotebookLM.
  
  The Digital Center will provide enablement resources to colleges that complete the Early Adopter Interest Form. 

• While a precise typical timeline isn't explicitly stated, the setup process involves several steps. Initial account creation and domain verification are usually quick. User provisioning can vary depending on the method chosen (manual vs. automated sync). Configuration of services and integration with existing systems (like an LMS) will also influence the overall timeline. Institutions should anticipate a period for planning, technical setup, and user onboarding.

• Yes. Google Workspace LTI™ tools are currently compatible with Canvas by Instructure. Gemini LTI™ brings a collection of product experiences powered by Gemini - like the Gemini app and NotebookLM - into Canvas.

• • Yes, districts, colleges, or regional consortia can use their existing Single Sign On (SSO) pathways, identity management systems, and identity provisioning (e.g., Microsoft/Azure Active Directory) to provide access to the Google AI tools.

• There is no requirement to turn on anything other than Gemini and NotebookLM, if that’s all you want to use.* Through the Google Admin console, administrators can:

  • Turn services on or off for all users or specific organizational units (e.g., students, faculty).
  • Customize service access using access groups.
  • Restrict access to additional Google services that don't have individual on/off controls.
  • For Google Workspace for Education editions, users under the age of 18 may have restricted access to certain services by default, even if the general setting is on.

   

• * NOTE: Google recommends enabling Google Drive for the purpose of sharing Notebooks

Yes. A lot of configuration is possible, including setting storage limits for individual users or groups of users (e.g., students). For more information, visit the Google Workspace Admin Help article, Set storage limits for users.

Yes, Google provides HECVAT self-assessments for Google Cloud and Google Workspace, which detail their compliance with industry standards and security protocols. These assessments are available on REN-ISAC's Cloud Broker Index.

VPATs are also generally available for Google products to demonstrate accessibility compliance. VPATs for the Gemini app and NotebookLM are forthcoming.

For additional guidelines on how to promote a culture of AI literacy see the AI Council’s document, Developing AI Literacy in the California Community Colleges.

Under the Google Workspace for Education Data Processing Amendment (DPA), the institution (Customer) retains ownership of the data generated by users. Google acts as a processor of this data, processing it on behalf of and under the instructions of the institution.

• Yes, there are concerns, and institutions must manage PII carefully. Google Workspace for Education Core Services are designed to comply with regulations like FERPA and COPPA, which protect student PII. However, the institution is responsible for obtaining necessary consents (e.g., parental consent for minors) and for managing access to sensitive data within their organization.

Institutions also play a critical role in ensuring compliance and safeguarding data. This includes, but is not limited to, responsibility for:

• obtaining necessary consents (e.g., parental consent for minors)
• configure access and permissions appropriately to limit exposure of sensitive information
• maintaining and enforcing clear data governance policies to ensure compliance
• training faculty, staff and students on appropriate use of the services, including:
  • Not entering PII or sensitive information (e.g., Social Security Numbers, driver’s license numbers, medical data, or financial records) into prompts, generative AI tools, or open-ended fields where it is not required
  • Understanding the difference between instructional/educational uses and system administration/data-management uses
  • Recognizing and reporting any accidental disclosure of PII

If you want to learn more, please review the Google privacy policy.

• Google differentiates between "customer data" (provided or created by users within core services) and "service data" (information collected as users interact with core services). Google states that they do not sell customer data or service data to third parties. While data may be processed on Google's infrastructure, Google commits to not co-mingling user or institutional data with data from other systems for purposes like advertising. However, data can be shared with the institution's administrator, with user consent, for external processing by trusted third parties as instructed by Google, or for legal reasons.
  
  If you want to learn more, please review the Google privacy policy.

• Google's commitment is that they do not use customer data in Google Workspace for Education Core Services for advertising purposes. They process data under the institution's instructions. While personal information may be shared with trusted third-party providers for processing on Google's behalf (e.g., for storage or technical support) and in compliance with privacy policies, or for legal reasons, it's not for independent use or sale.

Gemini and NotebookLM prompts and responses are neither human reviewed or used to train or improve language models.

Generally, Google's terms grant the institution's administrator access to their users' data for management, various analytics, and oversight. As applicable, any requests for access or analytics by the Digital Center would be through the institution's designated administrative controls and permissions.

Both the Gemini app and NotebookLM are Core Services, meaning chats are not human-reviewed or used to train AI models. They are also covered under the Workspace for Education terms of service, with robust data protections in place. This includes a commitment to adhere to relevant privacy laws like FERPA (Family Educational Rights and Privacy Act) and COPPA (Children's Online Privacy Protection Act) in the U.S., as well as international regulations like General Data Protection Regulation (GDPR), which are critical standards for protecting the privacy of student education records. By leveraging the secure infrastructure of Google Workspace for Education and requiring the use of institutional accounts, the partnership ensures that student and faculty data is managed in a safe, private, and compliant manner. Google Workspace for Education Core Services are designed to be compliant, but institutions must ensure they meet their parental consent requirements.

There is no public, universal timeline for all Google Workspace for education breaches; instead, timelines vary depending on the specific incident, and Google provides a Google Workspace Status Dashboard for its services. The time to identify and contain a breach varies widely, with an average of 204 days for identification and 73 days for containment in enterprise environments, which can be even longer for schools with fewer resources. Key factors influencing the timeline include the complexity of the breach and the organization's own preparedness, such as having an incident response plan and appropriate security measures in place.

The Generative AI in Google Workspace Privacy Hub document describes data retention. Here is a quick summary:

• Gemini prompts and responses can be retained up to 36 months, as determined by admins. Admins can control whether conversations with Gemini are saved and for how long before they are automatically deleted.
• NotebookLM prompts and responses are not retained after the session ends. Retention of uploaded files and user-created notebooks follows the Cloud Data Processing Addendum, Section 6. Data Deletion. Users can manually delete files and notebooks and/or export them using Google Takeout

Gemini has attained SOC 1/2/3, ISO 9001, ISO/IEC 27001, 27701, 27017, 27018, and 42001 Gemini has FedRAMP High authorization.

For more details see Generative AI in Google Workspace Privacy Hub, Gemini for Google Workspace privacy, security and compliance whitepaper, and How Google protects your organization's security and privacy

At this stage NotebookLM does not support ISO, SOC, or FedRAMP compliance and is not covered by the Google Business Associate Agreement (BAA) for HIPAA compliance. Google plans to work toward these compliance certifications and will share more updates in 2025. (Source: Generative AI in Google Workspace Privacy Hub, last updated 9/15/25)

Google also has a Compliance Reports Manager site.

Google provides VPAT reports to document how products work for people with disabilities. Google Workspace VPAT reports are available and have WCAG 2.1 Level AA as the target standard. We are working on VPATs for Gemini for Education and NotebookLM, and Google is committed to expanding its Workspace accessibility features with the April 2026 deadline in mind, in compliance with the Department of Justice’s (Department) final rule updating its regulations for Title II of the Americans with Disabilities Act (ADA).

Google Workspace for Education tools are primarily cloud-based, meaning their impact on end-user devices is generally minimal. They operate within a web browser, reducing the need for extensive local software installations or significant processing power. The main impact is typically network bandwidth usage for accessing and collaborating on cloud-based files and services.

• For core functionalities, most modern web browsers and operating systems on desktops, laptops, and mobile devices are compatible. For advanced mobile management features, Google provides specific device requirements:
• Android: Android 2.2 Froyo and later (basic mobile management), Android 6.0 Marshmallow or later (advanced mobile management).
• iOS/iPadOS: iOS 8 and later or iPadOS 13.1 and later (basic mobile management), iOS 12.0 and later or iPadOS 13.1 and later (advanced mobile management).
• Desktop OS: Windows, Mac, and Linux are supported for Chrome browser management. The specific requirements for managing devices with Google Endpoint Management are detailed in Google's documentation.

For use of the Gemini app or NotebookLM, a software agent or dedicated browser extension is generally not required; users can access services directly through a web browser.

• In settings with shared or lab-based devices, the appropriate technology departments should implement automated security measures on shared devices to enforce log-out-upon-leaving policies. This prevents unauthorized access to sensitive data, protects against identity theft, and ensures user privacy.
  
  Strategies include implementing auto-logout after a set period of inactivity; using software to automatically wipe user data, including browsing history, cache, and downloads, at the end of each session; and saving user data to a cloud-based profile to keep sensitive data off the local machine and ensure that when a user logs out, their data leaves with them.
  
  Additionally, technology departments should encourage every user to take responsibility for their own privacy and security when using a shared or public computer–e.g., log out manually, do not save passwords locally, clear browsing data.

Google Workspace for Education tools are generally web-based and designed to be compatible across various browsers and operating systems. While the Chrome browser offers enhanced management features for IT administrators, it's not strictly required for end-user functionality. Google provides support for the latest versions of Chrome browser (Stable, Extended stable, Beta, and Dev channels) and ChromeOS. Institutions should ensure their systems are up-to-date and may need to test internal applications for compatibility.

• Yes, institutions and their administrators can manage and restrict access to Google Workspace for Education tools. Through the Google Admin console, administrators can:
• Turn services on or off for all users or specific organizational units (e.g., students, faculty).
• Customize service access using access groups.
• Restrict access to additional Google services that don't have individual on/off controls.
• For Google Workspace for Education editions, users under the age of 18 may have restricted access to certain services by default, even if the general setting is on.
  
  

Yes. Google Workspace for Education is available to primary, secondary, and higher education institutions worldwide that meet certain requirements, such as being officially registered and having an active website.