Google is giving Workspace admins a new way to prove where their organization’s data actually lives and moves, and it’s now backed by an independent auditor.

Starting today, Workspace admins with Assured Controls can download a third‑party attestation for data regions from their existing data regions reporting dashboard in the Admin console. The report comes from Coalfire, a well‑known independent assessment organization that already works with Google Cloud on other compliance validations, and it essentially serves as an external check that Google is enforcing the storage and processing boundaries you’ve configured for your users. In practical terms, it gives admins something concrete to hand to security, risk, or legal teams when they ask, “How do we know our data is really staying in the EU, US, or another selected region?”

If you’re not deep into this space, “data regions” in Workspace let you control where core service data is stored and processed—think Gmail, Drive, Docs, and so on—so you can align with regulations like GDPR, data sovereignty rules, or sector‑specific requirements in government and regulated industries. With supported editions such as Enterprise Plus and Frontline Plus, admins can set region policies (global, US, EU, or multiple geos), and then use the data regions dashboard to verify, usually within 24–48 hours, that data has shifted and is staying where it’s supposed to. For Assured Controls customers, that dashboard was already more advanced, showing both storage and processing locations by app and region; the new attestation effectively layers an independent opinion on top of those internal reports.

The move fits into Google’s broader strategy around digital sovereignty and high‑compliance workloads, where controls like data regions, Assured Controls, and Assured Workloads on Google Cloud are designed to satisfy stricter rules in areas such as government, justice, and critical infrastructure. Customers in those spaces increasingly need not just technical controls but also audit‑ready paperwork—certifications, configuration guides, independent assessments—that can be attached to internal risk registers or shared with regulators and auditors. Coalfire’s involvement here mirrors its role in validating Google’s compliance with frameworks like PCI DSS and CJIS, which makes this attestation more than just marketing collateral; it’s the kind of artifact compliance teams expect to see.

From an admin’s day‑to‑day perspective, nothing changes for end users and there’s no new toggle to flip; this is about giving admins another line of evidence that their data residency setup is working as advertised. If your organization is already leaning on data regions and Assured Controls to meet local data requirements, this download might quickly become something you staple into every audit pack, risk review, or vendor due-diligence response.