Data security for RCS Business Messaging (RBM)

This document answers common questions about RCS Business Messaging (RBM) data security and associated topics.

RBM is a messaging platform that brands use to send One-Time Passwords (OTPs) and engage customers in dialog about transactions, customer service, promotions, and more. RBM is provided through a Google API and delivered to end users through Google servers.

Typically, brands work with partners (such as carriers, SMS aggregators, CRM platforms, and bot builders) who connect to the Google API to build and maintain RBM agents on the brands' behalf. Partners who wish to use RBM through the API or the Business Communications Developer Console must agree to Google's Terms of Service and Acceptable Use Policy. Because Google is acting as a Data Processor, partners are also governed by Google's Data Processing Addendum.

Google does not enter into custom or supplementary agreements regarding RBM.

Certification and compliance

Is RBM certified by any third parties?

RBM and Google's RCS infrastructure are independently audited on an annual basis to ensure compliance with widely recognized quality and data security standards. Our services hold ISO 27001, SOC 2, and SOC 3 certifications. Contact your account manager if you'd like copies of the certificates.

Is RBM compliant with EU Payment Services Directive 2 (PSD2)?

Yes, RBM is compliant with PSD2, which requires Strong Customer Authentication (SCA). Because RBM is associated with the end user's verified phone number and SIM card, a One-Time Password (OTP) sent using RBM constitutes a compliant SCA "possession element" as described by the European Banking Authority.

Data processing

What does it mean for Google to be a Data Processor?

With RBM, Google serves as a Data Processor and the brand or partner serves as a Data Controller. The Data Processing Addendum (DPA) explains that Google is a Data Processor and governs the terms for handling data on behalf of brands and partners.

Does the DPA apply to all end users who interact with an RBM agent?

Yes, the DPA applies to all end users and their data. Google built the RBM platform to comply with the DPA and ensure that all end users receive the same high level of data security.

Message storage and encryption

What data is stored on the end user's device?

Metadata about RBM agents and the messages exchanged with them are stored on the end user's device. These messages may include personal information shared with an RBM agent.

The region that a partner specifies during agent setup tells RBM where the agent is located. Google uses this information to determine where message data should be stored and to optimize the routing of message traffic to the agent.

For the most part, messages are stored in data centers within the specified region (refer to the DPA for more information on data center and network security). However, Google may reroute message traffic if a regional outage occurs. This means that message data may not be stored exclusively in the agent's specified region.

What is the messaging architecture and flow for RBM? Which elements are encrypted?

Messages sent between brands and end users are encrypted between the end user's device and Google's servers and between Google's servers and the messaging partner through Google's RCS Business Messaging (RBM) API.

[Figure: RBM messaging flow showing message encryption between the agent and RBM, and between RBM and the end user. When messages reach the RBM platform, they are inspected for malware and spam.]

Messages are encrypted across Google's network using keys that are only accessible to specific service components. The encryption keys enable inspection by Google systems for policy compliance.

Refer to How it works for an overview of the end-to-end messaging flow and the roles of all parties involved.

Are stored messages encrypted?

Storage on Google servers

Messages stored on Google servers are encrypted at rest. Google stores encrypted messages so they can be synced across the end user's devices and to ensure that previous messages are shown on new devices.

Access to stored messages is only available with the end user's Google ID. Note these two exceptions:

  • When the end user reports messages as spam, Google may review the spam information. To learn more about data handling for spam reports, see Does Google ever read messages between brands and end users?.
  • Stored messages may be shared with external law enforcement agencies under the terms of Google's obligations to meet applicable law. Refer to Google's transparency report for more information.

Storage on mobile devices

Message encryption on the end user's device depends on the device-wide encryption that's configured for their device. For Google's Messages app, Google deploys on-device security models to protect message data. Other client vendors may implement different security policies.

For how long are messages stored?

Storage on Google servers

  • RBM agent assets (logo, name, description, etc.): Persistently stored in global Google storage.
  • User-to-agent messages (P2A messages): Held on a store-and-forward basis for no longer than seven days. As soon as the RBM agent receives and acknowledges the message, it's deleted.
  • Agent-to-user messages (A2P messages): Held until delivered, for up to 30 days. Undelivered messages can be revoked by agents prior to delivery. If the messages contain media files, such as images or videos, these files are stored for 60 days. For spam detection, encrypted A2P messages may be held on Google servers for 14 days after delivery.

Storage on mobile devices

Messages on the end user's device are stored there until the end user deletes them or changes the storage mechanism.

Can a brand control the encryption keys for its messages stored at Google?

No, a brand can't control the encryption keys. To protect end users from spam, Google needs to scan messages for malicious content, such as phishing and malware URLs. Google uses automated protections to scan messages. The message contents are not accessible to humans unless the end user reports a conversation as spam (for details, see Does Google ever read messages between brands and end users?).

What responsibility do partners and brands have to ensure data security?

RBM is a transit technology. It moves messages between end users and agents. Because RBM agents are built, operated, and accessed by partners and brands outside of Google, these parties are responsible for their agents meeting data security, privacy, and local regulatory requirements.

RBM API security

Can Google obtain the access tokens sent by the OAuth provider?

No, Google never obtains the access tokens sent by the OAuth provider during user authentication. OAuth 2.0 uses the Proof Key for Code Exchange (PKCE) to secure the authentication flow.

How is data encrypted between an RBM developer and Google?

Developers access the RBM API over HTTPS, the global standard for secure web transactions. The RBM API supports TLS 1.3 with AES 256 and SHA384 ciphers.

Run the following command to check the certificate chain, TLS version, and supported ciphers:

openssl s_client -connect rcsbusinessmessaging.googleapis.com:443
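
The manual check above can be turned into a pass/fail test for a deployment pipeline or monitoring job. The script below is an added example, not part of the original documentation: it parses `openssl s_client` output and succeeds only when the session is TLS 1.3 with the AES-256/SHA384 suite and the certificate chain verified. The function names and the sample outputs are constructed for illustration; `-servername`, `-tls1_3` and `-ciphersuites` are standard `s_client` options.

```shell
#!/bin/sh
# Added example: pass/fail check over `openssl s_client` output.
# Live use (standard s_client options; needs network access):
#   h=rcsbusinessmessaging.googleapis.com
#   openssl s_client -connect "$h:443" -servername "$h" -tls1_3 \
#     -ciphersuites TLS_AES_256_GCM_SHA384 </dev/null 2>/dev/null | check_tls

# Constructed samples of the summary lines s_client prints after a handshake.
sample_good() {
  cat <<'EOF'
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Verify return code: 0 (ok)
EOF
}

sample_weak() {
  cat <<'EOF'
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Verify return code: 0 (ok)
EOF
}

sample_unverified() {
  cat <<'EOF'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Reads s_client output on stdin; prints "<protocol> <cipher> <verify_code>".
tls_summary() {
  awk '
    /^New, /              { gsub(",", "", $2); proto = $2; cipher = $NF }
    /Verify return code:/ { code = $4 }
    END {
      if (proto == "")  proto = "none"
      if (cipher == "") cipher = "none"
      if (code == "")   code = "none"
      print proto, cipher, code
    }'
}

# Succeeds only for TLS 1.3 + AES-256/SHA384 with a chain that verified.
check_tls() {
  summary=$(tls_summary)
  echo "$summary"
  [ "$summary" = "TLSv1.3 TLS_AES_256_GCM_SHA384 0" ]
}

sample_good | check_tls
```

The verify code reflects the trust store of the machine running `openssl`, so a non-zero code can indicate a local CA bundle problem or TLS interception on the path rather than a change on the API side.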

Phone number verification

To maintain the security of Google's Messages app, how does Google verify that a phone number still belongs to its original user?

  • Initial verification of phone number: Google uses a variety of techniques to identify the end user's phone number (i.e., their MSISDN or Mobile Station International Subscriber Directory Number). These techniques include direct API integration with carriers, mobile-originated SMS, and asking the end user to enter their phone number. Once the phone number is identified, Google may send an invisible One-Time Password (OTP) SMS to verify it.

  • Maintaining security after initial verification: When a carrier has a direct API integration, they can periodically send a SIM/MSISDN deactivation feed to Google to disable RCS and thereby disable RBM for phone numbers that are no longer active. Google may also monitor changes in phone number ownership through device signals like SIM removal and SIM activity and by periodically reverifying the phone number.

Privacy and security

What reporting does Google do on RBM agents?

Google has internal reporting on the gross number of end users, messages, and responses for each agent based on the last 14 days' data. Google uses this data for diagnostics, system improvements, and to generate billing reports for carriers. Message contents are not stored for reporting purposes. Beyond 14 days, Google stores only aggregate reporting data; there is no time limit on this storage. Any aggregate data shared externally has a Time to Live (TTL) lifespan of 63 days.

The billing reports and activity logs that carriers receive are stored for 30 days on Google's servers. Carrier partners may choose to download these files and hold them for as long as they deem necessary.

Does Google use end user data outside of RBM?

Google uses end user data only to provide and improve the RBM service, as stated in section 5.2 of the DPA.

For example, Google may do the following with end user data:

But Google will not do the following with end user data:

  • Perform ad targeting based on message contents.
  • Share message contents with any competitors or third parties, with the exception of law enforcement agencies as required by applicable law.

Does Google ever read messages between brands and end users?

Google doesn't have access to the contents of any messages unless the end user reports a conversation as spam. When the end user chooses to report spam, they're notified that Google employees and contractors may review their spam information to help improve Google's protections against spam and abuse. Human reviewers have restricted and audited access to this information for 30 days. The end user's phone number is redacted for the purposes of spam review.

To learn more about the controls Google has in place to protect end user data, see Google's privacy policy.

What information about end users does Google provide to the brand?

To enable an RBM conversation, Google shares the end user's telephone number with the brand to identify the end user in the conversation. No other personal information is shared with the brand.

In the Acceptable Use Policy, does the Privacy and Security section limit a brand's ability to collect and use information about its own customers?

Google doesn't intend to restrict a brand's ability to serve its customers. A conversation between an end user and a brand that is created through the RBM API can be stored by the brand, according to the terms of its own privacy policy.

In the Terms of Service, what does the following mean? "You will obtain and maintain any required consents necessary to permit the processing of personal data under these RBM Terms."

Google expects all brands using RBM to adhere to the relevant data and security regulations (such as GDPR) and to supply a privacy policy that clarifies how they use and/or share end user data. A developer must provide their privacy policy for an agent to be considered for launch review.

Google's cooperation when a brand is audited

Our brand is subject to regulations and may be audited. Will Google comply?

It's the brand's responsibility to ensure their company meets the relevant regulations. Google will only respond to law enforcement and regulator inquiries in accordance with applicable law.

Incident response

How does Google handle data breaches?

Refer to section 7.2 Data Incidents in the DPA.

Unsupported network capabilities

What network capabilities are not supported by RBM?

  • Custom headers to allow firewall pass-throughs
  • Classless inter-domain routing (CIDR) block ranges from Google's services