Hello everyone,
I am currently evaluating the Gemini File Search feature for a production use case and I have several questions regarding GDPR compliance and data processing.
Our main concern is understanding whether it is possible to use the File Search functionality in a way that is fully compliant with GDPR requirements, especially when processing potentially sensitive or personal data.
Specifically, I would like clarification on the following points:
- When documents are uploaded to a File Search Store, how exactly are they processed and stored?
- Are the embeddings and indexed data stored within specific regions (e.g., EU-only data residency)?
- Is it possible to guarantee that data remains within the EU?
- Are uploaded documents or derived embeddings ever used for model training or product improvement?
- Does Google provide a Data Processing Agreement (DPA) that explicitly covers Gemini API and File Search?
- What technical and organizational measures are in place to support GDPR compliance?
We understand that raw files are deleted after a certain period, but we would like more clarity about the lifecycle and storage of the processed/indexed data.
If anyone from the Google team or community has experience implementing Gemini File Search in a GDPR-compliant environment (especially within the EU), we would greatly appreciate any guidance or documentation references.
Thank you in advance for your help.