THE DEFINITIVE GUIDE TO GOOGLE VAULT

I do Google Workspace Administration to make living, and wanted to learn Google Vault in great detail, so I can help customers make informed decision.
I started asking myself “what would I miss in life without Google Vault?”, and kept going with my journey to collect & understand all aspects of it, So I can explain it to anyone without the jargon.
Let me share everything I learnt, and hopefully it would help you with strong understanding of Google Vault in simplified manner.

1. Why Google Vault?

Understand Why do we even need Google Vault?

Jump to section

4. Google Vault Data Coverage

Whats covered by Vault today, (and whats in roadmap)

Jump to section

7. Google Vault Privileges

Securely provide access to lawyers and delegated admins?

Jump to section

2. What is Google Vault?

Clearly understand what exactly is Google Vault

Jump to section

5. Google Vault Terminology

Easily understand Google Vault terminology without the jargon.

Jump to section

8. Google Vault Reporting

Understand Auditing & Logging capabilities of Google Vault

Jump to section

3. Google Vault Pricing

How much Google Vault cost and to save money on it?

Jump to section

6. Google Vault Data Retention

Understand how data retention rules work with examples.

Jump to section

9. Vault API & Integrations

Whats possible with Google Vault API?

Jump to section

Why do we need Google Vault?

Instead of straight away jumping to Vault as a solution, let us first discuss the problem to understand why do we even need something like it in the first place?

The Problem

Now before we even talk about Google Vault, which is a solution, let us first understand the problem, I mean why we really need it? what are we missing without Vault?

Today, almost all the business communications take place via digital channels such as emails, file sharing, instant messaging (chat), video conference which is great as it makes us productive, but it comes with some challenges too, lets talk about them-:

(a)‌ Accidental or Intentional Data Deletion

So you might have created your own Gmail account and have been using it in your personal life, you treat it the way you need, if you want (may be if you are drunk) you can even delete all of your emails, files etc and no one (other than you) cares, right?

Will it work if that happens to a business? what if one of your employees (either by mistake or intentionally) deletes all emails, files etc from his corporate G‌ Suite account?

That will be huge …, right, especially if that user belongs to any critical function like research or management.

(b)‌ Industry Compliances

As a business, you really need to meet your legal (and social) obligations, and ensure you meet all compliances based on your industry.

For e.g – In the United States, the Financial Industry Regulatory Authority (FINRA) supervises transactions in the investment banking sector and requires that providers of securities trading services retain emails for a certain period of time (see FINRA Rule 3110.09).

It is not unusual to see Enterprise businesses have dedicated “Compliance” department and “Compliance Officers” working hard to meet their industry compliance and minimize the chances of hefty fines.

(c) Legal Investigations

Your employees work hard round the clock, from different locations, devices, as individuals, as teams, toward a common goal of making the business successful.

They generate lots of content…………a lot happens in emails, files, chats, video conferences…… usually, positive….

but, sometimes there are cases where ethics are not followed, the right things are not done, conflicts take place, and investigations (either legal or internal) are required.

Now, as a business, you would need to ensure all communications among your employees, partners, customers, vendors etc are retained to serve those investigations if/when needed.

What is Google Vault?

As we have now discussed the problem at hand, let’s discuss how Vault can help us (as Google Workspace customer) in different scenarios.

The Solution - Google Vault

As we have looked at the challenges with digital communications, now lets about talk the solution.

Well, you guessed it right, let’s talk about “Google Vault”.

Now this guide is all about “Google Vault” which is a solution to the above challenges ONLY if you use “G‌ Suite”‌ (Google’s business class email and collaboration suite)

Assuming you are using (or considering)‌ G‌ Suite, let us see how Vault can help solve above challenges.

So, What is Google Vault?

Google Vault is an archiving and compliance solution from Google which helps you retain your Google Workspace data (e.g emails, files, chats etc) indefinitely or for a given number of days.

Now let us understand what Google Vault is used for, and how it can help us with the challenges we highlighted above-:

(a) Data Retention with Google Vault

If your employees either by mistake or intentionally delete their G‌ Suite data (e.g emails, files), that data is still available in Vault, which means authorized individuals (e.g Vault Administrator) can search for that data, view it, and export it too if required.

(b) Industry Compliance with Google Vault

So you have to meet an industry compliance which says “keep all of your emails for X years”?

No problem, Google Vault can help you with that as it offers flexibility to retain your data for an indefinite period or for a time duration you define.

(c) Seamless Legal Investigations with Google Vault

Your business need to run an investigation where communications in G‌ Suite (e.g emails, files, chats) would be served as evidence?

You are covered here with Vault.

Though I will cover it in great detail later in this guide, but in short, you can run legal investigations including-:

Create legal investigation matters (Matter = Folder for a specific case to organize evidence)
Put the required users on legal hold, so their data stays intact while investigation regardless of retention rule expiry.
Search data for the parties involved in the investigation
Export data from your search results
Run Audit reports to see who performed which action in Vault

Google Vault Pricing?

In this section, let’s cover cost of Google Vault, and how you can save on Vault licensing when you need to grant access to external investigators.

Google Vault Cost

Ok, so…. do you kinda liked what Google Vault has to offer and now wondering how much would it cost you?

Absolutely, in this section, we will talk about Google Vault pricing in (great) details.

But before that, let’s talk a bit about G‌ Suite pricing, which comes in a few flavors today and may or may not include Vault depending on the subscription level as following-:

SKU Name	Cost (per user / month)	Google Vault
G Suite Basic	$6	Vault not included in the price
G Suite Business	$12	Vault included in the price
G Suite Enterprise	$25	Vault included in the price
Drive Enterprise	Varies based on usage	Vault included in the price (for files only)
G Suite Education	Free	Vault included in the price
G Suite Education for Education	$4	Vault included in the price

As you see in the pricing table above, Google vault is included in the license price of all Google Workspace SKUs except the “Basic” SKU.

Though you can purchase Vault as a standalone add-on to your Google Workspace basic by paying $5/user/month, however upgrading to business SKU might make more sense in that case because by paying $1/user/month extra, you get other applications too.

Google Workspace Basic ($6) + Google Vault ($5) = $11 per user / per month.
Google Workspace Business = $12 per user / per month (includes Vault + Cloud Search + AppMaker + Additional Reporting and Security controls).

Pricing for External Users (e.g Investigators)

Let’s talk about pricing in a use case where you need to provide Vault’s rights to an external (outside your company) investigator.

Though Google does not have any such called “External User” concept from Vault’s licensing purpose, however you can consider using the following approach to save license costs in such cases without compromising on security.

Google has a product SKU called “Cloud Identity Free” which lets you create users in your domain similar to Google Workspace users but without Google Workspace license, at no cost.

Now, as our external investigators will only need access to Google Vault (and not to Google Workspace), we can leverage these free licenses to save money on Google Workspace as following-:

Create a free Google Cloud Identity User in your Google Workspace domain (e.g externalinvestigator@yourdomain.co

Create a Google Vault delegated admin role

Assign this user Google Vault privileges (from Admin Console → Admin Roles → assign the role to required user).

Google Vault Data Coverage

In this section, I will discuss the scope of Google Vault. It will help you understand what data is retained by Vault for archiving and compliance purposes.

What data is covered by Google Vault?

G‌ Suite offers more than 60 core (with SLA) and non core (without SLA) applications, and it is important to understand which services are covered by Google’s e-discovery solution.

Understanding Google Vault’s scope in details would help you decide-:

(i)‌ Does it meet our compliance needs?

(ii) Is it the right solution for our needs?

(iii) How should we setup right expectations to our management?

(iv)‌ How and What should we communicate to our employees / users in terms of education, training and contract/legal binding.

Google Vault Product Coverage Summary Table

Product Name	Covered by Vault
Gmail	Yes (details below)
Google Groups	Yes (details below)
Google Drive	Yes (details below)
Google Sites	In Public Roadmap*
Google Chat	Yes (details below)
Google Meet	Yes (details below)
Google Voice	In Public Roadmap*
Google Currents (Google +)	In Public Roadmap*

Google Vault Default Retention screenshot showing the covered products.

Now let us understand in a bit of details of what exactly is covered within these covered products.

Gmail Coverage

All the emails that your users send and receive in Google Workspace are archived in Google Vault based on the retention rules you set. I will talk about retention rules in much detail later in this guide.
There are a couple of special scenarios which you should be aware of where emails are not archived in Vault
- Emails sent from other services -: If your users send any email from products other than Gmail (e.g the message you send while sharing Google Drive documents).
- Exclusion of reference material in emails -: If you link references from non covered products in your emails, for e.g a youtube video in email, though the email will be archived but not the video in it.

Groups Coverage

Whether you create a distribution list or have a Q&A type group, you are covered with Google Vault, however for latter one (e.g Collaborative Inbox, Q&A group etc) you or your group managers should turn the “Archiving” on from the groups interface.

Google Drive Coverage

There is a lot of content you store in Google Drive including Google native documents (e.g docs, sheets, slides etc) and non Google native ones like pdf, word etc. so lets us see in detail what’s covered by Vault

Google Docs are covered
Google Sheets are covered
Google Slides are covered
Google Forms are covered
Google Drawings are covered
Non Google format files (e.g pdf, jpeg, word) are covered too if you have uploaded them to Google Drive
Recording of Hangout Meet calls are covered
Jamboard (Google’s innovative whiteboarding solution) files that users store in their Google Drive

Hangouts Chat Coverage

Your hangout chats are also archived in Google Vault, but it is important to note following

Chats in rooms are always archived
In case of 1:1 or Group chat, only “on the record” chats are archived, however as a Google Workspace admin, you can change hangout chat setting to “History is always ON” which means “Chat history is always on the record and users cannot change it”.

Hangouts Meet Coverage

Google Workspace enterprise customers get an additional functionality of recording Google Meet meetings, and these recordings are saved in Google Drive and hence covered by Vault.

Google Sites Coverage

Though Google Sites is not covered by Vault today, however as per the “Google Workspace Upcoming Releases” page, it seems it is under development and will be launching soon.

Google Voice Coverage

Similar to Sites, upcoming releases page shows that Google is also working to increase the scope of Vault by adding Google Voice coverage.

Google Currents Coverage

Google’s social platform for Google Workspace customers called Currents (which was previously known as Google +) would also be covered under Google Vault in future based on the publicly shown roadmap here.

Google Vault Terminology

In this section, lets simplify and understand the terminology of Google Vault and deepen our understanding of Vault terms.

Simplified Google Vault Terminology

Matter

- You create matter to investigate a case, it helps you organize everything about that case.
- You can think of matter in Google Vault as a “Folder” where you would put all information or evidence for a case such as emails, files chats etc.
- Matter allows you search Vault data to find information (evidence) that you need for your investigation (Note – You can not search Google Vault without creating a matter first)

Though I will talk about permissions in details in next section, but for now keep in mind that you can assign (i) “View All Matters” permission to any of your users OR (ii) Assign “Manager Matters” to any user with Organization Unit scope.

Below is a screenshot from Google Vault matter interface for your reference.

Hold

- While you are running your investigation and finding information about a case, you do not want any of your Vault’s default or custom retention rules to delete concerned user’s data, right…? well that’s exactly where “Holds” help.
- Holds override any default and custom retention rules, and scoped data of users on hold is kept indefinitely (until you remove hold OR delete user’s mailbox OR your Google Workspace / Vault contract with Google expires)
- You can assign “Manage Hold” permission to any user in your Google account and it can also be scoped to an Organization Unit.
  Here is a screenshot from Google Vault Hold interface for your reference.

Search (Data in Vault)

You might have seen in movies where lawyers ask a lot of questions to their clients to collect as much information (or evidence) as they can about the case, Similarly, here you can ask those questions to Google Vault.
- However, unlike we humans, Vault only understands a specific “questioning language” which includes “search operators”. For e.g to find all emails sent by Larry, your search query will be “FROM:larry@domain.com”
- You can perform granular searches by tightening your criteria, for e.g you can make your search based on-:
  - Product (e.g Gmail or Drive)
  - Organization Unit
  - Specific User
  - Type of data (e.g held data, unprocessed data)
  - Date Range (e.g From 26-FEB-2016 TO 31-DEC-2018)
  - You can also combine your queries (e.g using AND, OR etc)
  - Using Search Operators (e.g “has:attachment” to find emails with attachments only), You can learn more about these operators at Google’s documentation here
  - You can also save your “search queries” so you can use them next time with one click instead of writing them again, I find this feature really handy to save time.
    
    You can see Google Vault’s search interface and available search options in the screenshot here-:

Export Data

- You need a way to present the information (or evidence) around a case, though Google Vault does not have any presentation capabilities other than sharing your screen, so what do you do?
- Well, you use “Export Data”, which allows you to export all of search result data into multiple formats based on the product type.
- For emails –: You can export them in PST or Mbox format, you may have export in multiple files if your file size is more than 1 GB for PST (or 10 GB for Mbox) or if it has data for more than one user.
- Exports are available for 15 days from when they are started before Google deletes them, You can also choose the geographic region (United States or Europe) to save your exports, but do not forget to download them within 15 days.

Google Vault Data Retention

In this section, lets understand data retention rules, how do they work and a few example scenarios to see their impact on our Google Workspace data.

Data Retention

Now let’s talk about data retention as this is the most valuable proposition of Google Vault.

You can retain your (covered products) data in vault indefinitely OR for a given number of days (e.g 365 days) as per your needs.

You can create two types of retention rules in Google Vault-:

Default Retention Rule
Custom Retention Rule

Default Retention Rule

This is a global or tenant level data retention rule, so for example if you want to retain all the data indefinitely, you can create a default retention rule to keep data indefinitely.
As this is a tenant level rule, you can not go granular while creating default retention rule (e.g you can not apply it on a given Organizational Unit), this rule gets applied on all of your users.
Based on its global or tenant based nature, only one default rule can be created.
Usually, you should have the default retention rule of indefinite unless there is a real requirement (e.g industry compliance) to purge data after a certain period.

Custom Retention Rule

Unlike default rule, custom rule provides flexibility to go granular so you can create rules based on-:
- Product (e.g Gmail or Google Drive)
- Organization Unit (e.g Americas)
- Conditions & Search Criteria (e.g Date range, To/From, Gmail labels etc)
- You can create multiple custom retention rules based on your needs, In the scenarios section below, I will discuss impact where multiple rules are applied to the same scope.

Very Important -: Custom Retention Rules take precedence over Default Retention Rules.

Scenario 1-: Default vs Custom Rule

let’s take an example here, let’s say you have created two rules and applied it on all users-:

(i) Rule 1 – Default Retention Rule – to retain data indefinitely.

(ii) Rule 2 – Custom Retention Rule – to retain data for 365 days.

Result -: Your data will be deleted after 365 days based on custom retention rule as it will override default retention rule.

Scenario 2 -: Custom Vs Default Rule

(i) Rule 1 – Default Retention Rule – to retain data for 365 days.

(ii) Rule 2 – Custom Retention Rule – to retain data indefinitely.

Result -: Your data will be kept indefinitely (indefinitely = your lifetime as Google Workspace customer) based on custom retention rule as it will override default retention rule.

Scenario 3 -: Custom vs Custom Rule

(i) Rule 1 – Custom Retention Rule – to retain data for 365 days.

(ii) Rule 2 – Custom Retention Rule – to retain data indefinitely.

Result -: Your data will be kept indefinitely because whenever there is a conflict of custom rules, one with the longer retention duration wins.

Though the retention rules are adjustable (e.g you can change them later as required), however a wrongly created rule will start deleting data, so please be careful while creating them or better create them either in your sandbox tenant (if you have one) or apply it only to your test organization unit which has a few test users.

Also, Google Vault is not setup out of the box when you get it (either stand alone or as part of your Google Workspace license), you need to explicitly configure your retention rules to set it up.

When is data deleted from Google Vault?

In this section, lets understand the scenarios in which your data can be deleted forever from Google Vault

Data Deletion in Google Vault

Before talking about data deletion from Google Vault, let us understand clearly “Data is not deleted from Vault based on user actions, it is only deleted based on your default or custom retention rules”

Let us understand how does retention rule impacts your company email data, I mean obviously email data will be deleted once your retention period expires, but there are a couple of watch points here)-:

After the emails are deleted due to retention period expiration, they are still available for Vault Admins for additional 30 days* where they can search, put them on hold or export that data, but once that 30 days limit is passed, there is no way to retrieve that data.
Now above I said “30 Days”, but there are a couple of watch points point here too-:
- If the user permanently deletes emails from his mailbox (trash it and then empties trash) more than 30 days before the retention period expires, then the messages will be deleted straight away from Vault on expiration date, no additional 30 days are provided.
- If the user permanently deletes emails from his mailbox (trash it and then empties trash) less than 30 days before the retention period expires, then Vault admin would see those messages till retention rule expiration date + whatever days are left between (i) 30 Days and (ii) How many days early did the user deletes the message

Confusing……????

It surely is……..

so let us take a couple of examples to clarify it further.

Base Cases for our example scenario -:

We have a custom retention rule of 180 days

User receives an email an 01-Jan-2019

Scenario 1-:

User deletes an email on 01-Jan-2019 itself.
Result – As have a 180 days retention policy, this email will be available in Vault till 29-June-2019 to complete retention period, and data deletion will start on 181st day which is 30-June-2019.

Scenario 2-:

User deletes an email on 20-June-2019 (which is 170th day of email received date, 10 days before our retention expires)
Result – Vault should have this email till 29-June-2019 to complete our 180 days retention + it will also add 20 days (30 additional granted days – 10 days because user deleted it permanently from his mailbox 10 days before retention policy expiration which counts against 30 days grant). So email data deletion in this case will start on 19-July-2019.

Google Vault Access Permission

In this section, lets understand how we can securely assign least required permissions to Vault Admins or Investigators based on their needs.

Understanding Vault Access Privileges

So, who can access Google Vault?

Google Workspace is a complete messaging and collaboration platform which includes lots of applications (60+) and Vault is one of them.

Now based on the security concept of “Least Privileges”, your administrators should only have the rights required to perform specific administration tasks they are being assigned.

Though Google provides some out of the box delegated administrator roles (e.g user admin, group admin, helpdesk admin etc) but nothing specific to Google Vault, which makes sense because Vault includes all users data and its permissions should be assigned explicitly and carefully.

Now before I talk about creating dedicated Vault admin roles, let’s understand a concept of “Organization Unit” in Google Workspace.

You don’t treat all your users the same way, for e.g you might want to provide youtube’s access to your marketing team but not to your finance team.

I know this might not be a perfect example, but you get the idea, right…..?

So to create those different policies, Google lets you organize your Google Workspace users into “Organization Units” (like sales, marketing, finance, or maybe geography based ones like Americas, Europe, Asia etc).

Now once you have that OrgUnit structure in place, you can apply different levels of policies on these OUs.

This org unit structure is very helpful as it provides the flexibility of assigning administration permissions on a specific org unit.

For e.g –: I can create an administration role for resetting users password, and then assign it to a user but only with the scope of “America’s Org Unit”, which means this delegated administrator can now reset password of any user who is inside the “America’s Org Unit”, but not for users that are in other org units.

So to summarize, you can create Google Vault delegated administration role, and then assign that role to a user with the scope of either the whole Google Workspace tenant (which includes all users) OR to a specific Org Unit.

However, there are some roles which are only available for tenant (global) and not for org units, I have created a table below which might help you understand it-:

Google Vault Access Privileges Summary Table

Privilege Name	What it does	Assignment Scope
Manage Retention policies	Create, Update, Delete, View Retention policies	G Suite Tenant
Manage Audits	View audit logs, hold reports, view holds in matters	G Suite Tenant
View Retention policies	View all Retention policies	G Suite Tenant
View All Matters	View all matters	G Suite Tenant
Manage Matters	Create, Close, Modify, Delete, Restore, & Share Matters	G Suite Tenant OR Org Unit
Manage Holds	Create, Remove & View Holds (with list of users on hold)	G Suite Tenant OR Org Unit
Manage Searches	Perform Searches, View search output data (e.g email, files)	G Suite Tenant OR Org Unit
Manage Exports	View and download exports, delete exports	G Suite Tenant OR Org Unit

You can find more information about the privileges at this Google support article.

Google Vault Reporting

In this section, lets explore how Google Vault ensures integrity by keeping the audit logs for future references.

Vault's Auditing & Logging Capabilities

Audit Report

- We now have cameras in our house, cars, offices or kinda everywhere to record everything just in case if there is something suspicious that we need to look at in future, Similarly Audit feature in Google Vault is that camera which keeps track of all performed actions by permitted users, e.g larry@domain.com exported a search result from XYZ matter, on this date, that time.
- Google Vault retains audit data for the lifetime of a Vault customer, you can either download all audit logs OR can also filter down to download only the required logs.
  (for e.g only the audit logs From 26-FEB-2018 TO 31-DEC-2018 where “export” or “search” actions were performed by larry@domain.com)
- These audit logs are immutable, which means no one can change them, so you always get an accurate picture of who did what in Vault, these logs are downloaded as CSV, which you can take to any supported system (e.g Google Sheet or MS Excel) to read.

Your Google Vault audit files will have the following header fields (depending on what you select while export as shown in above screenshot)

Google Vault API & Integrations

In this section, let’s understand how you can connect Google Vault to other systems or perform actions at scale.

Google Vault API

There might be scenarios where you would like to integrate Google Vault with your other systems, or maybe you need a way to programmatically perform certain actions in Vault, and that’s where you can leverage Vault API.

You can perform CRUD (create, retrieve, update, delete) operations via Vault API, below are a few references to common operations you perform via API

Get a list of all accounts which are on hold by making a GET call to Vault’s API-:
GET https://vault.googleapis.com/v1/matters/{matterId}/holds/{holdId}/accounts
Put account/s on hold by making a POST call to Vault’s API
POST https://vault.googleapis.com/v1/matters/{matterId}/holds/{holdId}:addHeldAccounts
Add a given user to the matter as collaborator by making a POST call to to Vault’s API-:
POST https://vault.googleapis.com/v1/matters/{matterId}:addPermissions

Please see Google’s documentation for a complete list of resources and methods available in the API at https://developers.google.com/vault/reference/rest

Google Vault - FAQs

Here am listing some of the frequently asked questions about Google Vault, if you have any question, please comment in the bottom, and I will add it (along with the answer) to FAQs.

FAQ

Most frequent questions and answers about Google Vault

Is google vault a backup?

Google Vault is primarily an e-discovery solution, hence it retains data of your Google Workspace users based on data retention policies, this archived data can be searched, exported, put on hold, however can’t be restored directly to users’ accounts.
Also, you need to keep your Google Workspace license for Google Vault to retain data of your former employees, if you (even by mistake) delete any user’s account, that user’s data will be deleted from Google Vault as well.

Is google vault free for education?

Google Vault is free for eligible educational institution as part of Google Workspace for Education.

We are switching to G suite, can we migrate data directly to Google Vault?

Yes, there are some 3rd party tools (e.g Cloudmigrator) which can help you migrate your data (either all or archive data) from your current system to Google Vault.

Can we Google Vault to archive 3rd party data?

No, till today Google Vault covers Google Workspace data (e.g Gmail, Drive, Chat etc) only.

There is no provision yet to archive 3rd party data (e.g Slack) to Google Vault.

Is Google Retroactive?

Once you setup Google Vault, your retention policies are applied on the data which exists in your users account (e.g existing Gmail emails, Google Drive data etc).

However, if any user has deleted data (e.g deleted Gmail emails even from trash / permanently) before you apply your retention policies, then this deleted data will not be covered by Vault.

To summarize, yes, Google Vault is retroactive and covers past data which is present on the day you setup Google Vault retention policies.

7 thoughts on “THE DEFINITIVE GUIDE TO GOOGLE VAULT”

Phil
November 11, 2021 at 8:54 am

Goldy,

Where can I find how much storage is used by Vault?

Reply
Steph Moss
June 30, 2021 at 5:32 pm

Hi, question. I’m trying to recover user data that was deleted about 33 days ago. If I add Google vault to our plan now – would I be able to go back to recover that email? Or would I have to have had Google vault already installed at the time of deleted email?

Reply
1. Goldy Arora
  July 27, 2021 at 6:00 pm
  
  Vault will only cover data which is not permanently deleted on the day you turn it on.
  
  Reply
Pingback: Tips to Integrate Shopify and Gmail in Minutes
Pingback: A Guide to the Uses of Google Vault - Goldy's blog
Pingback: The Definitive Guide to Google Workspace Essentials - Launched
Pingback: Google Workspace Archive User Guide - Goldy Arora

Leave a Comment Cancel Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© 2022 All rights reserved

Made with love for Google Workspace:)