← All providers

Firebase

DatabaseMedium RiskVerified 2026-03-05
Visit website
Overview
HeadquartersπŸ‡ΊπŸ‡Έ USMountain View
Parent CompanyGoogle/Alphabet(πŸ‡ΊπŸ‡Έ US)
US IncorporatedYes
CLOUD Act ExposureYes
InfrastructureGoogle Cloud Platform
NotesFirebase runs on GCP. HIPAA compliance available via Google Cloud BAA. PCI DSS does not apply as Firebase is not a payment processor.
Regions (5 in 5 countries)
πŸ‡ΊπŸ‡Έ US
US Central Iowa Β· Iowa
πŸ‡§πŸ‡ͺ BE
EU Belgium Β· Belgium
πŸ‡¬πŸ‡§ GB
EU London Β· London
πŸ‡―πŸ‡΅ JP
AP Tokyo Β· Tokyo
πŸ‡ΈπŸ‡¬ SG
AP Singapore Β· Singapore
Compliance & Data

Certifications

βœ“ SOC 2βœ“ ISO 27001βœ“ GDPRβœ“ HIPAAβœ— PCI DSS

Data Types Handled

Application DataPIIAuth Data
Applicable Laws (7)

Applies to businesses meeting revenue or data volume thresholds that handle California residents' data.

Max fine: USD 7,500 per intentional violationvia πŸ‡ΊπŸ‡Έ US
UK GDPRUnited Kingdom

UK has its own adequacy decisions separate from the EU. Transfers from the UK follow UK-specific rules.

Max fine: 4% of global annual turnover or GBP 17.5Mvia πŸ‡¬πŸ‡§ GB
CLOUD ActUnited States

Any US-incorporated provider or subsidiary may be compelled to disclose data regardless of where it is stored.

Max fine: Contempt of court penaltiesvia πŸ‡ΊπŸ‡Έ US

Cross-border transfers require consent or equivalent protection standards recognized by Japan's PPC.

Max fine: JPY 100M for corporate violationsvia πŸ‡―πŸ‡΅ JP

Cross-border transfers require comparable protection standards in the receiving country.

Max fine: SGD 1M or 10% of annual turnovervia πŸ‡ΈπŸ‡¬ SG

Cross-border transfers to non-adequate countries require SCCs, BCRs, or other safeguards.

Max fine: 4% of global annual turnover or EUR 20Mvia πŸ‡§πŸ‡ͺ BE
FISA Section 702United States

US providers may be subject to surveillance orders targeting non-US persons, creating risk for EU data subjects.

Max fine: Contempt of court penaltiesvia πŸ‡ΊπŸ‡Έ US