Shared responsibility model for Marketplace services

Google and your GDC operator distribute services through the GDC Marketplace for your benefit. The responsibility model for Marketplace services is different from other services on the GDC platform.

Google and GDC operator responsibilities

Google ensures that Marketplace services go through the same rigorous security scans as the rest of GDC. When vulnerabilities are detected in a Marketplace service, Google works with the relevant vendor to fix the vulnerabilities. Depending on your contract, your GDC operator might implement additional processes and security measures on Marketplace services. Google ensures that Marketplace services are compatible with GDC, and can be deployed in a recommended way. Google ensures that once a software vendor makes a new version of their software available, that new version is included in the GDC Marketplace in a timely manner.

Vendor responsibilities

The software vendor documents how you can comply with specific policy regimes with their product. For example, this can take the form of a technical implementation guide that targets a specific compliance regime.

It is the responsibility of the software vendor to patch vulnerabilities in their own product, and to provide Google with the patched version so that we can distribute it in the GDC Marketplace.

If included in your contract with a software vendor, it is their responsibility to provide you support. Google and your GDC operator support the GDC Marketplace systems, but not the Marketplace services themselves, unless provided by Google directly.

User responsibility

It is essential that the user is aware of the compliance regime to which they are subject, and that they consult the documentation that the software vendor provides related to their compliance regime, if available.

The user is obligated to configure the Marketplace service in accordance with their own policies and the compliance regimes to which they are subject.

It is the responsibility of the user to obtain licenses from the relevant software vendor for any Marketplace service that requires licenses.

Once installed and running, Marketplace services are considered user workloads. They run in the user environment and are their responsibility. Google provides features to install, update, and uninstall Marketplace services, but it is the user responsibility to use the features. Unless specified in the contract with GDC operator, they don't actively monitor user workloads and don't fix issues that arise.