Third Party Risk Management Resource Center

Google Cloud is dedicated to maintaining a robust Third Party Risk Management program that not only safeguards Google Cloud’s operations but upholds the trust of Google Cloud’s customers and partners.

Introduction

Google Cloud may engage third parties (Subcontractors) to perform specific activities in connection with the Google Cloud services. These Subcontractors are monitored and managed through Google Cloud’s Third Party Risk Management (TPRM) program, which is designed to ensure that engagements with any Subcontractor uphold Google Cloud's high standards of security, compliance, and operational efficiency.


Google Cloud’s commitment is reflected in continued investment in enhancing our Third Party Risk Management capabilities, to stay ahead in an ever-changing risk landscape. Additionally, third parties are expected to embrace social, environmental, and ethical responsibility as defined in the Supplier Code of Conduct.

Overview of Subcontractors

The TPRM program at Google Cloud takes a risk-based approach to identifying, assessing, managing, and monitoring third parties proportional to the level of risk posed by the third party. Third parties that provide important services are treated with heightened governance and oversight. In particular, the TPRM program distinguishes between Subcontractors that process customer data (Subprocessors) and those that do not. The content below describes Google Cloud’s Third Party Risk Management activities across each phase of the life cycle of a Subcontractor.


Third party risk governance

Google Cloud’s TPRM program is governed and managed through the Cloud Chief Information Security Officer (CISO) organization and is supported by Google’s enterprise third-party risk management program, procurement, vendor management organizations, risk and compliance, and legal teams to ensure appropriate management of third party risk across the organization. 


A cross-functional, executive-level management body is in place to provide oversight and management of Google Cloud, including third party risk. The management body applies a defined risk appetite and tolerance to ensure that the potential risk introduced by Subcontractors is managed within acceptable limits. Additionally, policies and procedures are in place to ensure consistency and thoroughness in how Google Cloud assesses, monitors, and manages overall third party risk.

Google Cloud's Third Party Risk Management life cycle

Planning

Before engaging a third party, the Google Cloud TPRM program requires an assessment to be completed to classify the third party and determine the level of risk posed by the third party service. The level of risk is used to define requirements for due diligence, contracting, and onboarding as well as ongoing monitoring. At this stage overall concentration risk is assessed to determine the impact of onboarding a new Subcontractor to Google Cloud.


Due diligence

Google Cloud’s TPRM program is designed to address a wide range of third party risk areas, including information security, privacy, incident management, business continuity, regulatory compliance, financial stability, location risk, operational ability, among others. To effectively manage these risks, Google Cloud engages internal subject matter experts who provide specialized insights and develop tailored risk mitigation and management strategies. This expertise allows Google Cloud to proactively identify, assess, and mitigate potential risks throughout third party relationships. 

Satisfactory completion of a due diligence assessment is essential to onboarding and the start of service. On an annual basis Subcontractors are reassessed and any issues identified are tracked, managed, and remediated using a central issues management process. Upon completion of due diligence, results are aggregated and shared with Google Cloud Management. 

Contracting

Google Cloud teams onboarding Subcontractors follow defined processes to execute appropriate contracts with Subcontractors before services commence. These contracts address Google Cloud’s robust security, privacy and compliance requirements as well as our obligations to customers about Subcontractors. 

SLAs, KPIs or other performance metrics are contractually defined and performance strategies are developed for Subcontractors to ensure that performance monitoring is conducted on an ongoing basis.

Onboarding

Once due diligence has been completed, Google will notify customers of a new Subcontractor within contractually agreed-upon timelines.

For example: Google Cloud gives all customers at least 30 days' notice before a new Subprocessor starts processing Customer Data.

The subcontracted service can only begin and, in the case of Subprocessors, access to Customer Data can only be provisioned after the applicable notification period.

Ongoing monitoring

Once Subcontractors are onboarded, they are monitored on an ongoing basis by the relevant Google Cloud teams across various dimensions pertaining to performance and risk management. Performance is formally managed quarterly (at a minimum) through defined key performance indicators (KPIs) and quarterly business review (QBR) meetings. 

While risk assessments (similar to due diligence assessments) are conducted on an annual basis, Subcontractors are monitored continuously to detect potential changes to risk posture which may warrant further assessment. 

If there is a change to the type of service or location of an existing Subcontractor, Google Cloud will inform customers within contractually agreed-upon timelines.

Any incidents identified by Google Cloud during monitoring are tracked, managed, and resolved through a central incident management program that brings together a cross-functional team of experts in a dedicated team format to ensure investigation, remediation, and proactive communication in a timely manner. More information can be found on Google Cloud’s data incident response process.



Termination

Planned termination of Subcontractors is managed through exit plans that are developed at the time of onboarding and are designed to ensure that there is no adverse impact to provision of services by Google Cloud.

How Google Cloud ensures continuity of service

Google Cloud understands the importance of service continuity to customers' success and has comprehensive internal controls to protect it.

Google Cloud conducts regular assessments of our Subcontractors' business continuity programs to identify potential risks and develop strategies to mitigate their impact. Subcontractor performance against contracts is regularly monitored to maintain service quality within defined key performance indicators (KPIs).

In the case of unforeseen circumstances, where Google Cloud needs to transition service from a Subcontractor, stressed exit plans are in place to ensure smooth transition without disruption to service.

How Google Cloud protects customer data

Customer data is your data, not Google’s. We only process Customer Data in accordance with your instructions, and do not determine the purposes or the essential means of that processing. We are therefore a processor of customer data, and not a controller or a joint controller.

Google uses Subprocessors to perform limited activities in connection with the Google Cloud services, such as technical support services. As per our Cloud Data Processing Addendum, Google commits to customers that its written agreements with Subprocessors will contain certain protections. Google will ensure via that agreement that:

  1. The Subprocessor only accesses and uses customer data to the extent required to perform the obligations that are subcontracted to it; 
  2. The Subprocessor carries out such processing in accordance with the written agreement with Google; and 
  3. If required by the applicable law, relevant data protection obligations (as described in the Cloud Data Processing Addendum) are imposed on the Subprocessor.

Google conducts an audit of the security and privacy practices of the Subprocessor to ensure the Subprocessor provides a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. 

Once Google has assessed the risks presented by the Subprocessor, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms. In particular, Google will ensure via the contract that the Subprocessor accesses customer data only to the extent required to perform their limited activity and that all access is in accordance with Google Cloud’s data protection terms. 

For more information on Google Cloud's Privacy offerings, please see the privacy Resource Center.


Take the next step

For additional information on Subcontractors please reach out to your account representative or contact us.
