7.1 Google’s Security Measures, Controls and Assistance.

7.1.1 Google’s Security Measures. Google will implement and maintain technical, organizational and physical measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). The Security Measures include measures to encrypt Customer Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Google’s systems and services; to help restore timely access to Customer Data following an incident; and for regular testing of effectiveness. Google may update the Security Measures from time to time provided that such updates do not result in a material reduction of the security of the Services.

7.1.2 Access and Compliance. Google will: (a) authorize its employees, contractors and Subprocessors to access Customer Data only as strictly necessary to comply with Instructions; (b) take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance; and (c) ensure that all persons authorized to process Customer Data are under an obligation of confidentiality.

7.1.3 Additional Security Controls. Google will make Additional Security Controls available to: (a) allow Customer to take steps to secure Customer Data; and (b) provide Customer with information about securing, accessing and using Customer Data.

7.1.4 Google’s Security Assistance. Google will (taking into account the nature of the processing of Customer Personal Data and the information available to Google) assist Customer in ensuring compliance with its (or, where Customer is a processor, the relevant controller’s) obligations under Articles 32 to 34 of the
a. implementing and maintaining the Security Measures in accordance with Section 7.1.1 (Google’s Security Measures);
b. making Additional Security Controls available to Customer in accordance with Section 7.1.3 (Additional Security Controls);
c. complying with the terms of Section 7.2 (Data Incidents);
d. providing Customer with the Security Documentation in accordance with Section 7.5.1 (Reviews of Security Documentation) and the information contained in the applicable Agreement (including this Addendum); and
e. if subsections (a)-(d) above are insufficient for Customer (or the relevant controller) to comply with such obligations, upon Customer’s request, providing Customer with additional reasonable cooperation and assistance.
7.2 Data Incidents.

7.2.1 Incident Notification. Google will notify Customer promptly and without undue delay after becoming aware of a Data Incident, and promptly take reasonable steps to minimize harm and secure Customer

7.2.2 Details of Data Incident. Google’s notification of a Data Incident will describe: the nature of the Data Incident including the Customer resources impacted; the measures Google has taken, or plans to take, to address the Data Incident and mitigate its potential risk; the measures, if any, Google recommends that Customer take to address the Data Incident; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Google’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.

7.2.3 Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address.

7.2.4 No Assessment of Customer Data by Google. Google has no obligation to assess Customer Data in order to identify information subject to any specific legal

7.2.5 No Acknowledgement of Fault by Google. Google’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Google of any fault or liability with respect to the Data Incident.
7.3 Customer’s Security Responsibilities and Assessment.

7.3.1 Customer’s Security Responsibilities. Without prejudice to Google’s obligations under Sections 7.1 (Google’s Security Measures, Controls and Assistance) and 7.2 (Data Incidents), and elsewhere in the applicable Agreement, Customer is responsible for its use of the Services and its storage of any copies of Customer Data outside Google’s or Google’s Subprocessors’ systems,
a. using the Services and Additional Security Controls to ensure a level of security appropriate to the risk to the Customer Data;
b. securing the account authentication credentials, systems and devices Customer uses to access the Services; and
c. backing up or retaining copies of its Customer Data as appropriate.

7.3.2 Customer’s Security Assessment. Customer agrees that the Services, Security Measures implemented and maintained by Google, Additional Security Controls and Google’s commitments under this Section 7 (Data Security) provide a level of security appropriate to the risk to Customer Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals).
7.4 Compliance Certifications and SOC Reports. Google will maintain at least the following for the Audited Services in order to evaluate the continued effectiveness of the Security Measures: (a) certificates for ISO 27001, ISO 27017 and ISO 27018 and, for Google Cloud Platform, a PCI DSS Attestation of Compliance (the “Compliance Certifications”); and (b) SOC 2 and SOC 3 reports produced by Google’s Third Party Auditor and updated annually based on an audit performed at least once every 12 months (the “SOC Reports”). Google may add standards at any time. Google may replace a Compliance Certification or SOC Report with an equivalent or enhanced
7.5 Reviews and Audits of Compliance.

7.5.1 Reviews of Security Documentation. Google will make the Compliance Certifications and the SOC Reports available for review by Customer to demonstrate compliance by Google with its obligations under this

7.5.2 Customer’s Audit Rights.
a. If European Data Protection Law applies to the processing of Customer Personal Data, Google will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify Google’s compliance with its obligations under this Addendum in accordance with Section 7.5.3 (Additional Business Terms for Reviews and Audits). During an audit, Google will make available all information necessary to demonstrate such compliance and contribute to the audit as described in Section 7.4 (Compliance Certifications and SOC Reports) and this Section 7.5 (Reviews and Audits of Compliance).
b. If Customer SCCs apply as described in Section 10.2 (Restricted European Transfers), Google will allow Customer (or an independent auditor appointed by Customer) to conduct audits as described in those SCCs and, during an audit, make available all information required by those SCCs, both in accordance with Section 7.5.3 (Additional Business Terms for Reviews
c. Customer may conduct an audit to verify Google’s compliance with its obligations under this Addendum by reviewing the Security Documentation (which reflects the outcome of audits conducted by Google’s Third Party Auditor).

7.5.3 Additional Business Terms for Reviews and Audits.
a. Customer must send any requests for reviews of the SOC 2 report under Section 5.1.2(c)(i) or 7.5.1, or audits under Section 7.5.2(a) or 7.5.2(b), to Google’s Cloud Data Protection Team as described in Section 12 (Cloud Data Protection Team;
b. Following receipt by Google of a request under Section 7.5.3(a), Google and Customer will discuss and agree in advance on: (i) the reasonable date(s) of and security and confidentiality controls applicable to any review of the SOC 2 report under Section 5.1.2(c)(i) or 7.5.1; and (ii) the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit under Section 7.5.2(a) or 7.5.2(b).
c. Google may charge a fee (based on Google’s reasonable costs) for any audit under Section 7.5.2(a) or 7.5.2(b). Google will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
d. Google may object in writing to an auditor appointed by Customer to conduct any audit under Section 7.5.2(a) or 7.5.2(b) if the auditor is, in Google’s reasonable opinion, not suitably qualified or independent, a competitor of Google, or otherwise manifestly unsuitable. Any such objection by Google will require Customer to appoint another auditor or conduct the