Google’s Security Measures, Controls and Assistance.
7.1.1 Google’s Security Measures. Google will
implement and maintain technical, organizational, and
physical measures to protect Customer Data against
accidental or unlawful destruction, loss, alteration,
unauthorized disclosure or access as described in Appendix
2 (Security Measures) (the
“Security Measures”). The Security Measures
include measures to encrypt Customer Data; to help ensure
ongoing confidentiality, integrity, availability and
resilience of Google’s systems and services; to help
restore timely access to Customer Data following an
incident; and for regular testing of effectiveness. Google
may update the Security Measures from time to time
provided that such updates do not result in a material
reduction of the security of the Services.
7.1.2 Access and Compliance. Google will:
a. authorize its employees,
contractors and Subprocessors to access Customer Data only
as strictly necessary to comply with Instructions;
b. take appropriate steps to
ensure compliance with the Security Measures by its
employees, contractors and Subprocessors to the extent
applicable to their scope of performance; and
c. ensure that all persons
authorized to process Customer Data are under an
obligation of confidentiality.
7.1.3 Additional Security Controls. Google will
make Additional Security Controls available to:
a. allow Customer to take
steps to secure Customer Data; and
b. provide Customer with
information about securing, accessing and using Customer
7.1.4 Google’s Security Assistance. Google will
(taking into account the nature of the processing of
Customer Personal Data and the information available to
Google) assist Customer in ensuring compliance with its
(or, where Customer is a processor, the relevant
controller’s) obligations relating to security and
personal data breaches under Applicable Privacy Law, by:
a. implementing and
maintaining the Security Measures in accordance with
Section 7.1.1 (Google’s Security Measures);
b. making Additional Security
Controls available in accordance with Section 7.1.3
(Additional Security Controls);
c. complying with the terms
of Section 7.2 (Data Incidents);
d. making the Security
Documentation available in accordance with Section 7.5.1
(Reviews of Security Documentation) and providing the
information contained in the applicable Agreement
(including this Addendum); and
e. if subsections (a)-(d)
above are insufficient for Customer (or the relevant
controller) to comply with such obligations, upon
Customer’s request, providing Customer with additional
reasonable cooperation and assistance.
7.2 Data Incidents.
7.2.1 Incident Notification. Google will notify
Customer promptly and without undue delay after becoming
aware of a Data Incident, and promptly take reasonable
steps to minimize harm and secure Customer Data.
7.2.2 Details of Data Incident. Google’s
notification of a Data Incident will describe: the nature
of the Data Incident including the Customer resources
impacted; the measures Google has taken, or plans to take,
to address the Data Incident and mitigate its potential
risk; the measures, if any, Google recommends that
Customer take to address the Data Incident; and details of
a contact point where more information can be obtained. If
it is not possible to provide all such information at the
same time, Google’s initial notification will contain the
information then available and further information will be
provided without undue delay as it becomes available.
7.2.3 No Assessment of Customer Data by Google.
Google has no obligation to assess Customer Data in order
to identify information subject to any specific legal
7.2.4 No Acknowledgement of Fault by Google.
Google’s notification of or response to a Data Incident
under this Section 7.2 (Data Incidents) will not be
construed as an acknowledgement by Google of any fault or
liability with respect to the Data Incident.
7.3 Customer’s Security Responsibilities and Assessment.
7.3.1 Customer’s Security Responsibilities.
Without prejudice to Google’s obligations under Sections
7.1 (Google’s Security Measures, Controls and Assistance)
and 7.2 (Data Incidents), and elsewhere in the applicable
Agreement, Customer is responsible for its use of the
Services and its storage of any copies of Customer Data
outside Google’s or Google’s Subprocessors’ systems,
a. using the Services and
Additional Security Controls to ensure a level of security
appropriate to the risk to the Customer Data;
b. securing the account
authentication credentials, systems and devices Customer
uses to access the Services; and
c. backing up or retaining
copies of its Customer Data as appropriate.
7.3.2 Customer’s Security Assessment. Customer
agrees that the Services, Security Measures, Additional
Security Controls, and Google’s commitments under this
Section 7 (Data Security) provide a level of security
appropriate to the risk to Customer Data (taking into
account the state of the art, the costs of implementation
and the nature, scope, context and purposes of the
processing of Customer Data as well as the risks to
7.4 Compliance Certifications and SOC Reports.
Google will maintain at least the following for the
Audited Services to verify the continued effectiveness of
the Security Measures:
a. certificates for ISO 27001
and any additional certifications described in Appendix 4
(Specific Products) (the
“Compliance Certifications”); and
b. SOC 2 and SOC 3 reports
produced by Google’s Third-Party Auditor and updated
annually based on an audit performed at least once every
12 months (the “SOC Reports”).
Google may add standards at any time. Google may replace
a Compliance Certification or SOC Report with an
equivalent or enhanced alternative.
7.5 Reviews and Audits of Compliance.
7.5.1 Reviews of Security Documentation. To
demonstrate compliance by Google with its obligations
under this Addendum, Google will make the Security
Documentation available for review by Customer and, if
Customer is a processor, allow Customer to request access
to the SOC Reports for the relevant controller in
accordance with Section 7.5.3 (Additional Business Terms
for Reviews and Audits).
7.5.2 Customer’s Audit Rights.
Customer Audit. Google will, if required
under Applicable Privacy Law, allow Customer or an
independent auditor appointed by Customer to conduct
audits (including inspections) to verify Google’s
compliance with its obligations under this Addendum in
accordance with Section 7.5.3 (Additional Business Terms
for Reviews and Audits). During an audit, Google will
reasonably cooperate with Customer or its auditor as
described in this Section 7.5 (Reviews and Audits of
Customer Independent Review. Customer may conduct
an audit to verify Google’s compliance with its
obligations under this Addendum by reviewing the Security
Documentation (which reflects the outcome of audits
conducted by Google’s Third-Party Auditor).
Additional Business Terms for Reviews and Audits.
a. Customer must contact
Google’s Cloud Data Protection Team to request:
i. access to the SOC Reports
for a relevant controller under Section 7.5.1 (Reviews of
Security Documentation); or
ii. an audit under Section
7.5.2(a) (Customer Audit).
b. Following a Customer
request under Section 7.5.3(a), Google and Customer will
discuss and agree in advance on:
i. security and
confidentiality controls applicable to any access to the
SOC Reports by a relevant controller under Section 7.5.1
(Reviews of Security Documentation); and
ii. the reasonable start
date, scope and duration of and security and
confidentiality controls applicable to any audit under
Section 7.5.2(a) (Customer Audit).
c. Google may charge a fee
(based on Google’s reasonable costs) for any audit under
Section 7.5.2(a) (Customer Audit). Google will provide
Customer with further details of any applicable fee, and
the basis of its calculation, in advance of any such
audit. Customer will be responsible for any fees charged
by any auditor appointed by Customer to execute any such
d. Google may object in
writing to an auditor appointed by Customer to conduct any
audit under Section 7.5.2(a) (Customer Audit) if the
auditor is, in Google’s reasonable opinion, not suitably
qualified or independent, a competitor of Google, or
otherwise manifestly unsuitable. Any such objection by
Google will require Customer to appoint another auditor or
conduct the audit itself.
e. Any Customer requests
under Appendix 3 (Specific Privacy Laws) or Appendix 4
(Specific Products) for access to any SOC reports for a
relevant controller or for audits will also be subject to
this Section 7.5.3 (Additional Business Terms for Reviews