7.1 Google’s Security Measures, Controls and Assistance.
7.1.1 Google’s Security Measures. Google will
implement and maintain technical and organizational
measures to protect Partner Data against accidental or
unlawful destruction, loss, alteration, unauthorized
disclosure or access as described in Appendix 2 (the
“Security Measures”). The Security Measures include
measures to encrypt personal data; to help ensure ongoing
confidentiality, integrity, availability and resilience of
Google’s systems and services; to help restore timely
access to personal data following an incident; and for
regular testing of effectiveness. Google may update the
Security Measures from time to time provided that such
updates do not result in a material reduction of the
security of the Services.
7.1.2 Access and Compliance. Google will: (a)
authorize its employees, contractors and Subprocessors to
access Partner Personal Data only as strictly necessary to
comply with Instructions; (b) take appropriate steps to
ensure compliance with the Security Measures by its
employees, contractors and Subprocessors to the extent
applicable to their scope of performance; and (c) ensure
that all persons authorized to process Partner Personal
Data are under an obligation of confidentiality.
7.1.3 Additional Security Controls. Google will
make Additional Security Controls available to: (a) allow
Partner to take steps to secure Partner Data; and (b)
provide Partner with information about securing, accessing
and using Partner Data.
7.1.4 Google’s Security Assistance. Google will
(taking into account the nature of the processing of
Partner Personal Data and the information available to
Google) assist Partner in ensuring compliance with its
(or, where Partner is a processor, the relevant
controller’s) obligations under Articles 32 to 34 of the
a. implementing and
maintaining the Security Measures in accordance with
Section 7.1.1 (Google’s Security Measures);
b. making Additional Security
Controls available to Partner in accordance with Section
7.1.3 (Additional Security Controls);
c. complying with the terms
of Section 7.2 (Data Incidents);
d. providing Partner with the
Security Documentation in accordance with Section 7.5.1
(Reviews of Security Documentation) and the information
contained in the Agreement (including these Terms); and
e. if subsections (a)-(d)
above are insufficient for Partner (or the relevant
controller) to comply with such obligations, upon
Partner’s request, providing Partner with additional
reasonable cooperation and assistance.
7.2 Data Incidents.
7.2.1 Incident Notification. Google will notify
Partner promptly and without undue delay after becoming
aware of a Data Incident, and promptly take reasonable
steps to minimize harm and secure Partner Data.
7.2.2 Details of Data Incident. Google’s
notification of a Data Incident will describe: the nature
of the Data Incident including the Partner resources
impacted; the measures Google has taken, or plans to take,
to address the Data Incident and mitigate its potential
risk; the measures, if any, Google recommends that Partner
take to address the Data Incident; and details of a
contact point where more information can be obtained. If
it is not possible to provide all such information at the
same time, Google’s initial notification will contain the
information then available and further information will be
provided without undue delay as it becomes available.
7.2.3 Delivery of Notification. Notification(s)
of any Data Incident(s) will be delivered to the
Notification Email Address.
7.2.4 No Assessment of Partner Data by Google.
Google has no obligation to assess Partner Data in order
to identify information subject to any specific legal
7.2.5 No Acknowledgement of Fault by Google.
Google’s notification of or response to a Data Incident
under this Section 7.2 (Data Incidents) will not be
construed as an acknowledgement by Google of any fault or
liability with respect to the Data Incident.
7.3 Partner’s Security Responsibilities and
7.3.1 Partner’s Security Responsibilities.
Without prejudice to Google’s obligations under Sections
7.1 (Google’s Security Measures, Controls and Assistance)
and 7.2 (Data Incidents), and elsewhere in the Agreement,
as between Google and Partner, Partner is responsible for
its and its Customer’s use of the Services and its and
their storage of any copies of Partner Data outside
Google’s or Google’s Subprocessors’ systems, including:
a. using the Services and
Additional Security Controls to ensure a level of security
appropriate to the risk to the Partner Data;
b. securing the account
authentication credentials, systems and devices Partner
and Customers use to access the Services; and
c. backing up its Partner
Data as appropriate.
7.3.2 Partner’s Security Assessment. Partner
agrees that the Services, Security Measures implemented
and maintained by Google, Additional Security Controls and
Google’s commitments under this Section 7 (Data Security)
provide a level of security appropriate to the risk to
Partner Data (taking into account the state of the art,
the costs of implementation and the nature, scope, context
and purposes of the processing of Partner Personal Data as
well as the risks to individuals).
7.4 Compliance Certifications and SOC Reports.
Google will maintain at least the following for the
Audited Services in order to evaluate the continued
effectiveness of the Security Measures: (a) certificates
for ISO 27001, ISO 27017 and ISO 27018, and its PCI DSS
Attestation of Compliance (the “Compliance
Certifications”); and (b) SOC 2 and SOC 3 reports produced
by Google’s Third Party Auditor and updated annually based
on an audit performed at least once every 12 months (the
“SOC Reports”). Google may add standards at any time.
Google may replace a Compliance Certification or SOC
Report with an equivalent or enhanced alternative.
7.5 Reviews and Audits of Compliance.
7.5.1 Reviews of Security Documentation. Google
will make the Compliance Certifications and the SOC
Reports available for review by Partner to demonstrate
compliance by Google with its obligations under these
7.5.2 Partner’s Audit Rights.
a. If European Data
Protection Law applies to the processing of Partner
Personal Data, Google will allow Partner or an independent
auditor appointed by Partner to conduct audits (including
inspections) to verify Google’s compliance with its
obligations under these Terms in accordance with Section
7.5.3 (Additional Business Terms for Reviews and Audits).
During an audit, Google will make available all
information necessary to demonstrate such compliance and
contribute to the audit as described in Section 7.4
(Compliance Certifications and SOC Reports) and this
Section 7.5 (Reviews and Audits of Compliance).
b. If Partner SCCs apply as
described in Section 10.3 (Restricted Transfers), Google
will allow Partner (or an independent auditor appointed by
Partner) to conduct audits as described in those SCCs and,
during an audit, make available all information required
by those SCCs, both in accordance with Section 7.5.3
(Additional Business Terms for Reviews and Audits).
c. Partner may conduct an
audit to verify Google’s compliance with its obligations
under these Terms by reviewing the Security Documentation
(which reflects the outcome of audits conducted by
Google’s Third Party Auditor).
7.5.3 Additional Business Terms for Reviews and Audits.
a. Partner must send any
requests for reviews of the SOC 2 report under Section
5.1.2(c)(i) or 7.5.1, or audits under Section 7.5.2(a) or
7.5.2(b), to Google’s Cloud Data Protection Team as
described in Section 12 (Cloud Data Protection Team;
b. Following receipt by
Google of a request under Section 7.5.3(a), Google and
Partner will discuss and agree in advance on: (i) the
reasonable date(s) of and security and confidentiality
controls applicable to any review of the SOC 2 report
under Section 5.1.2(c)(i) or 7.5.1; and (ii) the
reasonable start date, scope and duration of and security
and confidentiality controls applicable to any audit under
Section 7.5.2(a) or 7.5.2(b).
c. Google may charge a fee
(based on Google’s reasonable costs) for any audit under
Section 7.5.2(a) or 7.5.2(b). Google will provide Partner
with further details of any applicable fee, and the basis
of its calculation, in advance of any such audit. Partner
will be responsible for any fees charged by any auditor
appointed by Partner to execute any such audit.
d. Google may object in
writing to an auditor appointed by Partner to conduct any
audit under Section 7.5.2(a) or 7.5.2(b) if the auditor
is, in Google’s reasonable opinion, not suitably qualified
or independent, a competitor of Google, or otherwise
manifestly unsuitable. Any such objection by Google will
require Partner to appoint another auditor or conduct the