7.1 Google’s Security Measures, Controls and Assistance.
7.1.1 Google’s Security Measures. Google will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). The Security Measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of Google’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Google may update the Security Measures from time to time provided that such updates do not result in a material reduction of the security of the Services.
7.1.2 Access and Compliance. Google will: (a) authorize its employees, contractors and Subprocessors to access Customer Personal Data only as strictly necessary to comply with Instructions; (b) take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance; and (c) ensure that all persons authorized to process Customer Personal Data are under an obligation of confidentiality.
7.1.3 Additional Security Controls. Google will make Additional Security Controls available to: (a) allow Customer to take steps to secure Customer Data; and (b) provide Customer with information about securing, accessing and using Customer Data.
7.1.4 Google’s Security Assistance. Google will (taking into account the nature of the processing of Customer Personal Data and the information available to Google) assist Customer in ensuring compliance with its (or, where Customer is a processor, the relevant controller’s) obligations under Articles 32 to 34 of the
a. implementing and maintaining the Security Measures in accordance with Section 7.1.1 (Google’s Security Measures);
b. making Additional Security Controls available to Customer in accordance with Section 7.1.3 (Additional Security Controls);
c. complying with the terms of Section 7.2 (Data Incidents);
d. providing Customer with the Security Documentation in accordance with Section 7.5.1 (Reviews of Security Documentation) and the information contained in the Agreement (including these
e. if subsections (a)-(d) above are insufficient for Customer (or the relevant controller) to comply with such obligations, upon Customer’s request, providing Customer with additional reasonable cooperation and assistance.
7.2 Data Incidents.
7.2.1 Incident Notification. Google will notify Customer promptly and without undue delay after becoming aware of a Data Incident, and promptly take reasonable steps to minimize harm and secure Customer Data.
7.2.2 Details of Data Incident. Google’s notification of a Data Incident will describe: the nature of the Data Incident including the Customer resources impacted; the measures Google has taken, or plans to take, to address the Data Incident and mitigate its potential risk; the measures, if any, Google recommends that Customer take to address the Data Incident; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Google’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.
7.2.3 Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address.
7.2.4 No Assessment of Customer Data by Google. Google has no obligation to assess Customer Data in order to identify information subject to any specific legal
7.2.5 No Acknowledgement of Fault by Google. Google’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Google of any fault or liability with respect to the Data Incident.
7.3 Customer’s Security Responsibilities and Assessment.
7.3.1 Customer’s Security Responsibilities. Without prejudice to Google’s obligations under Sections 7.1 (Google’s Security Measures, Controls and Assistance) and 7.2 (Data Incidents), and elsewhere in the Agreement, Customer is responsible for its use of the Services and its storage of any copies of Customer Data outside Google’s or Google’s Subprocessors’ systems, including:
a. using the Services and Additional Security Controls to ensure a level of security appropriate to the risk to the Customer Data;
b. securing the account authentication credentials, systems and devices Customer uses to access the Services; and
c. backing up its Customer Data as appropriate.
7.3.2 Customer’s Security Assessment. Customer agrees that the Services, Security Measures implemented and maintained by Google, Additional Security Controls and Google’s commitments under this Section 7 (Data Security) provide a level of security appropriate to the risk to Customer Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals).
7.4 Compliance Certifications and SOC Reports.
Google will maintain at least the following for the Audited Services in order to evaluate the continued effectiveness of the Security Measures: (a) certificates for ISO 27001, ISO 27017 and ISO 27018, and its PCI DSS Attestation of Compliance (the “Compliance Certifications”); and (b) SOC 2 and SOC 3 reports produced by Google’s Third Party Auditor and updated annually based on an audit performed at least once every 12 months (the “SOC Reports”). Google may add standards at any time. Google may replace a Compliance Certification or SOC Report with an equivalent or enhanced alternative.
7.5 Reviews and Audits of Compliance.
7.5.1 Reviews of Security Documentation. Google will make the Compliance Certifications and the SOC Reports available for review by Customer to demonstrate compliance by Google with its obligations under these
7.5.2 Customer’s Audit Rights.
a. If European Data Protection Law applies to the processing of Customer Personal Data, Google will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify Google’s compliance with its obligations under these Terms in accordance with Section 7.5.3 (Additional Business Terms for Reviews and Audits). During an audit, Google will make available all information necessary to demonstrate such compliance and contribute to the audit as described in Section 7.4 (Compliance Certifications and SOC Reports) and this Section 7.5 (Reviews and Audits of Compliance).
b. If Customer SCCs apply as described in Section 10.3 (Restricted Transfers), Google will allow Customer (or an independent auditor appointed by Customer) to conduct audits as described in those SCCs and, during an audit, make available all information required by those SCCs, both in accordance with Section 7.5.3 (Additional Business Terms for Reviews and Audits).
c. Customer may conduct an audit to verify Google’s compliance with its obligations under these Terms by reviewing the Security Documentation (which reflects the outcome of audits conducted by Google’s Third Party Auditor).
7.5.3 Additional Business Terms for Reviews and Audits.
a. Customer must send any requests for reviews of the SOC 2 report under Section 5.1.2(c)(i) or 7.5.1, or audits under Section 7.5.2(a) or 7.5.2(b), to Google’s Cloud Data Protection Team as described in Section 12 (Cloud Data Protection Team;
b. Following receipt by Google of a request under Section 7.5.3(a), Google and Customer will discuss and agree in advance on: (i) the reasonable date(s) of and security and confidentiality controls applicable to any review of the SOC 2 report under Section 5.1.2(c)(i) or 7.5.1; and (ii) the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit under Section 7.5.2(a) or 7.5.2(b).
c. Google may charge a fee (based on Google’s reasonable costs) for any audit under Section 7.5.2(a) or 7.5.2(b). Google will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
d. Google may object in writing to an auditor appointed by Customer to conduct any audit under Section 7.5.2(a) or 7.5.2(b) if the auditor is, in Google’s reasonable opinion, not suitably qualified or independent, a competitor of Google, or otherwise manifestly unsuitable. Any such objection by Google will require Customer to appoint another auditor or conduct the