The partner agreeing to these terms ("Partner") and Looker Data Sciences
Inc. ("Looker") have entered into an agreement under which Looker has
agreed to provide the Services and, if applicable, related technical support to
Partner (as amended from time to time, the "Agreement").
These Data Processing and Security Terms for Looker Services, including their
appendices (the "Terms"), will be effective and replace any previously
applicable data processing and security terms as from the Terms Effective Date
(as defined below). These Terms supplement the Agreement.
2.1 Capitalized terms defined in the Agreement apply to these Terms. In addition,
in these Terms:
- Additional Security Controls means security resources, features,
functionality and/or controls, the use of which is controlled by Partner or its
Customers, including the identity and access management functionality of the
- Affiliated Infrastructure Provider means, if applicable, a Looker
Affiliate that is authorized under these Terms to supply any applicable
cloud-based infrastructure included in the Services.
- Agreed Liability Cap means the maximum monetary or payment-based amount
at which a party's liability is capped under the Agreement.
- Alternative Transfer Solution means a solution, other than the Model
Contract Clauses, that enables the lawful transfer of personal data to a third
country in accordance with European Data Protection Law.
- Audited Services means the Services when hosted on their integrated
cloud-based infrastructure but excluding such infrastructure from the scope of
any relevant certification or report.
- Customer has the meaning given in the Agreement.
- Data Incident means a breach of Looker's security leading to the
accidental or unlawful destruction, loss, alteration, unauthorized disclosure
of, or access to, Partner Data on systems managed by or otherwise controlled by
- EEA means the European Economic Area.
- EU GDPR means Regulation (EU) 2016/679 of the European Parliament and
of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data,
and repealing Directive 95/46/EC.
- European Data Protection Law means, as applicable: (a) the GDPR; and/or
(b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
- European or National Law means, as applicable: (a) EU or EU Member
State law (if the EU GDPR applies to the processing of Partner Personal Data);
and/or (b) the law of the UK or a part of the UK (if the UK GDPR applies to the
processing of Partner Personal Data).
- GDPR means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.
- Infrastructure Provider means an Affiliated Infrastructure Provider or
an Unaffiliated Infrastructure Provider, as applicable.
- Looker's Third Party Auditor means a Looker-appointed, qualified and
independent third party auditor, whose then-current identity Looker will
disclose to Partner.
- Model Contract Clauses or MCCs mean standard data protection
clauses for the transfer of personal data to processors established in third
countries which do not ensure an adequate level of data protection, as described
in Article 46 of the EU GDPR and set out at
https://looker.com/trust-center/legal/customers/mcc, as may be modified by
the European Commission.
- Non-European Data Protection Law means data protection or privacy laws
in force outside the European Economic Area, Switzerland and the UK.
- Notification Email Address means the email address(es) designated by
Partner in the Order Form or via the Services (as applicable) to receive certain
notifications from Looker. Partner is responsible for giving Looker timely
notice of any changes to the email address(es) so designated and for ensuring
that its Notification Email Address remains current and valid.
- Order Form has the meaning given in the Agreement, unless Partner has
purchased via an online marketplace or is using the Services only for trial or
evaluation purposes under a trial or evaluation agreement, in which case "Order
Form" may mean another written form (email or other electronic means permitted)
as authorized by Looker.
- Partner Data has the meaning given in the Agreement.
- Partner Personal Data means the personal data contained within the
- Security Documentation means any and all documents and information made
available by Looker under Section 7.5.1 (Reviews of Security Documentation).
- Security Measures has the meaning given in Section 7.1.1 (Looker's
- Subprocessor means a third party authorized as another processor under
Section 11 (Looker Subprocessors) to have logical access to and process Partner
Data in order to provide parts of the Services and any applicable technical
- Subprocessor URL has the meaning given in Section 11.2 (Information
- Supervisory Authority means, as applicable: (a) a "supervisory
authority" as defined in the EU GDPR; and/or (b) the "Commissioner" as defined
in the UK GDPR.
- Term means the period from the Terms Effective Date until the end of
Looker's provision of the Services, including, if applicable, any period during
which provision of the Services may be suspended and any post-termination period
during which Looker may continue providing the Services for transitional
- Terms Effective Date means the date on which Partner accepted, or the
parties otherwise agreed to, these Terms.
- UK GDPR means the EU GDPR as amended and incorporated into UK law under
the UK European Union (Withdrawal) Act 2018, if in force.
- Unaffiliated Infrastructure Provider or UIP means, if
applicable, a third party, other than a Looker Affiliate, that is authorized
under these Terms to supply any applicable cloud-based infrastructure included
in the Services.
2.2 The terms "personal data", "data subject", "processing", "controller" and
"processor" as used in these Terms have the meanings given in the GDPR
irrespective of whether European Data Protection Law or Non-European Data
Protection Law applies.
These Terms will, notwithstanding expiry of the Term, remain in effect until,
and automatically expire upon, deletion of all Partner Data by Looker as
described in these Terms.
4. Scope of Data Protection Law
4.1 Application of European Law. The parties acknowledge that European
Data Protection Law will apply to the processing of Partner Personal Data if, for
- the processing is carried out in the context of the activities of an
establishment of Partner or its Customers in the territory of the EEA or the
- the Partner Personal Data is personal data relating to data subjects who are
in the EEA or the UK and the processing relates to the offering to them of
goods or services in the EEA or the UK, or the monitoring of their behaviour in
the EEA or the UK.
4.2 Application of Non-European Law. The parties acknowledge that
Non-European Data Protection Law may also apply to the processing of Partner
4.3 Application of Terms. Except to the extent these Terms state
otherwise, these Terms will apply irrespective of whether European Data
Protection Law or Non-European Data Protection Law applies to the processing of
Partner Personal Data.
5. Processing of Data
5.1 Roles and Regulatory Compliance; Authorization.
5.1.1 Processor and Controller Responsibilities. If European Data
Protection Law applies to the processing of Partner Personal Data:
- the subject matter and details of the processing are described in Appendix 1;
- Looker is a processor of that Partner Personal Data under European Data
- Partner is a controller or processor, as applicable, of that Partner Personal
Data under European Data Protection Law; and
- each party will comply with the obligations applicable to it under European
Data Protection Law with respect to the processing of that Partner Personal
5.1.2 Authorization by Third Party Controller. If European Data Protection
Law applies to the processing of Partner Personal Data and Partner is a processor,
Partner warrants that its instructions and actions with respect to that Partner
Personal Data, including its appointment of Looker as another processor, have been
authorized by the relevant controller.
5.1.3 Responsibilities under Non-European Law. If Non-European Data
Protection Law applies to either party's processing of Partner Personal Data, the
relevant party will comply with any obligations applicable to it under that law
with respect to the processing of that Partner Personal Data.
5.2 Scope of Processing.
5.2.1 Partner's Instructions. Partner instructs Looker to process Partner
Personal Data in accordance with applicable law only: (a) to provide the Services
and any applicable technical support; (b) as further specified via Partner's use
of the Services (acting on behalf of itself and its Customers) and any applicable
technical support; (c) as documented in the form of the Agreement, including these
Terms; and (d) as further documented in any other written instructions given by
Partner (acting on behalf of itself and its Customers) and acknowledged by Looker
as constituting instructions for purposes of these Terms.
5.2.2 Looker's Compliance with Instructions. Looker will comply with the
instructions described in Section 5.2.1 (Partner's Instructions) (including with
regard to data transfers) unless European or National Law to which Looker is
subject requires other processing of Partner Personal Data by Looker, in which
case Looker will notify Partner (unless that law prohibits Looker from doing so
on important grounds of public interest) before such other processing.
6. Data Deletion
6.1 Deletion by Partner. Looker will enable Partner to delete certain
Partner Data during the Term in a manner consistent with the functionality of the
Services. If Partner uses the Services to delete any Partner Data during the Term
and that Partner Data cannot be recovered by Partner, this use will constitute an
instruction to Looker to delete the relevant Partner Data from Looker's systems in
accordance with applicable law. Looker will comply with this instruction as soon
as reasonably practicable and within a maximum period of 180 days, unless European
or National Law requires storage.
6.2 Deletion on Termination. On expiry of the Term, Partner instructs
Looker to delete all Partner Data (including existing copies) from Looker's
systems in accordance with applicable law. Looker will, after a recovery period
of up to 30 days following such expiry, comply with this instruction as soon as
reasonably practicable and within a maximum period of 180 days, unless European or
National Law requires storage. Without prejudice to Section 9.1 (Access;
Rectification; Restricted Processing; Portability), Partner is responsible for
exporting, before the Term expires, any Partner Data it wishes to retain.
7. Data Security
7.1 Looker's Security Measures, Controls and Assistance.
7.1.1 Looker's Security Measures. Looker will implement and maintain
technical and organizational measures to protect Partner Data against accidental
or unlawful destruction, loss, alteration, unauthorized disclosure or access as
described in Appendix 2 (the "Security Measures"). The Security Measures
may include measures to encrypt personal data; to help ensure ongoing
confidentiality, integrity, availability and resilience of Looker's systems and
services; to help restore timely access to personal data following an incident;
and for regular testing of effectiveness. Looker may update the Security Measures
from time to time provided that such updates do not result in the degradation of
the overall security of the Services.
7.1.2 Security Compliance by Looker Staff. Looker will: (a) take
appropriate steps to ensure compliance with the Security Measures by its
employees, contractors and Subprocessors to the extent applicable to their scope
of performance, and (b) ensure that all persons authorized to process Partner
Personal Data are under an obligation of confidentiality.
7.1.3 Additional Security Controls. Looker will make Additional Security
Controls available to: (a) allow Partner or its Customers to take steps to secure
Partner Data; and (b) provide Partner or its Customers with information about
securing, accessing and using Partner Data.
7.1.4 Looker's Security Assistance. Looker will (taking into account the
nature of the processing of Partner Personal Data and the information available
to Looker) assist Partner in ensuring compliance with its obligations pursuant to
Articles 32 to 34 of the GDPR, by:
- implementing and maintaining the Security Measures in accordance with Section
7.1.1 (Looker's Security Measures);
- making Additional Security Controls available to Partner in accordance with
Section 7.1.3 (Additional Security Controls);
- complying with the terms of Section 7.2 (Data Incidents);
- providing Partner with (i) any Security Documentation maintained under Section
7.4 (Compliance Certification and SOC Report) in accordance with Section 7.5.1
(Reviews of Security Documentation) and (ii) the information contained in the
Agreement including these Terms; and
- complying with the terms of Section 11 (Looker Subprocessors) and, if
applicable, Section 12 (Unaffiliated Infrastructure Providers).
7.2 Data Incidents.
7.2.1 Incident Notification. Looker will notify Partner promptly and
without undue delay after becoming aware of a Data Incident, and promptly take
reasonable steps to minimize harm and secure Partner Data. Partner may instead
instruct Looker to provide this notice to Partner's Customer if the Notification
Email Address that Partner provides belongs to the Customer.
7.2.2 Details of Data Incident. Looker's notification of a Data Incident
will describe, to the extent possible, the nature of the Data Incident, the
measures taken to mitigate the potential risks and the measures Looker recommends
Partner or its Customers take to address the Data Incident.
7.2.3 Delivery of Notification. Notification(s) of any Data Incident(s)
will be delivered to the Notification Email Address.
7.2.4 No Assessment of Partner Data by Looker. Looker has no obligation to
assess Partner Data in order to identify information subject to any specific legal
7.2.5 Notification of Customers. Partner will notify each Customer
affected by a Data Incident without undue delay after becoming aware of the Data
7.2.6 No Acknowledgement of Fault by Looker. Looker's notification of or
response to a Data Incident under this Section 7.2 (Data Incidents) will not be
construed as an acknowledgement by Looker of any fault or liability with respect
to the Data Incident.
7.3 Partner's Security Responsibilities and Assessment.
7.3.1 Partner's Security Responsibilities. Without prejudice to Looker's
obligations under Sections 7.1 (Looker's Security Measures, Controls and
Assistance) and 7.2 (Data Incidents) and elsewhere in the Agreement, as between
Partner and Google, Partner is responsible for its and its Customers' use of the
Services; its use and storage of Partner Data outside of systems managed or
otherwise controlled by Looker including Subprocessors' and/or any Unaffiliated
Infrastructure Provider's systems; and the security of Partner's environment,
databases and configuration of the Services. Partner's responsibilities under
this Section 7.3.1 (Partner's Security Responsibilities) include, without
- using the Services and Additional Security Controls to ensure a level of
security appropriate to the risk in respect of the Partner Data;
- administering, managing access to and securing the account authentication
credentials, systems, software, networks and devices that Partner or its
Customers use to access, or authorizes to be accessed by, the Services; and
- backing up its Partner Data as appropriate.
7.3.2 Partner's Security Assessment. Partner agrees, based on its current
and intended use of the Services, that the Services, Security Measures, Additional
Security Controls and Looker's commitments under this Section 7 (Data Security),
Section 11 (Looker Subprocessors) and, if applicable, Section 12 (Unaffiliated
Infrastructure Providers): (a) meet Partner's needs, including with respect to any
security obligations of Partner under European Data Protection Law and/or
Non-European Data Protection Law, as applicable, and (b) provide a level of
security appropriate to the risk in respect of the Partner Data.
7.4 Compliance Certification and SOC Report. Looker will ensure that one
or more of the following is/are maintained for the Audited Services in order to
evaluate the continued effectiveness of the Security Measures: (a) certificate(s)
for ISO 27001 DSS Attestation of Compliance (collectively, the "Compliance
Certification(s)"); and/or (b) a SOC 2 report produced by Looker's Third Party
Auditor and updated annually based on an audit performed at least once every 12
months (the "SOC Report"). The Compliance Certification(s) and/or SOC
Report maintained for the Audited Services under this Section 7.4 (Compliance
Certification and SOC Report) may vary according to the hosting environment in
which such Services are used; Looker will provide details of the Compliance
Certification(s) and SOC Report available for specific hosting environments
on request. Looker may also add standards and/or replace any Compliance
Certification or SOC Report with an equivalent or enhanced alternative at any
7.5 Reviews and Audits of Compliance.
7.5.1 Reviews of Security Documentation. Looker will make any Compliance
Certification(s) and/or SOC Report maintained under Section 7.4 (Compliance
Certification and SOC Report) available for review by Partner to demonstrate
compliance by Looker with its obligations under these Terms. Looker and Partner
may discuss and agree to a mechanism to make available to Partner's Customers the
applicable Compliance Certification(s) and/or SOC Report.
7.5.2 Partner's Audit Rights.
- If European Data Protection Law applies to the processing of Partner Personal
Data, Looker will allow Partner or an independent auditor appointed by Partner
to conduct audits (including inspections) to verify Looker's compliance with
its obligations under these Terms in accordance with Section 7.5.3 (Additional
Business Terms for Reviews and Audits). Looker will contribute to such audits
as described in Section 7.4 (Compliance Certification and SOC Report) and this
Section 7.5 (Reviews and Audits of Compliance).
- If Looker and Partner have entered into the Model Contract Clauses under
Section 10.2 (Transfers of Data), Looker will allow Partner or an independent
auditor appointed by Partner to conduct audits as described in the Model
Contract Clauses in accordance with Section 7.5.3 (Additional Business Terms
for Reviews and Audits).
- Partner may conduct an audit to verify Looker's compliance with its
obligations under these Terms by reviewing any available Security Documentation
(which will reflect the outcome of audits conducted by Looker's Third Party
Auditor or another third party auditor).
7.5.3 Additional Business Terms for Reviews and Audits.
- Partner must send any requests for SOC Report reviews under Section 7.5.1 or
audits under Section 7.5.2(a) or 7.5.2(b) to Looker's Data Protection Team as
described in Section 13 (Data Protection Team; Processing Records).
- Following receipt by Looker of a request under Section 7.5.3(a), Looker and
Partner will discuss and agree in advance on: (i) the reasonable date(s) of and
security and confidentiality controls applicable to any SOC Report review under
Section 7.5.1; and (ii) the reasonable start date, scope and duration of and
security and confidentiality controls applicable to any audit under Section
7.5.2(a) or 7.5.2(b).
- Looker may charge a fee (based on Looker's reasonable costs) for any audit
under Section 7.5.2(a) or 7.5.2(b). Looker will provide Partner with further
details of any applicable fee, and the basis of its calculation, in advance of
any such audit. Partner will be responsible for any fees charged by any auditor
appointed by Partner to execute any such audit.
- Looker may object in writing to an auditor appointed by Partner to conduct
any audit under Section 7.5.2(a) or 7.5.2(b) if the auditor is, in Looker's
reasonable opinion, not suitably qualified or independent, a competitor of
Looker, or otherwise manifestly unsuitable. Any such objection by Looker will
require Partner to appoint another auditor or conduct the audit itself.
7.5.4 No Modification of MCCs. Nothing in this Section 7.5 (Reviews and
Audits of Compliance) varies or modifies any rights or obligations of Partner or
Looker under any Model Contract Clauses entered into as described in Section 10.2
(Transfers of Data).
8. Impact Assessments and Consultations
Looker will (taking into account the nature of the processing and the information
available to Looker) assist Partner in ensuring compliance with its obligations
pursuant to Articles 35 and 36 of the GDPR, by:
- providing Additional Security Controls in accordance with Section 7.1.3
(Additional Security Controls) and any Security Documentation made available
under Section 7.5.1 (Reviews of Security Documentation); and
- providing the information contained in the Agreement including these Terms.
9. Access etc.; Data Subject Rights; Data Export
9.1 Access; Rectification; Restricted Processing; Portability. During the
Term, Looker will enable Partner, in a manner consistent with the functionality
of the Services, to (a) access, rectify and restrict processing of Partner Data,
including via the deletion functionality provided by Looker as described in
Section 6.1 (Deletion by Partner), and (b) export Partner Data.
9.2 Data Subject Requests.
9.2.1 Partner's Responsibility for Requests. During the Term, if Looker's
Data Protection Team receives a request from a data subject in relation to Partner
Personal Data, Partner acknowledges that Looker may interact with the data subject.
If the request identifies Partner, Partner instructs that Looker will advise the
data subject to submit their request to the Partner, or if the data subject
identifies the Partner's Customer, then Looker will advise the data subject to
submit their request to the Customer. Partner and/or its Customers, as applicable,
will then be responsible for responding to any such request including, where
necessary, by using the functionality of the Services.
9.2.2 Looker's Data Subject Request Assistance. Looker will (taking into
account the nature of the processing of Partner Personal Data) assist Partner in
fulfilling its obligations under Chapter III of the GDPR to respond to requests
for exercising the data subject's rights by:
- providing the Services including the query and reporting functionality of the
Services in accordance with the Agreement; and
- complying with Sections 9.1 (Access; Rectification; Restricted Processing;
Portability) and 9.2.1 (Partner's Responsibility for Requests).
10. Data Transfers
10.1 Data Storage and Processing Facilities. Looker may store and process
Partner Data anywhere Looker, its Subprocessors or any Unaffiliated Infrastructure
Provider maintains facilities, subject to Section 10.2 (Transfers of Data) with
respect to the Model Contract Clauses or Alternative Transfer Solution.
10.2 Transfers of Data. Subject to Section 12.3 (Requirements for UIP
Engagement), if the storage and/or processing of Partner Personal Data involves
transfers of Partner Personal Data from the EEA, Switzerland or the UK to any
third country that does not ensure an adequate level of protection under European
Data Protection Law, and European Data Protection Law applies to the transfers of
such data, then:
- if Partner (as data exporter) enters into the Model Contract Clauses with
Looker (as data importer) in offline form, the transfers will be subject to the
Model Contract Clauses; or
- if Partner does not enter into the Model Contract Clauses with Looker as
described in Section 10.2(a), then:
- if an Alternative Transfer Solution is made available by Looker:
- Partner will be deemed to be using it and will take any action (which
may include execution of documents) strictly required to give it full
- Looker will ensure that the transfers are made in accordance with such
Alternative Transfer Solution; or
- if an Alternative Transfer Solution is not made available by Looker:
- Partner (as data exporter) will be deemed to have entered into the
Model Contract Clauses with Looker (as data importer); and
- the transfers will be subject to the Model Contract Clauses.
10.3 Disclosure of Confidential Information Containing Personal Data. If
Looker and Partner have entered into the Model Contract Clauses under Section 10.2
(Transfers of Data), Looker will, notwithstanding any term to the contrary in the
Agreement, ensure that any disclosure of Partner's Confidential Information
containing personal data, and any notifications relating to any such disclosures,
will be made in accordance with such Model Contract Clauses.
11. Looker Subprocessors
11.1 Consent to Subprocessor Engagement. Partner specifically authorizes
the engagement as Subprocessors of: (a) those entities listed as of the Terms
Effective Date at the Subprocessor URL; and (b) all other Looker Affiliates from
time to time. Such authorized Subprocessors will include any Affiliated
Infrastructure Provider Partner or its Customers may choose to use, as indicated
in an Order Form. In addition, without prejudice to Section 11.4 (Opportunity to
Object to Looker Subprocessor Changes), Partner generally authorizes the
engagement as Subprocessors of any other third parties ("New Looker
11.2 Information about Subprocessors. Information about Subprocessors,
including their functions and locations, is available at
and, if Partner or its Customer chooses to use an Affiliated Infrastructure
https://cloud.google.com/terms/subprocessors, as both URLs may be updated
from time to time in accordance with these Terms
(collectively, the "Subprocessor URL").
11.3 Requirements for Subprocessor Engagement. Before engaging any
Subprocessor, Looker will ensure that the Subprocessor's security and privacy
practices are assessed to verify that the Subprocessor provides a level of
security and privacy appropriate to the data it will access and the services
it will provide. In addition, when engaging any Subprocessor, Looker will:
- ensure via a written contract that:
- the Subprocessor only accesses and uses Partner Data as required to
perform the obligations subcontracted to it and in accordance with the
Agreement (including these Terms) and the Model Contract Clauses or
Alternative Transfer Solution, as applicable under Section 10.2 (Data
- if the GDPR applies to the processing of Partner Personal Data, data
protection obligations equivalent to those referred to in Article 28(3) of
the GDPR are imposed on the Subprocessor;
- if the Subprocessor is an Affiliated Infrastructure Provider:
- the Subprocessor implements and maintains those Security Measures
described in Section 4 (Affiliated Infrastructure Provider) of Appendix
2, as may be updated from time to time provided that such updates do not
result in the degradation of the overall security of the Services; and
- the Subprocessor maintains one or more of the Compliance
Certification(s) and/or SOC Report described in Section 7.4 (Compliance
Certification and SOC Report) for its cloud-based infrastructure
included in the Services and will make any such Compliance
Certification(s) and/or SOC Report available for review by Partner as
described in Sections 7.5.1 (Reviews of Security Documentation) and
7.5.3 (Additional Business Terms for Reviews and Audits); and
- remain fully liable for all obligations subcontracted to, and all acts and
omissions of, the Subprocessor.
11.4 Opportunity to Object to Looker Subprocessor Changes.
- When any New Looker Subprocessor is engaged during the Term, Looker will, at
least 30 days before the date the New Looker Subprocessor is due to start
processing any Partner Data (the "Subprocessor Start Date"), and
subject to Section 11.4(b) below:
- update the Subprocessor URL to include the name, function and location of
the New Looker Subprocessor; and
- notify Partner of the engagement of the New Looker Subprocessor (including
its name, function and location) or provide a mechanism Partner can use to
obtain such notices; and
- Partner may, within 60 days of the Subprocessor Start Date, object to the New
Looker Subprocessor by terminating the Agreement immediately upon written
notice to Looker. This termination right is Partner's sole and exclusive
remedy if Partner objects to any New Looker Subprocessor.
12. Unaffiliated Infrastructure Providers
12.1 Use of Unaffiliated Infrastructure Provider. Partner is not required
to use an Unaffiliated Infrastructure Provider in order to use the Services or
host them on their integrated cloud-based infrastructure. If Partner (acting on
behalf of itself and its Customers) chooses to use an Unaffiliated
Infrastructure Provider, as indicated in an Order Form (the "UIP Order
specifically authorizes the engagement of that Unaffiliated Infrastructure
Provider and of any processors engaged by the Unaffiliated Infrastructure
Provider as of the effective date of the UIP Order Form; and
without prejudice to Section 12.4 (Opportunity to Object to UIP Subprocessor
Changes), generally authorizes the engagement by the Unaffiliated
Infrastructure Provider of any other processors ("New UIP
12.2 Information about Unaffiliated Infrastructure Provider. Information
about any Unaffiliated Infrastructure Provider Partner has chosen to use,
including its identity, function and location, will be included in the UIP Order
Form, together with information about any processors engaged by the Unaffiliated
Infrastructure Provider as of the effective date of the UIP Order Form. It is the
obligation of Partner to share details of the Unaffiliated Infrastructure
Provider with its Customers, and Partner may instruct Looker to provide this
information to Partner's Customers provided that Partner has provided Looker with
contact details for the Customer.
12.3 Requirements for UIP Engagement. When engaging any Unaffiliated
Infrastructure Provider Partner has chosen to use, Looker will:
- ensure via a written contract that:
- the Unaffiliated Infrastructure Provider only accesses and uses Partner
Data as required to perform the obligations subcontracted to it; and
- if the GDPR applies to the processing of Partner Personal Data, data
protection obligations equivalent to those referred to in Article 28(3) of
the GDPR are imposed on the Unaffiliated Infrastructure Provider, including
with respect to data transfers; and
- remain fully liable for all obligations subcontracted to, and all acts and
omissions of, the Unaffiliated Infrastructure Provider.
12.4 Opportunity to Object to UIP Subprocessor Changes. The UIP Order
Form will identify a mechanism Partner can use to obtain information about the
intended engagement of any New UIP Subprocessors. Partner may object to any New
UIP Subprocessor within 60 days of its start date by terminating the Agreement
immediately upon written notice to Looker. This termination right is Partner's
sole and exclusive remedy if Partner objects to a New UIP Subprocessor.
13. Data Protection Team; Processing Records
13.1 Looker's Data Protection Team. Looker's Data Protection Team can be
(and/or via such other means as Looker may provide from time to time).
13.2 Looker's Processing Records. To the extent the GDPR requires Looker
to collect and maintain records of certain information relating to Partner,
Partner will, where requested, supply such information to Looker and give Looker
timely notice of any changes to such information to ensure that Looker's records
remain accurate and up-to-date. Looker may make any such information available to
the Supervisory Authorities if required by the GDPR.
14.1 Liability Cap. If the Model Contract Clauses have been entered into
under Section 10.2 (Transfers of Data) then, subject to Section 14.2 (Liability
Cap Exclusions), the total combined liability of either party and its Affiliates
towards the other party and its Affiliates under or in connection with the
Agreement and such Model Contract Clauses combined will be limited to the Agreed
Liability Cap for the relevant party.
14.2 Liability Cap Exclusions. Nothing in Section 14.1 (Liability Cap)
will affect the remaining terms of the Agreement relating to liability (including
any specific exclusions from any limitation of liability).
15. Effect of These Terms
Notwithstanding anything to the contrary in the Agreement, to the extent of any
conflict or inconsistency between these Terms and the remaining terms of the
Agreement, these Terms will govern.
Appendix 1: Subject Matter and Details of the Data Processing
Looker's provision of the Services and any applicable technical support to
Partner (acting on behalf of itself and its Customers).
Duration of the Processing
The Term plus the period from the expiry of the Term until deletion of all
Partner Data by Looker in accordance with the Terms.
Nature and Purpose of the Processing
Looker will process Partner Personal Data for the purposes of providing the
Services and any applicable technical support to Partner (acting on behalf of
itself and its Customers) in accordance with the Terms.
Categories of Data
Data relating to individuals provided to Looker via the Services, by (or at the
direction of) Partner or by its Customers.
Data subjects include the individuals about whom data is provided to Looker via
the Services by (or at the direction of) Partner or its Customers.
Appendix 2: Additional Technical and Organizational Measures
As from the Terms Effective Date, Looker will implement and maintain the Security
Measures described in this Appendix 2.
1. Looker Application Security for Partner Hosted Environment
If Partner opts not to use an Infrastructure Provider, the Services will run on
infrastructure provided by the Partner or its Customer. In this case, without
prejudice to Partner's obligations under Section 7.3 (Partner's Security
Responsibilities and Assessment), Looker will only:
- maintain controls designed to ensure code security for the Services; and
- notify and make software updates for the Services available to Partner through
Looker's release management and partner notification processes.
2. Looker Application Security for Looker Hosted Environment
If Partner or its Customer opts to use an Infrastructure Provider, the Services
will run on infrastructure provided by the Infrastructure Provider chosen by
Partner or its Customer. In this case, without prejudice to Partner's obligations
under Section 7.3 (Partner's Security Responsibilities and Assessment) and in
addition to Looker's obligations relating to Infrastructure Providers as described
in Section 11 (Looker Subprocessors) or 12 (Unaffiliated Infrastructure
Providers), as applicable, Looker will implement and maintain the Security
Measures described below:
Code Quality. Looker employs an SDLC code review process, automated
testing, and regular penetration testing designed to maintain the security of the
code used to provide the Services.
Access. The Services support SAML-based single sign-on (SSO) and two-factor
authentication (2FA) for users. The Services support authentication of users and
a flexible governance model that allows administrators to associate users with
Services groups, roles, and permissions.
Logical separation of data. The Services store configuration information,
event data, and cached query results in each Instance. The Services are
architected to logically separate this information in order to isolate each
Data security architecture. Looker follows at least industry-standard
practices for security architecture. Proxy servers help secure access to the
Services by providing a single point at which to filter attacks through IP
denylisting and connection rate limiting.
Redundancy. Looker employs a Cloud-based distributed backup framework for
Access. Access to the Services or back-end infrastructure by Looker
personnel requires multiple levels of authentication and all access is uniquely
identified, logged, and monitored. Access to the Services by Looker personnel to
provide technical support requested by Partner or its Customers is controlled by
Partner's or its Customers' administrators.
Vulnerability and threat scanning. Looker regularly scans the Services
including back-end infrastructure for known security vulnerabilities. Logs and
network activity are reviewed for threats and potential risks, anomalous activity,
and alerts. Known vulnerabilities are reviewed and mitigated based on criticality.
Encryption Technologies. Looker uses the following forms of encryption:
(a) AES-256 encryption for database connection configurations and cached query
data; (b) bcrypt, a dedicated password-based key derivation function that salts
and hashes each password, for native usernames and passwords; and (c) TLS 1.2 for
data in transit from the user's browser to the Services. The Services support
database connection configurations over TLS 1.2 or SSH.
3. Subprocessor Security
Regardless of whether Partner opts to use an Infrastructure Provider, Looker
conducts an audit of the security and privacy practices of all Subprocessors
before they are onboarded to ensure they provide a level of security and privacy
appropriate to their access to data and the scope of the services they are
engaged to provide. Once Looker has assessed the risks presented by the
Subprocessor, then subject to the requirements described in Section 11.3
(Requirements for Subprocessor Engagement) of these Terms, the Subprocessor is
required to enter into appropriate security, confidentiality and privacy contract
4. Affiliated Infrastructure Provider
If Partner or its Customer chooses to use an Affiliated Infrastructure Provider
(hereinafter, "Google"), Looker will ensure that, as from the Terms
Effective Date, Google will implement and maintain the additional Security
Measures described in this Appendix 2.
(a) Data Center and Network Security
Infrastructure. Google maintains geographically distributed data centers.
Google stores all production data in physically secure data centers.
Redundancy. Infrastructure systems have been designed to eliminate single
points of failure and minimize the impact of anticipated environmental risks.
Dual circuits, switches, networks or other necessary devices help provide this
redundancy. The Services are designed to allow Google to perform certain types of
preventative and corrective maintenance without interruption. All environmental
equipment and facilities have documented preventative maintenance procedures that
detail the process for and frequency of performance in accordance with the
manufacturer's or internal specifications. Preventative and corrective maintenance
of the data center equipment is scheduled through a standard change process
according to documented procedures.
Power. The data center electrical power systems are designed to be
redundant and maintainable without impact to continuous operations, 24 hours a
day, 7 days a week. In most cases, a primary as well as an alternate power source,
each with equal capacity, is provided for critical infrastructure components in
the data center. Backup power is provided by various mechanisms such as
uninterruptible power supplies (UPS) batteries, which supply consistently reliable
power protection during utility brownouts, blackouts, over voltage, under voltage,
and out-of-tolerance frequency conditions. If utility power is interrupted, backup
power is designed to provide transitory power to the data center, at full
capacity, for up to 10 minutes until the diesel generator systems take over.
The diesel generators are capable of automatically starting up within seconds to
provide enough emergency electrical power to run the data center at full capacity
typically for a period of days.
Server Operating Systems. Google servers use a Linux-based implementation
customized for the application environment. Data is stored using proprietary
algorithms to augment data security and redundancy. Google employs a code review
process to increase the security of the code used to provide the Services and
enhance the security products in production environments.
Business Continuity. Google has designed and regularly plans and tests
its business continuity planning/disaster recovery programs.
(ii) Networks and Transmission.
Data Transmission. Data centers are typically connected via high-speed
private links to provide secure and fast data transfer between data centers. This
is designed to prevent data from being read, copied, altered or removed without
authorization during electronic transfer or transport or while being recorded onto
data storage media. Google transfers data via Internet standard protocols.
External Attack Surface. Google employs multiple layers of network devices
and intrusion detection to protect its external attack surface. Google considers
potential attack vectors and incorporates appropriate purpose built technologies
into external facing systems.
Intrusion Detection. Intrusion detection is intended to provide insight
into ongoing attack activities and provide adequate information to respond to
incidents. Google's intrusion detection involves:
- tightly controlling the size and make-up of Google's attack surface through
- employing intelligent detection controls at data entry points; and
- employing technologies that automatically remedy certain dangerous situations.
Incident Response. Google monitors a variety of communication channels for
security incidents, and Google's security personnel will react promptly to known
Encryption Technologies. Google makes HTTPS encryption (a TLS connection,
historically also referred to as SSL) available. Google servers support ephemeral
elliptic curve Diffie-Hellman (ECDHE) key exchange signed with RSA or ECDSA. These
perfect forward secrecy (PFS) methods help protect traffic and minimize the impact
of a compromised long-term key, or a cryptographic breakthrough.
(b) Access and Site Controls
(i) Site Controls.
On-site Data Center Security Operation. Google's data centers maintain an
on-site security operation responsible for all physical data center security
functions 24 hours a day, 7 days a week. The on-site security operation personnel
monitor closed circuit TV (CCTV) cameras and all alarm systems. On-site security
operation personnel perform internal and external patrols of the data center
Data Center Access Procedures. Google maintains formal access procedures
for allowing physical access to the data centers. The data centers are housed in
facilities that require electronic card key access, with alarms that are linked to
the on-site security operation. All entrants to the data center are required
to identify themselves as well as show proof of identity to on-site security
operations. Only authorized employees, contractors and visitors are allowed entry
to the data centers. Only authorized employees and contractors are permitted to
request electronic card key access to these facilities. Data center electronic
card key access requests must be made through e-mail, and require the approval of
the requestor's manager and the data center director. All other entrants requiring
temporary data center access must: (i) obtain approval in advance from the data
center managers for the specific data center and internal areas they wish to
visit; (ii) sign in at on-site security operations; and (iii) reference an
approved data center access record identifying the individual as approved.
On-site Data Center Security Devices. Google's data centers employ an
electronic card key and biometric access control system that is linked to a system
alarm. The access control system monitors and records each individual's electronic
card key and when they access perimeter doors, shipping and receiving, and other
critical areas. Unauthorized activity and failed access attempts are logged by the
access control system and investigated, as appropriate. Authorized access
throughout the business operations and data centers is restricted based on zones
and the individual's job responsibilities. The fire doors at the data centers are
alarmed. CCTV cameras are in operation both inside and outside the data centers.
The positioning of the cameras has been designed to cover strategic areas
including, among others, the perimeter, doors to the data center building, and
shipping/receiving. On-site security operations personnel manage the CCTV
monitoring, recording and control equipment. Secure cables throughout the data
centers connect the CCTV equipment. Cameras record on site via digital video
recorders 24 hours a day, 7 days a week. The surveillance records are retained for
up to 30 days based on activity.
(ii) Access Control.
Infrastructure Security Personnel. Google has, and maintains, a security
policy for its personnel, and requires security training as part of the training
package for its personnel. Google's infrastructure security personnel are
responsible for the ongoing monitoring of Google's security infrastructure, the
review of the Services, and responding to security incidents.
Access Control and Privilege Management. Partner's administrators must
authenticate themselves via a central authentication system or via a single sign
on system in order to administer the Services.
Internal Data Access Processes and Policies – Access Policy. Google's
internal data access processes and policies are designed to prevent unauthorized
persons and/or systems from gaining access to systems used to process personal
data. Google designs its systems to (i) only allow authorized persons to access
data they are authorized to access; and (ii) ensure that personal data cannot be
read, copied, altered or removed without authorization during processing, use and
after recording. The systems are designed to detect any inappropriate access.
Google employs a centralized access management system to control personnel access
to production servers, and only provides access to a limited number of authorized
personnel. Google's authentication and authorization systems utilize SSH
certificates and security keys, and are designed to provide Google with secure and
flexible access mechanisms. These mechanisms are designed to grant only approved
access rights to site hosts, logs, data and configuration information. Google
requires the use of unique user IDs, strong passwords, two factor authentication
and carefully monitored access lists to minimize the potential for unauthorized
account use. The granting or modification of access rights is based on: the
authorized personnel's job responsibilities; job duty requirements necessary to
perform authorized tasks; and a need to know basis. The granting or modification
of access rights must also be in accordance with Google's internal data access
policies and training. Approvals are managed by workflow tools that maintain audit
records of all changes. Access to systems is logged to create an audit trail for
accountability. Where passwords are employed for authentication (e.g., login to
workstations), password policies that follow at least industry-standard practices
are implemented. These standards include restrictions on password reuse and
sufficient password strength. For access to extremely sensitive information
(e.g., credit card data), Google uses hardware tokens.
(i) Data Storage, Isolation and Logging. Google stores data in a
multi-tenant environment on Google-owned servers. Google replicates Partner Data
between multiple geographically dispersed data centers. Google also logically
isolates the Partner's data. Partner or its Customers will be given control over
specific data sharing policies. Those policies, in accordance with the
functionality of the Services, will enable Partner or its Customers to determine
the product sharing settings applicable to Partner's Customer for specific
purposes. Partner or its Customers may choose to make use of logging functionality
that Google makes available via the Services.
(ii) Decommissioned Disks and Disk Erase Policy. Disks containing data may
experience performance issues, errors or hardware failure that lead them to be
decommissioned ("Decommissioned Disk"). Every Decommissioned Disk is subject to
a series of data destruction processes (the "Disk Erase Policy") before leaving
Google's premises either for reuse or destruction. Decommissioned Disks are erased
in a multi-step process and verified complete by at least two independent
validators. The erase results are logged by the Decommissioned Disk's serial
number for tracking. Finally, the erased Decommissioned Disk is released to
inventory for reuse and redeployment. If, due to hardware failure, the
Decommissioned Disk cannot be erased, it is securely stored until it can be
destroyed. Each facility is audited regularly to monitor compliance with the Disk
(d) Personnel Security
Google personnel are required to conduct themselves in a manner consistent with
the company's guidelines regarding confidentiality, business ethics, appropriate
usage, and professional standards. Google conducts reasonably appropriate
background checks to the extent legally permissible and in accordance with
applicable local labor law and statutory regulations.
Personnel are required to execute a confidentiality agreement and must
acknowledge receipt of, and compliance with, Google's confidentiality and privacy
policies. Personnel are provided with security training. Personnel handling
Partner Data are required to complete additional requirements appropriate to their
role (e.g., certifications). Google's personnel will not process Partner Data
5. Unaffiliated Infrastructure Provider
Partners who choose (on their own behalf or that of their Customers) to use an
Unaffiliated Infrastructure Provider should refer to the Order Form for details
of the technical and organizational measures implemented and maintained by the
Unaffiliated Infrastructure Provider.