This Standard Contractual Clauses Amendment (the "SCC Amendment") is entered into between Google and Customer and amends the Looker Data Sciences, Inc. Data Protection Addendum (the “Legacy Looker DPA Terms”). This SCC Amendment is effective on the date of the last signature appearing on the agreement into which this SCC Amendment is incorporated (the "Amendment Effective Date"). Each defined term used and not defined in this SCC Amendment has the meaning set forth in the Legacy Looker DPA Terms.

A. Looker Data Sciences, Inc. (“Looker”) and Customer signed an Agreement for the provision of Looker Services to Customer. 

B. The parties also entered into the Legacy Looker DPA Terms to govern Google’s processing of Customer Personal Data during the provision of Looker Services to Customer. 

C. Following the acquisition of Looker, Google launched new Looker terms that incorporated the Google DPST Terms. 

D. Subject to the scope described in Section 1 (Agreement Scope) below, the parties wish to amend the Legacy Looker DPA Terms to reflect the new standard contractual clauses approved by the European Commission. 

1. Agreement Scope.

1.1 Purpose. The Legacy Looker DPA Terms contain data protection terms applicable to the Looker Services, and the parties are supplementing and modifying those terms to reflect the new standard contractual clauses approved by the European Commission. 

1.2 Applicability. This SCC Amendment does not apply to Customer’s use of the Looker Services if (i) Customer and Google (including as an assignee of Looker Data Science, Inc.) did not execute the Legacy Looker DPA Terms, or (ii) the agreement governing the Looker Services includes the Google DPST Terms. For the avoidance of doubt, if either (i) or (ii) is applicable to Customer, the parties acknowledge that this SCC Amendment is null and void. 

2. New and Amended Definitions.

The following definitions are added to or amend the Legacy Looker DPA Terms:

(a) “Adequate Country” means:

(1) for data processed subject to the EU GDPR: the EEA, or a country or territory recognized as ensuring adequate protection under the EU GDPR; 

(2) for data processed subject to the UK GDPR: the UK or a country or territory recognized as ensuring adequacy protection under the UK GDPR and the Data Protection Act 2018; and/or 

(3) for data processed subject to the Swiss FDPA: Switzerland, or a country or territory that is (i) included in the list of the states whose legislation ensures adequate protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) recognized as ensuring adequate protection by the Swiss Federal Council under the Swiss FDPA, 

in each case, other than on the basis of an optional data protection framework.

(b) “Agreement” means the Looker Master Services License Agreement or the applicable license agreement governing the Looker Services into which the Legacy Looker DPA Terms are incorporated. 

(c) “Alternative Transfer Solution” means a solution, other than the SCCs, that enables the lawful transfer of personal data to a third country in accordance with European Data Protection Law, for example a data protection framework recognized as ensuring that participating entities provide adequate data protection.

(d) “Controller-to-Processor SCCs” means the terms at https://cloud.google.com/terms/looker/legal/sccs/eu-c2p   

(e) “Customer” either (i) the entity defined as “Customer” in the Agreement, or (ii) a Customer affiliate that signed an Order Form governed by the Agreement. 

(f) “Customer Personal Data” means Customer Data that is personal data. 

(g) “Customer SCCs” means the Controller-to-Processor SCCs, Processor-to-Processor SCCs, and/or the Processor-to-Controller SCCs, as applicable.

(h) “EEA” means the European Economic Area. 

(i) “European Data Protection Law” or “European Data Protection Legislation” means as applicable: (a) the GDPR; and/or (b) the Swiss FDPA.

(j) “European Law” means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Customer Personal Data); and (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Customer Personal Data).

(k) “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

(l) “GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.

(m) “Google” means the Google Entity that is assignee of the Agreement from Looker Data Sciences, Inc.

(n) “Google DPST Terms” means the Looker Data Processing and Security Terms (Customer) at the following URL: https://looker.com/trust-center/legal/customers/dpst or the Looker Data Processing and Security Terms (Partner) at the following URL: https://cloud.google.com/terms/looker/legal/partners/partner-dpst.

(o) “Google Entity” means Google LLC, Google Cloud EMEA Limited, or another affiliate of Google LLC.

(p) “Instructions” has the meaning set forth in Section 6.1 (Customer Instructions)

(q) “Legacy Looker DPA Terms” has the meaning set forth in the Preamble of this SCC Amendment. 

(r) “Looker Services” means the Software and Services that Google provisioned for Customer. 

(s) “Non-European Data Protection Law” means data protection or privacy laws in force outside the EEA, Switzerland, and the UK.

(t) “Order Form” means an order form executed by Customer and Google specifying the Software and Services Google will provide to Customer under the Agreement.

(u) “Processor-to-Processor SCCs” means the terms at https://cloud.google.com/terms/looker/legal/sccs/eu-p2p.

(v) “Processor-to-Processor, Google Exporter SCCs” means the terms at https://cloud.google.com/terms/looker/legal/sccs/eu-p2p-intra-group.

(w) “Processor-to-Controller SCCs” means the terms at https://cloud.google.com/terms/looker/legal/sccs/eu-p2c.

(x) “SCCs” means the Customer SCCs and/or Processor-to-Processor, Google Exporter SCCs, as applicable.

(y) “Standard Contractual Clauses” or “Applicable Standard Contractual Clauses” means the European Commission’s standard contractual clauses which are standard data protection terms for the transfer of personal data to third countries that do not ensure an adequate level of data protection, as described in Article 46 of the EU GDPR including: (i) EU Controller-to-Processor SCCs, (ii) EU Processor-to-Processor SCCs, or (iii) the EU Processor-to-Controller SCCs, each as defined in this SCC Amendment.

(z) “Swiss FDPA” means the Federal Data Protection Act of 19 June 1992 (Switzerland).

(aa) “UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.

(bb) "URL" means a uniform resource locator address to a site on the internet.

3. Processor and Controller Responsibilities. The parties acknowledge and agree that:

3.1 Appendix 1 to this SCC Amendment describes the subject matter and details for the processing of Customer Personal Data by Google;

3.2 Google is a processor of Customer Personal Data under the European Data Protection Law; 

3.3 Customer is a controller or processor, as applicable, of Customer Personal Data under the European Data Protection Law; and

3.4 each party will comply with the obligations applicable to it under the European Data Protection Law with respect to the processing of Customer Personal Data.

4. Processor Customers. If Customer is a processor:

4.1 Customer warrants on an ongoing basis that the relevant controller has authorized (i) the Instructions, (ii) Customer’s appointment of Google as another processor, and (iii) Google’s engagement of Subprocessors as described in the Legacy Looker DPA Terms.

4.2 Customer will immediately forward to the relevant controller any notice provided by Google (i) under the Data Breach Notification and Resolution or Subprocessing provisions of the Legacy Looker DPA Terms, (ii) under Sections 6.3 (Instruction Notifications) or 9 (Changes to URL Terms) of this SCC Amendment or (iii) that refers to any SCCs.  

4.3 Customer may make available to the relevant controller any information made available by Google under the Audit provisions of the Legacy Looker DPA Terms.

5. Responsibilities under Non-European Law. If Non-European Data Protection Law applies to either party's processing of Customer Personal Data, the relevant party will comply with any obligations applicable to it under that law with respect to the processing of that Customer Personal Data.

6. Scope of Processing.

6.1 Compliance with Customer's Instructions. Customer instructs Google to process Customer Data in accordance with the Agreement and applicable law only: (a) to provide, secure and monitor, the Looker Services; (b) as further specified via Customer's use of the Looker Services and any applicable technical support; (c) as documented in the form of the Legacy Looker DPA Terms and this SCC Amendment; and (d) as further specified via (i) Customer’s use of the Looker Services (including any functionality of the Looker Services), and (ii) any other written instructions given by Customer and acknowledged by Google as constituting instructions under this SCC Amendment for purposes of the Legacy Looker DPA Terms (collectively, the "Instructions"). Google will comply with the Instructions unless prohibited by European Law.

6.2 Google's Compliance with Instructions. Google will comply with the Instructions unless prohibited by European Law.

6.3 Instruction Notifications. Without prejudice to Google’s obligations under Section 6.1 (Compliance with Customer’s Instructions) or any other rights or obligations of either party under the Agreement, Google will immediately notify Customer if, in Google's opinion: (a) European Law prohibits Google from complying with an Instruction; (b) an Instruction does not comply with European Data Protection Law; or (c) Google is otherwise unable to comply with an Instruction, in each case unless such notice is prohibited by European Law. 

7. Customer Audit Rights. If Customer SCCs apply as described in Section 10 (Amended International Transfers) of this SCC Amendment, in addition to the audit rights set forth in the Legacy Looker DPA Terms, Google will allow Customer, or an independent auditor appointed by Customer, to conduct audits as described in the Customer SCCs and, during an audit, make available all information required by the Customer SCCs.

8. Legacy MCCs. Customer agrees that, as of the Amendment Effective Date, the SCCs will supersede and terminate any Model Contract Clauses approved under Article 26(2) of Directive 95/46/EC and previously entered into by Customer with Google LLC or an affiliate of Google LLC (“Model Contract Clauses”), including those in the Legacy Looker DPA Terms. In addition, any supplementary terms for any UK GDPR transfers in the SCCs will supersede and terminate any Model Contract Clauses approved under the UK GDPR and Data Protection Act 2018 and previously entered into by Customer and Google LLC in respect of UK GDPR transfers. Where Google LLC is not a party to the Agreement, Google LLC will be a third party beneficiary of this Section 8 (Legacy MCCs). This Section 8 (Legacy MCCs) will not affect either party’s rights, or any data subject’s rights, that may have accrued under the Model Contract Clauses while they were in force.

9. Changes to URLs.  

9.1 From time to time, Google may change the content of this SCC Amendment any URL referenced in this SCC Amendment, except that Google may only change the SCCs: (a) to incorporate any changes to, or new version of, the SCCs that may be adopted under the European Data Protection Law, in each case in a manner that does not affect the validity of the SCCs under the European Data Protection Law; (b) to reflect a change in the name or form of a legal entity; (c) as required to comply with applicable law, applicable regulation, a court order, or guidance issued by a governmental regulator or agency, or reflects Google’s adoption of an Alternative Transfer Solution; or (d) in a manner that does not (i) result in a degradation of the overall security of the Software or Services; (ii) expand the scope of or remove any restrictions on Google’s processing of Customer Personal Data, as described in Section 6.2 (Google’s Compliance with Instructions) of this SCC Amendment; and (iii) otherwise have a material adverse impact on Customer’s rights under the Legacy Looker DPA Terms and this SCC Amendment, as reasonably determined by Google.

9.2 If Google intends to update the Legacy Looker DPA Terms or this SCC Amendment, under Section 9(c) or (d), Google will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the address on the applicable Order Form; or (b) alerting Customer through the admin user interface for the Services.

10. Amended International Transfers. The International Transfers section of the Legacy Looker DPA Terms is deleted in its entirety and replaced with the following and “X” designates the appropriate section in the Legacy Looker DPA Terms:

X.1 Data Storage and Processing Facilities. Subject to the remainder of this Section (International Transfers), Customer Personal Data may be processed in any country in which Google and its Subprocessors maintain facilities.

X.2 Restricted EuropeanTransfers. The parties acknowledge that European Data Protection Law does not require SCCs or an Alternative Transfer Solution in order for Customer Personal Data to be processed in or transferred to an Adequate Country . If Customer Personal Data is transferred to any other country and European Data Protection Law applies to the transfers (“Restricted European Transfers”), then:

(a) if Google has adopted an Alternative Transfer Solution for any Restricted European Transfers, then Google will inform Customer of the relevant solution and ensure that such Restricted European Transfers are made in accordance with it; and/or

(b) if Google has not adopted, or informs Customer that Google is no longer adopting, an Alternative Transfer Solution for any Restricted European Transfers, then:

(i) if Google's address is in an Adequate Country:

A. the Processor-to-Processor, Google Exporter SCCs will apply with respect to such Restricted European Transfers from Google to Subprocessors; and

B. in addition, if Customer's billing address is not in an Adequate Country, the Processor-to-Controller SCCs will apply (regardless of whether Customer is a controller and/or processor) with respect to such Restricted European Transfers between Google and Customer; or

(ii) if Google's address is not in an Adequate Country: the Controller-to-Processor SCCs and/or Processor-to-Processor SCCs will apply (according to whether Customer is a controller and/or processor) with respect to Restricted European Transfers between Customer and Google.

X.3 Supplementary Measures and Information. Google will provide Customer with information relevant to Restricted European Transfers, including information about supplementary measures to protect Customer Personal Data:

(a) as described in the Audit section of the Legacy Looker DPA Terms;

(b) in the documentation for the Services, available at https://docs.looker.com/; and

(c) in the Trust and Security website for the Services, available at https://looker.com/trust-center/security/

X.4 Termination. If Customer concludes, based on its current or intended use of the Software and Services, that the Alternative Transfer Solution and/or SCCs, as applicable, do not provide appropriate safeguards for Customer Personal Data, then Customer may immediately terminate the Agreement for convenience by notifying Google.

X.5 Data Center Information. Information about the location of the data center(s) where Google stores personal data at rest in connection with the Services and Software is described on the applicable Order Form or as otherwise confirmed by Google.

11. Additional Amendments to the Legacy Looker DPA Terms

11.1 Any existing definition and related sentences referencing “Privacy Shield” are hereby removed from the Legacy Looker DPA Terms. 

11.2 Any existing definition of “Standard Contractual Clauses” or “Model Contractual Clauses” is removed from the Legacy Looker DPA Terms and all references to “Standard Contractual Clauses” or “Model Contractual Clauses” in the Legacy Looker DPA Terms is deleted. This includes any references to specific provisions of the Standard Contractual Clauses in the Legacy Looker DPA Terms, which are hereby deleted from the Legacy Looker DPA Terms.

11.3 Exhibit B (Standard Contractual Clauses (processors)), or the equivalent, from the Legacy Looker DPA Terms is deleted in its entirety. 

12. Miscellaneous. To the extent the Agreement governs Customer’s provision of Looker Services: (a) the parties' obligations under this SCC Amendment will survive expiration or termination of the Agreement as long as the parties continue to access Customer Personal Data subject to the European Data Protection Law, (b) the Legacy Looker DPA Terms remain in full force and effect, except as modified by this SCC Amendment, (c) the governing law and dispute resolution provisions applicable to the Legacy Looker DPA Terms also apply to this SCC Amendment, and (d) to the extent of any conflict or inconsistency between this SCC Amendment (including the Customer SCCs) and the remainder of the Agreement (including the Legacy Looker DPA Terms) this SCC Amendment will prevail. 

Appendix 1: Subject Matter and Details of the Data Processing

Subject Matter

Google's provision of the Looker Services to Customer and its Users.

Duration of the Processing

The term of the Agreement plus the period from the expiry of the Agreement until deletion of customer’s data by Google in accordance with the Agreement.

Nature and Purpose of the Processing

Google will process Customer Personal Data for the purposes of providing the Looker Services to Customer and its Users in accordance with the Agreement.

Categories of Data

Data relating to individuals provided to Google via the Looker Services, by (or at the direction of) Customer or its Users.

Data Subjects

Data subjects include the individuals about whom data is provided to Google via the Looker Services by (or at the direction of) Customer or its Users.