Google Cloud Marketplace Partner Information Protection Addendum
Last modified: August 1, 2023
This Marketplace Partner Information Protection Addendum (“Marketplace PIPA”) is incorporated into the Marketplace Vendor Agreement between You and Google or the other agreement under which Google lists Your Products on the Google Cloud Marketplace (the “Agreement”). Capitalized terms used but not defined in this Marketplace PIPA have the meaning given to them in the Agreement.
1. General.
(a) Agreement. This Partner Information Protection Addendum (the “PIPA”) forms part of the Google Cloud Marketplace Vendor Agreement between You and Google (collectively the “Agreement”) and incorporates the Controller-Controller SCCs (as defined below) to the extent applicable.
(b) Order of Precedence. To the extent the PIPA conflicts with the Agreement, the PIPA will govern.
(c) Interpretation. The Agreement’s defined terms apply unless the PIPA expressly states otherwise. Capitalized terms used but not defined will have the meanings given to them in the Agreement.
2. Defined Terms.
In this PIPA:
(a) “Alternative Transfer Solution” means a mechanism other than the Applicable Standard Contract Clauses that enables the lawful transfer of Personal Information from the EEA, UK, or Switzerland to a third country in accordance with Applicable Data Protection Laws, including if valid and as applicable, the EU-U.S., Swiss-U.S., or UK-U.S. Privacy Shield self-certification programs or the EU-U.S. Data Privacy Framework, each to the extent approved and operated by the U.S. Department of Commerce (the “Privacy Shield”), or another valid certification program in force in accordance with Applicable Data Protection Laws.
(b) “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
(c) “Applicable Data Protection Laws” means privacy, data security, and data protection laws, directives, and regulations in any jurisdiction applicable to the Personal Information Processed for the Services including the GDPR, LGPD, and U.S. State Data Protection Laws.
(d) “Controller-Controller SCCs” means the European Commission’s standard contractual clauses which are standard data protection clauses for the transfer of personal data to Data Controllers established in third countries that do not ensure an adequate level of data protection, as described in Article 46 of the GDPR and set forth at https://business.safety.google/gdprcontrollerterms/sccs/eu-c2c.
(e) “Data Controller” means an entity that determines the purposes and means of Processing Personal Information. Data Controller also means “controller” as defined by Applicable Data Protection Laws, and “business” as defined in the CCPA.
(f) “Deidentified Data” means “de-identified data” or “deidentified data” as defined by U.S. State Data Protection Laws.
(g) “Disclosing Controller” means You or the Google End Controller that transfers Personal Information to the Google End Controller or You under this PIPA as applicable. For purposes of the Controller-Controller SCCs, the Disclosing Controller means the data exporter.
(h) “End Controller” means, for each party, the ultimate Data Controller of Personal Information.
(i) “GDPR” means (i) the European Union General Data Protection Regulation (EU) 2016/679 (the “EU GDPR”) on data protection and privacy for all individuals within the European Union (“EU”) and the European Economic Area (“EEA”); (ii) the EU GDPR as incorporated into United Kingdom (“UK”) law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK GDPR”); and (iii) the Federal Data Protection Act of 19 June 1992 (Switzerland) (each as amended, superseded, or replaced).
(j) “Google End Controller” means the End Controllers of Personal Information Processed by Google in accordance with Google’s applicable privacy policy at https://cloud.google.com/terms/cloud-privacy-notice or as otherwise notified to You.
(k) “includes” or “including” means “including but not limited to.”
(l) “individual” or “individuals” mean natural persons who can be readily identified, directly or indirectly, or data subjects as defined by Applicable Data Protection Laws.
(m) “LGPD” means Brazilian Law no. 13,709 for the protection of personal data.
(n) “Personal Information” means any information disclosed by or collected on behalf of Google and Processed by You in connection with the Agreement that is (i) about an individual; or (ii) not specifically about an individual but, when combined with other information, may identify an individual. Personal Information includes names, email addresses, postal addresses, telephone numbers, government identification numbers, financial account numbers, payment card information, credit report information, biometric information, online identifiers (including IP addresses and cookie identifiers), network and hardware identifiers, and geolocation information, and any information that constitutes “personal data” or “personal information” within the meaning of Applicable Data Protection Laws.
(o) “Process” or “Processing” means to access, handle, create, collect, acquire, receive, record, combine, consult, use, process, alter, store, retain, maintain, retrieve, disclose, or dispose of. Process also includes “processing” within the meaning of Applicable Data Protection Laws.
(p) “reasonable” means reasonable and appropriate to (i) the size, scope, and complexity of Your business; (ii) the nature of Personal Information being Processed; and (iii) the need for privacy, confidentiality, and security of Personal Information.
(q) “Receiving Controller” means You or the Google End Controller that receives Personal Information from the Google End Controller or You under this PIPA as applicable. For purposes of the Controller-Controller SCCs, the data importer means the Receiving Controller.
(r) “Regulator” or “Regulatory” means an entity with supervisory or regulatory authority over Google under Applicable Data Protection Laws.
(s) “Sale” and “Share” have the meanings given under U.S. State Data Protection Laws.
(t) “Services” means any services, operations, or activities in connection with which You Process Personal Information under the Agreement.
(u) “U.S. State Data Protection Laws” means privacy, data security, and data protection laws and regulations within the United States applicable to the personal information processed by a party under the Agreement and includes (i) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.; (ii) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq.; (iii) Connecticut’s Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015; (iv) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; (v) the California Consumer Privacy Act of 2018 (as amended, including as amended by the California Privacy Rights Act of 2020) together with all implementing regulations (the “CCPA”); and (vi) data privacy or data protection laws modeled on any of the foregoing, each as may be in effect and applicable to the parties’ Processing of Personal Information.
(v) “You” or “Your” means the party to the Google Cloud Marketplace Vendor Agreement.
3. Mutual Representations and Warranties.
The parties represent and warrant that each:
(a) is an independent Data Controller with respect to the Personal Information, and
(b) will individually determine the purposes and means of its Processing of Personal Information received from the Disclosing Controller as described in the Agreement.
4. Compliance.
You will comply as an independent business with Applicable Data Protection Laws, including to the extent applicable:
(a) Processing Personal Information only where You maintain a lawful basis of Processing;
(b) providing all required notices and obtaining all required consents from individuals before Processing Personal Information, or disclosing Personal Information;
(c) providing individuals with rights in connection with Personal Information in a timely manner, including the ability of individuals to: (i) access or receive their Personal Information in an agreed upon format; and (ii) correct, amend, or delete Personal Information where it is inaccurate, or has been Processed in violation of Applicable Data Protection Laws;
(d) responding to individual requests or a Regulator concerning the party’s Processing of Personal Information;
(e) Processing Deidentified Data received by Google in a manner that complies with applicable U.S. State Data Protection Laws.
5. Processing Personal Information.
(a) Restrictions. You will Process Personal Information solely as necessary to provide the Product to the Customer unless You have collected express consent under Applicable Data Protection Law from the individual about whom the Personal Information relates to process the Personal Information for other purposes. In all cases, You will Process such data solely in accordance with (i) Your Product EULA with the applicable Customer, (ii) a designated privacy policy or privacy statement used in connection with the Products (the “Vendor Privacy Policy”), which must be clear, conspicuous, and legally compliant, and (iii) Applicable Data Protection Laws. Notwithstanding anything to the contrary in Your Product EULA or Vendor Privacy Policy, You will not (x) Process Personal Information for purposes of advertising or personalization; (y) Sell or Share Personal Information; or (z) use Personal Information for “targeted advertising,” as defined by U.S. State Data Protection Laws. You acknowledge that Google intends to disclose Personal Information only under an applicable exception to Sale and Sharing.
(b) Safeguards. You will maintain for the duration of this Agreement reasonable technical and organizational measures to protect Personal Information against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access. You will ensure that such measures provide a level of security reasonable to the risk represented by the Processing and the nature of the data to be protected.
(c) Security Incident Response; Statements. You will promptly inform Google of any security incident or data protection breach concerning Personal Information. Except as required by law, You will not make (or permit any Third-Party Provider under Your control to make) any statement concerning the security incident that directly or indirectly references Google unless Google provides its written authorization.
(d) Assessments of Compliance with this PIPA. Upon Google’s written request to assess Your compliance with the PIPA, You will, as reasonable and relevant to the Processing, provide certifications, audit reports, or other reports regarding Your compliance with this PIPA.
6. End Controller.
Without reducing either party’s obligations under the PIPA, each party acknowledges that: (a) the other party’s Affiliates or clients may be End Controllers; and (b) the other party may act as a processor on behalf of its End Controller. The Google End Controllers are: (i) for Personal Information subject to the EU GDPR and Processed by Google, Google Ireland Limited and, where the Agreement is with a different Google Affiliate, that Affiliate will be the Google End Controller responsible for Processing Personal Information subject to the EU GDPR in connection with billing for the Services only; and (ii) for Personal Information subject to the UK GDPR and Processed by Google, Google LLC. Each party will ensure that its End Controllers comply with this PIPA, including (where applicable) the Controller SCCs.
7. Data Transfers.
Each party may transfer Personal Information if it complies with applicable provisions on the transfer of Personal Information required by Applicable Data Protection Laws.
(a) To the extent a Disclosing Controller transfers Personal Information relating to individuals within the UK, EEA, or Switzerland to a Receiving Controller that is not: (i) subject to the binding obligations of a valid Alternative Transfer Solution; or (ii) located within the EEA or a location that is subject to a valid adequacy decision (as determined by the Applicable Data Protection Laws), the parties expressly agree to the Controller-Controller SCCs including the warranties and undertakings contained therein as the “data exporter” and “data importer” as applicable to the transfer of Personal Information contemplated by the parties.
(b) To the extent the Disclosing Controller transfers Personal Information to the Receiving Controller in accordance with an Alternative Transfer Solution, the Receiving Controller will: (i) provide at least the same level of protection for the Personal Information as is required by the Agreement and the applicable Alternative Transfer Solution; (ii) promptly notify the Disclosing Controller in writing if the Receiving Controller determines that it can no longer provide at least the same level of protection for the Personal Information as is required by the Agreement and applicable Alternative Transfer Solution; and (iii) upon making such a determination, cease Processing Personal Information until the Receiving Controller is able to continue providing at least the same level of protection as required by the Agreement and the applicable Alternative Transfer Solution.
(c) Google LLC has certified under the Privacy Shield on behalf of itself and certain wholly-owned US subsidiaries. Google’s certification and status is available at https://www.commerce.gov/page/eu-us-privacy-shield.
(d) Where Google is not the Google Controller, Google will ensure that it is authorized by the Google Controller to (i) enter into the Controller-Controller SCCs on behalf of the Google Controller; and (ii) exercise all rights and obligations on behalf of the Google Controller, each as if it were the Data Controller.
8. Termination.
In addition to the suspension and termination rights in the Agreement, either party may terminate the Agreement if it reasonably determines that (a) the other party has failed to cure material noncompliance with the PIPA within a reasonable time; or (b) it needs to do so to comply with Applicable Data Protection Laws.
9. Survival.
This PIPA will survive expiration or termination of the Agreement as long as You continue to Process Personal Information.
10. Changes to URLs.
Google may change any link or URL referenced in this PIPA and the content at any such URL, except that Google may only:
(a) change the Controller-Controller SCCs in accordance with Section 11 (Changes to the PIPA) or to incorporate any new version of the Controller-Controller SCCs that may be adopted under Applicable Data Protection Laws, in each case in a manner that does not affect the validity of the Controller-Controller SCCs; and
(b) make available an Alternative Transfer Solution in accordance with Section 11 (Changes to the PIPA) or to incorporate any new versions of Alternative Transfer Solutions that may be adopted under Applicable Data Protection Laws. For the purposes of this Section 10(b), Google may add a new URL and amend the content of such URL in order to make available such Alternative Transfer Solution.
11. Changes to the PIPA.
In addition to any modification rights set forth in the Agreement, Google may change this PIPA if the change:
(a) is permitted by this PIPA, including as described in Section 10(a) (Changes to URLs);
(b) reflects a change in the name or form of a legal entity;
(c) is necessary to comply with an Applicable Data Protection Law, or a binding Regulatory or court order; or
(d) does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on, either party’s right to use or otherwise Process the data in scope of the PIPA; and (iii) otherwise have a material adverse impact on the parties’ rights under this PIPA, as reasonably determined by Google.