Google-Managed Multi-Cloud Services Data Processing Amendment

This Google-Managed Multi-Cloud Services Data Processing Amendment (this “Amendment”) supplements and amends the Cloud Data Processing Addendum (“CDPA”) solely with respect to the Google-Managed Multi-Cloud Services (“Google-Managed MCS”). Capitalized terms used but not defined in this Amendment have the meaning given to them in the Agreement, including the CDPA and any applicable Service Specific Terms. If the CDPA is the Cloud Data Processing Addendum (Partners), all references in this Amendment to Customer will mean Partner, and to End Users will mean Partner’s Customers and Partner End Users.

If Customer opts to use the Google-Managed MCS, Google-Managed MCS will be deployed on the infrastructure of a third party cloud provider (other than a Google Affiliate) selected by Customer (“Multi-Cloud Service Third-Party Provider”) and this Amendment will apply only to Google’s processing of any Multi-Cloud Customer Data (as defined below) stored in that provider’s infrastructure pursuant to Google’s provision of the Google-Managed MCS. For clarity, this Amendment does not apply to Google’s processing of Multi-Cloud Customer Data stored in Google’s infrastructure pursuant to Google’s provision of the Google-Managed MCS, or to any separate agreement Customer has in place with Customer’s selected Multi-Cloud Service Third-Party Provider governing the Multi-Cloud Service Third-Party Provider’s processing of data on behalf of Customer (“MCS Third-Party Terms”).

1. Customer Data

For the purposes of this Amendment and the CDPA, Customer Data will include data provided by or on behalf of Customer or its End Users via the Google-Managed MCS (“Multi-Cloud Customer Data”).

2. Multi-Cloud Service Third-Party Providers

2.1. Authorization to Engage Multi-Cloud Service Third-Party Provider. If Customer selects a Multi-Cloud Service Third-Party Provider (following the process described in the Documentation for the Google-Managed MCS), Customer specifically authorizes the engagement of that Multi-Cloud Service Third-Party Provider to process the Multi-Cloud Customer Data in connection with Google’s provision of the Google-Managed MCS. If Customer is a processor, Customer warrants that the relevant controller has authorized the engagement of any Multi-Cloud Service Third-Party Providers as described in this Amendment.

2.2. Information about Multi-Cloud Service Third-Party Providers. The available Multi-Cloud Service Third-Party Providers are listed at https://cloud.google.com/terms/mcs-providers (as may be updated by Google from time to time). 

2.3. Requirements for Multi-Cloud Service Third-Party Provider Engagement. When engaging Customer’s selected Multi-Cloud Service Third-Party Provider in connection with the Google-Managed MCS, Google will:

a. ensure via a written contract that:

i. the Multi-Cloud Service Third-Party Provider only accesses and uses the Multi-Cloud Customer Data to the extent required to perform the obligations subcontracted to it; and

ii. enter into a data processing agreement with the Multi-Cloud Service Third-Party Provider that imposes the data protection obligations described in Article 28(3) of the GDPR on the Multi-Cloud Service Third-Party Provider in relation to its processing of any personal data within the Multi-Cloud Customer Data; and

b. remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Multi-Cloud Service Third-Party Provider related to the provision of the Google-Managed MCS. 

2.4. Multi-Cloud Service Third-Party Provider Changes. Customer is responsible for its selection of a Multi-Cloud Service Third-Party Provider to process the Multi-Cloud Customer Data, and may change or revoke its selection at any time. Google will not change Customer’s selected Multi-Cloud Service Third-Party Provider.

3. Data Security

3.1. Security Measures. Where Multi-Cloud Customer Data is processed on the Multi-Cloud Service Third-Party Provider’s infrastructure, the Security Measures described in Appendix 2 (Security Measures) of the CDPA will, to the extent they are dependent on Google’s infrastructure or sole control, be deemed replaced with the security measures implemented and maintained by the Multi-Cloud Service Third-Party Provider.

3.2. Customer’s Audit Rights. Any rights of Customer to directly audit and inspect the Multi-Cloud Service Third-Party Provider will be described in the MCS Third-Party Terms. Section 7.5.2 (Customer’s Audit Rights) of the CDPA only applies to Google’s processing of Multi-Cloud Customer Data stored in Google’s infrastructure pursuant to Google’s provision of the Google-Managed MCS.

4. Effect of this Amendment

To the extent of any conflict or inconsistency between this Amendment and the remaining terms of the Agreement, including the CDPA, this Amendment will govern.

Previous versions (Last modified August 17, 2023)