Google-Managed Multi-Cloud Services Data Processing and Security Terms Addendum

For the purposes of this Addendum and the CDPA, Customer Data will include data provided by or on behalf of Customer or Customer End Users to Google via the Google-Managed MCS under the Account (“Multi-Cloud Customer Data”).

2.1. Authorization to Engage Multi-Cloud Service Third-Party Provider. Customer selects the Multi-Cloud Service Third-Party Provider on whose infrastructure the Google-Managed MCS are deployed. The process to make the selection of the Multi-Cloud Service Third-Party Provider will be explicitly documented in the Documentation for the Google-Managed MCS. Customer specifically authorizes the engagement of Customer’s selected Multi-Cloud Service Third-Party Provider and their subprocessors (as referenced in the Multi-Cloud Service Data Processing Terms) to process the Multi-Cloud Customer Data in connection with Google’s provision of the Google-Managed MCS.

2.2. Information about Multi-Cloud Service Third-Party Providers. The available Multi-Cloud Service Third-Party Providers are listed at https://cloud.google.com/terms/mcs-providers (as may be updated by Google from time to time). 

2.3. Requirements for Multi-Cloud Service Third-Party Provider Engagement. When engaging Customer’s selected Multi-Cloud Service Third-Party Provider in connection with the Google-Managed MCS, Google will:

a. ensure via a written contract that the Multi-Cloud Service Third-Party Provider only accesses and uses the Multi-Cloud Customer Data to the extent required to perform the obligations subcontracted to it; 

b. enter into a data processing agreement with the Multi-Cloud Service Third-Party Provider that imposes the data protection obligations described in Article 28(3) of the GDPR on the Multi-Cloud Service Third-Party Provider for its processing of any personal data within the Multi-Cloud Customer Data; and 

c. remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Multi-Cloud Service Third-Party Provider in the provision of the Google-Managed MCS.

2.4. Multi-Cloud Service Third-Party Provider Changes. Google will not change Customer’s selected Multi-Cloud Service Third-Party Provider. Customer is responsible for and in control of which Multi-Cloud Service Third-Party Provider may process the Multi-Cloud Customer Data, and may change or revoke its Multi-Cloud Service Third-Party Provider selection at any time. Information about changes to the Multi-Cloud Service Third-Party Provider’s subprocessors is available in the Multi-Cloud Service Third-Party Provider’s data processing terms.

3.1. Security Measures.

a. Google Infrastructure. The Security Measures described in Appendix 2 of the CDPA apply to Customer Data that Google processes pursuant to Google’s provision of the Google-Managed MCS on Google’s infrastructure.

b. Multi-Cloud Service Third-Party Provider Infrastructure. Where Customer Data that Google processes via the Google-Managed MCS is processed on the Multi-Cloud Service Third-Party Provider’s infrastructure, for any security measures described in Appendix 2 that are managed solely by the Multi-Cloud Service Third-Party Provider, such as physical security for the applicable data centers, Google will rely on the security measures implemented and maintained by the applicable Multi-Cloud Service Third-Party Provider.

3.2. Customer’s Audit Rights. The Multi-Cloud Service Data Processing Terms describe Customer’s right to directly audit and inspect the Multi-Cloud Service Third-Party Provider. Section 7.5.2 (Customer’s Audit Rights) of the CDPA only applies to Google’s processing of Multi-Cloud Customer Data stored in Google’s infrastructure pursuant to Google’s provision of the Google-Managed MCS.

To the extent of any conflict or inconsistency between this Addendum and the remaining terms of the Agreement, this Addendum will govern.