Google-Managed Multi-Cloud Services Data Processing Amendment
Last modified: April 11, 2023
This Google-Managed Multi-Cloud Services Data Processing Amendment (this “Amendment”) supplements and amends the Cloud Data Processing Addendum (“CDPA”) solely with respect to the Google-Managed Multi-Cloud Services (“Google-Managed MCS”). Capitalized terms used but not defined in this Amendment have the meaning given to them in the Agreement, including, without limitation, Section 6 (Google-Managed Multi-Cloud Services Terms) of the Service Specific Terms, General Service Terms.
This Amendment sets out amendments to the CDPA needed to address the multi-cloud delivery model where Customer chooses to use the Google-Managed MCS. The terms of this Amendment apply only to Google’s processing of Multi-Cloud Customer Data (as defined below) stored in Customer’s selected Multi-Cloud Service Third-Party Provider’s infrastructure pursuant to Google’s provision of the Google-Managed MCS. Customer will have a separate agreement in place with Customer’s selected Multi-Cloud Service Third-Party Provider governing the Multi-Cloud Service Third-Party Provider’s processing of Customer’s data on behalf of Customer (“Multi-Cloud Service Data Processing Terms”).
1. Customer Data
For the purposes of this Amendment and the CDPA, Customer Data will include data provided by or on behalf of Customer or Customer End Users to Google via the Google-Managed MCS under the Account (“Multi-Cloud Customer Data”).
2. Multi-Cloud Service Third-Party Providers
2.1. Authorization to Engage Multi-Cloud Service Third-Party Provider. Customer selects the Multi-Cloud Service Third-Party Provider on whose infrastructure the Google-Managed MCS are deployed. The process to make the selection of the Multi-Cloud Service Third-Party Provider will be explicitly documented in the Documentation for the Google-Managed MCS. Customer specifically authorizes the engagement of Customer’s selected Multi-Cloud Service Third-Party Provider and their subprocessors (as referenced in the Multi-Cloud Service Data Processing Terms) to process the Multi-Cloud Customer Data in connection with Google’s provision of the Google-Managed MCS.
2.2. Information about Multi-Cloud Service Third-Party Providers. The available Multi-Cloud Service Third-Party Providers are listed at https://cloud.google.com/terms/mcs-providers (as may be updated by Google from time to time).
2.3. Requirements for Multi-Cloud Service Third-Party Provider Engagement. When engaging Customer’s selected Multi-Cloud Service Third-Party Provider in connection with the Google-Managed MCS, Google will:
a. ensure via a written contract that the Multi-Cloud Service Third-Party Provider only accesses and uses the Multi-Cloud Customer Data to the extent required to perform the obligations subcontracted to it;
b. enter into a data processing agreement with the Multi-Cloud Service Third-Party Provider that imposes the data protection obligations described in Article 28(3) of the GDPR on the Multi-Cloud Service Third-Party Provider for its processing of any personal data within the Multi-Cloud Customer Data; and
c. remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Multi-Cloud Service Third-Party Provider in the provision of the Google-Managed MCS.
2.4. Multi-Cloud Service Third-Party Provider Changes. Google will not change Customer’s selected Multi-Cloud Service Third-Party Provider. Customer is responsible for and in control of which Multi-Cloud Service Third-Party Provider may process the Multi-Cloud Customer Data, and may change or revoke its Multi-Cloud Service Third-Party Provider selection at any time. Information about changes to the Multi-Cloud Service Third-Party Provider’s subprocessors is available in the Multi-Cloud Service Third-Party Provider’s data processing terms.
3. Data Security
3.1. Security Measures.
a. Google Infrastructure. The Security Measures described in Appendix 2 of the CDPA apply to Customer Data that Google processes pursuant to Google’s provision of the Google-Managed MCS on Google’s infrastructure.
b. Multi-Cloud Service Third-Party Provider Infrastructure. Where Customer Data that Google processes via the Google-Managed MCS is processed on the Multi-Cloud Service Third-Party Provider’s infrastructure, for any security measures described in Appendix 2 of the CDPA that are managed solely by the Multi-Cloud Service Third-Party Provider, such as physical security for the applicable data centers, Google will rely on the security measures implemented and maintained by the applicable Multi-Cloud Service Third-Party Provider.
3.2. Customer’s Audit Rights. The Multi-Cloud Service Data Processing Terms describe Customer’s right to directly audit and inspect the Multi-Cloud Service Third-Party Provider. Section 7.5.2 (Customer’s Audit Rights) of the CDPA only applies to Google’s processing of Multi-Cloud Customer Data stored in Google’s infrastructure pursuant to Google’s provision of the Google-Managed MCS.
4. Effect of this Amendment
To the extent of any conflict or inconsistency between this Amendment and the remaining terms of the Agreement, this Amendment will govern.