7.1 Google’s Security Measures, Controls and Assistance.
7.1.1 Google’s Security Measures. Google will
implement and maintain technical, organizational and
physical measures to protect Partner Data against
accidental or unlawful destruction, loss, alteration,
unauthorized disclosure or access as described in Appendix
2 (the “Security Measures”). The Security Measures
include measures to encrypt Partner Data; to help ensure
ongoing confidentiality, integrity, availability and
resilience of Google’s systems and services; to help
restore timely access to Partner Data following an
incident; and for regular testing of effectiveness. Google
may update the Security Measures from time to time
provided that such updates do not result in a material
reduction of the security of the Services.
7.1.2 Access and Compliance. Google will: (a)
authorize its employees, contractors and Subprocessors to
access Partner Data only as strictly necessary to comply
with Instructions; (b) take appropriate steps to ensure
compliance with the Security Measures by its employees,
contractors and Subprocessors to the extent applicable to
their scope of performance; and (c) ensure that all
persons authorized to process Partner Data are under an
obligation of confidentiality.
7.1.3 Additional Security Controls. Google
will make Additional Security Controls available to: (a)
allow Partner to take steps to secure Partner Data; and
(b) provide Partner with information about securing,
accessing and using Partner Data.
7.1.4 Google’s Security Assistance. Google
will (taking into account the nature of the processing of
Partner Personal Data and the information available to
Google) assist Partner in ensuring compliance with its
(or, where Partner is a processor, the relevant
controller’s) obligations under Articles 32 to 34 of the
a. implementing and
maintaining the Security Measures in accordance with
Section 7.1.1 (Google’s Security Measures);
b. making Additional Security
Controls available to Partner in accordance with Section
7.1.3 (Additional Security Controls);
c. complying with the terms
of Section 7.2 (Data Incidents);
d. providing Partner with the
Security Documentation in accordance with Section 7.5.1
(Reviews of Security Documentation) and the information
contained in the Agreement (including this Addendum); and
e. if subsections (a)-(d)
above are insufficient for Partner (or the relevant
controller) to comply with such obligations, upon
Partner’s request, providing Partner with additional
reasonable cooperation and assistance.
7.2 Data Incidents.
7.2.1 Incident Notification. Google will
notify Partner promptly and without undue delay after
becoming aware of a Data Incident, and promptly take
reasonable steps to minimize harm and secure Partner Data.
7.2.2 Details of Data Incident. Google’s
notification of a Data Incident will describe: the nature
of the Data Incident including the Partner resources
impacted; the measures Google has taken, or plans to take,
to address the Data Incident and mitigate its potential
risk; the measures, if any, Google recommends that Partner
take to address the Data Incident; and details of a
contact point where more information can be obtained. If
it is not possible to provide all such information at the
same time, Google’s initial notification will contain the
information then available and further information will be
provided without undue delay as it becomes available.
7.2.3 Delivery of Notification.
Notification(s) of any Data Incident(s) will be delivered
to the Notification Email Address.
7.2.4 No Assessment of Partner Data by Google.
Google has no obligation to assess Partner Data in order
to identify information subject to any specific legal
7.2.5 No Acknowledgement of Fault by Google.
Google’s notification of or response to a Data Incident
under this Section 7.2 (Data Incidents) will not be
construed as an acknowledgement by Google of any fault or
liability with respect to the Data Incident.
7.3 Partner’s Security Responsibilities and Assessment.
7.3.1 Partner’s Security Responsibilities.
Without prejudice to Google’s obligations under Sections
7.1 (Google’s Security Measures, Controls and Assistance)
and 7.2 (Data Incidents) and elsewhere in the Agreement,
as between Google and Partner, Partner is responsible for
its and its Customers’ use of the Services and its and
their storage of any copies of Partner Data outside
Google’s or Google’s Subprocessors’ systems, including:
a. using the Services and
Additional Security Controls to ensure a level of security
appropriate to the risk to the Partner Data;
b. securing the account
authentication credentials, systems and devices Partner
and its Customers use to access the Services; and
c. backing up Partner Data as
7.3.2 Partner’s Security Assessment.
Partner agrees that the Services, Security Measures
implemented and maintained by Google, Additional Security
Controls and Google’s commitments under this Section 7
(Data Security) provide a level of security appropriate to
the risk to Partner Data (taking into account the state of
the art, the costs of implementation and the nature,
scope, context and purposes of the processing of Partner
Personal Data as well as the risks to individuals).
7.4 Compliance Certifications and SOC Reports.
Google will maintain at least the following for the
Audited Services in order to evaluate the continued
effectiveness of the Security Measures: (a) certificates
for ISO 27001, ISO 27017 and ISO 27018 and a PCI DSS
Attestation of Compliance (the
“Compliance Certifications”); and (b) SOC 2 and SOC
3 reports produced by Google’s Third Party Auditor and
updated annually based on an audit performed at least once
every 12 months (the “SOC Reports”). Google may add
standards at any time. Google may replace a Compliance
Certification or SOC Report with an equivalent or enhanced
7.5 Reviews and Audits of Compliance.
7.5.1 Reviews of Security Documentation.
Google will make the Compliance Certifications and the SOC
Reports available for review by Partner to demonstrate
compliance by Google with its obligations under this
7.5.2 Partner’s Audit Rights.
a. If European Data
Protection Law applies to the processing of Partner
Personal Data, Google will allow Partner or an independent
auditor appointed by Partner to conduct audits (including
inspections) to verify Google’s compliance with its
obligations under this Addendum in accordance with Section
7.5.3 (Additional Business Terms for Reviews and Audits).
During an audit, Google will make available all
information necessary to demonstrate such compliance and
contribute to the audit as described in Section 7.4
(Compliance Certifications and SOC Reports) and this
Section 7.5 (Reviews and Audits of Compliance).
b. If Partner SCCs apply as
described in Section 10.2 (Restricted European Transfers),
Google will allow Partner (or an independent auditor
appointed by Partner) to conduct audits as described in
those SCCs and, during an audit, make available all
information required by those SCCs, both in accordance
with Section 7.5.3 (Additional Business Terms for Reviews
c. Partner may conduct an
audit to verify Google’s compliance with its obligations
under this Addendum by reviewing the Security
Documentation (which reflects the outcome of audits
conducted by Google’s Third Party Auditor).
7.5.3 Additional Business Terms for Reviews and Audits.
a. Partner must send any
requests for reviews of the SOC 2 report under Section
5.1.2(c)(i) or 7.5.1, or audits under Section 7.5.2(a) or
7.5.2(b), to Google’s Cloud Data Protection Team as
described in Section 12 (Cloud Data Protection Team;
b. Following receipt by
Google of a request under Section 7.5.3(a), Google and
Partner will discuss and agree in advance on: (i) the
reasonable date(s) of and security and confidentiality
controls applicable to any review of the SOC 2 report
under Section 5.1.2(c)(i) or 7.5.1; and (ii) the
reasonable start date, scope and duration of and security
and confidentiality controls applicable to any audit under
Section 7.5.2(a) or 7.5.2(b).
c. Google may charge a fee
(based on Google’s reasonable costs) for any audit under
Section 7.5.2(a) or 7.5.2(b). Google will provide Partner
with further details of any applicable fee, and the basis
of its calculation, in advance of any such audit. Partner
will be responsible for any fees charged by any auditor
appointed by Partner to execute any such audit.
d. Google may object in
writing to an auditor appointed by Partner to conduct any
audit under Section 7.5.2(a) or 7.5.2(b) if the auditor
is, in Google’s reasonable opinion, not suitably qualified
or independent, a competitor of Google, or otherwise
manifestly unsuitable. Any such objection by Google will
require Partner to appoint another auditor or conduct the