Data Processing Addendum for SecOps Consulting Services and Managed Services

This Data Processing Addendum for Consulting Services and Managed Services, including the appendices (the “Terms”), will be effective and replace any previously applicable data processing and security terms for Consulting Services and/or Managed Services, as applicable, when and to the extent there is a direct conflict.

2.1 Unless otherwise defined in these Terms, capitalized terms defined in the Agreement apply to these Terms. In addition, in these Terms:

• Adequate Country means:

(a) for data processed subject to the EU GDPR: the EEA, or a country or territory recognized as ensuring adequate protection under the EU GDPR;

(b) for data processed subject to the UK GDPR: the UK, or a country or territory recognized as ensuring adequate protection under the UK GDPR and the Data Protection Act 2018; and/or

(c) for data processed subject to the Swiss FDPA: Switzerland, or a country or territory that is: (i) included in the list of the states whose legislation ensures adequate protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) recognized as ensuring adequate protection by the Swiss Federal Council under the Swiss FDPA; in each case, other than on the basis of an optional data protection framework.

• Alternative Transfer Solution means a solution, other than SCCs, that enables the lawful transfer of personal data to a third country in accordance with European Data Protection Law, for example a data protection framework recognized as ensuring that participating entities provide adequate protection.
• Consulting Services means the then-current advisory and implementation services described at https://cloud.google.com/terms/secops/services or in an applicable Order Form.
• Customer Data means data provided by or on behalf of Customer or Customer End Users in connection with receiving Consulting Services and/or Managed Services, as applicable, as further described in the applicable Statement of Work.
• Customer Personal Data means the personal data contained within the Customer Data, including any special categories of personal data defined under European Data Protection Law.
• Customer SCCs means the SCCs (Controller-to-Processor), the SCCs (Processor-to-Processor) and/or the SCCs (Processor-to-Controller), as applicable.
• Data Incident means a breach of Google’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data while processed by Google personnel or Subprocessors under the Agreement. For clarity, Data Incidents under this definition exclude previous incidents that are the subject of the Consulting Services and/or Managed Services, as applicable.
• EEA means the European Economic Area.
• EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
• European Data Protection Law means, as applicable: (a) the GDPR; and/or (b) the Swiss FDPA.
• European Law means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Customer Personal Data); and (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Customer Personal Data).
• GDPR means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.
• Instructions has the meaning given in Section 5.2.1 (Customer’s Instructions).
• Managed Services means the then-current managed detection and response services described at https://cloud.google.com/terms/secops/services or in the applicable Order Form.
• Non-European Data Protection Law means data protection or privacy laws in force outside the EEA, Switzerland and the UK.
• Notification Email Address means the email address(es) designated by Customer in the SOW or Order Form to receive certain notifications from Google. Customer is responsible for notifying Google of any changes to ensure that its Notification Email Address remains current and valid.
• SCCs means the Customer SCCs and/or SCCs (Processor-to-Processor, Google Exporter), as applicable.
• SCCs (Controller-to-Processor) means the terms at: https://cloud.google.com/terms/secops/sccs/eu-c2p .
• SCCs (Processor-to-Controller) means the terms at: https://cloud.google.com/terms/secops/sccs/eu-p2c .
• SCCs (Processor-to-Processor) means the terms at: https://cloud.google.com/terms/secops/sccs/eu-p2p .
• SCCs (Processor-to-Processor, Google Exporter) means the terms at: https://cloud.google.com/terms/secops/sccs/eu-p2p-google-exporter .
• Security Measures has the meaning given in Section 7.1.1 (Google Security Measures).
• Subprocessor means a third party authorized as another processor under Section 11 (Subprocessors) to have access to and process Customer Personal Data to provide parts of the Consulting Services and/or Managed Services, as applicable.
• Supervisory Authority means, as applicable: (a) a “supervisory authority” as defined in the EU GDPR; and/or (b) the “Commissioner” as defined in the UK GDPR and/or the Swiss FDPA.
• Swiss FDPA means the Federal Data Protection Act of 19 June 1992 (Switzerland).
• Term means the period from the Terms Effective Date until Google’s completion of the Consulting Services and/or Managed Services, as applicable.
• Terms Effective Date means the date on which Customer accepted, or the parties otherwise agreed to, these Terms.
• UK GDPR means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.

2.2 The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in these Terms have the meanings given in the GDPR, irrespective of whether European Data Protection Law or Non-European Data Protection Law applies.

Regardless of whether the Agreement has terminated or expired, these Terms will remain in effect until and automatically expire when Customer revokes Google’s access to Customer Personal Data or when Google deletes such data as described in these Terms (whichever occurs first).

4.1 Application of European Law. The parties acknowledge that European Data Protection Law will apply to the processing of Customer Personal Data if, for example:

(a) the processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA or the UK; and/or

(b) the Customer Personal Data is personal data relating to data subjects who are in the EEA or the UK and the processing relates to the offering to them of goods or services in the EEA or the UK or the monitoring of their behavior in the EEA or the UK.

4.2 Application of Non-European Law. The parties acknowledge that Non-European Data Protection Law may also apply to the processing of Customer Personal Data.

4.3 Application of Terms. Except to the extent these Terms state otherwise, these Terms will apply irrespective of whether European Data Protection Law or Non-European Data Protection Law applies to the processing of Customer Personal Data.

5.1 Roles and Regulatory Compliance; Authorization.

5.1.1 Processor and Controller Responsibilities. If European Data Protection Law applies to the processing of Customer Personal Data:

(a) the subject matter and details of the processing are described in Appendix 1;

(b) Google is a processor of that Customer Personal Data under European Data Protection Law;

(c) Customer is a controller or processor, as applicable, of that Customer Personal Data under European Data Protection Law; and

(d) each party will comply with the obligations applicable to it under European Data Protection Law with respect to the processing of that Customer Personal Data.

5.1.2 Authorization by Third Party Controller. If European Data Protection Law applies to the processing of Customer Personal Data and Customer is a processor:

(a) Customer warrants on an ongoing basis that the relevant controller has authorized: (i) the Instructions, (ii) Customer’s appointment of Google as another processor, and (iii) Google’s engagement of Subprocessors as described in Section 11 (Subprocessors);

(b) Customer will immediately forward to the relevant controller any notice provided by Google under Sections 5.2.3 (Instruction Notifications), 7.2.1 (Incident Notification) or 11.4 (Opportunity to Object to Subprocessor Changes) or that refers to any SCCs; and

(c) Customer may make available to the relevant controller any information made available by Google under Section 11.2 (Information about Subprocessors).

5.1.3 Responsibilities under Non-European Law. If Non-European Data Protection Law applies to either party’s processing of Customer Personal Data, the relevant party will comply with any obligations applicable to it under that law with respect to the processing of that Customer Personal Data.

5.2 Scope of Processing.

5.2.1 Customer’s Instructions. Customer instructs Google to process Customer Data only: (a) when provided access to such data by Customer; (b) in accordance with applicable law; (c) to provide the Consulting Services and/or Managed Services, as applicable; (d) as documented in the form of the Agreement, including an applicable Order Form, Statement of Work, and these Terms; and (e) as further documented in any other written instructions given by Customer and acknowledged by Google as constituting instructions for purposes of these Terms (collectively, the “Instructions”).

5.2.2 Google Compliance with Instructions. Google will comply with the Instructions unless prohibited by European Law.

5.2.3 Instruction Notifications. Google will immediately notify Customer if, in Google’s opinion: (a) European Law prohibits Google from complying with an Instruction; (b) an Instruction does not comply with European Data Protection Law; or (c) Google is otherwise unable to comply with an Instruction, in each case unless such notice is prohibited by European Law. This Section does not reduce either party’s rights and obligations elsewhere in the Agreement.

6.1  General. Taking into account the nature of the processing of Customer Personal Data under these Terms, the parties’ respective rights and obligations with respect to deletion of Customer Personal Data during the Term are addressed in the data processing agreement applicable to the underlying system or platform where such data is stored.

6.2  Customer Data on Google Systems. At the end of the Term, Customer instructs Google to delete all remaining Customer Data (including existing copies) from Google’s systems in accordance with applicable law. After a recovery period of up to 30 days from that date, Google will  comply with this Instruction as soon as reasonably practicable and within a maximum period of 180 days, unless European Law requires storage.

7.1 Security Measures, Controls and Assistance.

7.1.1 Google Security Measures. Google will implement and maintain technical and organizational measures to protect Customer Personal Data on Google’s infrastructure against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the "Security Measures").

7.1.2 Customer Security Measures, Controls and Assistance (Non-Google Infrastructure). Where Customer Data that Google processes via Consulting Services and/or Managed Services, as applicable, is processed on Customer’s infrastructure or Customer’s third-party infrastructure provider’s infrastructure, for any security measures that are managed solely by the Customer or Customer’s third-party infrastructure provider, such as physical security for the applicable data centers, Customer acknowledges that Google does not control such infrastructure, and Customer will rely on the security measures implemented and maintained by Customer or Customer’s third-party infrastructure provider.

7.1.3 Access and Compliance. Google will: (a) authorize its employees, contractors and Subprocessors to access Customer Personal Data only as strictly necessary to comply with the Instructions; (b) take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, and Subprocessors to the extent applicable to their scope of performance, and (c) ensure that all persons authorized to process Customer Personal Data are under an obligation of confidentiality.

7.1.4 Google’s Security Assistance.  Google will (taking into account the nature of the processing of Customer Personal Data and the information available to Google) assist Customer in ensuring compliance with its (or, where Customer is a processor, the relevant controller’s) obligations under Articles 32 to 34 of the GDPR, by:

a. implementing and maintaining the Security Measures in accordance with Section 7.1.1 (Google’s Security Measures);

b. complying with the terms of Section 7.2 (Data Incidents); and

c. if the subsections a. and b. above are insufficient for Customer (or the relevant controller) to comply with such obligations, upon Customer’s request, providing Customer with additional reasonable cooperation and assistance.

7.2 Data Incidents

7.2.1 Incident Notification. Google will notify Customer promptly and without undue delay after becoming aware of a Data Incident; and promptly take reasonable steps to minimize harm and secure Customer Personal Data on Google infrastructure.

7.2.2 Details of Data Incident. Google’s notification of a Data Incident will describe:  the nature of the Data Incident including the Customer resources impacted; the measures Google has taken, or plans to take, to address the Data Incident and mitigate its potential risk; the measures, if any, Google recommends that Customer take to address the Data Incident; and details of a contact point where more information can be obtained.  If it is not possible to provide all such information at the same time, Google’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.

7.2.3 Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address.

7.2.4 No Assessment of Customer Data by Google. Google has no obligation to assess Customer Data to identify information subject to any specific legal requirements.

7.2.5 No Acknowledgement of Fault by Google. Google’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Google of any fault or liability with respect to the Data Incident.

7.3 Customer’s Security Responsibilities and Assessment.

7.3.1 Customer’s Security Responsibilities. Without prejudice to Google’s obligations under Sections 7.1.1 (Google Security Measures) and 7.2 (Data Incidents) and elsewhere in the Agreement, Customer is responsible for its use of the Consulting Services and/or Managed Services and its storage of any copies of Customer Data outside Google’s or Google’s Subprocessors’ systems, including, without limitation:

a. administering, managing access to and securing the account authentication credentials, systems, software, networks and devices that Customer uses to receive, or authorizes to be accessed by Google personnel to provide, the Consulting Services and/or Managed Services, as applicable;

b. backing up its Customer Data as appropriate;

c. providing Google with appropriate notice before providing Google with access to Customer Personal Data;

d. minimizing the amount of Customer Personal Data provided by or on behalf of Customer to Google; and

e. to the extent Google’s access to Customer Personal Data is within Customer’s control, revoking that access when Google has completed the Consulting Services and/or Managed Services, as applicable.

7.3.2 Customer’s Security Assessment. Customer agrees that for Consulting Services and/or Managed Services, as applicable, the Security Measures implemented and maintained by Google and Google’s commitments under this Section 7 (Data Security), and Section 11 (Subprocessors) provide a level of security appropriate to the risk to the Customer Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals).

7.4 Review and Audits of Compliance.  Taking into account the nature of the processing of Customer Personal Data under the Agreement, Customer’s audit rights with respect to Customer Personal Data are addressed in the SecOps Data Processing and Security Terms.

Google will (taking into account the nature of the processing and the information available to Google) assist Customer in ensuring compliance with its (or, where Customer is a processor, the relevant controller’s) obligations under Articles 35 and 36 of the GDPR, by:

a. providing the information contained in the Agreement (including these Terms).

b. if subsection (a) above is insufficient for Customer (or the relevant controller) to comply with such obligations, upon Customer’s request, providing Customer with additional reasonable cooperation and assistance.

9.1 Access; Rectification; Restricted Processing; Portability. Taking into account the nature of the Services and processing of Customer Personal Data under these Terms, Google will reasonably assist Customer in accessing, rectifying and restricting processing of Customer Personal Data.

9.2 Data Subject Requests. Taking into account the nature of the Services processing of Customer Personal Data under the Agreement, Google will reasonably assist Customer in fulfilling its obligations under Chapter III of the GDPR to respond to requests for exercising the data subject’s rights.

10.1 Data Storage and Processing Facilities. Subject to Google’s data location commitments under the Service Specific Terms and the remainder of this Section 10 (Data Transfers), Customer Data may be processed in any country in which Google or its Subprocessors maintain facilities.

10.2 Restricted European Transfers. The parties acknowledge that European Data Protection Law does not require SCCs or an Alternative Transfer Solution in order for Customer Personal Data to be processed in or transferred to an Adequate Country.  If Customer Personal Data is transferred to any other country and European Data Protection Law applies to the transfers (“Restricted European Transfers”), then:

a. if Google has adopted an Alternative Transfer Solution for any Restricted European Transfers, then Google will inform Customer of the relevant solution and ensure that such Restricted European Transfers are made in accordance with it; and/or

b. if Google has not adopted, or informs Customer that Google is no longer adopting, an Alternative Transfer Solution for any Restricted European Transfers, then:

i. if Google’s address is in an Adequate Country:

A. the SCCs (Processor-to-Processor, Google Exporter) will apply with respect to such Restricted European Transfers from Google to Subprocessors; and

B. in addition, if Customer’s billing address is not in an Adequate Country, the SCCs (Processor-to Controller) will apply (regardless of whether Customer is a controller and/or processor) with respect to such Restricted European Transfers between Google and Customer; or

ii. if Google’s address is not in an Adequate Country, the SCCs (Controller-to-Processor) and/or SCCs (Processor-to-Processor) will apply (according to whether Customer is a controller and/or processor) with respect to such Restricted European Transfers between Google and Customer.

10.3 Termination. If Customer concludes, based on its current or intended use of the Services, that the Alternative Transfer Solution and/or SCCs, as applicable, do not provide appropriate safeguards for Customer Personal Data, then Customer may immediately terminate the Agreement for convenience by notifying Google.

11.1 Consent to Subprocessor Engagement. As of the effective date of these Terms, Customer specifically authorizes the engagement as Subprocessors of: (a) any third party entity listed as a subcontractor in an applicable Order Form, Statement of Work, or other confirmation provided to Customer before commencement of Consulting Services and/or Managed Services, as applicable; and (b) all other Google Affiliates from time to time.  In addition, without prejudice to Section 11.4 (Opportunity to Object to Subprocessor Changes), Customer generally authorizes the engagement of other third parties as Subprocessors (“New Subprocessor(s)”).

11.2 Information about Subprocessors. Information about Subprocessors, including their functions and locations, will be made available to Customer at Customer’s request.

11.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Google will:

a. ensure via a written contract that:

i. the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the applicable Agreement (including this Addendum); and

ii. if the processing of Customer Personal Data is subject to European Data Protection Law, the data protection obligations described in this Addendum (as referred to in Article 28(3) of the GDPR, if applicable), are imposed on the Subprocessor; and

b. remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

11.4 Opportunity to Object to Subprocessor Changes.

a. When any New Subprocessor is engaged during the Term, Google will, at least 30 days before the New Subprocessor starts processing any Customer Data, notify Customer of the engagement (including the name, location and activities of the New Subprocessor).

b. Customer may, within 90 days after being notified of the engagement of a New Subprocessor, object by immediately terminating the Agreement for convenience by notifying Google.

12.1 Google Cloud’s Data Protection Team. Google Cloud’s Data Protection Team will provide prompt and reasonable assistance with any Customer queries related to processing of Customer Data under the Agreement and can be contacted at https://support.google.com/cloud/contact/dpo (and/or via such other means as Google may provide from time to time).

12.2  Google’s Processing Records.  Google will keep appropriate documentation of its processing activities as required by the GDPR. To the extent the GDPR requires Google to collect and maintain records of certain information relating to Customer, Customer will supply such information to Google promptly after the Terms Effective Date, and give Google timely notice of any changes to such information to ensure that Google’s records remain accurate and up-to-date. Google may make any such information available to the supervisory authorities if required by the GDPR.

12.3 Controller Requests. During the Term, if Google’s Cloud Data Protection Team receives a request or instruction from a third party purporting to be a controller of Customer Personal Data, Google will advise the third party to contact Customer.

13.1 Precedence. To the extent of any conflict or inconsistency between:

a. these Terms and the remainder of the Agreement, these Terms will prevail; and

b. any Customer SCCs and the Agreement (including these Terms), the Customer SCCs will prevail.

13.2 No Modification of SCCs. Nothing in the Agreement (including these Terms) is intended to modify or contradict any SCCs or prejudice the fundamental rights or freedoms of data subjects under European Data Protection Law.

Subject Matter

Google’s provision of the Consulting Services and/or Managed Services, as applicable, to Customer as described in the Cloud Master Agreement General Terms and applicable Statement of Work.

Duration of the Processing of Customer Personal Data

The Term plus the period from the end of the Term until Customer revokes Google’s access to Customer Data or Google deletes such data in accordance with the Terms.

Nature and Purpose of the Processing

Google will process Customer Personal Data for the purpose of providing the Consulting Services and/or Managed Services, as applicable, in accordance with these Terms.

Categories of Data

Data relating to individuals provided to Google by (or at the direction of) Customer to receive the Consulting Services and/or Managed Services, as applicable.

Data Subjects

Data subjects include the individuals about whom data is provided to Google by (or at the direction of) Customer to receive the Consulting Services and/or Managed Services, as applicable.