SECOPS PRIVACY NOTICE
Effective Date: April 18, 2024
This SecOps Privacy Notice (“Privacy Notice”) describes how we collect and process your personal information in relation to the SecOps services described at https://cloud.google.com/terms/secops/services (the “SecOps Services”). This Privacy Notice does not apply to any other Google services.
We offer the SecOps Services to our customers either directly or via our authorized partners. Where we refer to our customers in this notice, we also mean our partners and their customers.
If European Union (EU), UK or Swiss data protection law applies to the processing of personal information relating to you, you can review the European Privacy Standards and GDPR section below to learn more about your rights and Google’s compliance with these laws.
If the California Consumer Privacy Act (CCPA) applies to the processing of personal information relating to you, please review the U.S. State Privacy Law Requirements section below.
This Privacy Notice applies solely to the personal information Google collects or generates during the provision and administration of the SecOps Services and related technical support, excluding Customer Data and Partner Data. Customer Data and Partner Data are defined and governed by our agreement(s) with our customers covering the SecOps Services. For more information about how we process Customer Data and Partner Data, see our Data Processing Addendum for SecOps Consulting Services and Managed Services, Cloud Data Processing Addendum (Customers), and Cloud Data Processing Addendum (Partners). This Privacy Notice also applies to the extent there is personal information in threat intelligence we obtain from third party sources.
The personal information collected under this Privacy Notice consists of:
- Account information. We collect the data you or your organization provide when creating an account for SecOps Services, entering into a contract with us for SecOps Services, or using community features of SecOps Services (usernames, names, contact details, job titles, profiles and comments).
- SecOps payments and transactions. We keep reasonable business records of charges, payments, and billing details and issues.
- SecOps settings and configurations. We record your configuration and settings, including resource identifiers and attributes, and service and security settings for data and other resources.
- Technical and operational details of your usage of SecOps Services. We collect information about usage, operational status, software errors and crash reports, authentication details, quality and performance metrics, and other technical details necessary for us to operate and maintain SecOps Services and related software. This information includes device identifiers, identifiers from cookies or tokens, and IP addresses.
- Your direct communications. We keep records of your communications and interactions with us and our partners (for example, when you provide feedback, ask questions or seek technical support).
- Threat intelligence information. We collect information about confirmed and potential cyber threats, including attackers’ techniques, patterns, and behaviors and information used to carry out the attack (for example, phishing emails, malicious or target IP addresses, and compromised credentials or government-issued identifiers).
Google processes personal information under this Privacy Notice for the following purposes:
- Provide the SecOps Services you request. We use personal information primarily to deliver the SecOps Services that you and our customers request. This includes processing personal information as needed to conduct checks before extending credit to certain customers, to bill for the SecOps Services used, to ensure those services are delivered or working as intended, to detect and avoid outages or other technical problems, and to secure your data and services.
- Make recommendations to optimize use of the SecOps Services. We use personal information to provide you and our customers with recommendations (for example, suggesting ways to better secure your account or data, reduce service charges or improve performance, or optimize your configurations), and providing information about new or related products and features. We also evaluate your responses to our recommendations and other feedback (if you choose to provide it).
- Maintain and improve the SecOps Services. We evaluate personal information to help us improve the performance and functionality of SecOps Services. As we improve SecOps Services for you, this will improve them for our customers, and vice versa.
- Provide and improve other services you request. We use personal information to deliver and improve other services that you and our customers request, including Google or third-party services that are enabled via the SecOps Services, administrative consoles, application programming interfaces (APIs) or command line interfaces (CLIs), or the Google Cloud Platform Marketplace or Google Workspace Marketplace.
- Assist you. We use personal information to provide technical support for SecOps Services that you and our customers request, and to assess whether we have met your needs. We also use personal information to improve our technical support, inform you and our customers about updates to SecOps Services and send other notifications relating to the SecOps Services.
- Protect you, our users, customers, the public, and Google. We use personal information to detect, prevent, and respond to fraud, abuse, security risks, and technical issues that could harm you, other users, our customers, the public, or Google, making our services safer, more reliable, and enabling them to provide better security.
- Comply with legal obligations. We use personal information to comply with our legal obligations (for example, where we’re responding to legal process or an enforceable governmental request, or meeting our financial record-keeping obligations).
We’ll ask for your consent before using your personal information for a purpose that isn’t covered in this Privacy Notice.
To achieve these processing purposes, we use algorithms to recognize patterns, engage in manual review (such as when you interact directly with our billing or support teams or when analysts evaluate threat intelligence to derive threat detection rules), aggregation or anonymization to eliminate personal information (such as to enable publication of information about attackers), and combination with information from other Google products and services. We also use personal information for internal reporting and analysis of applicable product and business operations.
We maintain servers around the world, and information about you may be processed on servers located outside of the country where our users and customers are located. Data protection laws vary among countries, with some providing more protection than others.
Regardless of where your information is processed, we apply the same protections described in this privacy notice. We also comply with certain legal frameworks relating to the transfer of data, such as the frameworks described below.
- Adequacy decisions
The European Commission has determined that certain countries outside of the European Economic Area (EEA) adequately protect personal information, which means that information can be transferred from the European Union (EU) and Norway, Liechtenstein, and Iceland to that third country without any further safeguard being necessary. The UK and Switzerland have approved similar adequacy decisions. We rely on the following adequacy decisions in some cases:
1. European Commission adequacy decisions
- Standard contractual clauses
Standard contractual clauses (SCCs) are written commitments between parties that can be used as a ground for data transfers from the EU to third countries by providing appropriate data protection safeguards. SCCs have been approved by the European Commission and can’t be modified by the parties using them (you can see the SCCs adopted by the European Commission here, here, and here). Such clauses have also been approved for transfers of data to countries outside the UK and Switzerland. We rely on SCCs for our data transfers where required. If you want to obtain a copy of the SCCs, you can contact us.
- Data Privacy Frameworks
As described in our certifications, we comply with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information from European Union member countries (including EEA member countries), Switzerland and the UK respectively.
As relevant to the SecOps Services, Google LLC has certified its adherence to the DPF. Google remains responsible for any of your personal information that is shared under the Onward Transfer Principle with third parties for external processing on its behalf, as described in the How We Share Your Information section of this notice. To learn more about the DPF, please visit the DPF website.
If you have an inquiry regarding our relevant DPF certifications, we encourage you to contact us. Google is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). You may also refer a complaint to your local data protection authority and we will work with them to resolve your concern. In certain circumstances, the DPF provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the DPF Principles.
We build SecOps Services with strong security features to protect your data. The insights we gain from providing our services help us detect and automatically block security threats from ever reaching you. We work hard to protect the personal information we hold from unauthorized access, alteration, disclosure, or destruction, including by:
- Encrypting personal information at rest and while in transit between our facilities;
- Regularly reviewing our personal information collection, storage, and processing practices, including our physical security measures, to prevent unauthorized access to our systems; and
- Restricting access to personal information to Google employees, contractors, and agents who need it in order to process that information for us. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.
We instruct our affiliates to process personal information for the purposes listed under Why We Process Your Information above, in compliance with this Privacy Notice and appropriate confidentiality and security measures.
We do not share personal information with companies, organizations, or individuals outside of Google except in the following cases:
- When you procure third-party services
We share your information outside of Google when you or our customer choose(s) to procure a third-party service through Google Cloud Platform, the Google Cloud Platform Marketplace or the Google Workspace Marketplace, or use a third-party application that requests access to your information.
- With your consent
We’ll share your information outside of Google where we have obtained your consent.
- With your administrators and authorized resellers
When you use the SecOps Services, your administrator and resellers authorized to manage your or your organization’s account will have access to certain personal information. For example, they may be able to:
1. View account and billing information, activity and statistics
2. Change your account password
3. Suspend or terminate your account access
4. Access your account information in order to satisfy applicable law, regulation, legal process, or enforceable governmental request
5. Restrict your ability to delete or edit your information or your privacy settings.
- For external processing
We do not sell your personal information to any third parties.
We share your information with trusted third party providers to process it for us as we instruct them and in compliance with this Privacy Notice and appropriate confidentiality and security measures. In particular, we share your information with our third party providers when you request technical support services (we share the information you provide in the support ticket, and those providers may communicate with you or your administrator in that ticket, including providing updates and closing the ticket) and professional services (we share your contact details to enable communication and collaboration).
- For legal reasons
We share personal information outside of Google when we have a good-faith belief that access to or disclosure of that information is reasonably necessary to:
1. Comply with applicable law, regulation, legal process, or enforceable governmental request.
2. Enforce applicable agreements, including investigation of potential violations.
3. Detect, prevent, or otherwise address fraud, security, or technical issues.
4. Protect against harm to the rights, property or safety of Google, our customers, users, and the public as required or permitted by law.
If Google is involved in a reorganization, merger, acquisition, or sale of assets, we’ll continue to ensure the confidentiality of the personal information covered by this Privacy Notice and give affected users notice before such information becomes subject to a different privacy notice.
Your organization may allow you to access and export your data in order to back it up or transfer it to a service outside of Google. Some SecOps Services may enable you to directly access and download the data you have stored in the services.
You and your organization’s administrator may be able to access certain types of data directly from the SecOps Services, such as your account information, billing contact information, payment and transaction information, or certain product and communication settings and configurations.
If you’re otherwise unable to access your data, you can always request it here.
We retain personal information for different periods of time depending on the type of data, how we use it, and how you configure your settings. When we no longer need such personal information, we delete or anonymize it.
For each type of personal information and processing operation, we set retention timeframes based on the purposes for which we process it, and ensure that the information is kept for no longer than necessary. We retain most types of personal information for a set period of up to 180 days (the exact number depends on the specific type of data). However, some information may be kept for longer periods where there is a business need. We generally have longer retention periods (which can be over a year) for personal information that is kept for the following purposes:
- Security, fraud and abuse prevention. We retain personal information to protect Google, users, customers, and the public from security threats (including when it is necessary to protect against fraudulent attempts to gain access to user accounts), or to investigate violations of applicable SecOps Services agreements. Usually, the personal information retained where there is reason to suspect fraud or abuse would include device identifiers, identifiers from cookies or tokens, and IP addresses, as well as log data about usage of the SecOps Services.
- Complying with legal or regulatory requirements. We retain personal information when required by an enforceable legal process, such as when Google receives a lawful subpoena.
- Complying with tax, accounting or financial requirements. When Google processes a payment for you, or when you make a payment to Google, we retain personal information about those transactions (including billing information), typically for a minimum of five years, as required for tax or accounting purposes, or to comply with applicable financial regulations.
At the end of the applicable retention period, we follow detailed protocols to make sure that the personal information is securely and completely deleted from our active systems (the servers Google uses to run applications and store data) or retained only in anonymized form. After completion of these steps, copies of the data will remain for a limited period in our encrypted backup systems (which we maintain to protect this information from accidental or malicious deletion and for outage and disaster recovery purposes), before being overwritten by new backup copies.
You may delete your SecOps Services community account, including your comments made in the community, using available account tools. If you delete your community account, comments that you do not delete will no longer be attributed to you, but are retained to protect the security and integrity of the community.
Exercising your data protection rights
If European Union (EU), UK or Swiss data protection law applies to the processing of personal information relating to you, you have certain rights, including the rights to access, correct, delete and export that information, and to object to or request that we restrict processing of your personal information.
Google Cloud EMEA Ltd will be the data controller responsible for your personal information. However, where our customer has entered into an agreement covering SecOps Services with a different Google affiliate, that affiliate will be the data controller responsible for processing your personal information in connection with billing for the SecOps Services only.
If you want to exercise your data protection rights with regard to personal information we process in accordance with this Privacy Notice, and you are not able to do so via the tools available to you or your organization’s administrator, you can contact us at our contact email address.
You can always contact your local data protection authority if you have concerns regarding your rights under local law.
Our grounds for processing your personal information
When we process personal information for the purposes described in this Privacy Notice (see Why We Process Your Information above), we rely on the following legal grounds:
Purpose | Types of Personal information Processed | Legal Grounds |
---|---|---|
Provide SecOps Services you request. | The following types of personal information, as necessary for the purpose: | Where necessary for our legitimate interests in fulfilling the contractual obligations which we owe to our customer to provide the SecOps Services. |
Make recommendations to optimize use of SecOps Services. | The following types of personal information, as necessary for the purpose: | When we’re pursuing legitimate interests in offering the best service we can, and ensuring our customers know how to get the most out of our services. In some cases we will seek your consent to send you marketing communications. |
Maintain and improve SecOps Services. | The following types of personal information, as necessary for the purpose: | Where necessary for our legitimate interests in offering the best services we can, and continuing to improve the SecOps Services to meet our customers’ needs. |
Provide and improve other services you request. | The following types of personal information, as necessary for the purpose: | Where necessary for our legitimate interests in fulfilling the contractual obligations we owe to our customer to provide the SecOps Services, and where necessary for our legitimate interests in offering the best services we can, and continuing to improve the SecOps Services to meet our customers’ needs. |
Assist you. | The following types of personal information, as necessary for the purpose: | Where necessary for our legitimate interests in fulfilling the contractual obligations we owe to our customer to provide the SecOps Services. |
Protect you, our users, customers, the public, and Google. | The following types of personal information, as necessary for the purpose: | Where necessary for Google’s legitimate interest to protect against harm to the rights, property and safety of Google, and where necessary for Google’s and third parties’ legitimate interests to protect against harm to our users, our customers and the public, including criminal acts and rights violations. |
Comply with legal obligations. | Depending on the specific legal obligations, the following types of personal information: | When we have a legal obligation to do so. For example, where we’re responding to legal process or an enforceable governmental request, or retaining information relating to your purchases and communications to meet our record-keeping obligations. |
Additional information (Switzerland)
If Swiss data protection law applies to the processing of your personal information, the following additional information is relevant.
We also disclose your personal information to service providers, partners and other recipients (see How We Share Your Information) that are located or process information in any country in the world.
We comply with certain legal frameworks relating to the transfer of information as described in the Where We Store Your Information section. We may also transfer your information to a third country based on an exception provided for by the Swiss Federal Data Protection Act.
An exception may apply in the event of legal proceedings abroad, in cases of overriding public interest or if the performance of a contract with you or in your interest requires disclosure, if you have consented, if the information has been made generally available by you and you have not objected to the processing, or the disclosure is necessary in order to protect the life or the physical integrity of you or a third party and we can't get consent within a reasonable period of time, or the information originates from a register provided for by Swiss law which is accessible to the public or to persons with a legitimate interest, provided that the legal conditions for the consultation of such register have been met in the specific case.
If Brazilian data protection law applies to the processing of your personal information, you have certain rights, including the rights to access, correct, delete or export that information, as well as to object to or request that we restrict processing of that information. You also have the right to object to the processing of your information or to export your information to another service.
For users based in Brazil, the data controller responsible for information we collect under this Privacy Notice is Cloud Brasil Computação e Serviços de Dados Ltda. If you want to exercise your data protection rights with regard to personal information we process in accordance with this Privacy Notice and are not able to do so via the tools available to you or your organization’s administrator, you can always contact us via our contact email address. And you can contact your data protection authority if you have concerns regarding your rights under Brazilian law.
In addition to the purposes and grounds described in this Privacy Notice, we may process personal information on the following legal grounds:
- Where necessary for the performance of a contract with you
We may process your information where necessary for us to enter into a contract with you or to comply with our contractual commitments to you.
- When we’re complying with legal obligations
We’ll process your information when we have a legal obligation to do so.
- When we’re pursuing legitimate interests
We may process personal information based on our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we process your information in the interests of providing SecOps Services you request; making recommendations to optimize use of SecOps Services; maintaining and improving SecOps Services; providing and improving other services you request; assisting you; and protecting against harm to the rights, property or safety of Google, our users, our customers, and the public, as required or permitted by law.
Some U.S. state privacy laws require specific disclosures.
These laws may include:
- California Consumer Privacy Act (CCPA);
- Virginia Consumer Data Protection Act (VCDPA);
- Colorado Privacy Act (CPA);
- Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA); and
- Utah Consumer Privacy Act (UCPA)
This Privacy Notice is designed to help you understand how Google handles personal information in relation to the SecOps Services:
- We explain the categories of personal information Google collects and the sources of that information in Personal Information We Collect.
- We explain the purposes for which Google collects and uses personal information in Why We Process Your Information.
- We explain when Google may disclose information in How We Share Your Information. Google does not sell your personal information to any third parties. Google also does not “share” your personal information as that term is defined in the CCPA.
- We explain how Google retains personal information in Retention and Deletion of Personal Information. Google may also de-identify personal information about you so that the information can no longer be linked to you. When we de-identify personal information, we maintain policies and technical measures to avoid re-identifying that information.
U.S. state privacy laws also provide the right to request information about how Google collects, uses, and discloses your personal information. And they give you the right to access your personal information, sometimes in a portable format; to correct your personal information; and to request that Google delete that information. They also provide the right to not be discriminated against for exercising these rights. Finally, the CCPA treats certain kinds of information, like account credentials and government-issued identifiers, as sensitive; when we collect this information, we only use it for purposes permitted by the CCPA, like to protect against security threats, abuse, and illegal activity.
We provide the information and tools described in Access to Your Information so you can exercise your access rights via the SecOps Services, and access your other rights by contacting Google. When you make a request, we’ll validate your request by verifying your identity (for example, by confirming that you’re signed in to your SecOps Services account).
If you have questions or requests related to your rights under U.S. state privacy laws, you (or your authorized agent) can also contact us. And if you disagree with the decision on your request, you can ask us to reconsider it by responding to our email.
Some U.S. state privacy laws require a description of personal information practices using specific categories. This table uses these categories to organize the information in this Privacy Notice.
Categories of personal information we collect | Business purposes for which personal information may be used or disclosed | Parties to whom personal information may be disclosed |
---|---|---|
Identifiers and similar information such as your username, name, phone number, address, and job titles, as well as unique identifiers tied to the browser, application, or device you’re using. Demographic information, such as your preferred language and age. Commercial information such as records of charges, payments, and billing details and issues. Technical and operational details of your usage of SecOps Services, such as information about your usage, operational status, software errors and crash reports, authentication details, quality and performance metrics, and other technical details necessary for us to operate and maintain the SecOps Services and related software. This includes device identifiers, identifiers from cookies or tokens, and IP addresses. Approximate location data, as may be determined by IP address, depending in part on your device and account settings. Audio, electronic, visual, and similar information, such as audio recording of your calls with our technical support providers. Inferences drawn from the above, like aggregated performance metrics for a new product feature to determine product strategy. |
Protecting against security threats, abuse, and illegal activity. Google uses and may disclose personal information to detect, prevent and respond to fraud, abuse, security risks, and for protecting against other malicious, deceptive, fraudulent, or illegal activity. For example, to protect our services, our customers, or the public, we may receive or disclose information about IP addresses that malicious actors have compromised. Auditing and measurement. Google uses personal information for analytics and measurement to understand how our services are used, and to provide you and our customers with recommendations and tips. We may disclose non-personally identifiable information publicly and with partners, including for auditing purposes. Provide and maintain our services, and to assist you. Google uses personal information to provide SecOps Services and related technical support, and other services you request, and ensure they are working as intended, such as tracking outages or troubleshooting bugs and other issues that you report to us. Improve the SecOps Services and other services you request. Google uses personal information to improve SecOps Services and other services you request, and to develop new products, features and technologies that benefit our users and customers. Use of service providers. Google shares personal information with service providers to perform services on our behalf, in compliance with this Privacy Notice and other appropriate confidentiality and security measures. For example, we may rely on service providers to help provide technical support. Legal reasons. Google also uses personal information to satisfy applicable laws or regulations, and discloses information in response to legal process or enforceable government requests, including to law enforcement. |
We do not disclose personal information to companies, organizations, or individuals outside of Google except in the following cases: When you procure third-party services. We disclose personal information outside of Google when you or our customers choose(s) to procure a third-party service through Google Cloud Platform, the Google Cloud Platform Marketplace or the Google Workspace Marketplace, or use a third-party application that requests access to your information. With your consent. We’ll disclose your personal information outside of Google when we have obtained your consent. With your administrators and authorized resellers. When you use SecOps Services, your administrator and resellers authorized to manage your or your organization’s account will have access to certain personal information. For external processing. We disclose personal information to trusted third party providers to process it for us as we instruct them and in compliance with this Privacy Notice and appropriate confidentiality and security measures. In particular, we disclose your information to our third party providers when you request technical support services (we disclose the information you provide in the support ticket) and professional services (we disclose your contact details to enable communication and collaboration). For legal reasons. We disclose personal information outside of Google when we have a good-faith belief that access to or disclosure of that information is reasonably necessary to:
|
If Japanese data protection law (the Act on the Protection of Personal Information, “APPI”) applies to the processing of your personal information, we provide the following additional information for users of the SecOps Services residing in Japan.
Controller of your information. Personal information provided to or gathered by Google under this Privacy Notice is controlled primarily by Google LLC, located at 1600 Amphitheatre Parkway Mountain View, CA 94043 United States, representative is Sundar Pichai, CEO.
Purpose of collection and use of personal information. We collect and use your information for the purposes set out here and here.
Measures undertaken to protect retained personal information.
Establishment of general policy
We establish and publish this Privacy Notice outlining our general policy relating to personal information processed in relation to the SecOps Services.
Establishment of internal policy relating to handling of personal information
Google establishes internal policies about handling measures and persons in charge and their responsibility etc. with regard to the acquisition, utilization, records, provision, deletion etc. of personal information.
Internal organization as security control action
Google has large security and privacy teams responsible for developing, implementing, and reviewing internal personal information handling processes. Google employees are trained to report suspected incidents involving personal information, which may be done through various channels such as through dedicated email addresses or digital platforms. A dedicated team assesses reported incidents, and as appropriate a coordinated team is assigned to manage the overall incident, including liaising with Legal and the product team as part of the investigation and response. The team on-call for an incident is assigned on a daily rotation. Incident responses may follow either a standard or an expedited route, depending on the severity and priority assigned to the incident.
Personnel measures as security control action
Google conducts periodical training for our employees about matters to consider when handling personal information.
Physical measures as security control action
Google takes measures to prevent unauthorized persons from accessing personal information in any situation and to prevent theft or loss of devices and electronic media for handling personal information.
Technical measures as security control action
Please see here and here for further information on the security measures undertaken to secure, retain and delete your information.
Research of external environment
Data protection laws vary among countries, with some providing more protection than others. Google has established a personal information protection system to ensure your information is accorded protections equivalent to APPI, as described in this Privacy Notice. Regardless of where your information is processed, Google applies the same personal information protection measures globally. We also comply with certain legal frameworks relating to the transfer of data, such as the European frameworks. For more detail, please see here.
Contact information. For any inquiries or requests about your personal information under this Privacy Notice and related rights under applicable law, please email appi-inquiries-external@google.com.
This Privacy Notice applies to the SecOps Services. This Privacy Notice doesn’t apply to:
- Products, sites, or services which are covered under a different privacy notice;
- The information practices of other companies and organizations that advertise the SecOps Services; or
- Services offered by companies or individuals other than Google.
We may update this Privacy Notice from time to time. We will not make any significant changes without notifying you in advance by posting a prominent notice on this page describing the changes or by sending you a direct communication. We encourage you to regularly review this Privacy Notice, and we will always indicate the date the last changes were published.
SecOps Service | Contact Email |
---|---|
Mandiant Services and GTI | privacy@mandiant.com |
Google Security Operations | chronicle-support@google.com |