Data Processing Addendum for SecOps Consulting Services and Managed Services
Last modified: October 05, 2023
Covered services: Consulting Services and Managed Services (as defined below)
These Data Processing and Security Terms, including their appendices (the “Terms”) reflect the parties’ agreement with respect to the processing and security of Customer Data for Consulting Services and Managed Services, and are incorporated into the agreement under which Google has agreed to provide such Services to Customer (“the Agreement”).
1. Commencement
These Terms will be effective and replace any previously applicable data processing and security terms from the Terms Effective Date (as defined below) for Consulting Services and/or Managed Services, as applicable, when and to the extent there is a direct conflict.
2. Definitions
2.1 Unless otherwise defined in these Terms, capitalized terms defined in the Agreement apply to these Terms. In addition, in these Terms:
- Adequate Country means:
(a) for data processed subject to the EU GDPR: the EEA, or a country or territory recognized as ensuring adequate protection under the EU GDPR;
(b) for data processed subject to the UK GDPR: the UK, or a country or territory recognized as ensuring adequate protection under the UK GDPR and the Data Protection Act 2018; and/or
(c) for data processed subject to the Swiss FADP: Switzerland, or a country or territory that is: (i) included in the list of the states whose legislation ensures adequate protection as published by the Swiss Federal Data Protection and Information Commissioner, if applicable, or (ii) recognized as ensuring adequate protection by the Swiss Federal Council under the Swiss FADP; in each case, other than on the basis of an optional data protection framework.
- Alternative Transfer Solution means a solution, other than SCCs, that enables the lawful transfer of personal data to a third country in accordance with European Data Protection Law, for example a data protection framework recognized as ensuring that participating entities provide adequate protection.
- Audited Services means the then-current Services indicated as being in-scope for the relevant certification or report at https://cloud.google.com/security/compliance/secops/services-in-scope. Google may not remove a Service from this URL unless that Service has been discontinued in accordance with the Agreement.
- Consulting Services means the then-current advisory and implementation services described at https://cloud.google.com/terms/secops/services or in an applicable Order Form.
- Customer Data means data provided by or on behalf of Customer or Customer End Users in connection with receiving Consulting Services and/or Managed Services, as applicable, as further described in the applicable Statement of Work.
- Customer Personal Data means the personal data contained within the Customer Data, including any special categories of personal data defined under European Data Protection Law.
- Customer SCCs means the SCCs (Controller-to-Processor), the SCCs (Processor-to-Processor) and/or the SCCs (Processor-to-Controller), as applicable.
- Data Incident means a breach of Google’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data while processed by Google personnel or Subprocessors under the Agreement. For clarity, Data Incidents under this definition exclude previous incidents that are the subject of the Consulting Services and/or Managed Services, as applicable.
- EEA means the European Economic Area.
- EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- European Data Protection Law means, as applicable: (a) the GDPR; and/or (b) the Swiss FADP.
- European Law means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Customer Personal Data); (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Customer Personal Data); or (c) the law of Switzerland (if the Swiss FADP applies to the processing of Customer Personal Data).
- GDPR means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.
- Instructions has the meaning given in Section 5.2.1 (Customer’s Instructions).
- Managed Services means the then-current managed detection and response services described at https://cloud.google.com/terms/secops/services or in the applicable Order Form.
- Non-European Data Protection Law means data protection or privacy laws in force outside the EEA, Switzerland and the UK.
- Notification Email Address means the email address(es) designated by Customer in the SOW or Order Form to receive certain notifications from Google. Customer is responsible for notifying Google of any changes to ensure that its Notification Email Address remains current and valid.
- SCCs means the Customer SCCs and/or SCCs (Processor-to-Processor, Google Exporter), as applicable.
- SCCs (Controller-to-Processor) means the terms at: https://cloud.google.com/terms/secops/sccs/eu-c2p.
- SCCs (Processor-to-Controller) means the terms at: https://cloud.google.com/terms/secops/sccs/eu-p2c.
- SCCs (Processor-to-Processor) means the terms at: https://cloud.google.com/terms/secops/sccs/eu-p2p.
- SCCs (Processor-to-Processor, Google Exporter) means the terms at: https://cloud.google.com/terms/secops/sccs/eu-p2p-google-exporter.
- Security Documentation means all documents and information made available by Google under Section 7.5.1 (Reviews of Security Documentation).
- Security Measures has the meaning given in Section 7.1.1 (Google Security Measures).
- Subprocessor means a third party authorized as another processor under Section 11 (Subprocessors) to have access to and process Customer Personal Data to provide parts of the Consulting Services and/or Managed Services, as applicable.
- Supervisory Authority means, as applicable: (a) a “supervisory authority” as defined in the EU GDPR; and/or (b) the “Commissioner” as defined in the UK GDPR or the Swiss FADP.
- Swiss FADP means, as applicable, the Federal Data Protection Act of 19 June 1992 (Switzerland) (with the Ordinance to the Federal Act on Data Protection of 14 June 1993) or the revised Federal Act on Data Protection of 25 September 2020 (Switzerland) (with the Ordinance to the Federal Act on Data Protection of 31 August 2022).
- Term means the period from the Terms Effective Date until Google’s completion of the Consulting Services and/or Managed Services, as applicable.
- Terms Effective Date means the date on which Customer accepted, or the parties otherwise agreed to, these Terms.
- UK GDPR means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.
2.2 The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in these Terms have the meanings given by European Data Protection Law or, if such law does not apply, by the EU GDPR.
3. Duration
Regardless of whether the Agreement has terminated or expired, these Terms will remain in effect until and automatically expire when Customer revokes Google’s access to Customer Personal Data or when Google deletes such data as described in these Terms (whichever occurs first).
4. Scope of Data Protection Law
4.1 Application of European Law. The parties acknowledge that European Data Protection Law will apply to the processing of Customer Personal Data if, for example:
(a) the processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA or the UK; and/or
(b) the Customer Personal Data is personal data relating to data subjects who are in the EEA or the UK and the processing relates to the offering to them of goods or services in the EEA or the UK or the monitoring of their behavior in the EEA or the UK.
4.2 Application of Non-European Law. The parties acknowledge that Non-European Data Protection Law may also apply to the processing of Customer Personal Data.
4.3 Application of Terms. Except to the extent these Terms state otherwise, these Terms will apply irrespective of whether European Data Protection Law or Non-European Data Protection Law applies to the processing of Customer Personal Data.
5. Processing of Data
5.1 Roles and Regulatory Compliance; Authorization.
5.1.1 Processor and Controller Responsibilities. If European Data Protection Law applies to the processing of Customer Personal Data:
(a) the subject matter and details of the processing are described in Appendix 1;
(b) Google is a processor of that Customer Personal Data under European Data Protection Law;
(c) Customer is a controller or processor, as applicable, of that Customer Personal Data under European Data Protection Law; and
(d) each party will comply with the obligations applicable to it under European Data Protection Law with respect to the processing of that Customer Personal Data.
5.1.2 Authorization by Third Party Controller. If European Data Protection Law applies to the processing of Customer Personal Data and Customer is a processor:
(a) Customer warrants on an ongoing basis that the relevant controller has authorized: (i) the Instructions, (ii) Customer’s appointment of Google as another processor, and (iii) Google’s engagement of Subprocessors as described in Section 11 (Subprocessors);
(b) Customer will immediately forward to the relevant controller any notice provided by Google under Sections 5.2.3 (Instruction Notifications), 7.2.1 (Incident Notification) or 11.4 (Opportunity to Object to Subprocessor Changes) or that refers to any SCCs; and
(c) Customer may make available to the relevant controller any information made available by Google under Section 11.2 (Information about Subprocessors).
5.1.3 Responsibilities under Non-European Law. If Non-European Data Protection Law applies to either party’s processing of Customer Personal Data, the relevant party will comply with any obligations applicable to it under that law with respect to the processing of that Customer Personal Data.
5.2 Scope of Processing.
5.2.1 Customer’s Instructions. Customer instructs Google to process Customer Data only: (a) when provided access to such data by Customer; (b) in accordance with applicable law; (c) to provide the Consulting Services and/or Managed Services, as applicable; (d) as documented in the form of the Agreement, including an applicable Order Form, Statement of Work, and these Terms; and (e) as further documented in any other written instructions given by Customer and acknowledged by Google as constituting instructions for purposes of these Terms (collectively, the “Instructions”).
5.2.2 Google Compliance with Instructions. Google will comply with the Instructions unless prohibited by European Law.
5.2.3 Instruction Notifications. Google will immediately notify Customer if, in Google’s opinion: (a) European Law prohibits Google from complying with an Instruction; (b) an Instruction does not comply with European Data Protection Law; or (c) Google is otherwise unable to comply with an Instruction, in each case unless such notice is prohibited by European Law. This Section does not reduce either party’s rights and obligations elsewhere in the Agreement.
6. Data Deletion
6.1 General. Taking into account the nature of the processing of Customer Personal Data under the Agreement, the parties’ respective rights and obligations with respect to deletion of Customer Personal Data during the Term are addressed in the data processing agreement applicable to the underlying system or platform where such data is stored.
6.2 Customer Data on Google Systems. At the end of the Term, Customer may instruct Google to return or delete all remaining Customer Personal Data (including existing copies) from Google systems in accordance with applicable law. After a recovery period of up to 30 days from the date of receipt of the Instruction, Google will comply with this Instruction as soon as reasonably practicable and within a maximum period of 180 days, unless European Law requires storage.
7. Data Security
7.1 Security Measures, Controls and Assistance.
7.1.1 Google Security Measures. Google will implement and maintain technical and organizational measures to protect Customer Personal Data on Google’s infrastructure against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the "Security Measures").
7.1.2 Customer Security Measures, Controls and Assistance (Non-Google Infrastructure). Where Customer Data that Google processes via Consulting Services and/or Managed Services, as applicable, is processed on Customer’s infrastructure or Customer’s third-party provider’s infrastructure, for any security measures that are managed solely by the Customer or Customer’s third-party infrastructure provider, such as physical security for the applicable data centers, Customer acknowledges that Google does not control such infrastructure, and Customer will rely on the security measures implemented and maintained by Customer or Customer’s third-party infrastructure provider.
7.1.3 Access and Compliance. Google will: (a) authorize its employees, contractors and Subprocessors to access Customer Personal Data only as strictly necessary to comply with the Instructions; (b) take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, and Subprocessors to the extent applicable to their scope of performance, and (c) ensure that all persons authorized to process Customer Personal Data are under an obligation of confidentiality.
7.1.4 Google’s Security Assistance. Google will (taking into account the nature of the processing of Customer Personal Data and the information available to Google) assist Customer in ensuring compliance with its (or, where Customer is a processor, the relevant controller’s) obligations under Articles 32 to 34 of the GDPR, by:
a. implementing and maintaining the Security Measures in accordance with Section 7.1.1 (Google Security Measures);
b. complying with the terms of Section 7.2 (Data Incidents); and
c. if the subsections a. and b. above are insufficient for Customer (or the relevant controller) to comply with such obligations, upon Customer’s request, providing Customer with additional reasonable cooperation and assistance.
7.2 Data Incidents
7.2.1 Incident Notification. Google will notify Customer promptly and without undue delay after becoming aware of a Data Incident; and promptly take reasonable steps to minimize harm and secure Customer Personal Data on Google infrastructure.
7.2.2 Details of Data Incident. Google’s notification of a Data Incident will describe: the nature of the Data Incident including the Customer resources impacted; the measures Google has taken, or plans to take, to address the Data Incident and mitigate its potential risk; the measures, if any, Google recommends that Customer take to address the Data Incident; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Google’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.
7.2.3 Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address.
7.2.4 No Assessment of Customer Data by Google. Google has no obligation to assess Customer Data to identify information subject to any specific legal requirements.
7.2.5 No Acknowledgement of Fault by Google. Google’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Google of any fault or liability with respect to the Data Incident.
7.3 Customer’s Security Responsibilities and Assessment.
7.3.1 Customer’s Security Responsibilities. Without prejudice to Google’s obligations under Sections 7.1.1 (Google Security Measures) and 7.2 (Data Incidents) and elsewhere in the Agreement, Customer is responsible for its use of the Consulting Services and/or Managed Services and its storage of any copies of Customer Data outside Google’s or Google’s Subprocessors’ systems, including, without limitation:
a. administering, managing access to and securing the account authentication credentials, systems, software, networks and devices that Customer uses to receive, or authorizes to be accessed by Google personnel to provide, the Consulting Services and/or Managed Services, as applicable;
b. backing up its Customer Data as appropriate;
c. providing Google with appropriate notice before providing Google with access to Customer Personal Data;
d. minimizing the amount of Customer Personal Data provided by or on behalf of Customer to Google; and
e. to the extent Google’s access to Customer Personal Data is within Customer’s control, revoking that access when Google has completed the Consulting Services and/or Managed Services, as applicable.
7.3.2 Customer’s Security Assessment. Customer agrees that for Consulting Services and/or Managed Services, as applicable, the Security Measures implemented and maintained by Google and Google’s commitments under this Section 7 (Data Security), and Section 11 (Subprocessors) provide a level of security appropriate to the risk to the Customer Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals).
7.4 Compliance Certification. Google maintains the following for the Audited Services in order to evaluate the continued effectiveness of the Security Measures: https://cloud.google.com/security/compliance/secops/services-in-scope (the “Compliance Certification(s)”). Google may at any time (a) add standards, certificates or reports or (b) replace a Compliance Certification with an equivalent or enhanced alternative.
7.5 Reviews and Audits of Compliance.
7.5.1 Reviews of Security Documentation. Google will make the Compliance Certification(s) available for review by Customer to demonstrate compliance by Google with its obligations under these Terms.
7.5.2 Additional Business Terms for Reviews and Audits.
a. Customer must send any requests for reviews of the Compliance Certification(s) under Section 7.5.1 to Google’s Cloud Data Protection Team as described in Section 12 (Cloud Data Protection Team; Processing Records).
b. Following receipt by Google of a request under Section 7.5.2(a), Google and Customer will discuss and agree in advance on the reasonable date(s) of and security and confidentiality controls applicable to any review of the Compliance Certification(s) under Section 7.5.1.
8. Impact Assessments and Consultations
Google will (taking into account the nature of the processing and the information available to Google) assist Customer in ensuring compliance with its (or, where Customer is a processor, the relevant controller’s) obligations under European Data Protection Law with respect to data protection impact assessments or prior regulatory consultations by:
a. providing the information contained in the Agreement (including these Terms).
b. if subsection (a) above is insufficient for Customer (or the relevant controller) to comply with such obligations, upon Customer’s request, providing Customer with additional reasonable cooperation and assistance.
9. Access etc.; Data Subject Rights
9.1 Access; Rectification; Restricted Processing; Portability. Taking into account the nature of the Services and processing of Customer Personal Data under the Agreement, Google will reasonably assist Customer in accessing, rectifying and restricting processing of Customer Personal Data.
9.2 Data Subject Requests. Taking into account the nature of the Services and processing of Customer Personal Data under the Agreement, Google will reasonably assist Customer in fulfilling its obligations under European Data Protection Law to respond to requests for exercising the data subject’s rights.
10. Data Transfers
10.1 Data Storage and Processing Facilities. Subject to Google’s data location commitments under the Service Specific Terms and the remainder of this Section 10 (Data Transfers), Customer Data may be processed in any country in which Google or its Subprocessors maintain facilities.
10.2 Restricted European Transfers. The parties acknowledge that European Data Protection Law does not require SCCs or an Alternative Transfer Solution in order for Customer Personal Data to be processed in or transferred to an Adequate Country. If Customer Personal Data is transferred to any other country and European Data Protection Law applies to the transfers (“Restricted European Transfers”), then:
a. if Google has adopted an Alternative Transfer Solution for any Restricted European Transfers, then Google will inform Customer of the relevant solution and ensure that such Restricted European Transfers are made in accordance with it; and/or
b. if Google has not adopted, or informs Customer that Google is no longer adopting, an Alternative Transfer Solution for any Restricted European Transfers, then:
i. if Google’s address is in an Adequate Country:
A. the SCCs (Processor-to-Processor, Google Exporter) will apply with respect to such Restricted European Transfers from Google to Subprocessors; and
B. in addition, if Customer’s billing address is not in an Adequate Country, the SCCs (Processor-to Controller) will apply (regardless of whether Customer is a controller and/or processor) with respect to such Restricted European Transfers between Google and Customer; or
ii. if Google’s address is not in an Adequate Country, the SCCs (Controller-to-Processor) and/or SCCs (Processor-to-Processor) will apply (according to whether Customer is a controller and/or processor) with respect to such Restricted European Transfers between Google and Customer.
10.3 Information about Alternative Transfer Solution. Google will provide Customer with information about Google’s adoption of an Alternative Transfer Solution at https://cloud.google.com/terms/alternative-transfer-solution
10.4 Termination. If Customer concludes, based on its current or intended use of the Services, that the Alternative Transfer Solution and/or SCCs, as applicable, do not provide appropriate safeguards for Customer Personal Data, then Customer may immediately terminate the Agreement for convenience by notifying Google.
11. Subprocessors
11.1 Consent to Subprocessor Engagement. Customer specifically authorizes the engagement as Subprocessors those entities disclosed under Section 11.2 (Information about Subprocessors) as of the Terms Effective Date. In addition, without prejudice to Section 11.4 (Opportunity to Object to Subprocessor Changes), Customer generally authorizes the engagement of other third parties as Subprocessors (“New Subprocessor(s)”).
11.2 Information about Subprocessors. Names, locations and activities of Subprocessors are described, at https://cloud.google.com/terms/secops/subprocessors (as may be updated by Google from time to time in accordance with these Terms).
11.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Google will:
a. ensure via a written contract that:
i. the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the applicable Agreement (including these Terms); and
ii. if the processing of Customer Personal Data is subject to European Data Protection Law, the data protection obligations described in these Terms (as referred to in Article 28(3) of the GDPR, if applicable), are imposed on the Subprocessor; and
b. remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
11.4 Opportunity to Object to Subprocessor Changes.
a. When any New Subprocessor is engaged during the Term, Google will, at least 30 days before the New Subprocessor starts processing any Customer Data, notify Customer of the engagement (including the name, location and activities of the New Subprocessor).
b. Customer may, within 90 days after being notified of the engagement of a New Subprocessor, object by immediately terminating the Agreement for convenience by notifying Google.
12. Data Protection Team; Processing Records
12.1 Google Cloud’s Data Protection Team. Google Cloud’s Data Protection Team will provide prompt and reasonable assistance with any Customer queries related to processing of Customer Data under the Agreement and can be contacted at https://support.google.com/cloud/contact/dpo (and/or via such other means as Google may provide from time to time).
12.2 Google’s Processing Records. Google will keep appropriate documentation of its processing activities as required by European Data Protection Law. To the extent European Data Protection Law requires Google to collect and maintain records of certain information relating to Customer, Customer will supply such information to Google promptly after the Terms Effective Date, and give Google timely notice of any changes to such information to ensure that Google’s records remain accurate and up-to-date. Google may make any such information available to the supervisory authorities if required by European Data Protection Law.
12.3 Controller Requests. During the Term, if Google’s Cloud Data Protection Team receives a request or instruction from a third party purporting to be a controller of Customer Personal Data, Google will advise the third party to contact Customer.
13. Interpretation
13.1 Precedence. To the extent of any conflict or inconsistency between:
a. these Terms and the remainder of the Agreement, these Terms will prevail; and
b. any Customer SCCs and the Agreement (including these Terms), the Customer SCCs will prevail.
13.2 No Modification of SCCs. Nothing in the Agreement (including these Terms) is intended to modify or contradict any SCCs or prejudice the fundamental rights or freedoms of data subjects under European Data Protection Law.
Appendix 1: Subject Matter and Details of the Data Processing
Subject Matter
Google’s provision of the Consulting Services and/or Managed Services, as applicable, to Customer as described in the Cloud Master Agreement General Terms and applicable Statement of Work.
Duration of the Processing of Customer Personal Data
The Term plus the period from the end of the Term until Customer revokes Google’s access to Customer Data or Google deletes such data in accordance with the Terms.
Nature and Purpose of the Processing
Google will process Customer Personal Data for the purpose of providing the Consulting Services and/or Managed Services, as applicable, in accordance with these Terms.
Categories of Data
Data relating to individuals provided to Google by (or at the direction of) Customer to receive the Consulting Services and/or Managed Services, as applicable.
Data Subjects
Data subjects include the individuals about whom data is provided to Google by (or at the direction of) Customer to receive the Consulting Services and/or Managed Services, as applicable.
Appendix 2: Additional Technical and Organizational Measures
1. Customer-Controlled Environment. Google will only access and process Customer Personal Data provided by or on behalf of Customer to Google via a Customer-controlled or Customer-approved account or environment.
2. Data Access Processes and Policies – Access Policy. Google’s data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Google (i) only allows persons to access data they are authorized to access; and (ii) takes steps to ensure that personal data cannot be read, copied, altered or removed without authorization during processing and use. Google’s granting or modification of access rights is based on Customer’s provision to Google of end user access to its account or environment.
3. Personnel Security. Google personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Google conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Google’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role (e.g., certifications). Google’s personnel will not process Customer Personal Data without authorization.
4. Additional Security Measures. Google and Customer may agree to additional security measures in the applicable Order Form, including any attached Statement of Work, for the Consulting Services and/or Managed Services, as applicable.