Archived Version


Information Protection Addendum

v7.2

Last modified:  September 14, 2020

Part A:  General Information Security Terms

1.    Introduction.

1.1  Status of the Addendum. This Information Protection Addendum (“IPA”) forms part of the Agreement and incorporates (a) the mandatory terms set out in this Part A (General Information Security Terms), (b) the Supplemental Terms, to the extent applicable, and (c) the Standard Contractual Clauses (as defined below), to the extent applicable.

1.2  Order of Precedence.  Unless otherwise stated in the Agreement, if there is any conflict or inconsistency between this IPA and the rest of the Agreement, this IPA will prevail.

1.3  Supplemental Terms.  In addition to this Part A (General Information Security Terms), the following supplemental terms are part of the IPA to the extent applicable:

  • (a)  Part B (GDPR Data Protection Requirements) of this IPA will apply to the extent the Services include access to Personal Information subject to the GDPR.
  • (b)  Part C (Business Process Outsourcing Requirements) of this IPA will apply to the extent the Services include outsourced business processes performed from any facility that is not both owned and operated by Google.
  • (c)  Part D (HIPAA Business Associate Requirements) of this IPA will apply to the extent the Services include access to Personal Information subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
  • (d)  Annex 1 (Standard Contractual Clauses) of this IPA will apply only to the extent applicable to the export of Personal Information from the EU, the UK, or Switzerland.
  • (e)  Supplemental Supplier and Partner Security Standards at https://g.co/partner-security will apply to the extent Your Services include software or web development services.

2.    Definitions; Interpretation.

2.1  Definitions.  In this IPA:

  • (a)  “Access” or “Accessing” means to access, create, collect, acquire, receive, record, consult, use, process, alter, store, retain, maintain, retrieve, disclose, or dispose of. Access also includes “processing” within the meaning of the GDPR.
  • (b)  “Alternative Transfer Solution” means a mechanism other than the Standard Contractual Clauses that enables the lawful transfer of Personal Information from the EEA, UK, or Switzerland to a third country in accordance with Applicable Data Protection Law, including as applicable, the Swiss-U.S. or UK-U.S. Privacy Shield self-certification programs approved and operated by the U.S. Department of Commerce (“Privacy Shield”).
  • (c)  “Applicable Data Protection Laws” means all privacy, data security, and data protection laws, directives, regulations, and rules in any jurisdiction applicable to Your Accessing Personal Information for the Services.
  • (d)  “Applicable Standards” means government standards, industry standards, and best practices applicable to Your Accessing Personal Information for the Services, including as required by Alternative Transfer Solutions.
  • (e)  “CCPA” means, as applicable: (i) the California Consumer Privacy Act of 2018, California Civil Code 1798.100 et seq. (2018), as amended from time to time; and (ii) any other applicable U.S. state data protection laws modeled on the CCPA.
  • (f)  “Data Controller” has the same meaning as “controller” in GDPR.
  • (g)  “Data Processor” has the same meaning as “processor” in GDPR, and includes any party that constitutes a “service provider” within the meaning of the CCPA.
  • (h)  “Data Subject” has the same meaning as “data subject” in GDPR.
  • (i)  “GDPR” means (i) the European Union General Data Protection Regulation (EU) 2016/679 on data protection and privacy for all individuals within the European Union (“EU”) and the European Economic Area (“EEA”); (ii) the GDPR as incorporated into United Kingdom (“UK”) law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced); and (iii) any other applicable data protection laws or regulations modeled on GDPR.
  • (j)  “GDPR Personal Information” means Personal Information subject to GDPR.
  • (k)  “includes” or “including” means “including but not limited to”.
  • (l)  “Personal Information” means (i) any information about an identified or identifiable individual; or (ii) information that is not specifically about an identifiable individual but, when combined with other information, may identify an individual.  Personal Information includes names, email addresses, postal addresses, telephone numbers, government identification numbers, financial account numbers, payment card information, credit report information, biometric information, online identifiers (including IP addresses and cookie identifiers), network and hardware identifiers, and geolocation information, and any information that constitutes “personal data” within the meaning of GDPR, or “personal information” within the meaning of the CCPA.
  • (m)  “Protected Information” means Personal Information and Google Confidential Information that You or a Third Party Provider may Access in performing Services. Protected Information does not include the parties’ business contact information (specifically, business addresses, phone numbers, and email addresses, including a party’s contact persons’ names used solely to facilitate the parties’ communications for administration of the Agreement).
  • (n)  “reasonable” means reasonable and appropriate to (i) the size, scope, and complexity of Your business; (ii) the nature of Protected Information being Accessed; and (iii) the need for privacy, confidentiality, and security of Protected Information.
  • (o)  “Regulator” or “Regulatory” means an entity with supervisory or regulatory authority over Google or its affiliate under Applicable Data Protection Laws.
  • (p)  “Safeguards” means the technical, organizational, administrative, and physical controls in Section 5 (Safeguards), Section 6 (Encryption Requirements), Section 8.3 (Your Self-Assessment), and Section 9.1 (Security Incident Response Program).
  • (q)  “Secondary Use” means Access to Protected Information for purposes other than as necessary to fulfill the Agreement and comply with the specific instructions stated in the Agreement. Secondary Use includes any purpose that would be considered a “sale” of Personal Information as defined by the CCPA.
  • (r)  “Security Incident” means actual or reasonable degree of certainty of unauthorized use, destruction, loss, control, alteration, acquisition, exfiltration, theft, retention, disclosure of, or access to, Protected Information for which You are responsible. Security Incidents do not include unsuccessful access attempts or attacks that do not compromise the confidentiality, integrity, or availability of Protected Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
  • (s)  “Services” means any goods or services that You or a Third Party Provider provide(s) to or for Google either (a) under one or more statements of work (SOW) entered under the Agreement; or (b) if no SOW has been entered under the Agreement, under the Agreement itself.
  • (t)  “Standard Contractual Clauses” means the Standard Contractual Clauses attached as Annex 1 to this IPA. For purposes of the Standard Contractual Clauses, “data exporter” means Google, and “data importer” means You.
  • (u)  “Supplemental Supplier and Partner Security Standards” means the obligations, standards, and requirements set forth at https://g.co/partner-security.
  • (v)  “Third Party Provider” means any parent company, subsidiary, agent, contractor, sub-contractor, sub-processor, or other third party You authorize to act on Your behalf in connection with processing Personal Information exclusively intended for the Services. “Third Party Provider” includes “subprocessor” within the meaning of the Standard Contractual Clauses.
  • (w)  “You” or “Your” means the party (including any personnel, contractor, or agent acting on behalf of such party) that performs Services for Google or its affiliates under the Agreement.

2.2  Interpretation. All capitalized terms that are not expressly defined in the IPA will have the meanings given to them in the Agreement. Any examples in this IPA are illustrative and not the sole examples of a particular concept.

3.    Compliance with Laws; Use Limitation.

3.1  Compliance with Applicable Data Protection Laws and Applicable Standards.  When You Access Protected Information under the Agreement, You will at all times comply with all Applicable Data Protection Laws and Applicable Standards, including any requirements applicable to the transfer of Personal Information out of the EEA, Switzerland, or the UK. You will assist Google in complying with lawful requests of individuals regarding the Processing of Personal Information under Applicable Data Protection Law. You will promptly notify Google if You believe compliance with this IPA will interfere with Your obligations under Applicable Data Protection Laws.

3.2  Use Limitation.  You will Access Protected Information only on behalf of Google and in accordance with the limited and specified purposes stated in the Agreement. You will not Access Protected Information for any Secondary Use.

4.    Third Party Providers.  You may not subcontract the performance of any part of the Services to any Third Party Provider without Google’s prior written consent or general written authorization. If and to the extent Google gives prior consent or authorization, You will:

  • (a)   carry out adequate due diligence of Your Third Party Provider to ensure its capability of providing the level of security and privacy required by the Agreement;
  • (b)   contractually require Your Third Party Provider to prevent Secondary Use and protect Protected Information using at least the same level of protection required of You under this IPA;
  • (c)   retain oversight of and be responsible for Your Third Party Providers’ acts and omissions in connection with this Agreement; and
  • (d)   send any requests for Google’s consent to the subcontracting of any part of the Services to a Third Party Provider to subprocessor-compliance@google.com or the following external webform (https://sites.google.com/corp/view/subprocessor-notifications/home).

5.    Safeguards.  At all times that You Access Protected Information, You will maintain reasonable technical, organizational, administrative, and physical controls and comply with this IPA, Applicable Standards, and Applicable Data Protection Laws, including the following:

5.1  Physical Controls. You will maintain physical controls designed to secure relevant facilities, including layered controls covering perimeter and interior barriers, individual physical access controls, strongly-constructed facilities, suitable locks with key management procedures, access logging, and intruder alarms/alerts and response procedures.

5.2  Technical Controls.   To the extent You Access Protected Information using Your systems, You will:

  • (a)   establish and enforce access control policies and measures to ensure that only individuals who have a legitimate need to Access Protected Information will have such access, including multi-factor authentication;
  • (b)   promptly terminate an individual’s access to Protected Information when such access is no longer required for performance under the Agreement;
  • (c)   maintain reasonable and up-to-date anti-malware, anti-spam, and similar controls on Your networks, systems, and devices;
  • (d)   log the appropriate details of access to Protected Information on Your systems and equipment, plus alarms for attempted access violations, and retain such records for no less than 90 days;
  • (e)   maintain controls and processes designed to ensure that all operating system and application security patches are installed within the timeframe recommended or required by the issuer of the patch; and
  • (f)   implement reasonable user account management procedures to securely create, amend, and delete user accounts on networks, systems, and devices through which You Access Protected Information, including monitoring redundant accounts and ensuring that information owners properly authorize all user account requests.

5.3  Personnel Security. You will maintain personnel policies and practices restricting access to Protected Information, including having appropriate use guidelines, written confidentiality agreements, and performing background checks in accordance with Applicable Data Protection Laws on all personnel who Access Protected Information or who implement, maintain, or administer Your Safeguards.

5.4  Training and Supervision. You will provide reasonable ongoing privacy and information security training and supervision for all Your personnel who Access Protected Information.

5.5  Supplemental Supplier and Partner Security Standards. To the extent Your Services include software or web development services, You will comply with the Supplemental Supplier and Partner Security Standards.

6.    Encryption Requirements.  Using a reasonable encryption standard, You will encrypt all Protected Information that is (a) stored on portable devices or portable electronic media; (b) maintained outside of Google’s or Your facilities; (c) transferred across any external network not solely managed by You; and (d) where required by Applicable Data Protection Law, including Personal Information at rest on Your systems.

7.    Use of Google Networks, Systems, or Devices.  To the extent that You access Google-owned or Google-managed networks, systems, or devices (including Google APIs, corporate email accounts, equipment, or facilities) to Access Protected Information, You must comply with Google’s written instructions, system requirements, and policies made available to You.

8.    Assessments; Audits; Corrections

8.1  Google’s Security Assessment.  On Google’s written request You will promptly and accurately complete Google’s written privacy and security questionnaire regarding any network, application, system, or device, or Safeguard applicable to Your access to Protected Information. You will provide any additional assistance and cooperation that Google may reasonably require during any assessment of Your Safeguards, including providing Google with reasonable access to personnel, information, documentation, infrastructure and application software, to the extent any of the foregoing is involved in Your access to Protected Information.

8.2  Penetration Testing.  If You Access Protected Information from systems, or Your systems connect to Google’s internal systems, then in addition to Section 8.1 (Google’s Security Assessment), the following may apply:

  • (a)    Google Conducted Penetration Test. Upon reasonable notice, in coordination with You (or Google’s independent third party assessor that is not Your competitor) Google may perform annual penetration testing or other security assessment on Your systems used to Access Protected Information. Google reserves the right to perform more frequent testing in connection with material changes to Services, or as a result of any Material Vulnerability or Security Incident notified to Google.
  • (b)    Third Party Conducted Penetration Test. Instead of a Google-conducted penetration test under Section 8.2(a), at Google’s sole discretion Google may accept the written results of penetration testing (and the status of Your efforts to remediate findings, if any) performed by Your accredited third party vulnerability tester and at Your own cost following commonly accepted guidelines consistent with Google’s then current Testing Guidelines (https://partner-security.withgoogle.com/docs/pentest_guidelines). The Penetration Testing report must be in English or accompanied by an English translation. Google will treat the information You disclose in connection with Section 8 as Your confidential information.

8.3  Your Continuous Self-Assessment.  You will continuously monitor risk to Protected Information and ensure that the Safeguards are properly designed and maintained to protect the confidentiality, integrity, and availability of Protected Information. As part of Your continuous self-assessment program You will at a minimum do the following: (1) periodically (but no less than once per year) ensure third party penetration tests and other appropriate vulnerability tests are conducted, and document the effectiveness of Your Safeguards; (2) promptly fix high and critical severity findings; and (3) promptly apply any high or critical severity security patches to Your production servers, endpoints, and endpoint management systems.

8.4  Audits and Certifications; Regulatory Audits.

  • (a)   Audits and Certifications. Upon written request by Google, not more than once per year, Google may conduct an audit of Your architecture, systems and procedures relevant to the protection of Personal Information at locations where Personal Information is Accessed. You will work cooperatively with Google to agree on an audit plan in advance of any audit. Provided, however, if the scope of the audit is addressed in an SSAE 16/SOC1, SOC2, ISO 27001, NIST, PCI DSS, HIPAA or similar audit report performed by a qualified third party auditor within the prior twelve (12) months, and You confirm there are no known material changes in the controls audited, Google may agree to accept those reports in lieu of requesting an audit of the controls covered by the report.
  • (b)   Regulatory Audit. Notwithstanding Section 8.4(a), if a Regulator requires an audit of the data processing facilities from which You process Personal Information in order to ascertain or monitor Google’s compliance with Applicable Data Protection Law, You will cooperate with such audit.

8.5  Correcting Vulnerabilities.  If either party discovers that Your Safeguards contain a vulnerability, You will promptly correct or mitigate at Your own cost (a) any vulnerability within a reasonable period, and (b) any material vulnerability within a period not to exceed 60 days. If You are unable to correct or mitigate the vulnerabilities within the specified time period, You must promptly notify Google and propose reasonable remedies.  Compliance with this Section will not reduce or suspend Your obligations under Section 9 (Security Incident Response), or reduce or suspend Google’s rights under Section 12 (Suspension; Termination), and 13 (Records; Destruction; Sanitization).

9.    Security Incident Response.

9.1  Security Incident Response Program.  You will maintain a reasonable Security Incident response program.

9.2  Security Incident Notification.

  • (a)   If You become aware of a Security Incident, You will promptly: (i) stop the unauthorized access; (ii) secure Protected Information; (iii) notify Google (in no event more than 24 hours after discovery of the Security Incident) by sending an email to external-incidents@google.com with the information described in Subsection (b) below. This notification is required even if You have not conclusively established the nature or extent of the Security Incident; and (iv) assist Google in complying with its Security Incident notification or cure obligations under Applicable Data Protection Laws and as otherwise reasonably requested.
  • (b)   You will provide reasonable information about the Security Incident, including: (i) a description of Protected Information subject to the Security Incident (including the categories and number of data records and Data Subjects concerned) and the likely consequences of the Security Incident; (ii) the date and time of the Security Incident; (iii) a description of the circumstances that led to the Security Incident (e.g., loss, theft, copying); (iv) a description of the measures You have taken and propose to take to address the Security Incident; and (v) relevant contact people who will be reasonably available until the parties mutually agree that the Security Incident has been resolved.  For Security Incidents involving Personal Information, “reasonably available” means 24 hours per day, 7 days per week.

9.3  Remediation; Investigation.  At Your cost, You will take appropriate steps to promptly remediate the root cause(s) of any Security Incident, and will reasonably cooperate with Google with respect to the investigation and remediation of such incident, including providing such assistance as required to enable Google to satisfy its obligation to notify individuals and cure an alleged violation related to a Security Incident. You will promptly provide Google the results of the investigation and any remediation already undertaken. You will not engage in any action or inaction that unreasonably prevents Google from curing an alleged violation of Applicable Data Protection Law.

9.4  No Unauthorized Statements.  Except as required by Applicable Data Protection Laws, You will not make (or permit any third party to make) any statement concerning the Security Incident that directly or indirectly references Google, unless Google provides its explicit written authorization.

10.    Legal Process. If You or anyone to whom You provide access to Protected Information becomes legally compelled by a court or other government authority to disclose Protected Information, then to the extent permitted by law, You will promptly inform Google of any request and reasonably cooperate with Google’s efforts to challenge the disclosure, seek an appropriate protective order, or pursue such other legal action as Google may deem appropriate.  Unless required by Applicable Data Protection Laws, You will not respond to such request, unless Google has authorized You to do so.

11.    PCI Compliance. To the extent You receive, process, transmit, or store any Cardholder Data for or on behalf of Google, You will at all times meet or exceed all Applicable Data Protection Laws and Applicable Standards related to the collection, storage, accessing, and transmission of such data, including those established by Payment Card Industry Data Security Standards. “Cardholder Data” means any primary account number, cardholder name, expiration date and/or service code, and security-related information (including but not limited to card validation codes/values, full track data, PINs and PIN blocks) used to authenticate cardholders or authorize payment card transactions.

12.    Suspension; Termination. In addition to Google's suspension and termination rights in the Agreement, Google may: (a) immediately suspend Your access to Protected Information if (i) Google reasonably determines that You are not complying with this IPA; (ii) You are reasonably determined to be out of compliance with Applicable Data Protection Law;  or (iii) You have engaged in conduct that unreasonably prevents Google from timely curing an alleged violation of Applicable Data Protection Law; or (b) terminate the Agreement if (i) Google reasonably determines that You have failed to cure material noncompliance with this IPA within a reasonable time; or (ii) Google reasonably believes it needs to do so to comply with Applicable Data Protection Laws or Applicable Standards.

13.    Records; Destruction; Responding to Access Requests; Sanitization

13.1  Records.  You will keep at Your normal place of business detailed, accurate, and up-to-date records relating to Your access to Protected Information and sufficient to meet Your obligations under this IPA. You will make such records available to Google on request.

13.2  Return or Deletion of Information.  Upon the termination or expiration of the Agreement or the relevant statement of work for the Services, You will promptly return to Google all copies, whether in written, electronic or other form or media, of Personal Information in Your possession or the possession of a Third Party Provider; where permitted, delete and render Protected Information unreadable in the course of disposal; securely dispose of all such hard copies; and where requested, certify in writing Your compliance.

13.3  Subject Access Requests. Upon Google’s request, You will (i) promptly provide to Google a particular individual’s Personal Information in an agreed upon format, and (ii) securely delete, modify, or correct a particular individual’s Personal Information from Your records. In the event You are unable to delete the Personal Information for reasons permitted under the Applicable Data Protection Laws, You will (i) promptly inform Google of the reason(s) for Your refusal, including the legal basis of such refusal, (ii) ensure the ongoing privacy, confidentiality, and security of such Personal Information, and (iii) delete the Personal Information promptly after the expiry of the reason(s) for Your refusal.

13.4  Sanitization.  You will use a media sanitization process that deletes and destroys data in accordance with the US Department of Commerce’s National Institute of Standards and Technology’s guidelines in NIST Special Publication 800-88 or equivalent standard.

14.    Survival.  Your obligations under this IPA will survive expiration or termination of the Agreement and completion of the Services as long as You continue to have access to Protected Information.

15.    Certification of Understanding. By signing or executing the Agreement, You hereby certify, represent, and warrant that You understand and will comply with all restrictions imposed upon Your Access to Protected Information under this Agreement and restrictions on Secondary Use.


Part B:   GDPR Data Protection Requirements

1.    Introduction. This Part B will only apply to the extent the Services require that You Access Personal Information subject to GDPR.

2.    Types and Categories of Personal Information. The purchase order(s) or statement(s) of work associated with the Services will specify the subject matter and duration of the processing, the categories of Data Subjects, and the types and categories of Personal Information Accessed.

3.    Roles and Responsibilities.

3.1  General. If GDPR applies to the Services, the parties acknowledge and agree that:

  • (a)   the subject matter and details of the processing are as described in the Agreement;
  • (b)   Google or its affiliate is a controller of the Personal Information;
  • (c)   You are a processor of the Personal Information; and
  • (d)   You will comply with Google’s written instructions with respect to the Personal Information.

3.2  Your Obligations as a Data Processor. You will:

  • (a)   Access Personal Information only on behalf of Google and in accordance with Google’s documented instructions unless You are otherwise required by GDPR, in which case You will inform Google of that legal requirement before Accessing the Personal Information, unless informing Google is prohibited by law on important grounds of public interest. You will immediately inform Google if, in Your opinion, Google’s instructions infringe GDPR.
  • (b)   implement and maintain appropriate technical and organizational measures to meet Your obligations under Applicable Data Protection Laws and this IPA;
  • (c)   promptly correct, amend, or delete the Personal Information at Google’s direction;
  • (d)   where requested, reasonably assist Google in the conduct of data protection impact assessments and prior consultations with Regulatory Authorities or other competent data privacy authorities, which Google reasonably considers to be required prior to Accessing Personal Information;
  • (e)   not appoint or change any subprocessor without Google’s prior written consent, which Google will grant or deny without unreasonable delay, and if granted, You will enter into a contract with each new subprocessor in accordance with Part A, Section 4(b) of this IPA;
  • (f)    on request, provide Google with information about any authorized Third Party Provider, including a summary or copy of Your contractual terms with such parties, if required by Applicable Data Protection Laws;
  • (g)   promptly notify Google of any Data Subjects’ request to exercise their legal rights or to access, correct, amend, delete, or restrict that person’s Personal Information, to object to the Accessing of Personal Information or exercise the right to data portability in respect of Personal Information. Provided, however, You will not respond to such requests without Google’s prior written consent;
  • (h)   cooperate with and assist Google in investigating Data Subjects’ exercise of their legal rights;
  • (i)    appoint a Data Protection Officer if legally required, and notify Google of the Data Protection Officer’s contact information on Google’s request; and
  • (j)    maintain adequate records of processing activities as set out more fully in Art. 30 of the GDPR.

4.    Data Transfers.

4.1  Transfers of Data Out of the EEA, Switzerland, and the UK. You may transfer Personal Information outside the EEA, Switzerland, or the UK (as applicable) if You comply with the provisions on the transfer of personal data to third countries under Applicable Data Protection Laws.

4.2  Transfers Under Standard Contractual Clauses. To the extent Standard Contractual Clauses are applicable to the transfer of Personal Information from the EEA, Switzerland, or the UK (as applicable), You expressly agree that Your signature on the Agreement will be deemed as Your acceptance and execution of the Standard Contractual Clauses including the warranties and undertakings contained therein as the “data importer.”

4.3  Alternative Transfer Solutions. To the extent You will Access Personal Information transferred to Google in reliance on an Alternative Transfer Solution, You will:

  • (a)   provide at least the same level of protection for the Personal Information as is required by the Agreement and the applicable Alternative Transfer Solution for as long as You Access the Personal Information; and
  • (b)   promptly notify Google in writing if You determine that You can no longer provide at least the same level of protection for the Personal Information as is required by the Agreement and applicable Alternative Transfer Solution and, upon making such a determination, cease Accessing the Personal Information or take other reasonable and appropriate remediation steps.

4.4  Google’s Alternative Transfer Solution Certification. To the extent Google LLC has certified under the Privacy Shield on behalf of itself and certain wholly-owned US subsidiaries, Google’s certification and status is available at https://www.commerce.gov/page/eu-us-privacy-shield.


The following Parts C (“Process Outsourcing Requirements”), D (“HIPAA Business Associate Requirements”) and E (“Reverse Logistics (Service and Repair) Requirements”), will apply to the extent applicable to the Services performed.

Part C:  Process Outsourcing Requirements

1.    Introduction. To the extent Your Services include outsourced business processes that You perform on behalf of Google from any facility that is not both owned and operated by Google, You will comply with not only Part A, but also Part C of this IPA.

2.    Additional Security Requirements.

2.1  Minimum Security Measures. You will implement the following minimum security requirements for any Services You perform:

  • (a)   an electronic, centrally-managed access control system with perimeter alarms on all doors giving access to the segregated area used to perform Services;
  • (b)   a badging process that identifies only personnel with a business need to access areas in which Services are performed;
  • (c)   access control systems to record and store entry and exit details for all personnel and visitors to Your facilities for at least 30 days for common areas and 45 days for areas in which Services are performed;
  • (d)   a CCTV system with coverage sufficient to capture images of all Google assets and access/egress points, including emergency exits with lighting during hours of darkness;
  • (e)   dedicated 24 hour on-site guarding at Your facilities performing Services; and
  • (f)    forced door alarms, and door held alarms with default settings of 30 seconds or more.

2.2  Clean Room Security Measures. On Google’s written request, You will perform Services in an enclosed area that is physically and logically separated from other workflow processes (including other Google workflows) and limited to specially authorized personnel (“Clean Room”) and You will apply the following security requirements, in addition to those listed in Part C, Section 2.1, to any Clean Room:

  • (a)   You will physically secure any Clean Room, including workspaces, from access by individuals not authorized by You to provide Services;
  • (b)   You will logically separate networks, systems, and devices used for Services performed within a Clean Room from Your networks, systems, and devices used for other purposes;
  • (c)   You will not remove any Google-managed hardware, software, or documentation from a Clean Room, except as required to perform Services and with Google’s prior written approval;
  • (d)   You will maintain reasonable logs of individuals with authorized access to any Clean Room;
  • (e)   on request, You will give Google access to relevant access logs and CCTV images;
  • (f)    You will not permit personal property in the Clean Room, including closed containers, bags, papers, purses, dongles, cameras, mobile phones, or other electronic devices;
  • (g)   You may bring business equipment, including hardware or electronic devices into and out of the Clean Room only with prior written approval from the Google project manager identified in the statement of work for the Services, and only to the extent necessary to (i) secure and maintain any approved non-Google information technology; and (ii) reasonably comply with the Agreement; and
  • (h)   You will otherwise comply with the Clean Room Standards as indicated in Google’s written instructions in any applicable statement of work or other documentation (as may be updated from time-to-time).

3.    Additional Internal Access Controls. You will limit access to Protected Information to Your personnel and Third Party Providers who (i) have completed all Google-required training under the Agreement, including any training legally mandated to perform Services; and (ii) have agreed in writing at least once every calendar year to Your provider’s confidentiality agreement.

4.    Protected Information Incident Reimbursement.

4.1  Investigation and Remediation Costs.  To the extent that You, Your personnel, or Your Third Party Providers are responsible for a Security Incident, including any breach of this Agreement or failure to notify Google, You will reimburse Google for any direct losses and expenses due to those acts or omissions, and pay Google its actual costs incurred to investigate and remediate the Security Incident.

4.2  Third Party Assessment.  If more than one reportable Security Incident occurs within 90 calendar days, Google may require You to retain at Your cost a Google-approved, third-party security firm to assess Your Safeguards.  You will provide the assessment report to Google.  You will correct any vulnerabilities identified in any such assessment.

4.3  Service Transition Costs.  If Google determines that Your failure to comply with this IPA creates reasonable grounds to suspend Your access to Protected Information, information technology, or facilities, or to terminate the Agreement, You will reimburse Google for its reasonable costs in transitioning Services to another provider.

4.4  Incident Notices.  If Google decides in its sole discretion to notify individuals affected by a Security Incident, You will reimburse Google for the reasonable costs of such notification, including (a) preparing and delivering notices; (b) establishing a call center hotline or other incident response communications procedures; (c) costs for one year of commercially reasonable credit-monitoring services that is acceptable to Google for affected individuals (or any alternative service required by Applicable Data Protection Law, advisable under Applicable Standards, or requested by Regulatory Authorities); and (d) reasonable attorneys’ and consultants’ fees and expenses.

5.    Process Outsourcing Assessment.  In addition to any other assessments permitted under the Agreement, Google may assess the adequacy of Your Safeguards under this Section 5.

5.1  Vulnerability Scans.  If You are approved to Access Protected Information using non-Google network addresses, You must permit Google to perform regular vulnerability scans of all such addresses on a reasonable, recurring basis, at least once every 7 days. You will maintain an up-to-date list of non-Google network addresses and notify Google promptly of any changes to the list, including a written notice 15 days before releasing or transferring any such address to another tenant or owner.

5.2  Direct Tests.  If Google decides, in its reasonable judgment, to directly test any non-Google information technology used by You or Your Third Party Provider to perform Services, Google and You will promptly develop a mutually-agreeable protocol that permits Google to adequately assess Your Safeguards.

6.    Process Outsourcing Audits and Monitoring.  You expressly acknowledge and consent to auditing and monitoring by Google of all Your networks, applications, facilities, and workstreams used to perform Services, including all communication methods that You and Your Third Party Providers use to contact individual users in performing Services, including in-person, telephones, computers, electronic devices, and any other information technology.  Google’s auditing and monitoring may include random on-site inspections of Your facilities, equipment, networks, or applications used to perform Services, and placing quality control calls to confirm Your compliance with the Agreement.


Part D: HIPAA Business Associate Requirements

1.    Introduction. To the extent Your Services require access to Protected Information that is health information protected under the Health Insurance Portability and Accountability Act (“HIPAA”), You will comply with not only Part A, but also Part D of this IPA.

2.    Definitions. In this Part, all capitalized terms not otherwise defined in the Agreement will have the definitions given to them by HIPAA, including the following:

  • (a)   “Breach” has the same meaning as the term “breach” at 45 C.F.R. § 164.402.
  • (b)   “PHI” has the same meaning as the term “protected health information” at 45 C.F.R. § 160.103.
  • (c)   “Security Incident” has the same meaning as the term “security incident” at 45 C.F.R. § 164.304.

3.    HIPAA Business Associate Obligations.  If You are permitted to Access PHI to perform Services or as required by law, You will:

  • (a)   not use or disclose PHI other than to perform Services in accordance with the Agreement or as required by law;
  • (b)   use reasonable administrative, technical, and physical safeguards, and comply with the Security Rule with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided by the Agreement;
  • (c)   report to Google any use or disclosure of PHI not provided for by the Agreement or any Breach or Security Incident of which You become aware;
  • (d)   ensure that any Third Party Providers that Access PHI on behalf of Google contractually agree to the same terms that apply to You with respect to such PHI;
  • (e)   provide access to PHI maintained in a Designated Record Set in accordance with 45 C.F.R. § 164.524 and Google’s specified timeframes;
  • (f)    on Google’s request, amend the PHI maintained in a Designated Record Set in accordance with 45 C.F.R. § 164.526;
  • (g)   assist Google in responding to an Individual’s request for an accounting of PHI disclosures in accordance with 45 C.F.R. § 164.528 and Google’s specified timeframes;
  • (h)   make Your internal practices and records available to the Secretary of the Department of Health and Human Services to determine HIPAA compliance; and
  • (i)    return or destroy (and retain no copies of) all PHI received from Google once such PHI is not needed to perform Services.


Annex 1: Standard Contractual Clauses

STANDARD CONTRACTUAL CLAUSES

(PROCESSORS)

Standard Contractual Clauses (processors)

For the purposes of Article 46(2) of Regulation 2016/679, including any successor regulation thereto, the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

Introduction

Data transfer agreement

Between Google on behalf of itself and its affiliates as defined in the Agreement between the parties.

hereinafter “data exporter”

And You

(with address and country of establishment as stated in the Agreement)

hereinafter “data importer”

(together, the “Parties”).


HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a)             'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', and 'data subject' shall have the same meaning as in Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”).  References to Directive 95/46/EC shall be construed as references to the equivalent operative provisions of the GDPR;

(b)          'the data exporter' means the controller who transfers the personal data;

(c)             'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 45(3) of the GDPR;

(d)         ‘Member State’ or ‘State’ means (i) the Member State in which the data exporter is established, (ii) if the data exporter is established in Switzerland, Switzerland, or (iii) if the data exporter is established in the UK effective as of the date of its exit from the European Union, the UK.

(e)         ‘the data protection supervisory authority’ means (i) the data protection supervisory authority of the Member State in which the data exporter is established, (ii) if the data exporter is established in Switzerland, the Federal Data Protection and Information Commissioner, or (iii) if the data exporter is established in the UK, the Information Commissioner’s Office;

(f)              'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(g)          'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in (i) the Member State in which the data exporter is established, (ii) if the data exporter is established in Switzerland, Switzerland, or (iii) if the data exporter is established in the UK effective as of the date of its exit from the European Union, the UK.

(h)            'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1.            The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2.            The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3.            The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4.            The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a)          that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b)          that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

(c)          that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d)          that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e)          that it will ensure compliance with the security measures;

(f)           that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g)          to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h)          to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i)           that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j)           that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a)          to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b)          that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c)          that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d)          that it will promptly notify the data exporter about:

(i)           any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii)          any accidental or unauthorised access, and

(iii)          any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e)          to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f)           at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g)          to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h)          that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i)           that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j)           to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1.            The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2.            If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3.            If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1.            The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a)          to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b)        to refer the dispute to the courts of the Member State in which the data exporter is established.

2.            The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1.            The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2.            The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3.            The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

1.            The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.

2.            The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3.            The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4.            The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1.            The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2.            The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Name (written out in full):                     

Position:                      

Address:                      

Other information necessary in order for the contract to be binding (if any):                      

Signature……………………………………….

On behalf of the data importer:

Name (written out in full):                     

Position:                      

Address:                      

Other information necessary in order for the contract to be binding (if any):

Signature……………………………………….

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

Data Exporter is (i) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter and, (ii) all affiliates (as defined in the Agreement) established within the European Economic Area (EEA), Switzerland, and the UK (effective as of the date of its exit from the European Union) that have Accessed Personal Information in connection with this Agreement.

Data importer

The purchase order(s) or statement(s) of work associated with Your Services will specify the activities relevant to the transfer and duration of the processing of Personal Information Accessed.

Data subjects

The personal data transferred may concern any of the following categories of data subjects:

1.   Prospects, customers, business partners, and vendors of the data exporter (who are natural persons)

2.   Employees or contact persons of the data exporter’s prospects, customers, business partners and vendors

3.   Employees, agents, advisors, and freelancers of the data exporter (who are natural persons)

4.   Individuals authorized by the data exporter to use the Services

Categories of data

The personal data transferred may include any of the following data as described in the Services to be provided under the Agreement or applicable statements of work between the parties:

●    First and last name

●    Title

●    Position

●    Employer

●    Contact information (company, email, phone, physical business address)

●    ID data

●    Professional life data

●    Personal life data

●    Connection data (meta or other data that includes connection detail)

●    Geo-Localisation data

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify): The processing activities performed by the data importer will be as described in the Services to be provided under the Agreement or applicable statements of work between the parties.


DATA EXPORTER

Name: Google               

Authorised Signature ……………………


DATA IMPORTER

Name:………………………………           

Authorised Signature ……………………


APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

The data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Personal Information, as described in the Agreement applicable to the specific Services provided to the data exporter. Where the data exporter authorizes the data importer to subcontract the services, the data importer will not decrease the overall security of the Services during a relevant term.
