Partner Information Protection Addendum

1. General.

(a) Agreement. This Partner Information Protection Addendum (the “PIPA” or “Addendum”) forms part of any agreement, end user license agreement, statement of work, purchase order, and/or other services agreement(s) between You and Google (collectively the “Agreement”) and incorporates the mandatory terms in this Addendum and the Standard Contractual Clauses (as defined below) to the extent applicable.

(b) Order of Precedence. To the extent this Addendum conflicts with the Agreement, this Addendum will govern.

(c) Interpretation. All capitalized terms not defined in the Addendum will have the meanings given to them in the Agreement. Any examples in this Addendum are illustrative and not the sole examples of a particular concept.

2. Defined Terms.

In this Addendum:

(a) “Alternative Transfer Mechanism” means a mechanism other than the Standard Contractual Clauses that enables the lawful transfer of Personal Information from the EEA, UK, or Switzerland to a third country in accordance with Applicable Data Protection Law, including as applicable, the Swiss-U.S. or UK-U.S. Privacy Shield self-certification programs approved and operated by the U.S. Department of Commerce (the “Privacy Shield”).

(b) “Applicable Data Protection Laws” means privacy, data security, and data protection laws, directives, and regulations in any jurisdiction applicable to the Personal Information Processed for the Services.

(c) “CCPA” means, as applicable: (i) the California Consumer Privacy Act of 2018, California Civil Code 1798.100 et seq. (2018), as amended; and (ii) any other applicable U.S. state data protection laws modeled on the CCPA.

(d) “Data Controller” has the same meaning as “controller” under the GDPR.

(e) “Disclosing Controller” means the Data Controller party that discloses the Personal Information to the other Data Controller party under this Addendum. For purposes of the Standard Contractual Clauses, the Disclosing Controller means the data exporter.

(f) “GDPR” means (i) the European Union General Data Protection Regulation (EU) 2016/679 on data protection and privacy for all individuals within the European Union (“EU”) and the European Economic Area (“EEA”); (ii) the GDPR as incorporated into United Kingdom (“UK”) law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced); and (iii) any other applicable data protection laws or regulations modeled on the GDPR.

(g) “includes” or “including” means “including but not limited to”.

(h) “individual” or “individual(s)” include Consumer(s) as defined by the CCPA.

(i) “Personal Information” means (i) any information about an identified or identifiable individual; or (ii) information that is not specifically about an identifiable individual but, when combined with other information, may identify an individual. Personal Information includes names, email addresses, postal addresses, telephone numbers, government identification numbers, financial account numbers, payment card information, credit report information, biometric information, online identifiers (including IP addresses and cookie identifiers), network and hardware identifiers, and geolocation information, and any information that constitutes “personal data” within the meaning of the GDPR, or “personal information” within the meaning of the CCPA.

(j) “Process” or “Processing” means to access, create, collect, acquire, receive, record, consult, use, process, alter, store, maintain, retrieve, disclose, or dispose of. Process includes “processing” within the meaning of the GDPR.

(k) “reasonable” means reasonable and appropriate to (i) the size, scope, and complexity of the party’s business; (ii) the nature of the Personal Information being processed; and (iii) the need for privacy, confidentiality, and security of the Personal Information.

(l) “Receiving Controller” means the Data Controller party that receives the Personal Information from the other Data Controller party under this Addendum. For purposes of the Standard Contractual Clauses, the Receiving Controller means the data importer.

(m) “Secondary Use” means processing of Personal Information for purposes other than as necessary to fulfill the Agreement and comply with the specific instructions stated in the Agreement, or for any purpose that would be considered a “sale” or “disclosure” of Personal Information as defined by the CCPA.

(n) “Services” means any goods or services that You or a Third-Party Provider provide(s) to or for Google under the Agreement, including any statement(s) of work.

(o) “Standard Contractual Clauses” means the European Commission’s standard contractual clauses at business.safety.google/gdprcontrollerterms/sccs, which are standard data protection terms for the transfer of personal data to controllers established in third countries that do not ensure an adequate level of data protection, as described in Article 46 of the EU GDPR and as may be amended from time to time.

(p) “Third-Party Provider” means any agent or other third party that a party to this Agreement authorizes to act on its behalf in connection with the Services. “Third-Party Provider” includes any “sub-processor” within the meaning of the GDPR.

(q) “You” or “Your” means the party (including any personnel, contractor, or agent acting on behalf of that party) that partners with or provides Services for Google or its affiliates under the Agreement.

3. Data Controllers’ Mutual Representations and Warranties.

The parties represent and warrant that each:

(a) is an independent controller and third party to the other with respect to the Personal Information and will not Process the Personal Information as joint controllers; and

(b) has provided all notices, obtained all consents, or has otherwise determined that it has a lawful basis to transfer Personal Information under Applicable Data Protection Laws before making a disclosure of Personal Information to the other party; and

(c) will individually determine the purposes and means of its Processing of Personal Information received from the Disclosing Controller as described in the Agreement.

4. Data Controllers’ Mutual Obligations.

In fulfilling its obligations under the Agreement, each party will comply with Applicable Data Protection Laws, including to the extent applicable:

(a) providing all required notices or obtaining all required consents from individuals before Processing the Personal Information, including before disclosing it to the other party;

(b) providing individuals with rights in connection with Personal Information in a timely manner, including the ability of individuals to: (i) access or receive their Personal Information in an agreed upon format; and (ii) correct, amend, or delete Personal Information where it is inaccurate, or has been Processed in violation of Applicable Data Protection Laws; and

(c) responding to enquiries from data subjects or entities with supervisory or regulatory authority over either party concerning its Processing of Personal Information.

5. Receiving Controller’s Obligations.

(a) Limitation on Secondary Use. Where required by Applicable Data Protection Laws, before Processing Personal Information for any Secondary Use, the Receiving Controller will provide explicit notice to individuals in writing of the Secondary Use and maintain a mechanism enabling individuals to opt out of the Secondary Use at any time.

(b) Safeguards. The Receiving Controller will have in place reasonable technical and organizational measures to protect Personal Information against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access. The Receiving Controller will ensure that such measures provide a level of security reasonable to the risk represented by the processing and the nature of the data to be protected including:

(i) maintaining reasonable controls to ensure that access to Personal Information is limited to individuals who have a legitimate need to Process Personal Information;

(ii) promptly terminating an individual’s access to Personal Information when such access is no longer required for performance under the Agreement;

(iii) using reasonable and secure data transfer methods to transfer Personal Information across any network other than an internal company network owned and managed by that party;

(iv) assuming responsibility for any unauthorized access to Personal Information under the Receiving Controller’s custody or control (or Third-Party Provider(s)’ custody or control); and

(v) providing reasonable ongoing privacy and information protection training and supervision for all personnel (including Third-Party Providers) who Process Personal Information.

(c) Security Incident Response; Statements. The Receiving Controller will maintain a reasonable incident response program to respond to security incidents. The Receiving Controller will promptly inform the Disclosing Controller if any security incident requires notice to end users.

(d) Third-Party Providers. The Receiving Controller will contractually require each Third-Party Provider that Processes Personal Information to protect the privacy, confidentiality, and security of Personal Information using all reasonable measures as required by this Addendum and Applicable Data Protection Laws. The Receiving Controller will regularly assess its Third-Party Providers’ compliance with these contractual requirements.

(e) Owned or Managed Systems. To the extent the Receiving Controller accesses the Disclosing Controller’s owned or managed networks, systems, or devices (including APIs, corporate email accounts, equipment, or facilities) to Process the Disclosing Controller’s Personal Information, the Receiving Controller will comply with the Disclosing Controller’s written instructions.

(f) PCI Compliance. To the extent the Receiving Controller receives, processes, transmits, or stores any Cardholder Data for or on behalf of the Disclosing Controller, the Receiving Controller will at all times meet or exceed all Applicable Data Protection Laws and Applicable Standards related to the collection, storage, accessing, and transmission of such data, including those established by Payment Card Industry Data Security Standards. In this section, “Cardholder Data” means any primary account number, cardholder name, expiration date and/or service code, and security-related information (including card validation codes/values, full track data, PINs and PIN blocks) used to authenticate cardholders or authorize payment card transactions.

(g) Assessments of Compliance with this Addendum. Within 15 days of the Disclosing Controller’s written request to assess Receiving Controller’s compliance with the Addendum, the Receiving Controller will, as relevant, provide certification, audit reports, or other reports regarding the Receiving Controller’s compliance with the Safeguards and applicable standards as defined by the International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), or Statement on Standards for Attestation Engagements (SSAE) and International Standard on Assurance Engagements (ISAE) as published by the American Institute of Certified Public Accountants (AICPA), Payment Card Industry Data Security Standards, and International Auditing and Assurance Standards Board (IAASB), respectively. Examples of acceptable reports on Safeguards include: (1) SOC 1 Type II (based on SSAE 16, 18 or ISAE 3402); (2) SOC 2 Type II (based on SSAE 16, 18 or ISAE 3402); (3) ISO/IEC 27001:2013 certification; and (4) PCI DSS certification.

6. Cross-Border Transfers.

This Section 6 applies to Personal Information subject to the GDPR.

(a) Transfers of Data Out of the EEA, Switzerland, and the UK. Either party may transfer Personal Information outside the EEA, Switzerland, or the UK (or other jurisdictions as applicable) if the transferring party complies with the provisions on the transfer of personal data to third countries.

(b) Transfers Under Standard Contractual Clauses. To the extent Standard Contractual Clauses are applicable to the transfer of Personal Information, the parties expressly agree that their execution of the Agreement will be deemed as their respective acceptance and execution of the Standard Contractual Clauses including the warranties and undertakings contained therein as the data exporter and data importer as applicable.

(c) Alternative Transfer Mechanisms. To the extent the Receiving Controller Processes Personal Information that was originally transferred to the Disclosing Controller in reliance on an Alternative Transfer Mechanism, the Receiving Controller will: (i) provide at least the same level of protection for Personal Information as is required by the Agreement and the applicable Alternative Transfer Mechanism for as long as the Receiving Controller Processes the GDPR Personal Information; and (ii) promptly notify the Disclosing Controller in writing if the Receiving Controller determines that it can no longer provide at least the same level of protection for Personal Information as is required by the Agreement and applicable Alternative Transfer Mechanism and, upon making such a determination, cease Processing Personal Information or take other reasonable and appropriate remediation steps.

(d) Google’s Alternative Transfer Mechanism Certification. To the extent Google LLC has certified under the Privacy Shield on behalf of itself and certain wholly-owned US subsidiaries, Google’s certification and status is available at https://www.commerce.gov/page/eu-us-privacy-shield.

7. Termination.

In addition to the suspension and termination rights in the Agreement, either party may terminate the Agreement or an applicable SOW if it reasonably determines that:

(a) the other party has failed to cure material noncompliance with the Addendum within a reasonable time; or

(b) it needs to do so to comply with Applicable Data Protection Laws.

8. Survival.

This Addendum will survive expiration or termination of the Agreement as long as the parties continue to Process the other party’s Personal Information.

9. Changes to this Addendum.

(a) Changes to URLs. From time to time, Google may change any URL referenced in this Addendum and the content at any such URL, except that Google may only:

(i) change the Standard Contractual Clauses in accordance with Section 9(b) (Changes to the Addendum) or to incorporate any new version of the Standard Contractual Clauses that may be adopted under Applicable Data Protection Laws, in each case in a manner that does not affect the validity of the Standard Contractual Clauses under Applicable Data Protection Laws including the GDPR;

(ii) make available Alternative Transfer Mechanisms in accordance with Section 9(b) (Changes to the Addendum) or to incorporate any new versions of Alternative Transfer Mechanisms that may be adopted under Applicable Data Protection Laws. For the purposes of this sub-Section 9(a)(ii), Google may add a new URL and amend the content of such URL in order to make available such Alternative Transfer Mechanism.

(b) Changes to the Addendum. Google may change the Addendum if the change:

(i) is permitted by this Addendum, including as described in Section 9(a) (Changes to URLs);

(ii) reflects a change in the name or form of a legal entity;

(iii) is required to comply with the GDPR, an Applicable Data Protection Law, or other applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or

(iv) does not: (A) result in a degradation of the overall security of the Services; (B) expand the scope of, or remove any restrictions on, either party’s right to use or otherwise process the data in scope of the Addendum; and (C) otherwise have a material adverse impact on the parties’ rights under this Addendum, as reasonably determined by Google.

Google Partner Information Protection Addendum, Version 7.2

26 February 2021