7.1 Google’s Security Measures and Assistance.
7.1.1 Google’s Security Measures. Google will implement and maintain technical and organizational measures to protect Partner Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 of the DPA (the “Security Measures”). As described in Appendix 2 of the DPA, the Security Measures include measures: (a) to encrypt personal data; (b) to help ensure the ongoing confidentiality, integrity, availability and resilience of Google’s systems and services; (c) to help restore timely access to personal data following an incident; and (d) for regular testing of effectiveness. Google may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services.
7.1.2 Access and Compliance. Google will (a) authorize its employees, contractors and Subprocessors to access Partner Personal Information only as strictly necessary to comply with the Instructions; (b) take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance; and (c) ensure that all persons authorized to process Partner Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.1.3 Google’s Security Assistance. Taking into account the nature of the processing of Partner Personal Information and the information available to Google, Google will assist Partner in ensuring compliance with Partner’s (or, where Partner is a processor, the relevant controller’s) obligations under applicable law regarding security of personal data and Data Incidents, including Partner’s (or, where Partner is a processor, the relevant controller’s) obligations under Applicable State Privacy Laws by:
(a) implementing and maintaining the Security Measures in accordance with Section 7.1.1 (Google’s Security Measures);
(b) complying with the terms of Section 7.2 (Data Incidents); and
(c) providing Partner with the Security Documentation in accordance with Section 7.5.1 (Reviews of Security Documentation) and the information contained in this U.S. State Law Addendum.
7.2 Data Incidents.
7.2.1 Incident Notification. If Google becomes aware of a Data Incident, Google will: (a) notify Partner of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Partner Personal Information.
7.2.2 Details of Data Incident. Notifications made under Section 7.2.1 (Incident Notification) will describe: the nature of the Data Incident, including the Partner resources impacted; the measures Google has taken, or plans to take, to address the Data Incident and mitigate its potential risk; the measures, if any, Google recommends that Partner take to address the Data Incident; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Google’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.
7.2.3 Delivery of Notification. Google will deliver its notification of any Data Incident to the Notification Email Address or, at Google’s discretion (including if Partner has not provided a Notification Email Address), by other direct communication (for example, by phone call or an in-person meeting). Partner is solely responsible for providing the Notification Email Address and ensuring that the Notification Email Address is current and valid.
7.2.4 Third Party Notifications. Google will assist with Partner obligations to comply with applicable incident notification laws by providing to Partner the information set out in Section 7.2.2. Partner is solely responsible for complying with incident notification laws applicable to Partner and fulfilling any third-party notification obligations related to any Data Incident.
7.2.5 No Acknowledgement of Fault by Google. Google’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Google of any fault or liability with respect to the Data Incident.
7.3 Partner’s Security Responsibilities and Assessment.
7.3.1 Partner’s Security Responsibilities. Partner agrees that, without prejudice to Google’s obligations under Sections 7.1 (Google’s Security Measures and Assistance) and 7.2 (Data Incidents):
(a) Partner is responsible for its use of the Processor Services, including:
(i) making appropriate use of the Processor Services to ensure a level of security appropriate to the risk to Partner Personal Information; and
(ii) securing the account authentication credentials, systems, and devices Partner uses to access the Processor Services; and
(b) Google has no obligation to protect Partner Personal Information that Partner elects to store or transfer outside of Google’s and its Subprocessors’ systems.
7.3.2 Partner’s Security Assessment. Partner acknowledges the Security Measures implemented and maintained by Google as described in Section 7.1.1 (Google’s Security Measures) provide a level of security appropriate to the risk to Partner Personal Information taking into account the nature, scope, context, and purposes of the processing of Partner Personal Information; the state of the art; the information available to Google; the costs of implementation; and the risks to individuals.
7.4 Security Certification. To evaluate and help ensure the continued effectiveness of the Security Measures, Google will maintain the ISO 27001 Certification or other appropriate measures to demonstrate the effectiveness of the Security Measures.
7.5 Reviews and Audits of Compliance.
7.5.1 Reviews of Security Documentation. To demonstrate compliance by Google with its obligations under this U.S. State Law Addendum, Google will make the Security Documentation available for review by Partner.
7.5.2 Partner’s Audit Rights. Google will allow Partner or a third-party auditor appointed by Partner to conduct audits (including inspections) to verify Google’s compliance with its obligations under this U.S. State Law Addendum in accordance with Section 7.5.3 (Additional Business Terms for Audits). During audits, Google will make available all information necessary to demonstrate such compliance and contribute to the audits as described in Section 7.4 (Security Certification) and this Section 7.5 (Reviews and Audits of Compliance). Partner may also conduct an audit to verify Google’s compliance with its obligations under this U.S. State Law Addendum by reviewing any certificate(s) issued to Google by any third-party auditor(s) (for example, an ISO 27001 Certification, if any).
7.5.3 Additional Business Terms for Audits.
(a) Partner will send any request for an audit under Section 7.5.2(a) or 7.5.2(b) to Google as described in Section 11.1 (Contacting Google).
(b) Following receipt by Google of a request under Section 7.5.3(a), Google and Partner will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit under Section 7.5.2(a) or 7.5.2(b).
(c) Google may charge a fee (based on Google’s reasonable costs) for any audit under Section 7.5.2(a) or 7.5.2(b). Google will provide Partner with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Partner will be responsible for any fees charged by any third-party auditor appointed by Partner to execute any such audit.
(d) Google may object to any third-party auditor appointed by Partner to conduct any audit under Section 7.5.2(a) or 7.5.2(b) if the auditor is, in Google’s reasonable opinion, not suitably qualified or independent, a competitor of Google or otherwise manifestly unsuitable. Any such objection by Google will require Partner to appoint another auditor or conduct the audit itself.
(e) Nothing in this U.S. State Law Addendum will require Google either to disclose to Partner or its third-party auditor, or to allow Partner or its third-party auditor to access:
(i) any data of any other partner or customer of a Google Entity;
(ii) any Google Entity’s internal accounting or financial information;
(iii) any trade secret of a Google Entity;
(iv) any information that, in Google’s reasonable opinion, could: (A) compromise the security of any Google Entity’s systems or premises; or (B) cause any Google Entity to breach its obligations under the Applicable State Privacy Laws or its security and/or privacy obligations to Partner or any third party; or
(v) any information that Partner or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Partner’s obligations under the Applicable State Privacy Laws.
7.5.4 Partner Intervention. If Partner reasonably believes that Google is processing Partner Personal Data in a manner that exceeds the scope of the Instructions, Partner may exercise its rights under this Section 7.5 (Reviews and Audits of Compliance) or notify Google of such belief via email to the Notification Email Address, and the parties will work together in good faith to remediate the allegedly violative processing activities, if necessary.