U.S. State Law Processor Addendum to Google Data Processing Addendum

1.Introduction

This U.S. State Law Addendum reflects the parties’ agreement on the processing of Partner Personal Information in connection with: (i) the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, together with all implementing regulations (the “CCPA”); (ii) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq; (iii) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq.; (iv) Connecticut’s Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015; (v) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; and (vi) data privacy or data protection laws modeled on any of the foregoing, each as may be in effect and applicable to the processing of Partner of Personal Information (together “Applicable State Privacy Laws”).

2.Definitions and Interpretation

2.1 The terms “business”, “business purpose”, “consumer”, “controller”, “personal data”, “personal information”, “processing”, “processor”, “sale”, “sell”, “service provider”, “share” and “sharing” as used in this U.S. State Law Addendum have the meanings given in Applicable State Privacy Laws.

2.2 “Data Incident” means “breach of security”, “breach of the security of the system”, “breach of system security”, “security breach”, or other analogous term, each only when defined by applicable laws with respect to the Partner Personal Information at issue.

2.3 “Partner Personal Information” means personal information of data subjects who are residents of the states that are subject to Applicable State Privacy Laws that is processed by Google on behalf of the Partner in Google’s provision of the Processor Services.

2.4 References to “controller”, “data subject”, “personal data” and “processor” include “business”, “consumer”, “personal information” and “service provider”, respectively, as defined by Applicable State Data Privacy Laws.

2.5 Capitalized terms used but not defined in this U.S. State Law Addendum will have the meanings given in the DPA.

3.Duration of this U.S. State Law Addendum

This U.S. State Law Addendum will take effect on the Terms Effective Date and, regardless of whether the Term has expired, will remain in effect until, and automatically expire when Google deletes all Partner Personal Information as described in this U.S State Law Addendum.

4.Application of this U.S. State Law Addendum

4.1 Application to Processor Services. This U.S. State Law Addendum will only apply to the Processor Services for which the parties agreed to this U.S. State Law Addendum (for example: (a) the Processor Services for which Partner clicked to accept the DPA and by reference the U.S. State Law Addendum; or (b) if the Agreement incorporates this U.S. State Law Addendum or the DPA by reference, the Processor Services that are the subject of the Agreement) and then only when Google processes Partner Personal Information.

4.2 No Modification to the DPA. Unless expressly stated in this U.S. State Law Addendum, nothing contained in this U.S. State Law Addendum will be construed to modify the parties’ obligations set forth in the DPA.

5.Processing of Personal Information

5.1 Roles and Compliance; Authorization.

5.1.1 Processor and Controller Responsibilities. The parties acknowledge and agree that:

(a) Appendix 1 of the DPA describes the subject matter and details of the processing of Partner Personal Information;

(b) Google is a Processor of Partner Personal Information under Applicable State Privacy Laws;

(c) Partner is a controller or processor, as applicable, of Partner Personal Information under Applicable State Privacy Laws; and

(d) each party will comply with the obligations applicable to it under Applicable State Privacy Laws with respect to the processing of Partner Personal Information.

5.1.2 Processor Partners. If Partner is a processor:

(a) Partner warrants on an ongoing basis that the relevant controller has authorized (i) the Instructions, (ii) Partner’s appointment of Google as another processor, and (iii) Google’ engagement of Subprocessors as described in Section 10 (Subprocessors);

(b) Partner will immediately forward to the relevant controller or business any notice provided by Google under Sections 5.4 (Instruction Notifications), 7.2.1 (Incident Notification), and 10.4 (Opportunity to Object to Subprocessor Changes); and

(c) Partner may make available to the relevant controller any information made available by Google.

5.2 Partner’s Instructions. Partner instructs Google to process Partner Personal Information only in accordance with applicable law: (a) to provide the Processor Services and any related technical support; (b) as further specified through Partner’s use of the Processor Services (including in the settings and other functionality of the Processor Services) and any related technical support; (c) as documented in the form of the Agreement, including this U.S State Law Addendum; and (d) as further documented in any other written instructions given by Partner and acknowledged by Google as constituting instructions for purposes of this U.S. State Law Addendum (collectively, the “Instructions”).

5.3 Google’s Compliance with Instructions. Google will comply with the Instructions unless prohibited by applicable law.

5.4 Instruction Notifications. Google will immediately notify Partner if, in Google’s opinion: (a) Applicable State Privacy Laws prohibit Google from complying with an Instruction; (b) an Instruction does not comply with Applicable State Privacy Laws; or (c) Google is otherwise unable to comply with an Instruction or Applicable State Privacy Laws, in each case unless such notice is prohibited by Applicable State Privacy Laws. This Section 5.4 (Instruction Notifications) does not reduce either party’s rights and obligations elsewhere in the Agreement.

5.5 Additional Products. If Partner uses any Additional Product, the Processor Services may allow that Additional Product to access Partner Personal Information as required for the interoperation of the Additional Product with the Processor Services. As necessary, the parties will enter into a separate contract to address how the Additional Product will process Partner Personal Information.

5.6 Prohibitions. With respect to Google’s processing of Partner Personal Data in accordance with the CCPA, Google will not, unless as may otherwise be permitted for service providers under the CCPA, as reasonably determined by Google, (a) sell or share Partner Personal Data; (b) retain, use or disclose Partner Personal Data (i) other than for a business purpose under the CCPA on behalf of Partner and the specific purpose of performing the Processor Services, unless otherwise permitted under the CCPA, or (ii) outside of the direct business relationship between Google and Partner; and (c) combine Partner Personal Data with personal information that Google (i) receives from or on behalf of a third party or (ii) collects from its own interactions with the consumer.

6.Data Deletion

6.1 Deletion During Term.

6.1.1 Processor Services With Deletion Functionality. During the Term, if:

(a) the functionality of the Processor Services includes the option for Partner to delete Partner Personal Information;

(b) Partner uses the Processor Services to delete certain Partner Personal Information; and

(c) the deleted Partner Personal Information cannot be recovered by Partner (for example, from the “trash”),

then Google will delete Partner Personal Information from its systems as soon as reasonably practicable, unless applicable laws require storage.

6.1.2 Processor Services Without Deletion Functionality. During the Term, if the functionality of the Processor Services does not include the option for Partner to delete Partner Personal Information, then Google will comply with any reasonable request from Partner to facilitate such deletion, insofar as this is possible taking into account the nature and functionality of the Processor Services and unless applicable laws require storage. Google may charge a fee (based on Google’s reasonable costs) for any data deletion under this Section 6.1.2 (Processor Services Without Deletion Functionality). Google will provide Partner with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion.

6.2 Deletion When the Term Expires. When the Term expires, Partner instructs Google to delete all Partner Personal Information (including existing copies) from Google’s systems in accordance with applicable law. Google will comply with this instruction as soon as reasonably practicable unless applicable laws require storage.

7.Data Security

7.1 Google’s Security Measures and Assistance.

7.1.1 Google’s Security Measures. Google will implement and maintain technical and organizational measures to protect Partner Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 of the DPA (the “Security Measures“). As described in Appendix 2 of the DPA, the Security Measures include measures: (a) to encrypt personal data; (b) to help ensure the ongoing confidentiality, integrity, availability and resilience of Google’s systems and services; (c) to help restore timely access to personal data following an incident; and (d) for regular testing of effectiveness. Google may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services.

7.1.2 Access and Compliance. Google will (a) authorize its employees, contractors and Subprocessors to access Partner Personal Information only as strictly necessary to comply with the Instructions; (b) take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance; and (c) ensure that all persons authorized to process Partner Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.1.3 Google’s Security Assistance. Taking into account the nature of the processing of Partner Personal Information and the information available to Google, Google will assist Partner in ensuring compliance with Partner’s (or, where Partner is a processor, the relevant controller’s) obligations under applicable law regarding security of personal data and Data Incidents, including Partner’s (or, where Partner is a processor, the relevant controller’s) obligations under Applicable State Privacy Laws by:

(a) implementing and maintaining the Security Measures in accordance with Section 7.1.1 (Google’s Security Measures);

(b) complying with the terms of Section 7.2 (Data Incidents); and

(c) providing Partner with the Security Documentation in accordance with Section 7.5.1 (Reviews of Security Documentation) and the information contained in this U.S. State Law Addendum.

7.2 Data Incidents.

7.2.1 Incident Notification. If Google becomes aware of a Data Incident, Google will: (a) notify Partner of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Partner Personal Information.

7.2.2 Details of Data Incident. Notifications made under Section 7.2.1 (Incident Notification) will describe: the nature of the Data Incident, including the Partner resources impacted; the measures Google has taken, or plans to take, to address the Data Incident and mitigate its potential risk; the measures, if any, Google recommends that Partner take to address the Data Incident; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Google’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.

7.2.3 Delivery of Notification. Google will deliver its notification of any Data Incident to the Notification Email Address or, at Google’s discretion (including if Partner has not provided a Notification Email Address), by other direct communication (for example, by phone call or an in-person meeting). Partner is solely responsible for providing the Notification Email Address and ensuring that the Notification Email Address is current and valid.

7.2.4 Third Party Notifications. Google will assist with Partner obligations to comply with applicable incident notification laws by providing to Partner the information set out in Section 7.2.2. Partner is solely responsible for complying with incident notification laws applicable to Partner and fulfilling any third-party notification obligations related to any Data Incident.

7.2.5 No Acknowledgement of Fault by Google. Google’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Google of any fault or liability with respect to the Data Incident.

7.3 Partner’s Security Responsibilities and Assessment.

7.3.1 Partner’s Security Responsibilities. Partner agrees that, without prejudice to Google’s obligations under Sections 7.1 (Google’s Security Measures and Assistance) and 7.2 (Data Incidents):

(a) Partner is responsible for its use of the Processor Services, including:

(i) making appropriate use of the Processor Services to ensure a level of security appropriate to the risk to Partner Personal Information; and

(ii) securing the account authentication credentials, systems, and devices Partner uses to access the Processor Services; and

(b) Google has no obligation to protect Partner Personal Information that Partner elects to store or transfer outside of Google’s and its Subprocessors’ systems.

7.3.2 Partner’s Security Assessment. Partner acknowledges the Security Measures implemented and maintained by Google as described in Section 7.1.1 (Google’s Security Measures) provide a level of security appropriate to the risk to Partner Personal Information taking into account the nature, scope, context, and purposes of the processing of Partner Personal Information; the state of the art; the information available to Google; the costs of implementation; and the risks to individuals.

7.4 Security Certification. To evaluate and help ensure the continued effectiveness of the Security Measures, Google will maintain the ISO 27001 Certification or other appropriate measures to demonstrate the effectiveness of the Security Measures.

7.5 Reviews and Audits of Compliance.

7.5.1 Reviews of Security Documentation. To demonstrate compliance by Google with its obligations under this U.S. State Law Addendum, Google will make the Security Documentation available for review by Partner.

7.5.2 Partner’s Audit Rights. Google will allow Partner or a third-party auditor appointed by Partner to conduct audits (including inspections) to verify Google’s compliance with its obligations under this U.S. State Law Addendum in accordance with Section 7.5.3 (Additional Business Terms for Audits). During audits, Google will make available all information necessary to demonstrate such compliance and contribute to the audits as described in Section 7.4 (Security Certification) and this Section 7.5 (Reviews and Audits of Compliance). Partner may also conduct an audit to verify Google’s compliance with its obligations under this U.S. State Law Addendum by reviewing any certificate(s) issued to Google by any third-party auditor(s) (for example, an ISO 27001 Certification, if any).

7.5.3 Additional Business Terms for Audits.

(a) Partner will send any request for an audit under Section 7.5.2(a) or 7.5.2(b) to Google as described in Section 11.1 (Contacting Google).

(b) Following receipt by Google of a request under Section 7.5.3(a), Google and Partner will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit under Section 7.5.2(a) or 7.5.2(b).

(c) Google may charge a fee (based on Google’s reasonable costs) for any audit under Section 7.5.2(a) or 7.5.2(b). Google will provide Partner with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Partner will be responsible for any fees charged by any third-party auditor appointed by Partner to execute any such audit.

(d) Google may object to any third-party auditor appointed by Partner to conduct any audit under Section 7.5.2(a) or 7.5.2(b) if the auditor is, in Google’s reasonable opinion, not suitably qualified or independent, a competitor of Google or otherwise manifestly unsuitable. Any such objection by Google will require Partner to appoint another auditor or conduct the audit itself.

(e) Nothing in this U.S. State Law Addendum will require Google either to disclose to Partner or its third-party auditor, or to allow Partner or its third-party auditor to access:

(i) any data of any other partner or customer of a Google Entity;

(ii) any Google Entity’s internal accounting or financial information;

(iii) any trade secret of a Google Entity;

(iv) any information that, in Google's reasonable opinion, could: (A) compromise the security of any Google Entity’s systems or premises; or (B) cause any Google Entity to breach its obligations under the Applicable State Privacy Laws or its security and/or privacy obligations to Partner or any third party; or

(v) any information that Partner or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Partner’s obligations under the Applicable State Privacy Laws.

7.5.4 Partner Intervention. If Partner reasonably believes that Google is processing Partner Personal Data in a manner that exceeds the scope of the Instructions, Partner may exercise its rights under this Section 7.5 (Reviews and Audits of Compliance) or notify Google of such belief via email to the Notification Email Address, and the parties will work together in good faith to remediate the allegedly violative processing activities, if necessary.

8.Data Protection Assessments

Taking into account the nature of the processing and the information available to Google, Google will assist Partner in ensuring compliance with Partner’s (or where Partner is a processor, the relevant controller’s) obligations regarding data protection impact assessments required by Applicable State Privacy Laws by:

(a) providing the Security Documentation in accordance with Section 7.5.1 (Reviews of Security Documentation);

(b) providing the information contained in this U.S. State Law Addendum; and

(c) providing or otherwise making available, in accordance with Google’s standard practices, other materials concerning the nature of the Processor Services and the processing of Partner Personal Information (for example, help center materials).

9.Data Subject Rights

9.1 Responses to Data Subject Requests. If Google receives a request from a data subject in relation to Partner Personal Information, Partner authorizes Google to, and Google hereby notifies Partner that it will:

(a) respond directly to the data subject’s request in accordance with the standard functionality of the Data Subject Tool (if the request is made through a Data Subject Tool); or

(b) advise the data subject to submit their request to Partner, and Partner will be responsible for responding to such request (if the request is not made through a Data Subject Tool).

9.2 Google’s Data Subject Request Assistance. Google will assist Partner (or, where Partner is a processor, the relevant controller) in fulfilling its obligations under Applicable State Privacy Laws to respond to requests for exercising the data subject’s rights, in all cases taking into account the nature of the processing of Partner Personal Information and, if applicable, by:

(a) providing the functionality of the Processor Services;

(b) complying with the commitments in Section 9.1 (Responses to Data Subject Requests); and

(c) if applicable to the Processor Services, making available Data Subject Tools.

9.3 Rectification. If Partner becomes aware that any Partner Personal Information is inaccurate or outdated, Partner will be responsible for rectifying or deleting that data if required by the Applicable State Privacy Laws, including (where available) by using the functionality of the Processor Services.

10.Subprocessors

10.1 Consent to Subprocessor Engagement. Partner specifically authorizes the engagement of the Subprocessors listed in Section 10.2 (Information about Subprocessors) as of the Terms Effective Date. In addition, Partner generally authorizes the engagement of any other third parties as Subprocessors (“New Subprocessors”), subject to Section 10.4 (Opportunity to Object to Subprocessor Changes).

10.2 Information about Subprocessors. Information about Subprocessors is available at business.safety.google/sub-processors.

10.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Google will:

(a) ensure through a written contract that:

(i) the Subprocessor only accesses and uses Partner Personal Information to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this U.S. State Law Addendum); and

(ii) the processing of Partner Personal Information by the Subprocessor is subject to Applicable State Privacy Laws and the obligations in this U.S. State Law Addendum; and

(b) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

10.4 Opportunity to Object to Subprocessor Changes.

(a) If any New Subprocessor is engaged during the Term, then at least 30 days before the New Subprocessor processes any Partner Personal Information, Google will inform Partner of the engagement (including the name and location of the relevant sub-processor and the activities it will perform) by sending an email to the Notification Email Address.

(b) Partner may object to any New Subprocessor by terminating the Agreement for convenience immediately upon written notice to Google, on condition that Partner provides such notice within 90 days of being informed of the engagement of the New Subprocessor as described in Section 10.4(a).

11.Contacting Google; Processing Records

11.1 Contacting Google. When exercising its rights under this U.S. State Law Addendum, Partner may contact Google at legal-notices@google.com or through such other means as may be provided by Google.

11.2 Google’s Processing Records. Google will keep appropriate documentation of its processing activities as required by Applicable State Privacy Laws. Upon reasonable request, Partner will provide appropriate documentation of its processing activities to Google through the user interface of the Processor Services or by such other means as may be provided by Google, and will use such user interface or other means to ensure that all information provided is kept accurate and up-to-date.

11.3 Controller Requests. If Google receives a request or instruction from a third party purporting to be a controller of Partner Personal Information, Google will advise the third party to contact Partner.

12.Liability

If the Agreement is governed by the laws of:

(a) a state of the United States of America, then, regardless of anything else in the Agreement, the total liability of either party towards the other party under or in connection with this U.S. State Law Addendum will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (and therefore any exclusion of confidentiality or indemnification claims from the Agreement’s limitation of liability will not apply to claims under the Agreement relating to the Applicable State Privacy Laws); or

(b) a jurisdiction that is not a state of the United States, then the total combined liability of the parties and their affiliates under or in connection with this U.S. State Law Addendum will be subject to Section 12.1 of the DPA (Liability Cap).

13.No Effect on Controller Terms

This U.S. State Law Addendum will not affect any separate terms between Google and Partner reflecting a controller-controller relationship for a service other than the Processor Services.

14.Changes to this U.S. State Law Addendum

14.1 Google may change this U.S. State Law Addendum if the change:

(a) is expressly permitted by this U.S. State Law Addendum;

(b) reflects a change in the name or form of a legal entity;

(c) is required to comply with applicable law, applicable regulation, a court order, or guidance issued by a governmental regulator or agency, or reflects Google’s adoption of an Alternative Transfer Solution; or

(d) does not (i) result in a degradation of the overall security of the Processor Services; (ii) expand the scope of or remove any restrictions on, (x) Google’s rights to use or otherwise process the data in scope of the Additional Terms for Non-Applicable State Privacy Laws or (y) in the case of the remainder of this U.S. State Law Addendum, Google’s processing of Partner Personal Information, as described in Section 5.3 (Google’s Compliance with Instructions); and (iii) otherwise have a material adverse impact on Partner’s rights under this U.S. State Law Addendum, as reasonably determined by Google.

14.2 Notification of Changes. If Google intends to change this U.S. State Law Addendum under Section 14.1(c) or (d), Google will inform Partner at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order, or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the Notification Email Address; or (b) alerting Partner through the user interface for the Processor Services. If Partner objects to any such change, Partner may terminate the Agreement for convenience by giving written notice to Google within 90 days of being informed by Google of the change.

12 December 2022