Chronicle Data Processing and Security Terms
(Customers)
Last modified: September 21, 2022 | Previous Versions
The customer agreeing to these terms (“Customer”), and Chronicle
LLC, Chronicle Security Ireland Limited, or any other entity that directly or
indirectly controls, is controlled by, or is under common control with
Chronicle LLC (as applicable, “Chronicle”), have entered into an
agreement under which Chronicle has agreed to provide the Services and related
technical support to Customer (as amended from time to time, the “Agreement”).
These
Data Processing and Security Terms, including their appendices (the “Terms”)
are incorporated into the Agreement. These Terms will be effective and replace
any previously applicable data processing and security terms from the Terms
Effective Date (as defined below). Where the Agreement was entered into offline
with Chronicle, these Terms supersede the “Data Privacy and Security” Clause,
the “DPA”, and “Security Terms” in that agreement (if applicable).
1.1 Capitalized
terms defined in the Agreement apply to these Terms. In addition, in these
Terms:
● Additional Security Controls means security resources, features, functionality
and/or controls that Customer may use at its option and/or as it determines,
including encryption, logging, monitoring, and security scanning.
● Adequate Country means:
(a) for data processed subject to the EU GDPR: the
EEA, or a country or territory recognized as ensuring adequate protection under
the EU GDPR;
(b) for data processed subject to the UK GDPR: the
UK, or a country or territory recognized as ensuring adequate protection under
the UK GDPR and the Data Protection Act 2018; and/or
(c) for data processed subject to the Swiss FDPA:
Switzerland, or a country or territory that is (i) included in the list of the
states whose legislation ensures adequate protection as published by the Swiss
Federal Data Protection and Information Commissioner, or (ii) recognized as
ensuring adequate protection by the Swiss Federal Council under the Swiss FDPA;
in each case, other than on the basis of
an optional data protection framework.
● Alternative Transfer Solution means a solution, other than SCCs,
that enables the lawful transfer of personal data to a third country in
accordance with European Data Protection Law, for example a data protection
framework recognized as ensuring that participating entities provide adequate
protection.
● Chronicle’s Third Party Auditor means a Chronicle-appointed,
qualified and independent third party auditor, whose then-current identity
Chronicle will disclose to Customer.
● Customer Data has the meaning given in the Agreement or, if no such
meaning is given, means data provided by or on behalf of Customer or Customer
End Users via the Services under the Account.
● Customer End Users has the meaning given in the Agreement or, if no such
meaning is given, has the meaning given to “End User(s)” in the Agreement.
● Customer Personal Data means the personal data contained within the
Customer Data, including any special categories of personal data defined under
European Data Protection Law.
● Customer SCCs means the SCCs (Controller-to-Processor), the SCCs (Processor-to-Processor)
and/or the SCCs (Processor-to-Controller), as applicable.
● Data Incident means a breach of Chronicle’s
security leading to the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, Customer Data on systems managed by
or otherwise controlled by Chronicle.
● EEA means the European Economic Area.
● EMEA means Europe, the Middle East and
Africa.
● EU GDPR means Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC.
● European Data Protection Law means, as applicable: (a) the
GDPR; and/or (b) the Swiss FDPA.
● European Law means, as applicable: (a) EU or
EU Member State law (if the EU GDPR applies to the processing of Customer
Personal Data); and (b) the law of the UK or a part of the UK (if the UK GDPR
applies to the processing of Customer Personal Data).
● GDPR means, as applicable: (a) the EU GDPR;
and/or (b) the UK GDPR.
● Instructions has the meaning given in
Section 4.2.1 (Customer’s Instructions).
● Non-European Data Protection Law means data protection or
privacy laws in force outside the EEA, the UK and Switzerland.
● Notification Email Address means the email address(es)
designated by Customer in the Order Form
to receive certain notifications from Chronicle. Customer is responsible
for ensuring that its Notification Email Address remains current and valid.
● SCCs means the Customer SCCs and/or SCCs (Processor-to-Processor,
Chronicle Exporter), as applicable.
● SCCs (Controller-to-Processor) means the terms at: https://chronicle.security/legal/sccs/eu-c2p.
● SCCs (Processor-to-Controller) means the terms at: https://chronicle.security/legal/sccs/eu-p2c.
● SCCs (Processor-to-Processor) means the terms at: https://chronicle.security/legal/sccs/eu-p2p.
● SCCs (Processor-to-Processor,
Chronicle Exporter)
means the terms at: https://chronicle.security/legal/sccs/eu-p2p-chronicle-exporter.
● Security Documentation means all documents and
information made available by Chronicle under Section 6.5.1 (Reviews of
Security Documentation).
● Security Measures has the meaning given in Section
6.1.1 (Chronicle’s Security Measures).
● Subprocessor means a third party authorized
as another processor under these Terms to have logical access to and process
Customer Data in order to provide parts of the Services and Chronicle TSS.
● Supervisory Authority means, as applicable: (a) a
“supervisory authority” as defined in the EU GDPR; and/or (b) the “Commissioner”
as defined in the UK GDPR; and/or the Swiss FDPA.
● Swiss FDPA means the Federal Data
Protection Act of 19 June 1992 (Switzerland).
● Term means the period from the Terms Effective
Date until the end of Chronicle’s provision of the Services, including, if
applicable, any period during which provision of the Services may be suspended
and any post-termination period during which Chronicle may continue providing
the Services for transitional purposes.
● Terms Effective Date means the date on which Customer
accepted, or the parties otherwise agreed to, these Terms.
● UK GDPR means the EU GDPR as amended and
incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and
applicable secondary legislation made under that Act.
1.2 The terms “personal data”,
“data subject”, “processing”, “controller” and “processor” as used in these
Terms have the meanings given in the GDPR irrespective of whether European Data
Protection Law or Non-European Data Protection Law applies.
Regardless of
whether the Agreement has terminated or expired, these Terms will remain in
effect until, and automatically expire when, Chronicle deletes all Customer
Data as described in these Terms.
3.1 Application
of European Law. The parties acknowledge that European Data Protection Law
will apply to the processing of Customer Personal Data if, for example:
3.2 Application
of Non-European Law. The parties acknowledge that Non-European Data Protection
Law may also apply to the processing of Customer Personal Data.
3.3 Application
of Terms. Except to the extent these Terms state otherwise, these Terms
will apply irrespective of whether European Data Protection Law or Non-European
Data Protection Law applies to the processing of Customer Personal Data.
4.1 Roles and
Regulatory Compliance; Authorization.
4.1.1 Processor
and Controller Responsibilities. If European Data Protection Law applies to
the processing of Customer Personal Data:
4.1.2 Processor
Customers. If European Data Protection Law applies to the processing of Customer
Personal Data and Customer is a processor:
a. Customer warrants on an
ongoing basis that the relevant controller has authorized: (i) the
Instructions, (ii) Customer’s appointment of Chronicle as another processor,
and (iii) Chronicle’s engagement of Subprocessors as described in Section 10
(Subprocessors);
b. Customer will
immediately forward to the relevant controller any notice provided by Chronicle
under Sections 4.2.3 (Instruction Notifications), 6.2.1 (Incident
Notification), 8.2.1 (Responsibility for Requests), 10.4 (Opportunity to Object
to Subprocessor Changes) or that refers to any SCCs; and
c. Customer may:
i. request access
for the relevant controller to the SOC Reports in accordance with Section
6.5.3(a); and
ii. make available
to the relevant controller any other information made available by Chronicle under
Sections 9.4 (Supplementary Measures and Information), 9.6 (Data Center
Information) and 10.2 (Information about Subprocessors).
4.1.3 Responsibilities
under Non-European Law. If Non-European Data Protection Law applies to
either party’s processing of Customer Personal Data, the relevant party will
comply with any obligations applicable to it under that law with respect to the
processing of that Customer Personal Data.
4.2 Scope of
Processing.
4.2.1 Customer’s
Instructions. Customer instructs Chronicle to process Customer Data only in
accordance with applicable law: (a) to provide, secure, and monitor the
Services and Chronicle TSS; (b) as further specified via Customer’s use of any
of the functionality of the Services and Chronicle TSS; (c) as documented in
the form of the Agreement (including these Terms); and (d) as further
documented in any other written instructions given by Customer and acknowledged
by Chronicle as constituting instructions for purposes of these Terms
(collectively, the “Instructions”).
4.2.2 Chronicle’s
Compliance with Instructions. Chronicle will comply with the Instructions
unless prohibited by European Law.
4.2.3 Instruction
Notifications. Chronicle will immediately notify Customer if, in
Chronicle’s opinion: (a) European Law prohibits Chronicle from complying with
an Instruction; (b) an Instruction does not comply with European Data
Protection Law; or (c) Chronicle is otherwise unable to comply with an
Instruction, in each case unless such notice is prohibited by European Law.
This Section does not reduce either party’s rights and obligations elsewhere in
the Agreement.
5.1 Deletion by
Customer. Chronicle will enable Customer to delete Customer Data upon
request during the Term in a manner consistent with the functionality of the
Services. If Customer requests deletion of any Customer Data during the Term
and that Customer Data cannot be recovered by Customer, this request will
constitute an Instruction to Chronicle to delete the relevant Customer Data
from Chronicle’s systems in accordance with applicable law. Chronicle will
comply with this Instruction as soon as reasonably practicable and within a
maximum period of 180 days, unless European Law requires storage.
5.2 Return or
Deletion on Termination at the end of the Term; Data Export. On expiry of
the Term, Customer instructs Chronicle to delete all remaining Customer Data
(including existing copies) from Chronicle’s systems at the end of the Term in
accordance with applicable law. After a recovery period of up to 30 days from
that date, Chronicle will comply with
this Instruction as soon as reasonably practicable and within a maximum period
of 180 days, unless European Law requires storage. Customer is responsible for
notifying Chronicle before the Term expires of any Customer Data that Customer
wishes to export and, if Customer does so, Chronicle will assist Customer in
exporting such Customer Data.
6.1 Chronicle
Security Measures, Controls and Assistance.
6.1.1 Chronicle
Security Measures. Chronicle will implement and maintain technical and
organizational measures to protect Customer Data against accidental or unlawful
destruction, loss, alteration, unauthorized disclosure or access as described
in Appendix 2 (the “Security Measures”). The Security Measures include measures
to encrypt Customer Data; to help ensure ongoing confidentiality, integrity,
availability and resilience of Chronicle’s systems and services; to help
restore timely access to Customer Data following an incident; and for regular
testing of effectiveness. Chronicle may update the Security Measures from time
to time provided that such updates do not result in a material reduction of the
security of the Services.
6.1.2 Access and
Compliance. Chronicle will: (a) authorize its employees, contractors and
Subprocessors to access Customer Data only as strictly necessary to comply with
Instructions; (b) take appropriate steps to ensure compliance with the Security
Measures by its employees, contractors and Subprocessors to the extent
applicable to their scope of performance, and (c) ensure that all persons
authorized to process Customer Data are under an obligation of confidentiality.
6.1.3 Additional
Security Controls. Chronicle may make Additional Security Controls
available to: (a) allow Customer to take steps to secure Customer Data; and (b)
provide Customer with information about securing, accessing and using Customer
Data.
6.1.4 Chronicle
Security Assistance. Chronicle will (taking into account the nature of the
processing of Customer Personal Data and the information available to
Chronicle) assist Customer in ensuring compliance with its (or, where Customer
is a processor, the relevant controller’s) obligations under Articles 32 to 34
of the GDPR, by:
6.2 Data
Incidents.
6.2.1 Incident
Notification. Chronicle will notify Customer promptly and without undue
delay after becoming aware of a Data Incident, and promptly take reasonable
steps to minimize harm and secure Customer Data.
6.2.2 Details of
Data Incident. Chronicle’s notification of a Data Incident will
describe: the nature of the Data Incident
including the Customer resources impacted;, the measures Chronicle has taken or
plans to take, to address the Data Incident and mitigate its potential risk;
the measures, if any, Chronicle recommends that Customer take to address the
Data Incident and details of a contact point where more information can be
obtained. If it is not possible to provide all such information at the same
time, Chronicle’s initial notification will contain the information then
available and further information will be provided without undue delay as it
becomes available.
6.2.3 Delivery
of Notification. Notification(s) of any Data Incident(s) will be delivered
to the Notification Email Address.
6.2.4 No
Assessment of Customer Data by Chronicle. Chronicle has no obligation to assess
Customer Data in order to identify information subject to any specific legal
requirements.
6.2.5 No
Acknowledgement of Fault by Chronicle. Chronicle’s notification of or
response to a Data Incident under this Section 6.2 (Data Incidents) will not be
construed as an acknowledgement by Chronicle of any fault or liability with respect
to the Data Incident.
6.3 Customer’s
Security Responsibilities and Assessment.
6.3.1 Customer’s
Security Responsibilities. Without prejudice to Chronicle’s obligations under
Sections 6.1 (Chronicle Security Measures, Controls and Assistance) and 6.2
(Data Incidents), and elsewhere in the Agreement, Customer is responsible for
its use of the Services and its storage of any copies of Customer Data outside
Chronicle or Chronicle’s Subprocessors’ systems, including:
6.3.2 Customer’s
Security Assessment. Customer agrees that the Services, Security Measures
implemented and maintained by Chronicle, Additional Security Controls and
Chronicle’s commitments under this Section 6 (Data Security) provide a level of
security appropriate to the risk to Customer Data (taking into account the
state of the art, the costs of implementation and the nature, scope, context
and purposes of the processing of Customer Personal Data as well as the risks
to individuals).
6.4 Compliance
Certification and SOC Report. Chronicle will maintain at least the
following for the Services in order to evaluate the continued effectiveness of
the Security Measures: ISO 27001 certification (the “Compliance Certification”)
and SOC 2 Type 2 accreditation (the “SOC Report”). Chronicle may add standards
at any time. Chronicle may replace a Compliance Certification or SOC Report
with an equivalent or enhanced alternative.
6.5 Reviews and Audits
of Compliance.
6.5.1 Reviews of
Security Documentation. Chronicle will make the Compliance Certification
and the SOC Report available for review by Customer to demonstrate compliance
by Chronicle with its obligations under these Terms.
6.5.2 Customer’s
Audit Rights.
6.5.3 Additional
Business Terms for Reviews and Audits.
Chronicle will (taking into account the nature
of the processing and the information available to Chronicle) assist Customer
in ensuring compliance with its (or, where Customer is a processor, the
relevant controller’s) obligations under Articles 35 and 36 of the GDPR, by:
8.1 Access; Rectification; Restricted Processing. During
the Term, Chronicle will enable Customer, in a manner consistent with the functionality
of the Services, to access, rectify and restrict processing of Customer Data,
including via the deletion functionality provided by Chronicle as described in
Section 5.1 (Deletion by Customer). If Customer becomes aware that any Customer Personal Data is
inaccurate or outdated, Customer will be responsible for notifying Chronicle and Chronicle will assist Customer in rectifying or deleting that data if required by
applicable European Data Protection Law.
8.2 Data Subject
Requests.
8.2.1 Responsibility
for Requests. During the Term, if Chronicle’s Cloud Data Protection Team
receives a request from a data subject that relates to Customer Personal Data,
and identifies Customer, Chronicle will: (a) advise the data subject to submit
their request to Customer; (b) promptly notify Customer; and (c) not otherwise
respond to that data subject’s request without authorization from Customer.
Customer will be responsible for responding to any such request including,
where necessary, by using the functionality of the Services.
8.2.2 Chronicle’s Data Subject Request
Assistance. Chronicle will (taking into account the nature of the
processing of Customer Personal Data) assist Customer in fulfilling its (or,
where Customer is a processor, the relevant controller’s) obligations under Chapter
III of the GDPR to respond to requests for exercising the data subject’s rights
by:
9.1 Data Storage
and Processing Facilities. Subject to Chronicle’s data location commitments
under the Chronicle Service Specific Terms and to the remainder of this Section
9 (Data Transfers), Customer Data may be processed in any country in which Chronicle
or its Subprocessors maintain facilities.
9.2 Restricted
European Transfers. The parties acknowledge that European Data Protection Law
does not require SCCs or an Alternative Transfer Solution in order for Customer
Personal Data to be processed in or transferred to an Adequate Country. If Customer
Personal Data is transferred to any other country and European Data Protection Law
applies to the transfers if Customer’s address is outside EMEA (“Restricted
European Transfers”), then:
A.
the SCCs (Processor-to-Processor, Chronicle Exporter) will apply
with respect to such Restricted European Transfers from Chronicle to
Subprocessors; and
B.
in addition, if Customer’s address is not in an Adequate
Country, the SCCs (Processor-to-Controller) will apply (regardless of whether
Customer is a controller and/or processor) with respect to such Restricted European
Transfers between Chronicle and Customer; or
9.4 Supplementary
Measures and Information. Chronicle will provide Customer with information
relevant to Restricted European Transfers, including information about
Additional Security Controls and other supplementary measures to protect
Customer Personal Data as described in Section 6.5.1 (Reviews of Security
Documentation).
9.5 Termination.
If Customer concludes, based on its current or intended use of the Services,
that the Alternative Transfer Solution and/or SCCs, as applicable, do not
provide appropriate safeguards for Customer Personal Data, then Customer may
immediately terminate the Agreement for convenience by notifying Chronicle.
9.6 Data Center
Information. Information about the locations of Chronicle’s and its
Affiliate Subprocessors’ facilities is available at https://cloud.google.com/about/locations/ (as may be updated from time to
time).
10.1 Consent to Subprocessor Engagement.
Customer specifically authorizes the engagement as Subprocessors of those entities
listed as of the Terms Effective Date at the URLs specified in Section 10.2
(Information about Subprocessors). In addition, without prejudice to Section
10.4 (Opportunity to Object to Subprocessor Changes), Customer generally
authorizes the engagement as Subprocessors of any other third parties (“New
Subprocessors”).
10.2 Information
about Subprocessors. Information about Subprocessors,
including their functions and locations, is available at https://cloud.google.com/terms/subprocessors
and https://chronicle.security/legal/subprocessors,
as may be updated from time to time in accordance with these Terms.
10.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Chronicle
will:
10.4 Opportunity to Object to Subprocessor
Changes.
11.1 Chronicle’s
Cloud Data Protection Team. Chronicle’s Cloud Data Protection Team will provide prompt and
reasonable assistance with any Customer queries related to processing of Customer
Data under the Agreement and can be contacted by raising a ticket with
the Chronicle Support Team via the Customer Support Portal at support.chronicle.security (and/or
via such other means as Chronicle may provide from time to time).
11.2 Chronicle’s
Processing Records. Chronicle will keep appropriate documentation of its
processing activities as required by the GDPR. To the extent the GDPR requires
Chronicle to collect and maintain records of certain information relating to
Customer, Customer will supply such information and keep it accurate and up-to-date.
Chronicle may make any such information available to the Supervisory
Authorities if required by the GDPR.
11.3 Controller
Requests. During the Term, if Chronicle’s Cloud Data Protection Team
receives a request or instruction from a third party purporting to be a
controller of Customer Personal Data, Chronicle will advise the third party to
contact Customer.
12.1
Precedence. To the extent of any conflict or inconsistency between:
12.2
Legacy UK SCCs. The supplementary terms for UK GDPR transfers in the SCCs
will, as of 21 September 2022, supersede and terminate any standard contractual
clauses approved under the UK GDPR or Data Protection Act 2018 and previously
entered into by Customer and Chronicle.
12.3
No Modification of SCCs. Nothing in the Agreement (including these Terms)
is intended to modify or contradict any SCCs or prejudice the fundamental
rights or freedoms of data subjects under European Data Protection Law.
Subject Matter
Chronicle’s provision of the Services and Chronicle TSS to Customer.
Duration of the Processing
The Term plus the period from the end of the Term until deletion of all
Customer Data by Chronicle in accordance with the Terms.
Nature and Purpose of the Processing
Chronicle will process Customer Personal Data
for the purposes of providing the Services and Chronicle TSS to Customer in
accordance with the Terms.
Categories of Data
Data relating to individuals provided to Chronicle
via the Services, by (or at the direction of) Customer or by Customer End
Users.
Data Subjects
Data subjects include the individuals about
whom data is provided to Chronicle via the Services by (or at the direction of)
Customer or by Customer End Users.
As from the Terms
Effective Date, Chronicle will implement and maintain the Security Measures
described in this Appendix 2.
1. Subprocessor Security
Before onboarding Subprocessors,
Chronicle conducts an audit of the security and privacy practices of
Subprocessors to ensure they provide a level of security and privacy appropriate
to their access to data and the scope of the services they are engaged to
provide. Once Chronicle has assessed the risks presented by the Subprocessor,
then subject to the requirements described in Section 10.3 (Requirements for
Subprocessor Engagement) of these Terms, the Subprocessor is required to enter
into appropriate security, confidentiality and privacy contract terms.
2. Infrastructure Security
Chronicle
is built on core infrastructure provided by Google LLC and other Chronicle
Affiliate Suprocessors (hereinafter “Google”). Chronicle will ensure that, as
from the Terms Effective Date, Google will implement and maintain the additional
Security Measures described in this Appendix 2.
(a) Data Center and Network Security
(i) Data Centers.
Infrastructure. Google maintains geographically
distributed data centers. Google stores all production data in Google’s
physically secure data centers.
Redundancy. Infrastructure systems have
been designed to eliminate single points of failure and minimize the impact of
anticipated environmental risks. Dual circuits, switches, networks or other
necessary devices help provide this redundancy. The Services are designed to
allow Google to perform certain types of preventative and corrective
maintenance without interruption. All environmental equipment and facilities
have documented preventative maintenance procedures that detail the process for
and frequency of performance in accordance with the manufacturer’s or internal
specifications. Preventative and corrective maintenance of the data center equipment
is scheduled through a standard change process according to documented
procedures.
Power. The data center electrical
power systems are designed to be redundant and maintainable without impact to
continuous operations, 24 hours a day, 7 days a week. In most cases, a primary
as well as an alternate power source, each with equal capacity, is provided for
critical infrastructure components in the data center. Backup power is provided
by various mechanisms such as uninterruptible power supplies (UPS) batteries,
which supply consistently reliable power protection during utility brownouts,
blackouts, over voltage, under voltage, and out-of-tolerance frequency
conditions. If utility power is interrupted, backup power is designed to
provide transitory power to the data center, at full capacity, for up to 10
minutes until the backup generator systems take over. The backup generators are
capable of automatically starting up within seconds to provide enough emergency
electrical power to run the data center at full capacity typically for a period
of days.
Server Operating
Systems. Google
servers use a Linux based implementation customized for the application
environment. Data is stored using proprietary algorithms to augment data
security and redundancy. Google employs a code review process to increase the
security of the code used to provide the Services and enhance the security
products in production environments.
Businesses
Continuity.
Google has designed and regularly plans and tests its business continuity planning/disaster
recovery programs.
(ii) Networks
and Transmission.
Data
Transmission.
Data centers are typically connected via high-speed private links to provide
secure and fast data transfer between data centers. This is designed to prevent
data from being read, copied, altered or removed without authorization during
electronic transfer or transport or while being recorded onto data storage
media. Google transfers data via Internet standard protocols.
External Attack Surface. Google employs multiple layers
of network devices and intrusion detection to protect its external attack
surface. Google considers potential attack vectors and incorporates appropriate
purpose built technologies into external facing systems.
Intrusion
Detection.
Intrusion detection is intended to provide insight into ongoing attack
activities and provide adequate information to respond to incidents. Google’s
intrusion detection involves:
Incident
Response. Google
monitors a variety of communication channels for security incidents, and
Google’s security personnel will react promptly to known incidents.
Encryption
Technologies.
Google makes HTTPS encryption (also referred to as SSL or TLS connection)
available. Google servers support ephemeral elliptic curve Diffie-Hellman
cryptographic key exchange signed with RSA and ECDSA. These perfect forward
secrecy (PFS) methods help protect traffic and minimize the impact of a
compromised key, or a cryptographic breakthrough.
(b) Access and Site Controls
(i) Site Controls.
On-site Data
Center Security Operation. Google’s data centers maintain an on-site security operation
responsible for all physical data center security functions 24 hours a day, 7
days a week. The on-site security operation personnel monitor closed circuit TV
(CCTV) cameras and all alarm systems. On-site security operation personnel
perform internal and external patrols of the data center regularly.
Data Center
Access Procedures.
Google maintains formal access procedures for allowing physical access to the
data centers. The data centers are housed in facilities that require electronic
card key access, with alarms that are linked to the on-site security operation.
All entrants to the data center are required to identify themselves as well as
show proof of identity to on-site security operations. Only authorized
employees, contractors and visitors are allowed entry to the data centers. Only
authorized employees and contractors are permitted to request electronic card
key access to these facilities. Data center electronic card key access requests
must be made through e-mail, and require the approval of the requestor’s
manager and the data center director. All other entrants requiring temporary
data center access must: (i) obtain approval in advance from the data center
managers for the specific data center and internal areas they wish to visit;
(ii) sign in at on-site security operations; and (iii) reference an approved
data center access record identifying the individual as approved.
On-site Data
Center Security Devices. Google’s data centers employ a dual authentication access
control system that is linked to a system alarm. The access control system
monitors and records each individual’s electronic card key and when they access
perimeter doors, shipping and receiving, and other critical areas. Unauthorized
activity and failed access attempts are logged by the access control system and
investigated, as appropriate. Authorized access throughout the business
operations and data centers is restricted based on zones and the individual’s
job responsibilities. The fire doors at the data centers are alarmed. CCTV
cameras are in operation both inside and outside the data centers. The
positioning of the cameras has been designed to cover strategic areas including,
among others, the perimeter, doors to the data center building, and
shipping/receiving. On-site security operations personnel manage the CCTV
monitoring, recording and control equipment. Secure cables throughout the data
centers connect the CCTV equipment. Cameras record on site via digital video
recorders 24 hours a day, 7 days a week. The surveillance records are retained
for up to 30 days based on activity.
(ii) Access
Control.
Infrastructure
Security Personnel.
Google has, and maintains, a security policy for its personnel, and requires
security training as part of the training package for its personnel. Google’s
infrastructure security personnel are responsible for the ongoing monitoring of
Google’s security infrastructure, the review of the Services, and responding to
security incidents.
Access Control
and Privilege Management. Customer’s administrators and Customer End Users must
authenticate themselves via a central authentication system or via a single
sign on system in order to use the Services.
Internal Data
Access Processes and Policies – Access Policy. Google’s internal data access
processes and policies are designed to prevent unauthorized persons and/or
systems from gaining access to systems used to process Customer Data. Google
designs its systems to (i) only allow authorized persons to access data they
are authorized to access; and (ii) ensure that Customer Data cannot be read,
copied, altered or removed without authorization during processing, use and
after recording. The systems are designed to detect any inappropriate access.
Google employs a centralized access management system to control personnel
access to production servers, and only provides access to a limited number of
authorized personnel. Google’s authentication and authorization systems utilize
SSH certificates and security keys, and are designed to provide Google with
secure and flexible access mechanisms. These mechanisms are designed to grant
only approved access rights to site hosts, logs, data and configuration
information. Google requires the use of unique user IDs, strong passwords, two
factor authentication and carefully monitored access lists to minimize the
potential for unauthorized account use. The granting or modification of access
rights is based on: the authorized personnel’s job responsibilities; job duty
requirements necessary to perform authorized tasks; and a need to know basis. The
granting or modification of access rights must also be in accordance with Google’s
internal data access policies and training. Approvals are managed by workflow
tools that maintain audit records of all changes. Access to systems is logged
to create an audit trail for accountability. Where passwords are employed for
authentication (e.g., login to workstations), password policies that follow at
least industry standard practices are implemented. These standards include
restrictions on password reuse and sufficient password strength. For access to
extremely sensitive information (e.g., credit card data), Google uses hardware
tokens.
(c) Data
(i) Data
Storage, Isolation and Logging. Google stores data in a multi-tenant environment on
Google-owned servers. Subject to any Instructions to the contrary (e.g., in the
form of a data location selection), Google replicates Customer Data between multiple
geographically dispersed data centers. Google also logically isolates Customer
Data. Customer will be given control over specific data sharing policies. Those
policies, in accordance with the functionality of the Services, will enable
Customer to determine the product sharing settings applicable to Customer End
Users for specific purposes.
(ii) Decommissioned
Disks and Disk Erase Policy. Disks containing data may experience performance issues,
errors or hardware failure that lead them to be decommissioned (“Decommissioned
Disk”). Every Decommissioned Disk is subject to a series of data destruction
processes (the “Disk Erase Policy”) before leaving Google’s premises either for
reuse or destruction. Decommissioned Disks are erased in a multi-step process
and verified complete by at least two independent validators. The erase results
are logged by the Decommissioned Disk’s serial number for tracking. Finally,
the erased Decommissioned Disk is released to inventory for reuse and
redeployment. If, due to hardware failure, the Decommissioned Disk cannot be
erased, it is securely stored until it can be destroyed. Each facility is audited
regularly to monitor compliance with the Disk Erase Policy.
(d) Personnel Security
Google personnel
are required to conduct themselves in a manner consistent with the company’s
guidelines regarding confidentiality, business ethics, appropriate usage, and
professional standards. Google conducts reasonably appropriate backgrounds
checks to the extent legally permissible and in accordance with applicable
local labor law and statutory regulations.
Personnel are
required to execute a confidentiality agreement and must acknowledge receipt
of, and compliance with, Google’s confidentiality and privacy policies.
Personnel are provided with security training. Personnel handling Customer Data
are required to complete additional requirements appropriate to their role
(e.g., certifications). Google’s personnel will not process Customer Data
without authorization.