WHAT WE DO G Suite & Google Cloud Platform Commitments to the GDPR Among other things, data controllers are required to only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR. Here are some aspects you may want to consider when conducting your assessment of G Suite and Google Cloud Platform services. EXPERT KNOWLEDGE, RELIABILITY, AND RESOURCES Data Protection Expertise Google employs security and privacy professionals that include some of the world’s foremost experts in information, application, and network security. This team is tasked with maintaining the company’s defense systems, developing security review processes, building security infrastructure, and implementing Google’s security policies. Google also employs an extensive team of lawyers, regulatory compliance experts, and public policy specialists who look after privacy and security compliance for Google. These teams engage with customers, industry stakeholders, and supervisory authorities to shape our G Suite and Google Cloud Platform services in a manner that helps customers meet their compliance needs. DATA PROTECTION COMMITMENTS Data Processing Agreements Our data processing agreements for G Suite and Google Cloud Platform clearly articulate our privacy commitments to customers. We have evolved these terms over the years based on feedback from our customers and regulators. More recently, we have specifically updated these terms to reflect the GDPR, and have made these updated available well in advance of the entry into force of the GDPR to facilitate our customers’ compliance assessment and GDPR readiness when using Google Cloud services. Our customers can enter into these updated data processing terms now via the opt in process described here for the G Suite Data Processing Amendment and here for the GCP Data Processing and Security Terms, and the updated terms will take effect from 25 May 2018, when the GDPR comes into force. Processing According to Instructions Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions, as described in our current as well as our GDPR-updated data processing agreements. Personnel Confidentiality Commitments All Google employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy trainings, as well as our Code of Conduct training. Google’s Code of Conduct specifically addresses responsibilities and expected behavior with respect to the protection of information. PAGE 3