Availability, Integrity, and Resilience Google designs the components of our platform to be highly redundant. Google’s data centers are geographically distributed to minimize the effects of regional disruptions on global products such as natural disasters and local outages. In the event of hardware, software, or network failure, services are automatically and instantly shifted from one facility to another so that operations can continue without interruption. Our highly redundant infrastructure helps customers protect themselves from data loss. Testing Google conducts disaster recovery testing on an annual basis to provide a coordinated venue for infrastructure and application teams to test communication plans, fail- over scenarios, operational transition, and other emergency responses. All teams that participate in the disaster recovery exercise develop testing plans and post mortems which document the results and lessons learned from the tests. Encryption 010010101110 Google uses encryption to protect data in transit and at rest. Data in transit to 010101011110 G Suite is protected using HTTPS, which is activated by default for all users. 011011001001 G Suite and Google Cloud Platform services encrypt customer content stored at 011101101011 rest, without any action required from customers, using one or more encryption mechanisms. A detailed discussion of how we encrypt data can be found in our Encryption Whitepaper. Access Controls For Google employees, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Google’s security policies. Vulnerability Management We scan for software vulnerabilities using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration testing, quality assurance processes, software security reviews, and external audits. We also rely on the broader security research community and greatly value their help identifying vulnerabilities in G Suite, Google Cloud Platform, and other Google products. Our Vulnerability Reward Program encourages researchers to report design and implementation issues that may put customer data at risk. PAGE 5