specifically prohibited by law or court order.

Third-party suppliers

Google directly conducts virtually all data processing activities to provide our services. However, Google may engage some third-party suppliers to provide services related to G Suite, including customer and technical support. Prior to onboarding third-party suppliers, Google conducts an assessment of the security and privacy practices of third-party suppliers to ensure they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Google has assessed the risks presented by the third-party supplier, the supplier is required to enter into appropriate security, confidentiality, and privacy contract terms.

Regulatory Compliance

Our customers have varying regulatory compliance needs. Our clients operate across regulated industries, including finance, pharmaceutical and manufacturing.

Google contractually commits to the following:

• Google will maintain adherence to ISO 27001, ISO 27018 and SOC 2/3 audits during the term of the agreement;
• Defined Security Standards. Google will define how data is processed, stored, and protected through specific defined security standards;
• Access to our Data Privacy Officer. Customers may contact Google’s Data Privacy Officer for questions or comments;
• Data Portability. Administrators can export customer data in standard formats at any time during the term of the agreement. Google does not charge a fee for exporting data.

Data processing amendment

Google takes a global approach to our commitments on data processing. Google and many of our customers operate in a global environment. G Suite offers a Data Processing Amendment and EU Model Contract Clauses to facilitate compliance with jurisdictional-specific laws or regulations. Your organization can opt into our data processing amendment by following the instructions in our Help Center.
Google Cloud Security and Compliance Whitepaper