If a business uploads or processes data on Google Cloud, that data is not covered by this privacy notice. Instead, it is governed by a separate contract between Google and that business.
This analysis describes what Google Cloud's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision means that individuals whose personal data is processed through a Google Cloud-powered application have no direct rights under this public notice; their protections depend entirely on what the deploying business negotiated with Google.
End users of business applications built on Google Cloud cannot rely on this notice to understand how their personal data is handled; the operative rules are contained in a private agreement between the business and Google that is not publicly disclosed in this document.
How other platforms handle this
Miro's processing of personal data on behalf of customers is governed by the Customer Data Processing Addendum, which is incorporated into these Terms by reference. A current list of subprocessors used by Miro is available at miro.com/legal/subprocessors-list/ and is updated from time to time.
We may access, preserve, and share information with regulators, law enforcement, or others if we believe it is reasonably necessary to: detect, prevent, and address fraud and other illegal activity; protect ourselves, you, and others, including as part of investigations; and prevent death or imminen...
Customer authorized Mistral AI to transfer Personal Data to any country deemed to have an adequate level of data protection by the European Commission. Customer also authorizes Mistral AI to perform International Data Transfers to (a) on the basis of adequate safeguards in accordance with Applicable...
Monitoring
Google Cloud has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"This Privacy Notice does not apply to Customer Data — content that customers provide to Google Cloud for processing on their behalf. The handling of Customer Data is instead governed by the applicable agreement between Google Cloud and the customer, which includes data processing terms.— Excerpt from Google Cloud's Google Cloud Privacy
REGULATORY LANDSCAPE: This provision directly implicates GDPR Article 28, which requires that processing on behalf of a controller be governed by a binding contract specifying the processor's obligations. The Cloud Data Processing Addendum is the operative instrument for GDPR compliance in the B2B context. EU data protection authorities and the UK ICO are the primary enforcement bodies. The CCPA similarly distinguishes service provider relationships from direct business obligations, requiring a written contract. GOVERNANCE EXPOSURE: High. Organizations deploying Google Cloud to process personal data of their customers or employees must independently evaluate the Cloud Data Processing Addendum for GDPR, CCPA, and sector-specific compliance. Failure to review the CDPA may result in incomplete data processing agreements, creating exposure under GDPR Article 28 and equivalent national laws. JURISDICTION FLAGS: EU/EEA organizations face the highest exposure given GDPR's strict processor agreement requirements. California-based organizations must ensure the CDPA includes CCPA-compliant service provider restrictions. UK organizations must assess post-Brexit CDPA terms against UK GDPR requirements. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams must treat the Cloud Data Processing Addendum as a mandatory contract exhibit rather than an optional supplement. The assertion that Customer Data is governed by the customer agreement shifts primary privacy accountability to the deploying business, which may not align with assumptions made during vendor due diligence. COMPLIANCE CONSIDERATIONS: Legal teams should obtain and review the current version of the Google Cloud Data Processing Addendum, map all personal data flows into Google Cloud services, and verify that sub-processor disclosure lists are current. Organizations should also confirm that Google's standard contractual clauses or equivalent transfer mechanisms are in place for any cross-border data flows.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision means that individuals whose personal data is processed through a Google Cloud-powered application have no direct rights under this public notice; their protections depend entirely on what the deploying business negotiated with Google.
End users of business applications built on Google Cloud cannot rely on this notice to understand how their personal data is handled; the operative rules are contained in a private agreement between the business and Google that is not publicly disclosed in this document.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Google Cloud.