If you use Google Cloud to process personal data, a separate Data Processing Addendum (DPA) applies and governs how Google handles that data; you need to review and ensure the DPA meets your legal obligations for data protection.
This analysis describes what Google Cloud's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
For any organization processing personal data of EU residents or other protected individuals on GCP, the DPA establishes the legal framework for that processing and determines whether Google acts as a processor under your instruction or in another capacity.
Interpretive note: The specific obligations under the DPA depend on the current version of that document, which is incorporated by reference and not reproduced in the main agreement text; applicable obligations vary significantly by jurisdiction and processing context.
This provision means that data protection obligations, including GDPR compliance for EU personal data, are governed by a separate DPA that is incorporated into the agreement by reference; customers must ensure the DPA is properly executed and configured for their use case.
How other platforms handle this
Cloudflare's current Privacy Policy is incorporated into this Agreement by this reference and is located at https://www.cloudflare.com/privacypolicy/. In addition, by using the Services, you acknowledge and agree that internet transmissions are never completely private or secure.
To the extent that Duo processes any Personal Data (as defined in the Duo Privacy Data Sheet) on behalf of Customer in connection with Customer's use of the Services, the terms of the Duo Data Processing Agreement ('DPA'), which are hereby incorporated by reference into this Agreement, shall apply a...
If you access or use any of Oura's location-based services, such as by enabling GPS-based activity tracking through our Services, Oura may process the approximate or precise location of your device while the service is active. This data may be obtained via your device's service provider network ID, ...
Monitoring
Google Cloud has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"The parties will comply with the Google Cloud Data Processing Addendum ('Cloud DPA'), which is incorporated into the Agreement by reference. To the extent Customer uses the Services to process personal data subject to GDPR or other applicable data protection law, the Cloud DPA governs such processing.— Excerpt from Google Cloud's Google Cloud Terms
1) REGULATORY LANDSCAPE: The incorporation of the Cloud DPA directly implicates GDPR (for EU/EEA personal data), UK GDPR (for UK residents' data), and CCPA (for California residents' data). Customers acting as data controllers are responsible for ensuring that their use of GCP as a processor (or sub-processor) is lawful, that standard contractual clauses or equivalent transfer mechanisms are in place for international data transfers, and that the DPA terms are consistent with their own privacy policies and data subject rights processes. Supervisory authorities in the EU (lead authority determined by establishment) and the UK ICO are the primary enforcement bodies. 2) GOVERNANCE EXPOSURE: High. The DPA is incorporated by reference rather than included in the main agreement text, meaning customers must separately locate, review, and confirm execution of the current DPA version. Failure to have a valid DPA in place for GDPR-regulated processing could constitute a violation of GDPR Article 28, exposing the customer (as controller) to regulatory sanction. 3) JURISDICTION FLAGS: EU/EEA and UK customers face the highest exposure, particularly regarding international data transfer mechanisms following Schrems II. Customers in countries without an EU adequacy decision must rely on standard contractual clauses or other approved mechanisms. US customers processing EU residents' data are subject to GDPR regardless of their own location. Sector-specific regulations (HIPAA for US healthcare, PSD2 for EU payments) may impose additional DPA-level requirements beyond the standard Cloud DPA. 4) CONTRACT AND VENDOR IMPLICATIONS: Legal and procurement teams should confirm that the Google Cloud DPA has been accepted or executed in the correct form for their jurisdiction, that the list of sub-processors has been reviewed, and that the sub-processor notification and objection process is operationally implemented. HIPAA-regulated customers should confirm that a Business Associate Agreement is in place as a supplement to or alongside the DPA. 5) COMPLIANCE CONSIDERATIONS: Data protection officers should conduct a data mapping exercise to identify all personal data processed through GCP and confirm that the DPA covers all relevant processing activities. Where Google acts as a data controller for certain processing (e.g. service improvement), customers should verify that this is disclosed to data subjects in their own privacy notices. Annual reviews of the DPA and sub-processor list are recommended as part of ongoing vendor management.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
For any organization processing personal data of EU residents or other protected individuals on GCP, the DPA establishes the legal framework for that processing and determines whether Google acts as a processor under your instruction or in another capacity.
This provision means that data protection obligations, including GDPR compliance for EU personal data, are governed by a separate DPA that is incorporated into the agreement by reference; customers must ensure the DPA is properly executed and configured for their use case.
ConductAtlas has identified this type of provision across 4 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Google Cloud.