Why Google's Standard Contract Falls Short on Data Residency
Google Cloud's commercial Master Agreement is not a data processing agreement. It governs service delivery, pricing, and liability — but it does not, by default, impose enforceable obligations on where your data is processed, who can access it, or what happens to it when you exit the relationship. The data residency commitments that most enterprise procurement teams assume are in place simply are not present unless explicitly negotiated and documented.
Google does offer a Cloud Data Processing Addendum (CDPA), updated in 2025 to align with the EU Data Act. However, the standard CDPA is a permissive document that gives Google significant operational latitude. Accepting it without modification does not provide the control over data location that regulated industries require. The modifications needed depend on your regulatory environment, but the starting point is always the same: understand what the standard document actually says before accepting it.
This article connects to the broader Google Cloud contract terms negotiation guide and should be read alongside our coverage of Google Cloud exit rights and data portability, which addresses what happens to your data when you want to leave.
Understanding Google's Data Processing Framework
Google's data processing framework for enterprise cloud customers has three main components: the Cloud Data Processing Addendum, the Standard Contractual Clauses (SCCs), and service-specific technical controls. Understanding each component — and their limitations — is essential before entering negotiations.
The Cloud Data Processing Addendum (CDPA)
The CDPA is Google's standard data processing agreement for Google Cloud services. It covers the core GDPR Article 28 requirements: processing only on documented instructions, confidentiality obligations, security measures, sub-processor management, data subject rights assistance, deletion or return of data on termination, and audit rights. For organisations that don't already have a Data Processing Agreement embedded in their contract, opting into the CDPA is mandatory for GDPR compliance.
However, the CDPA contains several provisions that enterprise compliance teams consistently flag. The definition of "documented instructions" is broad enough to permit Google to process data for service improvement purposes unless you explicitly opt out. The sub-processor list is a URL reference rather than a contract schedule — meaning Google can add new sub-processors by updating a web page, with customer notification but without requiring customer consent. And the audit rights clause gives Google significant discretion over timing, scope, and format of any audit.
Standard Contractual Clauses (SCCs)
For cross-border data transfers from the EU/EEA to Google's infrastructure outside the EU, Google relies on the EU Commission's Standard Contractual Clauses (SCCs). Google updated its SCCs in 2022 and 2024 to align with the new EU SCC framework and incorporate UK IDTA (International Data Transfer Agreement) provisions. The SCCs are incorporated by reference in the CDPA.
The SCCs provide a lawful mechanism for international data transfers but do not resolve data residency concerns. Data can be lawfully transferred under SCCs to US servers and still violate your internal data residency policy, your customer contracts, or sector-specific regulations such as DORA (Digital Operational Resilience Act for financial services) or NIS2 (Network and Information Security Directive).
Technical Controls: Regions and Assured Workloads
Google Cloud provides technical mechanisms for data residency through two primary tools: resource location policies and Assured Workloads. Resource location policies allow you to restrict where new Google Cloud resources (VMs, databases, storage buckets) can be created, preventing accidental deployment outside your designated regions. Assured Workloads is a paid overlay that provides additional controls for regulated workloads, including enforced data residency, limited personnel access, and compliance documentation.
The critical distinction: technical controls are operational configurations, not contractual obligations. If a technical control fails or is inadvertently reconfigured, you have no contractual remedy unless your Master Agreement explicitly documents the data residency commitment and attaches liability to breaches.
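The point above is that a resource-location policy is a configuration that can silently drift, so it should be monitored against the contractual commitment rather than trusted once. The following is an added example (not code from the article, from Redress, or from Google) that models an organization policy shaped like the real `constraints/gcp.resourceLocations` constraint with its `in:eu-locations` value group, and audits a constructed resource inventory against it. The `VALUE_GROUPS` region membership is a deliberately partial, constructed mapping (Google maintains the real one), the inventory is constructed sample data rather than an API result, and `policy_matches_contract` is a hypothetical helper that compares the live policy to the groups agreed in the contract schedule.

```python
"""Audit Google Cloud resource locations against an org policy and a contract.

Added example: models constraints/gcp.resourceLocations (value-group syntax
'in:<group>') and checks (a) a resource inventory for resources outside the
allowed locations and (b) whether the live policy still matches what the
contract schedule promises. The region list and inventory are constructed.
"""
from dataclasses import dataclass

# Assumption: partial, constructed membership of the 'eu-locations' value
# group. The authoritative list is maintained by Google, not by this script.
VALUE_GROUPS = {
    "eu-locations": {
        "europe-west1", "europe-west3", "europe-west4", "europe-north1", "eu",
    },
}

# Org policy in the same shape as the legacy gcloud org-policy YAML/JSON:
# constraint + listPolicy.allowedValues. This is the "as agreed" state.
ORG_POLICY = {
    "constraint": "constraints/gcp.resourceLocations",
    "listPolicy": {"allowedValues": ["in:eu-locations"]},
}

# Constructed "drifted" policy: someone added a US region as an allowed value.
DRIFTED_POLICY = {
    "constraint": "constraints/gcp.resourceLocations",
    "listPolicy": {"allowedValues": ["in:eu-locations", "us-central1"]},
}


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str
    location: str


def expand_allowed(policy):
    """Expand 'in:<group>' references and literal regions into one set."""
    allowed = set()
    for value in policy["listPolicy"].get("allowedValues", []):
        if value.startswith("in:"):
            group = value[3:]
            if group not in VALUE_GROUPS:
                raise ValueError(f"unknown value group {group!r}")
            allowed |= VALUE_GROUPS[group]
        else:
            allowed.add(value)
    return allowed


def find_violations(resources, policy):
    """Return resources whose location is not permitted by the policy."""
    allowed = expand_allowed(policy)
    return [r for r in resources if r.location not in allowed]


def policy_matches_contract(policy, contract_groups):
    """True only if the policy allows exactly the contractually agreed groups.

    Catches the 'inadvertently reconfigured' case: an extra literal region,
    a missing group, or a blanket allValues=ALLOW all count as drift.
    """
    list_policy = policy["listPolicy"]
    if list_policy.get("allValues") == "ALLOW":
        return False
    expected = {f"in:{g}" for g in contract_groups}
    return set(list_policy.get("allowedValues", [])) == expected


# Constructed inventory: one resource has been created outside the EU.
SAMPLE_INVENTORY = [
    Resource("prod-db", "sql-instance", "europe-west4"),
    Resource("prod-bucket", "gcs-bucket", "eu"),
    Resource("analytics-vm", "gce-instance", "us-central1"),
]

if __name__ == "__main__":
    contract = ["eu-locations"]
    for label, policy in (("agreed", ORG_POLICY), ("drifted", DRIFTED_POLICY)):
        print(f"{label}: matches contract = "
              f"{policy_matches_contract(policy, contract)}")
    for r in find_violations(SAMPLE_INVENTORY, ORG_POLICY):
        print(f"VIOLATION: {r.kind} {r.name} is in {r.location}")
```

In practice the `ORG_POLICY` dictionary would be replaced by the live policy (for example the output of `gcloud resource-manager org-policies describe` for the organisation) and the inventory by an asset export, run on a schedule; a non-empty violation list or a `False` from `policy_matches_contract` is the evidence you would need to invoke the contractual remedy the article says must be negotiated separately.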
What GDPR Requires from Your Cloud Provider Contract
GDPR Article 28 specifies the minimum content required in a contract between a data controller (your organisation) and a data processor (Google). Beyond the minimum requirements, effective data governance in a cloud environment requires provisions that go significantly further. The gap between GDPR minimum and operational best practice is where most enterprise compliance failures occur.
Article 28 Mandatory Requirements
The mandatory GDPR Article 28 requirements that must appear in your contract are: (1) processing only on your documented instructions; (2) confidentiality obligations on all persons authorised to process the data; (3) implementation of appropriate technical and organisational security measures; (4) sub-processor restrictions and pass-through obligations; (5) assistance with data subject rights requests; (6) assistance with your compliance obligations including DPIAs; (7) deletion or return of all personal data on termination; and (8) provision of all information necessary to demonstrate compliance, including audit rights.
Google's standard CDPA addresses all eight requirements, but the language used to address some of them is deliberately permissive. The audit rights clause, for example, states that Google will provide audit information subject to "reasonable and practicable arrangements" — a standard that Google interprets conservatively, often limiting audits to third-party certifications rather than customer-initiated assessments.
Beyond Article 28: What Regulated Enterprises Need
Financial services firms operating under DORA must document data processing locations at the level of individual data centres for their critical third-party ICT providers. Healthcare organisations under GDPR's special category data rules need explicit consent mechanisms for any data processing by Google personnel. Government contractors may require sovereign cloud provisions that standard GDPR compliance doesn't address. The Google Cloud PPA negotiation process is where these sector-specific requirements should be included as contractual conditions of the commercial deal.
Negotiating Data Residency Clauses
Effective data residency negotiation with Google requires specificity. Generic requests for "EU data processing" are insufficient — they don't specify which services are in scope, what constitutes a breach, or what remedy you have when Google fails to maintain the commitment. The following framework provides a structured approach to negotiating residency terms that are both enforceable and operationally practical.
Define the Scope of Data in the Contract
The first step is defining exactly which data categories are subject to residency requirements. Not all data processed through Google Cloud requires EU-only storage. Logs, telemetry, and performance metrics may be acceptable to process globally. Customer personal data, financial transaction records, and health information typically require strict residency controls. Your contract should distinguish between these categories and apply residency requirements only where needed — negotiating EU-only processing for everything creates operational constraints without proportionate benefit.
Specify the Processing Regions
Don't accept language like "primarily processed in the EU" or "processed in accordance with Google's regional architecture." Demand specific language: "Customer Data in scope as defined in Schedule A shall be stored at rest and processed exclusively within European Union member states. Google shall not transfer, replicate, or process Customer Data in scope outside the European Union without Customer's prior written consent, except as required by applicable law (in which case Google shall notify Customer to the extent permitted by law)."
This language needs to appear in your Master Agreement or a signed schedule, not just in a technical configuration guide or a webpage that Google can modify unilaterally. See our GCP negotiation leverage framework for how to position this as a commercial condition rather than a post-signing legal request.
Negotiate Assured Workloads Pricing
Assured Workloads is Google's premium data residency and compliance product. It enforces data residency at the platform level, restricts personnel access to customer data based on geographic controls, and provides compliance documentation for regulated workloads. The standard premium is 5-10% above base service pricing. For enterprise accounts making significant multi-year commitments, this premium is negotiable. Redress has successfully negotiated Assured Workloads inclusion at no additional cost for accounts committing to $3M+ annual GCP spend, as part of a broader Google Cloud CUD negotiation.
Sub-Processor Controls and Third-Party Risk
Google's CDPA allows Google to engage sub-processors to deliver Cloud services, subject to notification obligations. Google maintains a public list of sub-processors at a URL referenced in the CDPA. When Google adds a new sub-processor, it updates this URL and notifies customers. Customers have the right to object to new sub-processors, but the process for exercising that right — and Google's response — is not clearly defined in the standard agreement.
Negotiating Sub-Processor Controls
Enterprise buyers with robust third-party risk management programmes need stronger sub-processor provisions. The key modifications to request are: (1) a contractual schedule listing current sub-processors rather than a URL reference, updated by mutual written amendment rather than by Google's unilateral update; (2) advance notice of at least 60 days before a new sub-processor is added, rather than the shorter notice period in the standard CDPA; (3) a clearly defined objection process that specifies what happens if you object — and gives you the right to terminate the affected service if Google proceeds with an objectionable sub-processor; and (4) flow-down clauses requiring sub-processors to comply with the same data residency and GDPR obligations that apply to Google.
Google's account teams will resist sub-processor schedule amendments because they create operational inflexibility. The strongest negotiating position combines this request with the commercial deal — sub-processor controls as a condition of a multi-year commitment — rather than as a standalone legal request. Enterprise-tier accounts spending $2M+ annually have more success with these provisions than smaller accounts.
Audit Rights and Compliance Evidence
GDPR Article 28(3)(h) requires processors to provide all information necessary to demonstrate compliance and to allow for and contribute to audits by the controller. Google's standard CDPA satisfies this requirement by providing access to third-party compliance certifications (ISO 27001, SOC 2 Type II, ISO 27018) and by participating in "reasonable and practicable" customer audits.
Strengthening Audit Provisions
Third-party certifications are evidence of compliance at a point in time, not a continuous compliance guarantee. For organisations that require evidence of ongoing compliance with specific GDPR obligations — particularly those subject to regulatory examination — the standard certification access is insufficient. Negotiate for: (1) right to questionnaire-based assessments on specific controls relevant to your GDPR obligations, not limited to topics covered by Google's certification scope; (2) a defined response time for compliance evidence requests (30 days is standard; 15 days is achievable for defined question sets); and (3) right to commission third-party assessors to review Google's compliance against your specific contractual requirements at your cost.
Data Deletion and Exit Rights
GDPR Article 5(1)(e) requires that personal data is not kept for longer than necessary. When your Google Cloud relationship ends — whether at contract expiry, termination, or migration — you need contractual certainty that Google deletes all copies of your data within a defined timeframe. Google's standard CDPA provides for deletion or return of data on termination but leaves the timeframe vague.
Negotiate specific deletion timelines: "Google shall delete all Customer Data in scope, including all copies and backups, within 60 days of termination. Google shall provide written certification of deletion within 90 days of termination." For specific services, you may want contractual rights to data export in standard formats before deletion — this connects to the broader data portability provisions discussed in our guide on Google Cloud exit rights.
Also negotiate the Google Workspace licensing negotiation provisions for end-user data — Workspace data (email, Drive, Calendar) operates under different terms than Google Cloud infrastructure data, and both need coordinated treatment in your GDPR compliance framework.
AI and GenAI Data Processing Considerations
The expansion of Google AI services — Vertex AI, Gemini, and Document AI — into enterprise workflows creates new GDPR compliance dimensions that standard data residency provisions don't adequately address. When personal data is processed by AI models, additional considerations apply: the basis for AI processing, model training data restrictions, and output data retention.
Google's standard AI service terms reserve significant rights over data used to train and improve models. If personal data is processed through Vertex AI or Gemini services, the standard terms may permit use of that data for model improvement unless you explicitly opt out. The opt-out mechanism exists but is not prominently documented and must be configured service-by-service. The Google Gemini enterprise licensing guide 2026 provides specific guidance on AI data processing restrictions and what to negotiate in your Gemini and Vertex AI agreements.
Putting It Together: The Data Residency Negotiation Checklist
Before signing or renewing a Google Cloud agreement involving personal data processing, verify that your contract includes all of the following provisions:
- CDPA adoption: Confirm the CDPA is incorporated into your Master Agreement, not just available on Google's website.
- Specific processing regions: Data categories and their required processing regions are named explicitly in a contract schedule, not by URL reference.
- EU-only processing language: Explicit prohibition on processing in-scope data outside the EU without prior written consent.
- Assured Workloads: For regulated workloads, Assured Workloads is included as a contractual service obligation with defined scope.
- Sub-processor notice period: Minimum 60-day advance notice of new sub-processors, with a defined objection process.
- Audit rights: Right to questionnaire-based assessments with defined response timeframes.
- Data deletion timeline: Specific deletion deadline (60-90 days post-termination) with written certification.
- AI processing restrictions: Explicit opt-out from model training using your personal data across all AI services in scope.
About the Author
Fredrik Filipsson is Co-Founder of Redress Compliance, with 20+ years in enterprise software licensing and 500+ vendor engagements. He is Gartner-recognised for independent advisory on cloud and SaaS procurement. Connect on LinkedIn.