Google Workspace

1 Vendor Overview

  • Service: Email, calendar, document storage, video conferencing, productivity suite
  • Primary Use: Client communications, meeting recordings, document collaboration, SEC-required archival
  • Data Classification: Highly sensitive client information and privileged communications
  • Contract Status: Google Workspace Business with Data Processing Amendment
  • Risk Level: Critical (stores all client communications and confidential documents)

2 Data Protection Compliance

2.1 Green Energy & Sustainability

Status: GREEN ENERGY POWERED

  • Carbon Neutral: Carbon-neutral since 2007, committed to carbon-free by 2030
  • Renewable Energy: 100% renewable energy for all operations since 2017
  • Sustainability Leadership: Largest corporate purchaser of renewable energy globally
  • Environmental Reporting: Annual sustainability reports with verified metrics

2.2 Regulation S-P Compliance

Status: ⚠️ REQUIRES VERIFICATION

Required Documentation:

  • [ ] Data Processing Agreement: Verify current enterprise DPA covers incident notification
  • [ ] Security Certifications: Confirm SOC 2 Type II and ISO 27001 status
  • [ ] Breach Notification: Verify 72-hour notification guarantee
  • [ ] Audit Rights: Confirm security assessment access

Claimed Google Cloud DPA Coverage:

  • Enterprise-grade data processing agreement
  • Incident notification within 72 hours
  • Security certifications (SOC 2 Type II, ISO 27001)
  • Audit rights and security control verification
  • Data residency controls

Communication Archival:

  • Gmail: SEC Rule 204-2 compliant email archival (7 years minimum)
  • Meet Recordings: Client meeting recordings with automated storage
  • Document Versioning: Complete revision history for client documents
  • Access Logging: Detailed audit trails for compliance monitoring

2.3 Utah Consumer Privacy Act (UCPA)

Status: COMPLIANT

Consumer Rights Support:

  • Data Access: Google Takeout provides complete client data export
  • Deletion Rights: Account-level and document-level deletion capabilities
  • Portability: Standard export formats for all client data
  • Processing Limitation: Granular privacy controls and data sharing restrictions

3 Incident Response Integration

3.1 Breach Notification Process

  • Google → ECIC: 72 hours maximum via enterprise support
  • ECIC → Clients: 30 days per Regulation S-P requirements

Notification Channels:

  1. Critical Incidents: Direct phone notification to admin users
  2. Security Alerts: Real-time notifications via Admin Console
  3. Compliance Team: security-notifications@google.com for enterprise accounts
  4. Account Management: Dedicated Customer Success Manager contact

4 Support Channels

  • Enterprise Support: Google Cloud Support Console (Project: ethical-capital-workspace)
  • Admin Contact: workspace-admin@ethicalcapital.com
  • Security Incidents: security-notifications@google.com
  • Emergency: Google Workspace Admin Console → Help → Contact Support (24/7)

5 Key Integrations

  • Gmail: Client email interaction tracking, contact touch frequency analysis
  • Calendar: Meeting scheduling data aggregation from multiple calendars
  • Drive: Document storage, client file organization, automated backup pipeline
  • Contacts: Contact resolution and email address mapping across systems
  • Forms: Client onboarding data collection and automated matching

6 Technical Implementation

  • Authentication: OAuth 2.0 with refresh tokens securely stored in Doppler encrypted credential store
  • Rate Limits: 100 requests/second/user (Gmail), 1000/second (Calendar), varies by service
  • Data Flow: Daily sync → DuckDB catalog → LACRM metrics aggregation
  • Automation: Referenced in processes: data-ingestion, contact-management, drive-backup
  • Scopes: Gmail.readonly, Calendar.readonly, Drive.readonly, Contacts.readonly, Forms.responses.readonly

7 Risk Notes

  • OAuth tokens contain broad workspace access - secure storage critical
  • PII present in Gmail content and Drive files - access logging enabled
  • Drive backup includes client-sensitive documents - encryption at rest required
  • API quota exhaustion impacts all automated workflows - monitor usage dashboards
  • Token refresh failures cascade to all Google integrations - automated monitoring essential
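
The scope and token-refresh risks above can be checked mechanically. The following is an added example, not part of the original assessment or any ECIC code: it audits a token-introspection response against the read-only scopes listed in section 6. It assumes the shorthand scope names map to the full `https://www.googleapis.com/auth/...` URLs and that the input has the `scope`, `expires_in` and `error_description` fields of Google's tokeninfo response; `audit_token`, `min_ttl` and the sample documents are constructed for illustration.

```python
import json

# Assumption: full scope URLs for the shorthand names in section 6 ("Scopes").
ALLOWED_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/forms.responses.readonly",
}


def audit_token(tokeninfo_json, min_ttl=300):
    """Return a list of findings for one tokeninfo-style JSON document.

    An empty list means the token is live, holds exactly the documented
    read-only scopes, and has at least min_ttl seconds left.
    """
    try:
        info = json.loads(tokeninfo_json)
    except json.JSONDecodeError:
        info = None
    if not isinstance(info, dict):
        return ["unparseable response: treat as refresh failure"]
    if "error" in info or "error_description" in info:
        reason = info.get("error_description", info.get("error"))
        return [f"token rejected: {reason}"]

    granted = set(info.get("scope", "").split())
    findings = [f"excess scope: {s}" for s in sorted(granted - ALLOWED_SCOPES)]
    findings += [f"missing scope: {s}" for s in sorted(ALLOWED_SCOPES - granted)]

    try:
        ttl = int(info.get("expires_in", 0))  # tokeninfo reports this as a string
    except (TypeError, ValueError):
        ttl = 0
    if ttl < min_ttl:
        findings.append(f"token expires in {ttl}s: refresh needed")
    return findings


# Constructed sample responses (not captured from a real account).
GOOD = json.dumps({"scope": " ".join(sorted(ALLOWED_SCOPES)), "expires_in": "3400"})
OVERBROAD = json.dumps({
    "scope": " ".join(sorted(ALLOWED_SCOPES | {"https://www.googleapis.com/auth/drive"})),
    "expires_in": "120",
})
REJECTED = json.dumps({"error": "invalid_token", "error_description": "Invalid Value"})
```

Run it after each scheduled token refresh and alert on any non-empty result, so that scope drift and refresh failures surface before the daily sync does.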

8 Operational Dependencies

  • Contact Index: Gmail and Contacts provide email-to-person mapping for all other integrations
  • LACRM Sync: Meeting data from Calendar feeds portfolio review tracking
  • Drive Backup: Automated nightly sync to ensure business continuity
  • Client Onboarding: Forms responses trigger contact matching and LACRM updates