
Business Messages from Google
Q&A relating to data & security
February 2021

Background:

Business Messages is a messaging product from Google. It can be thought of as an ‘inbound’ channel, where a user initiates a conversation with a business. It is most commonly used for customer service, commerce, acquisition and marketing use cases. Users discover a business from an ‘entry point’ and then open up a ‘conversational surface’ to chat to the business. The business connects (directly, or through a CRM/CS partner) through an API that Google provides.

More information can be found at https://businessmessages.google/

Developer documentation can be found at https://developers.google.com/business-communications/business-messages/guides?hl=en

Entry points

Include, but are not limited to:
● Search results pages (SERP) of different types
● Map pages
● Phone/dialer app on Android
● Widgets or other devices that might be placed on a website or in app
● Weblinks

Confidential & proprietary. Please don’t share without permission

Conversational Surface

The messaging channel is delivered over IP, not through mobile carriers’ networks. It is not related to SMS or MMS or RCS, and is independent of any 3rd party OTT messaging applications that the consumer might use.

Each Partner connecting to the Google API is governed by a Terms of Service for Business Messages, and Acceptable Use Policy. Google does not enter into custom or supplementary agreements regarding Business Messages.

Objectives

The purpose of this document is to provide answers to common questions relating to Business Messages data security and associated topics.

1. What is the messaging architecture and flow for Business Messages? Which elements are encrypted?

Messages sent between users and businesses are encrypted between a user’s device and Google’s servers and between Google’s servers and the CRM/CSP through the Google Business Messaging API.

2. What is the implication from the Business Messages Terms of Service that Google and the partner are both Independent Data Controllers?

Since the user journey starts on a Google surface (e.g., search results page) and/or the conversation takes place on a Google conversational surface, the information passed in the consumer to business conversation falls under the Google Privacy policy. Since the consumer is passing information to the business, the conversation also falls under the Privacy Policy of the business - which is linked from the top-right menu of all consumer-to-business conversations.

Note that (in addition), the Business Messages Terms of Service includes clause 9, Data Protection.

3. Why won’t Google entertain custom agreements for Business Messages?

Just like Google Play, Business Messages is scaling to a very large number of user experiences, and this requires uniform legal agreements. We have purposefully designed very partner friendly terms that we believe provide ample protection for businesses and their users.

4. Our business is subject to regulations that mean that its providers must be available for audit. Will Google co-operate with this?

We have teams that are dedicated to responding to law enforcement and regulator inquiries in accordance with applicable law.

5. Will Google use customer’s data outside of Business Messages?

Google’s use of customer data is governed by Google’s privacy policy.

Things we WILL do with user data:
● Improve Business Messages
● Measure performance of Business Messages
● Improve results by understanding when and why users click on message buttons
● Optimize the positioning of message buttons
● Detect and prevent spam and fraud
● Protect users
● Analyse user intent through NLP techniques
● Provide automated responses to the user where appropriate (for example opening hours of stores)

Things we WON’T do with user data:
● Sell advertising based on, or otherwise monetize, message contents
● Share unaggregated data or message content with any third parties or competitors
● Violate our privacy policy

See also this op-ed from Google’s CEO:

“To make privacy real, we give you clear, meaningful choices around your data. All while staying true to two unequivocal policies: that Google will never sell any personal information to third parties; and that you get to decide how your information is used.”

6. Is persistent storage used for this service, and where is the information stored (conversations, materials for the agent, etc.)?

Mobile Originated (MO): Stored on ‘store and forward’ basis (meaning Google stores until it has been able to connect to the user’s device and deliver the message), for not longer than 35 days.
Mobile terminated (MT): Typically held for 35 days on store and forward basis.
MT: Held encrypted at Google for maximum 31 days, solely for spam detection.
Agent Materials (logo, name, description, etc): Persistently stored in global Google storage.

Messages are stored on a user’s device perpetually, unless the user chooses to delete them. Google stores (encrypted) messages to allow them to be synchronized between a user’s devices (and to ensure old messages are shown on a new device). These stored messages cannot/will not be shared with any third party.

Access to the messages is only available using the user’s Google ID (only that specific user can gain access to their data). The identical storage system is used for user data for YouTube, Photos, Stadia, Gmail, Chat, and other Google products and services.

7. If a message is not delivered, how would the business be notified that the message hasn’t been delivered?

We report the status of each message - sent and delivered.

8. Are messages stored encrypted?

Yes - messages are stored encrypted at Google.

9. Can a business control the encryption keys for its messages stored at Google?

Unfortunately not, because Google needs to scan Business Messages messages for spam to protect all users.

10. Is Business Messages certified by any 3rd parties?

Yes. Business Messages has received ISO 27001, SOC 2 and SOC 3 certification. Please ask if you’d like copies of certificates.

11. What audit rights do we have?

See this section from the Business Messages Terms of Service:

Each party will perform the following testing of the services, systems, devices, and media used to perform services pursuant to this Agreement using employees qualified to perform such testing, or a qualified independent security assessor:
   1. regular vulnerability scans using an industry standard vulnerability scanner at reasonable intervals, but in no event, less frequently than once every quarter;
   2. penetration testing at least once per year; and
   3. annual audit of that party’s Safeguards under an audit standard appropriate and applicable to the actions that party performs pursuant to this Agreement.

12. How does Google handle data breaches?

Please refer to Exhibit B, section 6, of the Business Messages Terms of Service, for Incident Response:

Incident Response.
Each party will maintain an incident response program to respond when that party has reason to believe that there has been or will be unauthorized access to, use or loss of personal data or other Confidential Information. A party will promptly notify the other party if it identifies such an incident involving personal data processed by, for, or on behalf of the other party.

13. What does the customer see when the Business Messages service is unavailable?

When a message cannot be sent (for any reason), we display “Not sent * Tap to retry”

14. What reporting does Google see on Business Messages agents (the business to consumer interactions)?

Google has internal reporting for the gross number of users, messages, and responses for each agent, based only on the last 31 days data. We use this for diagnostics and system improvements. Beyond 31 days we store only aggregate reporting data.

15. Does the Privacy and Security section of the Business Messages Agreement limit a brand’s ability to collect and use information about its own customers?

We do not intend to restrict a business’s ability to serve its own customers. A conversation between a user and a business that is created through the Business Messages API can be stored by the business, according to the terms of its own privacy policy with its users.

16. What data is stored on the user’s device?

Message history is stored within the user’s phone. We plan to offer features in the future that will help users transfer sensitive information—e.g. SSNs, credit card numbers—to businesses in a safe and secure manner. For instance, we may use special webviews or other message types specifically for gathering this type of info.

17. What is meant by: “Do not use any information about the user’s online or offline state for any reason except to directly provide the services to the user, and under no circumstances in a manner that may surprise or disturb a user (including, but not limited to, sending a promotion or advertisement based on them coming back online)”

Some features are provided to allow businesses to choose the correct channel to message a business - not to build a profile of offline vs. online status for a user, nor to provide a trigger to deliver a message based on a change of online status for a particular user. The Agreement specifically prohibits a business from using information about the user’s state for any of these purposes.

18. Explain “Company will provide a clear and conspicuous privacy notice to such individuals that accurately describes how Company collects, uses, and protects that information.”

We expect all businesses using Business Messages to supply a privacy policy and offer guarantees that they will not use/share user data without specific user permission.