TalkingData SDK Compliance and Security Guide

Updated on: November 30, 2023

Introduction

In January 2019, in order to curb compulsory authorization, excessive permission requests and out-of-scope collection of personal information by apps, and to secure personal information, the Office of the Central Cyberspace Affairs Commission (Cyberspace Administration of China), the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation jointly issued the Announcement on the Special Governance of Illegal Collection and Use of Personal Information by Apps. At the same time, entrusted by the four departments, the National Information Security Standardization Technical Committee, the China Consumers Association, the Internet Society of China and the Cyber Security Association of China set up the App Special Governance Working Group for the illegal collection and use of personal information, which carries out the evaluation of how apps collect and use personal information. In March 2019 the Working Group released the Self-Assessment Guide for Illegal Collection and Use of Personal Information by Apps, for app operators to self-inspect and self-correct their collection and use of personal information.
In November 2019 the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation jointly issued the Identification Method for Illegal Collection and Use of Personal Information by Apps, which defines identification criteria for six categories of illegal collection and use. It gives supervisory departments a reference for identifying such behaviour and gives app developers and operators guidance for self-inspection and self-correction. In December 2019, at the Seminar on App Personal Information Protection hosted by the Working Group, the competent departments stated that they would further strengthen this work and the protection of personal information. In October 2020 GB/T 35273-2020 Information Security Technology Personal Information Security Specification came into force, detailing the compliance requirements for collection, storage, use, sharing, public disclosure and the other processing stages of personal information. In March 2021 the same four departments jointly issued the Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications, which define the basic functions of common app types and the scope of personal information necessary for them. In September 2021 the Data Security Law came into force, establishing data security protection obligations at the level of statute.
In November 2021 the Personal Information Protection Law came into force, setting out compliance requirements for the whole life cycle of personal information; GB/T 39335-2020 Information Security Technology Guidelines for Personal Information Security Impact Assessment details how to carry out the impact assessment that the law requires. Also in November 2021 the Ministry of Industry and Information Technology issued the Notice on Carrying out the Action to Improve the Perception of Information and Communication Services, which requires a personal information protection "double list": the list of collected personal information must concisely and clearly set out the basic facts of the personal information collected by the App (including embedded SDKs), such as the type of information, the purpose of use and the usage scenarios. In February 2023 the Ministry issued the Notice on Further Improving the Service Capability of Mobile Internet Applications, requiring app developers and operators that use SDKs to display centrally, and keep up to date, the names and functions of embedded SDKs and their rules for processing personal information. In May 2023 GB/T 42574-2023 Information Security Technology Guidelines for the Implementation of Notification and Consent in Personal Information Processing was released, detailing the requirements for notification and consent; its Appendix B sets out how to implement notification and consent effectively when an App embeds third-party SDKs.
In short, the collection and use of personal information by Apps (including third-party code and plug-ins embedded in them) and the protection of the rights and interests of personal information subjects are key governance issues for the competent authorities; supervision is intensifying and regulatory standards are becoming stricter. To help app developers and operators (hereinafter "you") who use the TalkingData SDK implement the protection of end users' personal information, avoid violating relevant laws, regulations, policies and standards through business that involves third-party SDKs, and understand the compliance of TalkingData's data business and the security protection measures it has adopted, in particular for personal information and privacy, TalkingData has prepared this TalkingData SDK Compliance and Security Guide for your reference. Please ensure that the TalkingData SDK services are used lawfully and in compliance with relevant laws, regulations, national standards and the requirements of the competent authorities. The steps are:
1. Upgrade the TalkingData SDK to the latest version. Download link: https://doc.talkingdata.com/posts/catalogue/1075
2. Complete the SDK usage configuration according to the SDK Integration Document.
This guide consists of four parts:
1. Description of the TalkingData SDK configuration capabilities
2. Compliance requirements for personal information protection by app developers and operators
3. Compliance considerations when using the TalkingData SDK services
4. TalkingData's data security protection capabilities
If you have any questions, please contact TalkingData.

1、 TalkingDataSDK configuration capability description

1. Configuration of extended SDK business functions
The basic business functions of the TalkingData SDK are application statistical analysis and mobile advertising monitoring; by integrating the SDK you can analyze your application data. No other extended business functions are currently provided. If extended business functions are added later, this guide will be updated to describe them in detail, together with the configuration options and examples for disabling them.

2. Configuration of optional personal information
The TalkingData SDK distinguishes basic personal information from optional personal information. Select the optional types according to your actual business needs and configure them as described in the configuration document: https://doc.talkingdata.com/posts/1025
In the application statistical analysis and mobile advertising monitoring scenarios you can choose to additionally collect MEID, IMEI or MAC address to identify users and cheating traffic more accurately; the installed application list to identify, analyze and eliminate cheating traffic; and location information to generate more accurate location distribution reports and identify cheating traffic.

3. Collection frequency and accuracy
Frequency: the TalkingData SDK collects personal information only when the App calls the relevant function or the end user triggers it; there is no timer-driven collection and therefore no frequency-control option.
Location accuracy: the SDK lets you choose whether to request the precise (ACCESS_FINE_LOCATION) or the coarse (ACCESS_COARSE_LOCATION) location permission. Both permissions are optional; if you need them, configure them as described in the configuration document: https://doc.talkingdata.com/posts/1025

4. System permissions requested by the SDK
Depending on the operating system, collecting personal information through the TalkingData SDK may require the App to hold the corresponding system permissions. Request only the permissions your business actually needs. Configuration documents: Android: https://doc.talkingdata.com/posts/1025
iOS: https://doc.talkingdata.com/posts/1024
Android system permissions (products involved: application statistical analysis, mobile advertising monitoring):

INTERNET
  Function: make a network connection.
  Purpose: allows the App to connect to the network and send statistics.
  When used: when data analysis is needed, for example when data is reported.

ACCESS_NETWORK_STATE
  Function: get the current network status.
  Purpose: allows the App to detect the network connection status and suspend data transmission when the network is abnormal.
  When used: when data analysis is needed, for example when data is reported according to the network state.

READ_PHONE_STATE
  Function: get device information.
  Purpose: generate the desensitized unique identifier of the end user.
  When used: when data analysis is needed, for example for advertising attribution.

ACCESS_WIFI_STATE
  Function: get Wi-Fi information.
  Purpose: generate the desensitized unique identifier of the end user and identify cheating traffic.
  When used: when data analysis is needed, for example for advertising attribution.

WRITE_EXTERNAL_STORAGE
  Function: allow the App to write to external storage.
  Purpose: store device information and record logs.
  When used: when data analysis is needed, for example when a unique identifier for the device must be generated.

ACCESS_FINE_LOCATION (optional)
  Function: obtain relatively precise location information.
  Purpose: correct the geographical distribution data of end users, make report data more accurate, and identify cheating traffic.
  When used: when data analysis is needed, for example when analyzing the geographical distribution of users.

ACCESS_COARSE_LOCATION (optional)
  Function: obtain coarse location information.
  Purpose: identify cheating traffic.
  When used: when data analysis is needed, for example when analyzing the geographical distribution of users.

GET_TASKS (optional)
  Function: get the application usage status.
  Purpose: more accurate statistics of end-user activity.
  When used: when data analysis is needed, for example when analyzing whether a user is active.

iOS system permissions (products involved: application statistical analysis, mobile advertising monitoring):

Network
  Function: make a network connection.
  Purpose: allows the App to connect to the network and send data.
  When used: when data analysis is needed, for example when data is reported.

IDFA
  Function: get the IDFA.
  Purpose: generate the desensitized unique identifier of the end user.
  When used: when data analysis is needed, for example for advertising attribution.

Location information (optional)
  Function: get location information.
  Purpose: correct the geographical distribution data of end users, make report data more accurate, and identify cheating traffic.
  When used: when data analysis is needed, for example when analyzing the geographical distribution of users.

Wi-Fi information (optional)
  Function: get Wi-Fi information.
  Purpose: identify cheating traffic.
  When used: when data analysis is needed, for example for advertising attribution.

5. SDK initialization and timing of business function calls
During initialization the TalkingData SDK only prepares for the application runtime and collects no data. Only after the end user has agreed to the Privacy Policy should you start the analysis capability, in a reasonable business scenario, and use the SDK's functions in a compliant and necessary way: request the SDK's services when your App is providing services to users. For the initialization and start-up configuration of the latest version, see: Android: https://doc.talkingdata.com/posts/1025
iOS: https://doc.talkingdata.com/posts/1024
6. Example wording for disclosing the SDK's personal information processing rules in the App Privacy Policy
You should tell end users, one by one, the purpose, method and scope of personal information collected and used by each third-party SDK you integrate. Your Privacy Policy should state clearly that you have carefully selected TalkingData as a partner and that the TalkingData SDK is used to realize certain functions needed for operating the App; TalkingData and you jointly determine how the end user's personal information is collected, used and processed. TalkingData recommends the following wording in the data sharing and disclosure section of the Privacy Policy (adjust it to the actual cooperation):
"In the scenarios of application statistical analysis and mobile advertising monitoring, our products integrate the [TalkingData] SDK of Beijing Tengyun Tianxia Technology Co., Ltd., and we need to share your relevant personal information with this SDK. The data types and purposes are as follows:
1) Basic personal information: unique device identifiers (OAID and Android ID), IP address, IDFV and IDFA, used to generate a desensitized unique end-user identifier for basic analysis;
2) Optional personal information: MEID, IMEI and MAC address, to identify users and cheating traffic more accurately; the installed application list, to identify, analyze and eliminate cheating traffic; location information, to generate more accurate location distribution reports and identify cheating traffic;
3) Other basic data about the application, device and network: SDK or API version, platform, timestamp, creation time of system files, application identifier, application version, application distribution channel, application process information, IDFA authorization status, NFC permission status (yes/no), whether the device supports NFC (yes/no), whether the device supports Bluetooth (yes/no), device model, manufacturer, operating system version, session start/stop time, language and locale, mobile network/country code, time zone, disk, CPU and battery usage, and network information (Wi-Fi or cellular connection status, BSSID or SSID of the connected Wi-Fi network, and the SystemID of the connected base station). In the application statistical analysis service these are used for coarse multidimensional analysis and for reports by region and application version; in the mobile advertising monitoring service they are used for coarse multidimensional analysis, evaluation of advertising effect, and the identification, analysis and elimination of cheating traffic.
For the security of your information we have signed a strict data security confidentiality agreement with [TalkingData], which must comply with our data privacy and security requirements. To learn more about the types and purposes of the data collected by [TalkingData] and how it protects personal information, see the TalkingData Group Privacy Policy and the TalkingData SDK Privacy Policy: https://www.talkingdata.com/sdkprivacy.jsp?languagetype=zh_cn https://talkingdata.com/privacy.jsp?languagetype=zh_cn We also understand and respect your right to choose: if you do not wish to take part in [TalkingData]'s big data computation, you can opt out here: http://www.talkingdata.com/optout.jsp?languagetype=zh_cn You understand and agree that TalkingData may de-identify and aggregate the collected data and build a database from it to provide data services. If the purpose, method or scope of personal information collected and used by the [TalkingData] SDK changes, we will notify you in an appropriate way and remind you to read the changes."

7. Suggested way for the App to obtain end-user authorization and consent
When the App runs for the first time, a pop-up window should present a summary of the Privacy Policy with a link to the full text, clearly prompting the end user to read it and to choose whether to agree. The pop-up must offer both an "Agree" and a "Refuse" option; consent must never be assumed by default, so that the end user's choice is genuinely independent. Examples of disclosure are as follows:

8. Configuration for end users to exercise their rights
End users may ask either of us to exercise their rights as personal information subjects. As soon as you receive any request from an end user concerning the TalkingData SDK's processing of personal information, inform us within 24 hours so that it can be resolved jointly.
To let end users exercise their right of refusal directly with us, inform them that they can opt out through the TalkingData device-level opt-out channel. Once an end user has opted out, TalkingData will not process that user's personal information in any form, nor repeatedly ask for the user's consent. TalkingData opt-out link: http://www.talkingdata.com/optout.jsp?languagetype=zh_cn TalkingData strongly recommends embedding this opt-out link in the Privacy Policy so that end users can exercise their right to opt out more easily.
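The consent flow described in items 5 and 7 above, as an added example that is not part of this guide and not code from the TalkingData SDK: an Android consent gate written in Java against the android.app and android.content APIs. The string resource R.string.privacy_policy_summary, the policy version number and the AnalyticsBootstrap class are assumptions made for illustration; the SDK initialization and start-analysis calls themselves must be taken from the SDK Integration Document linked above, because this example does not reproduce the SDK's API.

```java
// File: PrivacyConsent.java  (added example; not TalkingData code)
import android.app.Activity;
import android.app.AlertDialog;
import android.content.Context;
import android.content.SharedPreferences;

public final class PrivacyConsent {
    private static final String PREFS = "privacy_consent";
    private static final String KEY_VERSION = "accepted_policy_version";
    // Bump this whenever the Privacy Policy text changes (for example when the
    // TalkingData SDK disclosure clause or the optional data types change), so
    // users are re-prompted instead of relying on a stale consent. Assumed value.
    static final int CURRENT_POLICY_VERSION = 2;

    private PrivacyConsent() {}

    /** True only if the user accepted the version of the policy now in force. */
    public static boolean hasConsent(Context ctx) {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        return p.getInt(KEY_VERSION, 0) == CURRENT_POLICY_VERSION;
    }

    private static void recordConsent(Context ctx) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
           .edit().putInt(KEY_VERSION, CURRENT_POLICY_VERSION).apply();
    }

    /**
     * First-run dialog. "Agree" and "Refuse" are both offered, nothing is
     * pre-selected, and the dialog cannot be dismissed by tapping outside it
     * or pressing Back, so silence is never read as consent.
     */
    public static void requireConsent(Activity activity, Runnable onAgree, Runnable onRefuse) {
        if (hasConsent(activity)) {
            onAgree.run();
            return;
        }
        new AlertDialog.Builder(activity)
            .setTitle("Privacy Policy")
            // Summary text plus a link to the full policy; assumed resource name.
            .setMessage(activity.getString(R.string.privacy_policy_summary))
            .setCancelable(false)
            .setPositiveButton("Agree", (dialog, which) -> {
                recordConsent(activity);
                onAgree.run();
            })
            .setNegativeButton("Refuse", (dialog, which) -> onRefuse.run())
            .show();
    }
}

// File: MainActivity.java  (first Activity; the Application class makes no SDK call)
public class MainActivity extends android.app.Activity {
    @Override
    protected void onCreate(android.os.Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        PrivacyConsent.requireConsent(this,
            () -> AnalyticsBootstrap.start(getApplicationContext()),
            () -> { /* App keeps working with analytics off; no SDK call is made. */ });
    }
}

// File: AnalyticsBootstrap.java  (assumed helper; idempotent so that a
// configuration change or re-entry cannot start the SDK twice)
final class AnalyticsBootstrap {
    private static boolean started;

    static synchronized void start(android.content.Context appCtx) {
        if (started) return;
        started = true;
        // Place the SDK initialization and start-analysis calls from the SDK
        // Integration Document (https://doc.talkingdata.com/posts/1025) here,
        // and enable optional items (IMEI/MEID/MAC, application list, location)
        // only where your Privacy Policy discloses them.
    }
}
```

Two points of the design matter for a compliance review: consent is stored with the policy version it was given for, so a change to the SDK disclosure clause re-prompts the user instead of silently inheriting an older consent, and the Application class contains no SDK call at all, so nothing runs before the dialog has been answered. The "Refuse" branch must leave the App usable; only the analytics start is withheld.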

2、 Compliance requirements for personal information protection of app developers and operators

This section interprets the compliance requirements for personal information protection that apply to app developers and operators, focusing on the lawful basis for collecting and using personal information and the key requirements for protecting the rights and interests of personal information subjects while you use the TalkingData SDK.

1. Before the launch of the App, it is necessary to develop supporting compliance documents for end users

You need to prepare at least an independent Privacy Policy (also called a Personal Information Protection Policy). The Privacy Policy is the key document that describes the App's collection and use of personal information, obtains the user's lawful authorization and protects the rights of the personal information subject. Its content must comply with relevant national laws, regulations, policies and standards and with your agreement with TalkingData. In particular:
1) Comply with GB/T 35273-2020 Information Security Technology Personal Information Security Specification. Its four appendices are also valuable references for understanding personal information protection requirements and drafting the Privacy Policy: Appendix A, examples of personal information; Appendix B, determination of sensitive personal information; Appendix C, methods for realizing the autonomy of personal information subjects; Appendix D, personal information protection policy template.
2) Your Privacy Policy must state to the end user the purpose, method and scope of the personal information collected and used by the TalkingData SDK deployed in your App, and the protection standard it provides must not be lower than TalkingData's own privacy protection.

2. Display scheme of App Privacy Policy

You should display the App Privacy Policy as required by relevant national laws, regulations, policies and standards, including but not limited to the following.
Independence and prominence: the Privacy Policy must be a separate document, not a part of the End User Agreement or any other document. When the App runs for the first time, prompt the end user to read the collection and use rules of the Privacy Policy through a pop-up window or another prominent means; only after that may the SDK start analysis and begin collecting and processing information.
Readability and accessibility: write the Privacy Policy in clear, understandable language that follows ordinary logic and habits, and provide a Simplified Chinese version. From the main function interface of the App the end user must be able to reach the Privacy Policy within four taps or swipes.
Purpose, method and scope: state clearly what personal information is collected and used, how, and for what purpose. Improving service quality, improving user experience, targeted push of information or developing new products are not, by themselves, reasons for forcing users to consent to the collection of their personal information. The end user must choose whether to agree to the Privacy Policy; authorization must not be obtained through pre-checked consent boxes or by deception.

3. Important notes

The interpretation of compliance requirements in this section does not constitute comprehensive or complete legal advice from TalkingData on your personal information protection obligations. We strongly recommend that you fully understand the existing and forthcoming laws, regulations, policies, standards and law-enforcement inspection requirements on personal information protection.
Reference materials include but are not limited to:
Personal Information Protection Law of the People's Republic of China: http://www.legaldaily.com.cn/government/content/2021-08/23/content_8586559.htm
Data Security Law of the People's Republic of China: http://www.xinhuanet.com/politics/2021-06/10/c_1127552048.htm
Cybersecurity Law of the People's Republic of China: http://www.gov.cn/xinwen/2016-11/07/content_5129723.htm
Civil Code of the People's Republic of China: http://legal.people.com.cn/n1/2020/0602/c42510-31731656.html
Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications: http://www.gov.cn/zhengce/zhengceku/2021-03/23/content_5595088.htm
Self-Assessment Guide for Illegal Collection and Use of Personal Information by Apps: https://www.mpaypass.com.cn/download/202007/25221310.html
Identification Method for Illegal Collection and Use of Personal Information by Apps: http://www.cac.gov.cn/2019-12/27/c_1578986455686625.htm
Notice of the Ministry of Industry and Information Technology on Carrying out the Action to Improve the Perception of Information and Communication Services: https://www.gov.cn/zhengce/zhengceku/2021-11/06/content_5649420.htm
Notice of the Ministry of Industry and Information Technology on Further Improving the Service Capability of Mobile Internet Applications: https://www.gov.cn/zhengce/zhengceku/2023-03/02/content_5744106.htm
GB/T 35273-2020 Information Security Technology Personal Information Security Specification: https://ansafe.xust.edu.cn/DownLoad/2020SafeInstruction.pdf
GB/T 39335-2020 Information Security Technology Guidelines for Personal Information Security Impact Assessment: https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=9EA84C0C3C2DBD3997B23F8E6C8ECA35
GB/T 41391-2022 Information Security Technology Basic Requirements for Personal Information Collection by Mobile Internet Applications (Apps): https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=977D9EBB32ABF0A7DD6A1215969FE57A
GB/T 42574-2023 Information Security Technology Guidelines for the Implementation of Notification and Consent in Personal Information Processing: https://std.samr.gov.cn/gb/search/gbDetailed?id=FC816D04FFD262EBE05397BE0A0AD5FA

3、 Compliance precautions when you use TalkingDataSDK service

1. Compliance self check before you use TalkingDataSDK service

Before downloading the TalkingData SDK, read the SDK Download Compliance Statement carefully and, according to its provisions, conduct a compliance self-examination of your Privacy Policy and of your App's collection and use of personal information. Ensure that when the App runs for the first time the end user is prompted in a prominent way to read your Privacy Policy and that the end user's lawful authorization is obtained; only then may the SDK start analysis and begin collecting and processing information. Under the TalkingData Group Privacy Policy that you have read and agreed to, pay particular attention to obtaining the end user's prior authorization and consent whenever you process personal information of your App's end users through TalkingData. TalkingData provides the service on the premise that you have undertaken the following:
"(1) You have obtained sufficient and necessary authorization, consent and permission from the end user for the purposes required for us to perform the service (if your App is designed and developed for children under 14 years of age, you must have taken the necessary technical measures to ensure that the authorization, consent and permission of their guardians has been obtained);
(2) You have obtained sufficient and necessary authorization, consent and permission from the end user for us to process the collected data in anonymized and aggregated form (if your App is designed and developed for children under 14 years of age, you must have taken the necessary technical measures to ensure that the authorization, consent and permission of their guardians has been obtained);
(3) You have complied with and will continue to comply with applicable laws, regulations and regulatory requirements, including but not limited to formulating and publishing policies on personal information protection and privacy protection;
(4) You have disclosed and explained to end users that we may de-identify and aggregate the collected data and build a TalkingData database to provide data services, and at the same time you provide end users with an easy-to-operate choice mechanism that explains how and when they can exercise their options and how and when an option can be modified or withdrawn after it has been exercised, so that end users can choose whether to agree to the collection and use of their personal information for commercial purposes."

2. TalkingData's compliance review

As the service provider, TalkingData has defined each party's security responsibilities and obligations in the Service Agreement, the TalkingData Group Privacy Policy, the TalkingData SDK Privacy Policy and the Data Security and Personal Information Protection Commitment concluded with you. TalkingData has clearly stated the scope and purpose of collecting end-user information in the TalkingData Group Privacy Policy and the TalkingData SDK Privacy Policy, and requires you to explain the source of the data to TalkingData, to ensure that the source is lawful, to clearly inform end users of the content, purpose and necessity of the data collected, and to obtain the appropriate authorization from them. To ensure that you effectively obtain end-user authorization and that TalkingData's access to end users' personal information is lawful and compliant, TalkingData carries out a risk assessment as part of its data compliance due diligence on you: it reviews documents such as proof of the lawful source of the personal information you share, and the User Agreement/Terms of Service and Privacy Policy published on your official website, checking the consent, authorization and notification mechanism. Where non-compliance is found, TalkingData will ask you to add to or revise the content and/or notification mechanism of the User Agreement/Terms of Service and Privacy Policy.

4、 Data security protection capability of TalkingData

TalkingData not only builds up its technical practice and improves its products and services, but also actively protects personal information and public data, and strictly abides by national laws, regulations, policies and standards.

1. Data security measures for TalkingData

TalkingData attaches great importance to the protection of personal information and has taken different measures at each stage of the data life cycle to ensure the security of personal information.

1) Data collection security. TalkingData clarifies the purpose of data collection during the collection process, meets data protection principles such as the authenticity, validity and minimum sufficiency of data sources, and defines the collection process and standardizes the data format through an internal data classification and grading system and a data quality management standard system, so as to ensure that data collection is compliant, justified and consistent.

2) Data transmission security. TalkingData sets different confidentiality levels for different data before transmission and adopts encryption methods accordingly, such as MD5 and key-based encryption. During transmission, the HTTPS protocol is used to secure the transmission channel. The transmission message is encrypted with the RC4 encryption algorithm, which meets the national requirements, and the encryption key is shared dynamically to prevent the key from being lost or cracked. According to the organization's internal and external transmission requirements, TalkingData adopts appropriate encryption measures to protect transmission channels, nodes and data and to prevent data leakage in transit.

3) Data storage security. TalkingData adopts different storage mechanisms according to the data's encryption level: plaintext storage for data of low importance, encrypted storage for data of high importance, and regular integrity checks on key data so that it is not damaged or lost during storage. TalkingData also uses a partitioned storage strategy according to the value or sensitivity of the data; for example, original data and desensitized data are stored in different clusters, and high-value data is stored in a separate cluster. In addition, the company strictly controls data access rights, granting them on application as needed, and keeps data access audit logs so that operations can be traced and data leakage by personnel prevented.

4) Data processing security. After personal data enters the TalkingData statistical platform, TalkingData desensitizes it in strict accordance with laws, regulations and business needs. The anonymous TDID is used as the entity's primary key for association with business data, and specific IDs that could directly identify an entity are removed, balancing data availability and security. In addition, the company strictly controls processing authority during data analysis and processing: personnel must pass Kerberos authentication before they can perform data operations. TalkingData also adopts a multi-tenant management system, allocates different functional accounts to different business applications, and builds a security protection mechanism for data processing through fine-grained authorization of access to prevent unauthorized access.

5) Data cooperation security. Before any data exchange, TalkingData conducts a multi-dimensional security assessment of a partner's qualifications, usage behaviour and other items to decide whether to cooperate. When carrying out data business with partners, TalkingData adopts models such as the TalkingData security island to control data security risk, and records and retains logs to reduce the security risk of data cooperation.

6) Data destruction security. TalkingData formulates different storage-cycle and data-aging policies for different types of business data, and regularly migrates and cleans data that no longer conforms to the storage policy, so that data is effectively destroyed and cannot be recovered from storage media. TalkingData also regularly arranges for personnel to physically destroy storage media, and prevents data leakage through effective data destruction procedures and technical means.
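Item 2) above describes per-message encryption with a dynamically shared key running underneath HTTPS. The Go program below is an added illustration of that pattern and is not TalkingData's code: each side generates an ephemeral P-256 ECDH key pair, derives a session key that is never transmitted, and protects each report with AES-256-GCM. AES-GCM is used here in place of the RC4 the page names, and the swap is deliberate: RC4 is prohibited for TLS by RFC 7465 and, as a bare stream cipher, gives no integrity protection, whereas an AEAD rejects any altered message. The app-id header, the salt transport, the key derivation and the in-process handshake are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SessionCipher derives the ECDH shared secret, extracts a 32-byte AES-256
// key with HMAC-SHA256 under a random per-session salt, and wraps it in GCM.
// The salt is assumed to travel with the handshake; the secret never does.
func SessionCipher(priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey, salt []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	kdf := hmac.New(sha256.New, salt)
	kdf.Write(shared)
	block, err := aes.NewCipher(kdf.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates one report; the random nonce is prepended
// and aad (here an app-id header) is authenticated but sent in the clear.
func Seal(gcm cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the GCM tag first, so a modified message fails closed.
func Open(gcm cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("sealed message shorter than nonce")
}

// Session holds both ends of one SDK-to-server exchange.
type Session struct {
	sdk, server cipher.AEAD
	header      []byte // constructed associated data (app id, SDK version)
}

// NewSession runs both sides of the handshake in-process: each party derives
// the key from its own private key and the peer's public key.
func NewSession() (*Session, error) {
	sdkPriv, err1 := ecdh.P256().GenerateKey(rand.Reader)
	serverPriv, err2 := ecdh.P256().GenerateKey(rand.Reader)
	salt := make([]byte, 16)
	_, err3 := io.ReadFull(rand.Reader, salt)
	if err := errors.Join(err1, err2, err3); err != nil {
		return nil, err
	}
	sdk, err1 := SessionCipher(sdkPriv, serverPriv.PublicKey(), salt)
	server, err2 := SessionCipher(serverPriv, sdkPriv.PublicKey(), salt)
	return &Session{sdk, server, []byte("app-id=demo-app;sdk=1.0")}, errors.Join(err1, err2)
}

// RoundTrip seals msg as the SDK and opens it as the server.
func (s *Session) RoundTrip(msg string) (string, error) {
	sealed, err := Seal(s.sdk, []byte(msg), s.header)
	if err != nil {
		return "", err
	}
	plain, err := Open(s.server, sealed, s.header)
	return string(plain), err
}

// TamperDetected flips one ciphertext byte in transit; the AEAD tag must
// make the server reject the message.
func (s *Session) TamperDetected(msg string) bool {
	sealed, err := Seal(s.sdk, []byte(msg), s.header)
	if err != nil {
		return false
	}
	sealed[len(sealed)-1] ^= 0x01
	_, err = Open(s.server, sealed, s.header)
	return err != nil
}

func main() {
	s, err := NewSession()
	if err != nil {
		panic(err)
	}
	fmt.Println(s.RoundTrip("event=launch;ts=1700000000"))
}
```

In a real deployment the server's public key must be authenticated, for instance by delivering it over the HTTPS channel the page already requires; an unauthenticated key agreement offers no protection against an active man-in-the-middle, and the ephemeral keys only add value on top of that authenticated channel.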
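Items 3) and 4) describe desensitization with an anonymous TDID as the join key, separate clusters for raw and desensitized data, multi-tenant isolation, and access audit logs. The Go program below is an added example of how those controls fit together; it is not TalkingData's implementation, and the page does not say how TDID is generated. The HMAC-based derivation, the per-tenant key split, the allow-list ACL, the principal names and the sample record are all assumptions constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// RawEvent is what the SDK delivers; the field set is constructed here.
type RawEvent struct {
	Tenant   string // business application the record belongs to
	DeviceID string // direct identifier, must not reach the analytics cluster
	Phone    string // direct identifier, must not reach the analytics cluster
	Event    string
}

// DesensitizedEvent is the analytics form; its only entity key is the TDID.
type DesensitizedEvent struct{ TDID, Event string }

// Pseudonymizer derives one HMAC key per tenant from a master key, so the
// same device gets unrelated TDIDs in different tenants and records cannot
// be joined across business applications.
type Pseudonymizer struct{ master []byte }

// TDID is a keyed, deterministic pseudonym: equal inputs give equal TDIDs
// inside one tenant, which keeps the data joinable for statistics.
func (p Pseudonymizer) TDID(tenant, deviceID string) string {
	tk := hmac.New(sha256.New, p.master)
	tk.Write([]byte("tenant-key:" + tenant))
	m := hmac.New(sha256.New, tk.Sum(nil))
	m.Write([]byte(deviceID))
	return hex.EncodeToString(m.Sum(nil))
}

// Desensitize drops every direct identifier and keeps only the TDID.
func (p Pseudonymizer) Desensitize(ev RawEvent) DesensitizedEvent {
	return DesensitizedEvent{TDID: p.TDID(ev.Tenant, ev.DeviceID), Event: ev.Event}
}

// AuditRecord is one line of the data access audit log.
type AuditRecord struct {
	When               time.Time
	Principal, Cluster string
	Allowed            bool
}

// Store keeps raw and desensitized data in separate clusters, enforces a
// per-principal allow-list on reads and logs every attempt, denied or not.
type Store struct {
	raw          []RawEvent
	desensitized []DesensitizedEvent
	acl          map[string][]string // principal -> clusters it may read
	Audit        []AuditRecord
}

func NewStore(acl map[string][]string) *Store { return &Store{acl: acl} }

// Ingest writes the raw record to one cluster and only its desensitized form to the other.
func (s *Store) Ingest(p Pseudonymizer, ev RawEvent) {
	s.raw = append(s.raw, ev)
	s.desensitized = append(s.desensitized, p.Desensitize(ev))
}

// authorize checks the ACL and records the decision before any data moves.
func (s *Store) authorize(principal, cluster string) error {
	allowed := false
	for _, c := range s.acl[principal] {
		allowed = allowed || c == cluster
	}
	s.Audit = append(s.Audit, AuditRecord{time.Now(), principal, cluster, allowed})
	if !allowed {
		return errors.New("access denied: " + principal + " -> " + cluster)
	}
	return nil
}

func (s *Store) ReadDesensitized(principal string) ([]DesensitizedEvent, error) {
	if err := s.authorize(principal, "desensitized"); err != nil {
		return nil, err
	}
	return s.desensitized, nil
}

func (s *Store) ReadRaw(principal string) ([]RawEvent, error) {
	if err := s.authorize(principal, "raw"); err != nil {
		return nil, err
	}
	return s.raw, nil
}

func main() {
	s := NewStore(map[string][]string{"analyst": {"desensitized"}})
	s.Ingest(Pseudonymizer{master: []byte("constructed-master-key")}, RawEvent{"app-a", "device-123", "+86-13800000000", "launch"})
	fmt.Println(s.ReadDesensitized("analyst"))
}
```

The properties worth checking in such a pipeline: a TDID is stable within a tenant (so statistics still work), unrelated across tenants (so business applications cannot join each other's records), and the analytics cluster never contains a phone number or device ID. Denied reads are logged next to allowed ones; an audit log that records only successes cannot show attempted misuse.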

2. Data security protection mechanism of TalkingData

TalkingData has established an information security protection mechanism across several dimensions to ensure the data security of data subjects, and continually improves its internal management and compliance system as laws and regulations change.

1) Organization and management. TalkingData has established an information security working group responsible for organizing information security exchanges, coordinating the handling of information security issues and decisions on data life cycle security construction, and actively communicating and collaborating with other relevant organizations. Every staff member must sign a data security confidentiality agreement and receive information security training before employment. TalkingData also strictly controls access by third parties and outsourcing services through risk assessment, analysing the security impact and formulating corresponding measures.

2) Network and information asset management. TalkingData maintains an inventory of network and information assets and an asset accountability system. Assets are classified by sensitivity and importance, corresponding management measures are taken, and each asset is managed by a designated responsible person from the corresponding security management authority, who assumes the corresponding security responsibility.

3) Physical and environmental security. TalkingData's critical or sensitive network and information processing facilities are placed in security areas protected by a designated security boundary. Different security areas receive different levels of security protection and access control to prevent unauthorized access and interference.

4) Operation and maintenance security. TalkingData establishes management and operation systems and processes for network and information processing, and separates responsibilities as far as possible. It continually strengthens prevention awareness, takes effective measures to prevent and control malware, maintains a strict software management system, applies security patches in a timely manner, and regularly assesses system security vulnerabilities. It has also formulated a management system and disposal process for information storage media, especially removable storage media and system documents, with procedures and standards to protect information and media while in transit.

5) Access control. TalkingData formulates access control policies based on business and security requirements to implement the principle of least privilege, clarifies user responsibilities, strengthens user access management, sets appropriate interfaces at the company's network boundaries, adopts effective user and device verification mechanisms, controls user access, and isolates sensitive information. Access to and use of systems is monitored, and event logs are recorded and reviewed.

6) Development and maintenance. Development of TalkingData systems, including network infrastructure, strictly follows the system security life cycle management process. Security requirements are confirmed before new systems are developed. Appropriate controls, audit trails and activity logs are built into the design, including validation of input data, internal processing and output data. During development and maintenance, system development process management is strictly implemented, including change control across the development, test and production environments, to ensure the security of system software, hardware and data.

7) Security incident response and security audit. TalkingData has developed an emergency response mechanism for personal information security incidents and regularly organizes emergency response training and drills for employees. It ensures that the design, operation, use and management of network and information systems comply with the security requirements of national laws, policies and regulations, regularly checks the security of network and information systems, and inspects the implementation of security policies and technical specifications.

3. Data security protection capability certification of TalkingData

TalkingData has obtained a number of certifications that attest to its security compliance capability:

1) Classified protection of cybersecurity (MLPS), Level 3;
2) Privacy Information Management System certification, ISO/IEC 27701:2019;
3) Information Security Management System certification, ISO/IEC 27001:2013;
4) Quality Management System certification, ISO 9001:2015;
5) Information Technology Service Management System certification, ISO/IEC 20000-1:2018;
6) SDK security evaluation certificate from the China Information Security Evaluation Center, attesting security at the EAL1 level;
7) "Zhuoxin Big Data Plan" big data platform security certification;
8) Evaluation under the China Academy of Information and Communications SDK Security Special Action;
9) Theil test certificate for security capability evaluation of data circulation platforms;
10) Two-star rating in the Data Security and Personal Information Protection Social Responsibility Evaluation.

TalkingData has led and participated in a number of data compliance projects of the regulatory authorities and is a member of working groups on data security and personal information protection:

(1) Pilot unit for the application and promotion of Information Security Technology Personal Information Security Specification;
(2) Pilot unit for the application and promotion of Information Security Technology Data Security Capability Maturity Model;
(3) Pilot unit for the application and promotion of Information Security Technology Personal Information Security Impact Assessment Guide;
(4) Member of the TC260 Big Data Security Standards Task Force of the National Information Security Standardization Technical Committee;
(5) Member of the Privacy Computing Alliance Group of the China Academy of Information and Communications;
(6) Member of the "Zhuoxin Big Data Plan" of the China Academy of Information and Communications;
(7) Member of the Data Security Working Committee of the China Network Security Industry Alliance;
(8) First batch of members of the Personal Information Protection Compliance Audit Promotion Team;
(9) First batch of members of the "Data Security Community Program (DSC)" of the China Academy of Information and Communications;
(10) First batch of enterprises participating in the Green SDK industrial ecology co-construction action.

TalkingData has participated in the preparation of the following standards, specifications, white papers and reports on data security and personal information protection:

(1) Information Security Technology Personal Information Security Impact Assessment Guide;
(2) Information Security Technology Internet Platform and Product Service Privacy Agreement Requirements;
(3) Information Security Technology Security Requirements for Automated Decision Making Based on Personal Information;
(4) Information Security Technology Big Data Service Security Capability Requirements;
(5) Social Responsibility Evaluation Indicators for Enterprise Data Security and Personal Information Protection;
(6) Information Security Technology Mobile Internet Application (App) Software Development Kit (SDK) Security Requirements;
(7) Mobile Internet Application SDK Security Technical Requirements and Test Methods;
(8) Software Development Kit (SDK) Security and Compliance White Paper;
(9) Privacy Computing Technology Application Compliance Guide (2022);
(10) Implementation Reference of the Data Security Law (First Edition);
(11) Reference Case Set for Fulfillment of Data Security Protection Obligations;
(12) Implementation Guidelines for Follow-up Disposal Measures such as "Health Code" Data Deletion.

If you have any questions, please contact TalkingData.