The Compliance and Security Guideline of the TalkingData SDK

Last updated on: September 8, 2023

Introduction

In order to effectively regulate the rampant collection of personal information through coercive permission, excessive requests of permission or beyond the Approved scope by App, and to protect the security of personal information, the Secretary Bureau of the Cyberspace Administration of China, the General Office of the Ministry of Industry and Information Technology, the General Office of the Ministry of Public Security and the General Office of the State Administration for Market Regulation jointly issued the Announcement of Carrying out Special Campaigns against App Collecting and Using Personal Information in Violation of Laws and Regulations in January 2019. At the same time, the National Information Security Standardization Technical Committee, the China Consumers' Association, the Internet Society of China, and the Cybersecurity Association of China are authorized by the four departments to establish the Special Campaigns Working Group against App Collecting and Using Personal Information in Violation of Laws and Regulations, specifically promoting the evaluation of the collection and use of personal information in violation of laws andregulations by App.In March 2019, the Special Campaigns Working Group against App Collecting andUsing Personal Information in Violation of Laws and Regulations issued the "Self-assessment Guideline for the Collection and Use of Personal Information by App" to help App operators to conduct self-inspection and self-correction of their collection and use of personal information activities.In November 2019,the Secretary Bureau of the Cyberspace Administration of China, the General Office of the Ministry of Industry and Information Technology, the General Office of the Ministry of Public Security and the General Office of the State Administration for Market Regulation jointly released the Measures for the Determination of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations.These Measures clarify the Approaches to determine six main kinds of behavior of collecting and using of personal information by Apps inviolation of laws and regulations, provide reference for supervision and administration departments' determination of the collection and use of personal information by Apps in violation of laws and regulations,and the guidance for App operators' self-examination and self-correction.In December 2019, at the seminar on App personal information protection hosted by the Special Campaigns Working Group against App Collecting and Using Personal Information in Violation of Laws and Regulations, the relevant authorities expressed that they would put more efforts to their work, and strengthened the protection of personal information.In March 2020, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation jointly issued the "Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications", clarifying the basic functions and necessary scope of personal information for common types of Apps.In October 2020, the "GB/T 35273-2020 Information Security Technology - Personal Information Security Specification" was officially implemented, which detailed the compliance requirements for personal information collection, storage, use, sharing, and public disclosure.In September 2021, the "Data Security Law" was officially implemented, clarifying the obligation to protect data security at the legal level.In November 2021, the "Personal Information Protection Law" was officially implemented, which clearly stipulates the compliance requirements for the entire life cycle of personal information. "GB/T 39335-2020 Information security technology - Guidance for Personal Information Security Impact Assessment " specifies the implementation mechanism for the personal information security impact assessment proposed by the "Personal Information Protection Law"In November 2021, the Ministry of Industry and Information Technology issued the "Notice on Carrying out the Perception Enhancement Action of Information and Communication Services", requiring the establishment of "dual lists" for personal information protection. The list of collected personal information should concisely and clearly list the basic information of personal information collected by apps (including embedded SDKs), including the type of information, purpose of use, and use scenarios.In February 2023, the Ministry of Industry and Information Technology issued the "Notice on Further Enhancing the Capability of Mobile Internet Application Services", requiring App developers and operators to concentrate on displaying and timely updating the names, functions, and personal information processing rules of embedded SDKs.In May 2023, the "GB/T 42574-2023 Information Security Technology - Implementation Guidelines for Notices and Consent in Personal Information Processing" was officially released, detailing the implementation requirements for informing and obtaining consent. Appendix B specifically elaborates the effective methods for implementing informed consent in the scenario of Apps embedded with third-party SDKs.In conclusion, the collection and use of personal information by Apps (including third-party codes and plug-ins embedded in Apps) and the protection of the rights and interests of the personal information subject have become a major governance issue for relevant competent authorities, with increasingly intensified supervision and stricter supervision standards.To help App developers and operators (hereinafter referred to as "you") of the TalkingData SDK to implement the end-user personal information protection more effectively, avoid violating the provisions of the relevant laws and regulations, policies and standards due to the third-party SDK, and have a clearer understanding of the TalkingData data compliance and safety protection technology has been adopted,especially the Approaches and measures to protect the privacy of personal information, TalkingData introduced The Compliance and Security Guideline of the TalkingData SDK for your reference.Please ensure that you utilize the TalkingData SDK in a legal and compliant manner, adhering to relevant laws, regulations, national standards, and regulatory requirements. The specific procedure is as follows:1.Please upgrade the TalkingData SDK to the latest version, and you can find the download link here: https://doc.talkingdata.com/posts/catalogue/1075.2.Please complete the SDK integration according to the "SDK Integration Document".This guidelineconsists of four main sections:1. The Instructions for SDK Configuration2. Compliance Requirements for Personal Information Protection of App Developers and Operators3. Important Compliance Issues When Using the TalkingData SDK4. Data Security Protection Capability of TalkingDataIf you have any other questions,please contact the TalkingData.

1. The Instructions for SDK Configuration

1.1 Explanation of the TalkingData SDK Configuration of extended business functionsThe basic business functions of the TalkingData SDK primarily encompass app statistics analysis and mobile advertising monitoring services. By integrating the TalkingData SDK, you can conduct data analysis on end-users. Currently, it does not involve the provision of additional extended business functions. If there are plans to introduce additional extended business functions in the future, specific details about these extensions, along with instructions on how to configure and disable them, will be presented to you through the " The Compliance and Security Guideline of the TalkingData SDK".1.2 Explanation of Configuring Optional Personal Information in the SDKThe TalkingData SDK distinguishes between fundamental personal information and optional personal information. Depending on your specific business needs, you can choose the specific types of optional personal information to collect. Please refer to the configuration guidelines in the following document.Configuration document link: https://doc.talkingdata.com/posts/1025In the context of app statistics analysis and mobile advertising monitoring services, you have the option to collect additional information such as MEID, IMEI, or Mac address to more accurately identify end-users and detect fraudulent traffic. You may also choose to collect a list of installed apps to aid in identifying, analyzing, and filtering fraudulent traffic. Additionally, the collection of location information can be used to generate more precise location distribution reports and detect fraudulent traffic.1.3 Explanation of Collecting Personal Information by SDK Based on Different Frequencies and Levels of PrecisionIn regards to data collection frequency, the TalkingData SDK only collects relevant personal information when the app is invoked or when it is triggered by end-user interactions. There are no options for timing logic or other frequency controls. Regarding the precision of location information collection, the TalkingData SDK provides optional permissions, allowing you to independently choose whether to request relatively precise geographic location permissions or coarse location permissions. If you need to configure these permissions, please refer to the configuration guidelines in the following document.Configuration document link:https://doc.talkingdata.com/posts/10251.4 Explanation of System Permissions Requested by the SDKYou should be aware and understand that, due to varying system requirements, your use of the TalkingData SDK for personal information collection may also require obtaining relevant permissions. You can configure these permissions according to your specific business needs. For detailed configuration guidelines, please refer to the following document.Configuration document link:Android: https://doc.talkingdata.com/posts/1025iOS: https://doc.talkingdata.com/posts/1024Android:
Name of the PermissionSpecific Function of the PermissionPurpose of the PermissionTiming of Permission RequestsRelated Products
INTERNETInitiating Network Connection.To permit applications to establish online connectivity and transmit data.Data analysis is invoked as needed, for instance, when reporting data is required.App Analytics, Ad Tracking
ACCESS_NETWORK_STATEObtaining the present status of the network.To permit applications to check the connectivity status, and suspend data transmission in instances of network irregularities.Data analysis is invoked as needed, for instance, when data reporting is required in a connected state.
READ_PHONE_STATEObtaining device information.To generate de-identified unique identifiers for end-users.Data analysis is invoked as needed, for instance, during ad attribution processes.
ACCESS_WIFI_STATEObtaining WiFi information.To generate de-identified unique identifiers for end-users, and identify fraudulent traffic.Data analysis is invoked as needed, for instance, during ad attribution processes.
WRITE_EXTERNAL_STORAGEGranting permission for apps to inscribe data onto external storage.To store device information, and document logs.Data analysis is invoked as needed, for instance, during ad attribution processes.
ACCESS_FINE_LOCATION(optional)Obtaining relatively precise location information.To rectify end-user geographic distribution data, enhancing the precision of report data, and identify fraudulent traffic.Data analysis is invoked as needed, for instance, when analyzing the geographical distribution of end-users is required.
ACCESS_COARSE_LOCATION(optional)Obtaining coarse location information.To identify fraudulent traffic.Data analysis is invoked as needed, for instance, when analyzing the geographical distribution of end-users is required.
GET_TASKS(optional)Obtaining the status of the app utilization.To enhance the precision in evaluating end-user engagement levels.Data analysis is invoked as needed, for instance, when analyzing the active status of end-users is required.
iOS:
Name of the PermissionSpecific Function of the PermissionPurpose of the PermissionTiming of Permission RequestsRelated Products
INTERNETInitiating Network Connection.To permit applications to establish online connectivity and transmit data.Data analysis is invoked as needed, for instance, when reporting data is required.App Analytics, Ad Tracking
IDFAObtaining IDFA.To generate de-identified unique identifiers for end-users.Data analysis is invoked as needed, for instance, during ad attribution processes.
LOCATION(optional)Obtaining location information.To rectify end-user geographic distribution data, enhancing the precision of report data, and identify fraudulent traffic.Data analysis is invoked as needed, for instance, when analyzing the geographical distribution of end-users is required.
WIFI(optional)Obtaining WiFi data.To identify fraudulent traffic.Data analysis is invoked as needed, for instance, during ad attribution processes.
1.5 Initialization of the SDK and Timing for Business Function InvocationThe TalkingData SDK, during its initialization phase, solely undertakes preparations for the app runtime and does not collect any data. It is imperative that you ensure the initiation of analytical capabilities based on reasonable business scenarios only after the end-user has consented to the "Privacy Policy" in a compliant and necessary manner. When your app is offering services to end-users, you may then request the relevant services from the TalkingData SDK.For detailed instructions on the latest version's initialization configuration and initiating analytical capabilities, please refer to the following link:Android: https://doc.talkingdata.com/posts/1025iOS: https://doc.talkingdata.com/posts/10241.6 Examples of App Privacy Policy Disclosure of SDK Personal Information Processing RulesYou should explicitly inform end-users of the purposes, methods, and scope of personal information collection and usage by third-party SDKs you integrate with. In your "Privacy Policy," it is crucial to clearly state that you have carefully chosen TalkingData as a partner and that certain functionalities required for app operation are implemented through the TalkingData SDK. Both you and TalkingData jointly decide how to collect, use, and process end-user personal information.TalkingData recommends that the terms of data sharing and disclosure in the "Privacy Policy" section of your app can be expressed as follows (please adjust according to your actual cooperation situation):"In the context of application analytics and mobile advertising monitoring, our product integrates the 【TalkingData】SDK from Beijing Tengyun Tianxia Technology Co., Ltd. We may need to share specific personal information with this SDK, and the types of data and purposes involved are as follows:1) Fundamental Personal Information: Collecting unique device identifiers (OAID and Android ID), IP address, IDFV, and IDFA for generating de-identified unique identifiers of end-users and facilitating fundamental analysis.2) Optional Personal Information: Collecting MEID, IMEI, or Mac information to enhance the precision of end-user identification and identify fraudulent traffic; collecting the application list for identifying, analyzing, and filtering fraudulent traffic; collecting location information (latitude and longitude, SystemID, NetworkID, and BasestationID) to generate more precise location distribution reports and identify fraudulent traffic.3) Basic data concerning other aspects of applications, devices, and networks: Collecting SDK or API version, platform, timestamp, system file creation time, application identifier, application version, application distribution channel, application process information, application's IDFA authorization status, sensor information, application's NFC permission status (yes or no), device's NFC capability (yes or no), device's Bluetooth capability (yes or no), device model, terminal manufacturer, terminal device operating system version, session start/stop time, language locale, mobile network/country code, time zone, hard disk, CPU, and battery usage information, network information (connectivity status of WiFi network or mobile network, connected WiFi BSSID or SSID information) for conducting coarse-grained multidimensional analysis within application statistics analysis services and providing data reports categorized by region and application version number. Collecting the data mentioned above is also used for conducting coarse-grained multidimensional analysis within mobile advertisements monitoring services to assess the effectiveness of advertising placements, identify, analyze, and filter fraudulent traffic.In order to safeguard your information security, we have entered into a stringent data security and confidentiality agreement with TalkingData. They will rigorously adhere to our data privacy and security requirements. To gain a better understanding of the types of data collected by TalkingData, their purposes, and how they protect personal information, you can refer to TalkingData's "TalkingData Group Privacy Policy" and "TalkingData SDK Privacy Policy" through the following links:rvices to assess the effectiveness of advertising placements, identify, analyze, and filter fraudulent traffic.https://www.talkingdata.com/sdkprivacy.jsp?languagetype=zh_cnhttps://www.talkingdata.com/sdkprivacy.jsp?languagetype=zh_cnAdditionally, we understand and respect your right to choose. If you do not wish to participate in TalkingData's big data computing, you can exercise opt-out rights through the following method:http://www.talkingdata.com/optout.jsp?languagetype=zh_cnYou understand and agree that TalkingData has the right to de-identify and aggregate the collected data to create databases for providing data services. If the purposes, methods, or scope of personal information collection and usage by the TalkingData SDK change, we will appropriately notify and remind end-users to review the updated information."1.7 Recommendations and Examples for Acquiring Consent and Authorization from End- UsersWhen an app is first launched, it should display a pop-up window that presents a summarized content of the 'Privacy Policy' along with a link to the full 'Privacy Policy.' This pop-up should explicitly prompt end users to read and make a choice regarding their consent to the 'Privacy Policy.' The pop-up should also provide options for both consent and refusal, without any default agreement, to ensure the end users' autonomy in decision-making. 1.8 Instructions for End-Users to Exercise Their RightsEnd-users have the option to request the exercise of their rights related to personal data processing from either party involved. Upon receiving any requests from end-users regarding personal data processing activities associated with the TalkingData SDK, please promptly notify us within 24 hours, and let us work together to address these requests.To facilitate end-users in directly exercising their rights to opt-out, you should inform them that they can utilize the TalkingData opt-out mechanism to exercise their right to withdraw consent. Once an end-user exercises their opt-out right, their personal information will no longer be processed in any manner, and their consent will not be frequently asked for. The link for TalkingData opt-out is as follows:http://www.talkingdata.com/optout.jsp?languagetype=zh_cnTalkingData strongly recommends embedding this opt-out link within your "Privacy Policy" to enable end-users to conveniently exercise their opt-out rights.

2. Compliance Requirements for Personal Information Protection of App Developers and Operators

In this part, the interpretation of the compliance requirements for the protection of personal information of App developers and operators mainly aims at explaining the legal authorization for the collection and use of personal information and the important compliance requirements for the protection of personal fundamental rights and interests during the process of using the TalkingData SDK.

2.1 Complementary Compliance Documents for the End Before When the Release of an App

At the least, you need to draft a separate privacy (personal information protection policy).Privacy policy is an important document that describes the current situation of the collection and use of personal information by App, obtains the legal authorization of users and protects the rights of personal information subjects. Its contents should comply with relevant national laws,regulations, policies and standards as well as your agreement with TalkingData. In particular:a)In accordance with the GB/T 35273-2020 Information Security Technology - Personal Information SecuritySpecification,the four Appendices of this document are also of important reference value for your understanding of personalinformation security requirements and privacy policy drafting:Appendix A:Examples of personal informationAppendix B: Identification of sensitive personal informationAppendixC: Methods to safeguard independent choice of personal information subjectAppendix D: Personal information protection policy templateb) The purpose, method and scope of your deployment of the TalkingData SDK in the App to collect and use personal information shall be exposed to the end user clearly through your privacye policy, and the privacy protection standard provided shall not be lower than that of theTalkingData.

2.2 The AppPrivacy Policy Demonstration

You should comply with the requirements of relevant nation all aws, regulations, policies and standards to display the App privacy policy, including but not limited to:You should ensure that the privacy policy is independent and explicit. The privacy policy should be written separately and not as part of the end user agreement or otherdocuments. When the App runs for the first time,it will remind the end user to read the collection and use rules ofthe privacy policy through pop-ups and other obvious means, and then initialize the SDK forinformation collection and processing.You should ensure that the privacy policyis readable and accessible. The privacy policy shall be drafted in clear, understandable,logical and common language. The simplified Chinese version also should be provided.After entering the main functioninterface of the App, the end user can access the privacy policy by clicking or sliding within4 times.You should explain the purpose, method and scope of personal information collection and use tothe end user clearly. Merely improving the quality of service, promoting user experience, pushing targeted informationand developing new products cannot be the reason to force users to agree to collect their personal information.Theprivacy policy should be subject to the discretion of the end user to choose whether to agreeor not, and should not be imposed by default or induced by deception.

2.3 Important Explanations

In this section, TalkingData's interpretation of the compliance requirements does not constitute the comprehensive and complete legal advice to developers in terms of their personal information protection legal obligations. We strongly recommend that you be fully aware of the personal information protection laws, regulations, policies, standards and enforcement inspection requirements that are available and may be issued in the future. Relevant information for your reference includes but not limited to:Personal Information Protection Law of the People's Republic of Chinahttp://www.legaldaily.com.cn/government/content/2021-08/23/content_8586559.htmData Security Law of the People's Republic of Chinahttp://www.xinhuanet.com/politics/2021-06/10/c_1127552048.htmCybersecurity Law of the People's Republic of Chinahttp://www.gov.cn/xinwen/2016-11/07/content_5129723.htmCivil Code of the People's Republic of Chinahttp://legal.people.com.cn/n1/2020/0602/c42510-31731656.htmlThe Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Appshttp://www.gov.cn/zhengce/zhengceku/2021-03/23/content_5595088.htmGuidelines for App Self-assessment of Collecting and Using Personal Information in Violation of Laws and Regulationshttps://www.mpaypass.com.cn/download/202007/25221310.htmlThe Measures for the Determination of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulationshttp://www.cac.gov.cn/2019-12/27/c_1578986455686625.htmNotice of the Ministry of Industry and Information Technology on Launching the Action for Improvements to the Perception of Information and Communications Serviceshttps://www.gov.cn/zhengce/zhengceku/2021-11/06/content_5649420.htmNotice of the Ministry of Industry and Information Technology on Further Improving the Service Capability of Mobile Internet Appshttps://www.gov.cn/zhengce/zhengceku/2023-03/02/content_5744106.htmGB/T 35273-2020 Information Security Technology - Personal Information Security Specificationhttp://pip.tc260.org.cn/jbxt/privacy/detail/20200307123754442334GB/T 39335-2020 Information Security Technology - Guidance for Personal Information Security Impact Assessmenthttps://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=9EA84C0C3C2DBD3997B23F8E6C8ECA35GB/T 41391-2022 Information Security Technology - Basic Specification for Collecting Personal Information in Mobile Internet Applicationshttps://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=977D9EBB32ABF0A7DD6A1215969FE57AGB/T 42574-2023 Information Security Technology - Implementation Guidelines for Notices and Consent in Personal Information Processinghhttps://std.samr.gov.cn/gb/search/gbDetailed?id=FC816D04FFD262EBE05397BE0A0AD5FA

3. Important Compliance Issues When Using the TalkingData SDK

3.1 Self-examination is needed Require Before Using the TalkingData SDK

Prior to downloading the TalkingData SDK, you should carefully read the SDK download compliance statement, and use this statement to conduct self-examination compliance concerning your personal information protection policy and the circumstance of personal information collected and used by your products. You should ensure that when the App runs for the first time,the end user is reminded to read your personal information protection policy in an obvious means and obtain the legal authorization of the end user. After that, the SDK is initialized for information collection and processing.According to the TalkingData personal information protection policy that you have read and agreed to, you should pay particular attention to obtaining authorization and consent of the end user in advance if you need to process personal information from the App end-user through TalkingData. The service provided by TalkingData is based on your commitment to:"(1) You have obtained sufficient and necessary authorization, consent and permission from the end user to allow us to use the App for the purposes necessary for the performance of the service (if your App is designed and developed for children under the age of 14, you should have taken the necessary technical measures to guarantee that you have acquired the authorization, consent and permission of their guardian);(2) You have obtained sufficient and necessary authorization, consent and permission from the end user to allow us to use the collected data to conduct anonymous, polymerized processing (if your App is designed and developed for children under the age of14, you should have taken the necessary technical measures to ensure that you have acquired the authorization,consent and permission of their guardian).(3) You have complied with and will continue to abide by Applicable laws, regulations and regulatory requirements, including but not limited to the formulation and publication of policies related to the protection of personal information and privacy;(4) You have disclosed and explained to the end user that you allow us to de-identify and aggregate the collected data, and build TalkingData database to provide data services. However, you should also provide the end user with a choice mechanism that is easy to operate, and explain how and when the end user can exercise their option, and specify how and when to modify or withdraw their choice, making the end-user can choose to agree or disagree with collecting and using the de-identifying data of their personal information for commercial purposes."

3.2 The Compliance Examination Conducted by TalkingData

As a service provider, TalkingData has defined the security responsibilities and obligations of each party in the service agreement, personal information protection policy and data security and personal information protection commitment entered into with you. In TalkingData's personal information protection policy,it has specified the scope and purpose of collecting the end user's information. It is required that you should explain data sources to TalkingData and guarantee that these sources are legitimate. Moreover, you must inform the end user of the content, purpose, and necessity of the collected data, and obtain the end user's authorization accordingly.In order to ensure that you achieve the effective end user authorization, and the TalkingData obtains the end user's personal information is legitimate, prior to both parties enter into a cooperation agreement, TalkingData will carry out a data compliance due diligence for risk assessment, and examine relevant documents, such as evidence or documents provided by you concerning legitimate sources of personal information you intend to share, and the customer agreement/terms of service as well as personal information protection policy released on the official website to inspect the consent authorization and notification mechanism. In case of non-compliance, TalkingData will require you to add or amend the content and/or notification mechanism of the customer agreement/terms of service and personal information protection policy.

4. Data Security Protection Capability of TalkingData

TalkingData not only focuses on the accumulation of technical practices and the improvement of product services, but also protects personal information and public data actively, and abides by national laws, regulations, policies and standards strictly.

4.1 Data Security Measures of TalkingData

TalkingData attaches critical importance to the protection of personal information and has adopted different measures to ensure the security of personal information at different stages of the data life cycle.1) Data Collection SecurityTalkingData clarifies and identifies the purpose and usage of collecting data in the process of data acquisition to meet the requirements of the legality, reality, validity of data sources, and different data protection principles, such as data minimization principle. Furthermore, TalkingData establishes the internal data classification and grading system as well as data quality management standard system to specify data collection procedure and define data format, so as to guarantee the legitimacy and consistency of data collection.2)Data Transmission SecurityPrior to transmission, TalkingData will set different data security levels for different kinds of data, so as to adopt different encryption methods,such as MD5, key encryption. HTTPS is used in data transfer to guarantee the encryption security of the transmission channel. Data transmission messages are encrypted by the encryption algorithm RC4, which conforms to the national requirements. Meanwhile, keys of encryption algorithm are managed dynamically to prevent them from being lost or broken. According to the requirement of data transfer within and outside the company, the TalkingData adopts Appropriate encryption measures to ensure the security of transmission channels, nodes and data, preventing data leakage during the process of transmission.3)Data Storage SecurityTalkingData adopts different security storage mechanisms according to different data encryption levels, such as cleartext storage for data with low importance, and encryption storage for data with high importance, and carries out integrity detection for core data regularly to ensure that data will not be damaged or lost in the data storage stage. Moreover, TalkingData will use a partitioned storage strategy based on the value or sensitivity of different data. For example, raw data and de-indentified data will be stored indifferent clusters, while high-value data will be stored in a separate cluster. In addition, the company can prevent artificial data leakage by controlling data access rights strictly, Applying for permission in conformity to business needs, and keeping data access audit logs to trace operation records.4)Data Processing SecurityAfter personal data enters the TalkingData statistical platform, TalkingData will conduct data desensitization processing in strict accordance with the requirements of laws and regulations and business needs. The anonymous TDID is used as the primary key of entity identification to associate with business data, and the specific ID that can directly identify the entity is removed to ensure the balance between data availability and security. In addition, the company will control the right of processing strictly in the process of data analysis and processing. Data processers need to pass Kerberos authentication before data processing, so they can proceed with subsequent data operations. Meanwhile, TalkingData adopts multi-tenancy management system, assigns different functional accounts based on various business Applications, grants fine-grained access authorization to prevent unauthorized access, and establishes a security protection mechanism for data processing.5)Data Collaboration SecurityBefore exchanging data, TalkingData conducts multidimensional security assessments on its partners' qualifications, usage behavior, and other factors to determine whether to collaborate. TalkingData uses security measures such as the TalkingData Safety Island when conducting data business with partners to control data security risks, with logging to mitigate security risks in data collaboration.6)Data Destruction SecurityTalkingData formulates different data storage cycle policies and data aging policies for various types of business data, and migrates and cleans up data that does not conform to the storage policies regularly, so as to destroy data effectively and prevent data leakage caused by the recovery of important data of stored media. Furthermore, the TalkingData arranges employees to physically destroy the storage media periodically, and establishes effective data destruction procedures and technical measures to prevent the risk of data leakage.

4.2 Data Decurity Potection Mechanism of TalkingData

TalkingData establishes information security protection mechanism from different dimensions to guarantee data security of data subjects, and perfects internal management compliance system according to the constant policy change of laws and regulations.1)Organization and ManagementTalkingData has established an information security committee, which is responsible for organizing information security-related meetings and communications, coordinating the processing of information security-related issues and the decision-making of data security construction in the life cycle, and actively communicating and cooperating with other relevant organizations. TalkingData requires all employees to sign a data security confidentiality agreement and receive information security training before starting work. At the same time, TalkingData will control access to third parties and outsourcing services strictly through risk assessment, analyze security impact and develop corresponding measures.2)Network and Information Asset ManagementTalkingData establishes the network and information asset list and asset liability system. On the grounds of the sensitivity and importance of network and information assets, TalkingData classifies them and takes corresponding management measures, and requires each asset to be managed by the designated employee who has the corresponding security management authority and assumes corresponding security responsibilities.3)Physical and Environmental SecurityCritical or sensitive network and information processing facilities forTalkingData are placed in safe areas protected by designated security boundaries. For various security areas, different levels of security protection and access control measures should be adopted to prevent illegal access and interference.4)Operation and Maintenance SecurityTalkingData establishes management system and operational procedure for network and information processing, and separates responsibilities as much as possible. TalkingData increases the awareness of prevention constantly, takes effective measures to prevent and control malicious software, establishes a strict software management system,downloads security patches timely, assesses system security vulnerability regularly. What is more, TalkingData also formulates the management system and disposal procedure of information storage media, especially strengthens the management of removable storage media and system documents, and makes corresponding procedures and standards to protect the security of information and media in the process of transmission.5)Access ControlOn the basis of business and security needs, TalkingData establishes access control policies to achieve the principle of authorization minimization, clarifies users'responsibilities, strengthens the management of the user access control, sets Appropriate interfaces at the company's network boundaries, and adopts effective user and device authentication mechanisms to control user access and isolate sensitive information. Accessing to and using the system should also be monitored and incidents logs should be recorded and examined.6)Development and MaintenanceThe development of TalkingData system, including network infrastructure, must follow the system security lifecycle management procedure strictly. Security needs should be identified before new systems are developed. In the process of designing, TalkingData adopts Appropriate control measures, audit trail records, and activity logs,including the verification of input data, internal processing and output data. In the process of system development and maintenance, it is necessary to implement system development management process strictly, including changing the control of development, testing and production environment, so as to ensure the security of system hardware, software and data.7)Security Incidents Response and Security AuditTalkingData establishes personal information safety incident emergency response mechanism, and organize emergency response training and emergency drills for the staff on a regular basis, makes sure that the network and information system design, operation, usage and management must comply with national laws, policies and regulations concerning security requirements., and inspects the network and information system security, as well as the implementation of the security policy and the technical specifications regularly.

4.3 Data Security Protection Capability Certification of TalkingData

TalkingData has acquired a number of certifications to improve data compliance capability. The details are as follows:(1) The third level of cybersecurity classified protection system:>(2)Privacy information management system certification ISO/IEC 27701:2019;(3)Information security management system certification ISO/IEC 27001:2013;(4)Quality management system certification ISO 9001:2015;(5)Information technology service management system certification ISO/IEC 20000-1:2018;(6)The data platform security certification by excellent security surpass trusted program;(7)The China Academy of Information and Communications Technology SDK security special assessment;(8) The certificate of Data flow platform security capability assessment;(9) Two star rating for social responsibility in data security and personal information protection.In addition, TalkingData has also led and participated in many data compliance projects organized by regulatory authorities, and is a member of many working groups related to data security and personal information protection. The details are as follows:(1)The company of launching the Information Security Technology Personal Information Security Specification pilot program;(2)The company of launching the Information Security Technology Data Security Maturity Model pilot program;(3)The company of launching the Information Security Technology Personal Information Security Impact Assessment pilot program;(4) The National Information Security Standardization Technical Committee?The member of the TC260 big data security standard specific working group;(5)The member of data security working Committee of the China Cybersecurity Industry Alliance;(6)The first group of members of the promotion of personal information protection compliance and audit team;(7)One of the first group of members of the Data Security Community (DSC) Program of the China Academy of Information and Communications Technology;(8) One of the first group of participating companies in the Green SDK industry ecological co-construction initiative. TalkingData has participated in the drafting of standards, guidelines, white papers, and reports related to data security and personal information protection, as follows: (1)Information Security Technology - Guidance for Personal Information Security Impact Assessment; (2)Information Security Technology - Requirements of Privacy Policy of Internet Platforms, Products and Services;(3)Information Security Technology - Security Requirements for Automated Decision Making Based on Personal Information;(4)Information Security Technology - Security Capability Requirements for Big Data Services;(5)Guidance on Social Responsibility of Data Security and Personal Information Protection;(6)Information Security Technology - Security Requirements for Mobile Internet Applications (App) Software Development Kits (SDK);(7)Security Technical Requirements and Test Methods of Mobile Application SDK;(8)White Paper on SDK Security and Compliance;(9)White Paper on Standardization of Data Element Circulation (2022);(10)Compliance Guidelines for Privacy Computing Technology Applications (2022);(11)Implementation Reference for the Data Security Law (First Edition);(12)The reference Casebook for Fulfilling Data Security Protection Obligations;(13)Case Studies on Data Security and Social Responsibilities in Personal Information Protection;(14)Implementation Guidelines for Subsequent Disposal Measures of "Health Code" Data Deletion.If you have any other problems, please contact TalkingData.