The Compliance and Security Guideline of the TalkingData SDK

Last updated on: December 22, 2021

Introduction

In order to curb the widespread collection of personal information by Apps through coerced permissions, excessive permission requests or collection beyond the approved scope, and to protect the security of personal information, the Secretary Bureau of the Cyberspace Administration of China, the General Office of the Ministry of Industry and Information Technology, the General Office of the Ministry of Public Security and the General Office of the State Administration for Market Regulation jointly issued the announcement on carrying out Special Campaigns against App Collecting and Using Personal Information in Violation of Laws and Regulations in January 2019. At the same time, the four departments authorized the National Information Security Standardization Technical Committee, the China Consumers' Association, the Internet Society of China and the Cybersecurity Association of China to establish the Special Campaigns Working Group against App Collecting and Using Personal Information in Violation of Laws and Regulations, which specifically promotes the evaluation of Apps' collection and use of personal information in violation of laws and regulations.

In March 2019, the Working Group issued the Self-assessment Guideline for the Collection and Use of Personal Information by App to help App operators conduct self-inspection and self-correction of their personal information collection and use activities. In November 2019, the same four departments jointly released the Measures for the Determination of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations. These Measures clarify the approaches to determining six main kinds of unlawful collection and use of personal information by Apps, provide a reference for supervision and administration departments when making such determinations, and give guidance for App operators' self-examination and self-correction. In December 2019, at the seminar on App personal information protection hosted by the Working Group, the relevant authorities stated that they would step up their work and strengthen the protection of personal information. The Data Security Law of the People's Republic of China and the Personal Information Protection Law of the People's Republic of China were enacted and came into force in 2021.

In conclusion, the collection and use of personal information by Apps (including third-party code and plug-ins embedded in Apps) and the protection of the rights and interests of personal information subjects have become a major governance issue for the relevant competent authorities, with increasingly intensive supervision and stricter supervision standards. To help App developers and operators (hereinafter referred to as "you") using the TalkingData SDK implement end-user personal information protection more effectively, avoid violating relevant laws, regulations, policies and standards because of a third-party SDK, and gain a clearer understanding of the data compliance and security protection technology TalkingData has adopted, especially the approaches and measures taken to protect the privacy of personal information, TalkingData has prepared The Compliance and Security Guideline of the TalkingData SDK for your reference.

This guideline consists of three main sections:
1. Compliance requirements for personal information protection of developers
2. Important compliance issues when using the TalkingData SDK services
3. Data security protection capability of TalkingData

If you have any other questions, please contact TalkingData.

1. Compliance requirements for personal information protection of developers

This part explains the compliance requirements for developers' protection of personal information, mainly the legal authorization for the collection and use of personal information and the important compliance requirements for protecting personal fundamental rights and interests while using the TalkingData SDK.

1.1 What supporting compliance documents are needed for the end user when the App is launched?

At the very least, you need to draft a separate personal information protection policy (privacy policy). The personal information protection policy is an important document that describes how the App currently collects and uses personal information, obtains the legal authorization of users, and protects the rights of personal information subjects. Its contents should comply with relevant national laws, regulations, policies and standards as well as your agreement with TalkingData. In particular:

a) In accordance with GB/T 35273-2020 Information Security Technology - Personal Information Security Specification, the four appendices of that document are also of important reference value for understanding personal information security requirements and drafting a personal information protection policy:
Appendix A: Examples of personal information;
Appendix B: Identification of sensitive personal information;
Appendix C: Methods to safeguard the independent choice of the personal information subject;
Appendix D: Personal information protection policy template.

b) The purpose, method and scope of the personal information collected and used through your deployment of the TalkingData SDK in the App shall be disclosed to the end user clearly in your personal information protection policy, and the privacy protection standard you provide shall not be lower than that of TalkingData.

1.2 What contents of the third-party SDK should be disclosed in the personal information protection policy of the App?

You should specify to the end user the purpose, method and scope of the personal information collected and used by the third-party SDKs you have embedded. In the personal information protection policy, you should also clearly state that you have carefully selected TalkingData as a partner, that some functions required for App operation are realized through the TalkingData SDK, and that you and TalkingData therefore jointly decide how end users' personal information is collected, used and processed. TalkingData recommends wording along the following lines in the data sharing and disclosure section of your personal information protection policy:

"For the purposes of data statistics and analysis, our products may integrate the SDK of a third party or other similar applications, such as the 【TalkingData】SDK, and we need to share your relevant personal information; the purpose, method and scope are shown in the 【table】 below. For the sake of your information security, we have signed a strict data security and non-disclosure agreement with the third-party SDK service providers, and these companies will strictly comply with our data privacy and security requirements. To help you better understand the type and use of the collected data and the personal information protection methods of 【TalkingData】, you can visit http://www.talkingdata.com/privacy.jsp?languagetype=zh_cn for the 【TalkingData】 personal information protection policy. Meanwhile, we understand and respect your choice: if you do not want to participate in 【TalkingData】 big data computation, you can exercise your opt-out right through http://www.talkingdata.com/optout.jsp?languagetype=zh_cn. You understand and agree that TalkingData has the right to de-identify and aggregate the collected data and to build a database to provide data services. If the purpose, manner or scope of the personal information collected and used by the 【TalkingData】SDK changes, we will notify you and remind you to read the changes in an appropriate way."
Table: third-party SDK disclosure (TalkingData)

Name of cooperative product: TalkingData Application statistical analysis SDK
Name of cooperative company: Beijing Tendcloud Tianxia Technology Co., Ltd.
Cooperative approach: Embedding the TalkingData SDK
Types and fields of shared personal information:
  Device information: 【Android】 device brand, model, software version and other basic information, and the Application list; 【iOS】 device brand, model, software version and other basic information
  Network information: the WiFi connected by the device and base station information
  Location information: geographical location of the device
  Application information: package name, version number and other information of the App in which the SDK is embedded
Purpose and use: Application statistical analysis; cheating protection; marketing and push information
Data processing means: data encryption technology is used to transfer data; the information is desensitized and displayed using de-identification and anonymization

Name of cooperative product: TalkingData game operation analysis SDK
(cooperative company, cooperative approach, shared personal information and data processing means as above)
Purpose and use: Game operation analysis; cheating protection; marketing and push information

Name of cooperative product: TalkingData mobile advertisements monitoring SDK
(cooperative company, cooperative approach, shared personal information and data processing means as above)
Purpose and use: Mobile advertisements monitoring; cheating protection
It is recommended that you refer to this table and disclose to your users according to the type of service actually provided by the TalkingData SDK you choose. You should know and understand that some device information (IMEI, MAC address, hardware device number), location information and network information require an authorization requested through the function page of the App in which you install the TalkingData SDK, and TalkingData will only collect it after the user's consent has been obtained.
Table: Android permissions used by TalkingData products

Permission: READ_PHONE_STATE
Purpose: Read-only access to telephony state, including device identifiers, to identify the user's device.
Related products: App Analytics, Game Analytics, Ad Tracking

Permission: ACCESS_WIFI_STATE
Purpose: Obtaining the MAC address of the device to identify the user's device.
Related products: App Analytics, Game Analytics, Ad Tracking

Permission: WRITE_EXTERNAL_STORAGE
Purpose: Storing device information and logging.
Related products: App Analytics, Game Analytics, Ad Tracking

Permission: ACCESS_FINE_LOCATION (optional)
Purpose: GPS location of the device, used to correct the geographical distribution of users so that report data is more accurate, and for anti-fraud.
Related products: App Analytics, Game Analytics, Ad Tracking

Permission: ACCESS_COARSE_LOCATION (optional)
Purpose: Coarse location of the device, used for anti-fraud.
Related products: App Analytics, Game Analytics, Ad Tracking

Permission: RECEIVE_SMS
Purpose: Allowing the Application to receive system SMS broadcasts so that SMS messages can be received during automatic SMS authentication.
Related products: eAuth

Permission: READ_SMS
Purpose: Allowing the Application to read SMS records so that they can be read during automatic SMS authentication.
Related products: eAuth

Note that declaring these permissions does not guarantee that the identifiers are obtained: since Android 6.0 the platform returns a constant placeholder (02:00:00:00:00:00) for the device's own WiFi MAC address through the standard API, and since Android 10 the IMEI and other non-resettable hardware identifiers are no longer readable by ordinary Apps even when READ_PHONE_STATE is granted. Each permission should therefore be requested only from the function that actually needs it, and a refusal must not block the App.
If you need to disclose data security capabilities of the TalkingData, see section 3.

1.3 The App personal information protection policy demonstration

You should comply with the requirements of relevant national laws, regulations, policies and standards when displaying the App personal information protection policy, including but not limited to the following:

a) You should ensure that the personal information protection policy is independent and explicit. It should be a separate document, not part of the end-user agreement or other documents. When the App runs for the first time, it should remind the end user, through a pop-up or other obvious means, to read the collection and use rules in the personal information protection policy, and only then initialize the SDK for information collection and processing.

b) You should ensure that the personal information protection policy is readable and accessible. It shall be drafted in clear, understandable, logical and common language, and a simplified Chinese version should also be provided. After entering the main function interface of the App, the end user should be able to reach the personal information protection policy within four clicks or swipes.

c) You should explain the purpose, method and scope of personal information collection and use to the end user clearly. Merely improving service quality, enhancing user experience, pushing targeted information or developing new products cannot be a reason to force users to agree to the collection of their personal information.

d) Agreement to the personal information protection policy must be the end user's own choice; consent must not be set by default or induced by deception.

1.4 What can end users do if they do not want their personal information to be processed?

The end user may require either of us to respond to a request to exercise the rights of a personal information subject. Once you receive any request from an end user concerning personal information processing by the TalkingData SDK, please inform us within 24 hours so that we can resolve it together. To make it easier for end users to exercise their rights directly, you should inform them that they can opt out through the TalkingData terminal opt-out mechanism. If an end user exercises this right, their information will neither be collected nor processed in any form, nor will they be subjected to repeated permission prompts. The TalkingData opt-out link is http://www.talkingdata.com/optout.jsp?languagetype=zh_cn. TalkingData strongly suggests that you embed this opt-out link in your personal information protection policy so that end users can exercise their opt-out right more conveniently.

1.5 Important explanations

TalkingData's interpretation of the compliance requirements in this section does not constitute comprehensive and complete legal advice to developers on their personal information protection obligations. We strongly recommend that you become fully aware of the personal information protection laws, regulations, policies, standards and enforcement inspection requirements that are currently in force and that may be issued in the future. Relevant references include, but are not limited to:

Personal Information Protection Law of the People's Republic of China
http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml

Data Security Law of the People's Republic of China
npc.gov.cn/npc/c30834/202106/7c9af12f51334a73b56d7938f99a788a.shtml

Cybersecurity Law of the People's Republic of China
http://www.gov.cn/xinwen/2016-11/07/content_5129723.htm

Civil Code of the People's Republic of China
http://www.npc.gov.cn/npc/c30834/202006/75ba6483b8344591abd07917e1d25cc8.shtml

The Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Apps
http://www.gov.cn/zhengce/zhengceku/2021-03/23/content_5595088.htm

GB/T 35273-2020 Information Security Technology - Personal Information Security Specification
http://pip.tc260.org.cn/jbxt/privacy/detail/20200307123754442334

Guidelines for App Self-assessment of Collecting and Using Personal Information in Violation of Laws and Regulations
https://www.mpaypass.com.cn/download/202007/25221310.html

The Measures for the Determination of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations
http://www.scio.gov.cn/xwfbh/xwbfbh/wqfbh/42311/44109/xgzc44115/Document/1691066/1691066.htm

2. Important compliance issues when using the TalkingData SDK services

2.1 Self-examination of compliance is needed before you use the TalkingData SDK service

Prior to downloading the TalkingData SDK, you should carefully read the SDK download compliance statement and use it to self-examine the compliance of your personal information protection policy and of the way your products collect and use personal information. You should ensure that when the App runs for the first time, the end user is reminded in an obvious way to read your personal information protection policy and the end user's legal authorization is obtained; only after that is the SDK initialized for information collection and processing. According to the TalkingData personal information protection policy that you have read and agreed to, you should pay particular attention to obtaining the end user's authorization and consent in advance if you need to process personal information of the App's end users through TalkingData. The service provided by TalkingData is based on your commitment that:

"(1) You have obtained sufficient and necessary authorization, consent and permission from the end user to allow us to use the App for the purposes necessary to perform the service (if your App is designed and developed for children under the age of 14, you should have taken the necessary technical measures to ensure that you have obtained the authorization, consent and permission of their guardian);
(2) You have obtained sufficient and necessary authorization, consent and permission from the end user to allow us to process the collected data in anonymized and aggregated form (if your App is designed and developed for children under the age of 14, you should have taken the necessary technical measures to ensure that you have obtained the authorization, consent and permission of their guardian);
(3) You have complied with and will continue to abide by applicable laws, regulations and regulatory requirements, including but not limited to the formulation and publication of policies on the protection of personal information and privacy;
(4) You have disclosed and explained to the end user that you allow us to de-identify and aggregate the collected data and to build the TalkingData database to provide data services. You should also provide the end user with a choice mechanism that is easy to operate, explain how and when the end user can exercise that choice and how and when they can modify or withdraw it, so that the end user can choose whether or not to agree to the collection and use of de-identified personal information for commercial purposes."
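The first-run sequence required in section 1.3 and restated in 2.1 (prompt, consent, and only then SDK initialization), together with the rules in 1.2 and 1.4 that optional permissions are requested from the function that needs them and that an opted-out user is neither collected from nor prompted again, is easiest to enforce from one place in the App. The following Android class is an added illustration and not TalkingData's code: the SDK's real initialization call is not shown on this page, so ThirdPartySdk.init(...) is a placeholder, and the preference keys, dialog text and policy version number are assumptions.

```java
// Added example (not TalkingData's own code): gate third-party SDK start-up and runtime
// permission requests behind recorded, versioned consent and an opt-out flag.
// ThirdPartySdk.init(...) is a placeholder for the real SDK entry point (assumption).
import android.Manifest;
import android.app.Activity;
import android.app.AlertDialog;
import android.content.Context;
import android.content.SharedPreferences;
import android.content.pm.PackageManager;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public final class ConsentGate {
    private static final String PREFS = "privacy_consent";            // assumed key names
    private static final String KEY_POLICY_VERSION = "accepted_policy_version";
    private static final String KEY_OPT_OUT = "analytics_opt_out";
    // Bump this whenever the purpose, method or scope of SDK collection changes:
    // an acceptance of older terms must not be reused as consent for the new ones.
    public static final int CURRENT_POLICY_VERSION = 3;
    public static final int REQ_PHONE_STATE = 1001;

    public enum State { NEEDS_PROMPT, OPTED_OUT, CONSENTED }

    private ConsentGate() {}

    public static State state(Context ctx) {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        if (p.getBoolean(KEY_OPT_OUT, false)) return State.OPTED_OUT;
        int accepted = p.getInt(KEY_POLICY_VERSION, 0);
        return accepted >= CURRENT_POLICY_VERSION ? State.CONSENTED : State.NEEDS_PROMPT;
    }

    public static void recordConsent(Context ctx) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
           .putInt(KEY_POLICY_VERSION, CURRENT_POLICY_VERSION)
           .putBoolean(KEY_OPT_OUT, false)
           .apply();
    }

    public static void recordOptOut(Context ctx) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
           .putBoolean(KEY_OPT_OUT, true)
           .apply();
    }

    /** Call from the launcher Activity's onCreate(), not from Application.onCreate():
     *  nothing belonging to the SDK may run before the user has agreed. */
    public static void onAppStart(Activity activity) {
        switch (state(activity)) {
            case CONSENTED:
                startSdk(activity);
                break;
            case OPTED_OUT:
                // No collection, no permission prompts, and no repeated asking.
                break;
            case NEEDS_PROMPT:
                showPolicyPrompt(activity);
                break;
        }
    }

    private static void showPolicyPrompt(Activity activity) {
        new AlertDialog.Builder(activity)
            .setTitle("Personal information protection policy")
            .setMessage("Please read the policy, including the third-party SDK section, before continuing.")
            .setCancelable(false)      // dismissing the dialog is not consent
            .setPositiveButton("Agree", (d, w) -> { recordConsent(activity); startSdk(activity); })
            .setNegativeButton("Disagree", (d, w) -> { /* App continues without the SDK */ })
            .show();
    }

    private static void startSdk(Activity activity) {
        ThirdPartySdk.init(activity.getApplicationContext());   // assumed SDK entry point
    }

    /** Request an optional permission only from the feature that needs it and only after consent.
     *  Returns false when no request was made (no consent, opted out, or already granted).
     *  A denial reported to onRequestPermissionsResult() must not be retried or block the App. */
    public static boolean requestPhoneStateIfAllowed(Activity activity) {
        if (state(activity) != State.CONSENTED) return false;
        if (ContextCompat.checkSelfPermission(activity, Manifest.permission.READ_PHONE_STATE)
                == PackageManager.PERMISSION_GRANTED) return false;
        ActivityCompat.requestPermissions(activity,
                new String[]{Manifest.permission.READ_PHONE_STATE}, REQ_PHONE_STATE);
        return true;
    }
}
```

The versioned consent record is the part most often missed: when the purpose, method or scope of the SDK's collection changes (the situation the recommended policy wording in 1.2 promises to notify users about), raising CURRENT_POLICY_VERSION forces the prompt to be shown again rather than silently reusing the old acceptance.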

2.2 TalkingData examines your compliance

As a service provider, TalkingData has defined the security responsibilities and obligations of each party in the service agreement, the personal information protection policy and the data security and personal information protection commitment entered into with you. TalkingData's personal information protection policy specifies the scope and purpose of collecting end users' information. You are required to explain your data sources to TalkingData and guarantee that they are legitimate, and you must inform the end user of the content, purpose and necessity of the data collected and obtain the end user's authorization accordingly. To ensure that you have obtained effective end-user authorization and that the personal information TalkingData obtains is legitimate, before the two parties enter into a cooperation agreement TalkingData carries out data compliance due diligence as a risk assessment and examines the relevant documents, such as evidence you provide concerning the legitimate sources of the personal information you intend to share, and the customer agreement/terms of service and personal information protection policy published on your official website, to inspect the consent, authorization and notification mechanism. In case of non-compliance, TalkingData will require you to add to or amend the content and/or notification mechanism of the customer agreement/terms of service and personal information protection policy.

3. Data security protection capability of the TalkingData

TalkingData not only focuses on accumulating technical practice and improving its products and services, but also actively protects personal information and public data and strictly abides by national laws, regulations, policies and standards.

3.1 Data security measures of the TalkingData

TalkingData attaches critical importance to the protection of personal information and has adopted different measures to ensure the security of personal information at each stage of the data life cycle.

1) Data collection security
During data acquisition TalkingData clarifies and records the purpose and use of the data collected, so as to meet the requirements of legality, authenticity and validity of data sources and data protection principles such as data minimization. Furthermore, TalkingData has established an internal data classification and grading system and a data quality management standard that specify the data collection procedure and define data formats, so as to guarantee the legitimacy and consistency of data collection.

2) Data transmission security
Prior to transmission, TalkingData assigns different security levels to different kinds of data and applies different protection methods accordingly, such as MD5 digests and key-based encryption (note that MD5 is a hash function, not an encryption algorithm, and provides no confidentiality on its own). HTTPS is used for data transfer to secure the transmission channel. Data transmission messages are additionally encrypted with the RC4 algorithm, which conforms to national requirements; since RC4 is regarded as cryptographically weak and its use in TLS has been prohibited since 2015 (RFC 7465), the confidentiality of the channel rests on HTTPS rather than on this message-level layer. Encryption keys are managed dynamically to prevent them from being lost or compromised. According to the requirements for data transfer inside and outside the company, TalkingData adopts appropriate encryption measures to secure transmission channels, nodes and data and to prevent data leakage in transit.

3) Data storage security
TalkingData adopts different storage mechanisms according to data sensitivity level, such as cleartext storage for data of low importance and encrypted storage for data of high importance, and carries out integrity checks on core data regularly to ensure that data is neither damaged nor lost while stored. Moreover, TalkingData uses a partitioned storage strategy based on the value or sensitivity of the data: for example, raw data and desensitized data are stored in different clusters, and high-value data is stored in a separate cluster. In addition, the company prevents leakage by personnel through strict control of data access rights, granting permissions only in line with business needs, and keeping data access audit logs so that operations can be traced.

4) Data processing security
After personal data enters the TalkingData statistical platform, TalkingData desensitizes it in strict accordance with legal and regulatory requirements and business needs. The anonymous TDID is used as the primary key identifying an entity and is associated with the business data, while any specific ID that can directly identify the entity is removed, balancing data availability against security. In addition, the company strictly controls processing rights during data analysis and processing: data processors must pass Kerberos authentication before they can carry out data operations. TalkingData also adopts a multi-tenancy management system, assigns different functional accounts to different business applications, grants fine-grained access authorization to prevent unauthorized access, and maintains a security protection mechanism for data processing.

5) Data sharing security
Prior to exchanging data, the TalkingData data operation team and data product team conduct a multi-dimensional security assessment of the third-party company's qualifications, usage behaviour and other factors to decide whether to share data with it. When TalkingData provides data to external organizations or exchanges data with partners, measures such as SMC front-end processors and "people package" are adopted to implement the security risk control mechanism for shared data, and logs are recorded and retained to reduce the security risk of the data sharing scenario.

6) Data destruction security
TalkingData formulates different data retention and data aging policies for different types of business data, and regularly migrates and cleans up data that no longer conforms to the retention policy, so that data is destroyed effectively and leakage through recovery of important data from storage media is prevented. Furthermore, TalkingData periodically has employees physically destroy storage media, and has established effective data destruction procedures and technical measures to prevent the risk of data leakage.
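Item 4) above describes the processing-stage control that matters most for end users: direct identifiers are dropped and a pseudonymous key (TDID) takes their place. The page does not say how TDID is derived, so the class below is an added illustration and not TalkingData's code; it uses a keyed HMAC as one sound way to build such a key, and it also shows, in connection with the MD5 mentioned under item 2), why an unkeyed digest of a low-entropy identifier such as an IMEI is not de-identification. The sample record, IMEI and secret are constructed for the example; the field names are assumptions.

```java
// Added example (not TalkingData's code): replace direct device identifiers with a keyed
// pseudonym before records reach the analytics store, and show why an unkeyed MD5 of an
// IMEI is not de-identification. How TDID is really derived is not stated on the page;
// the HMAC-based pseudonym is an assumption for illustration. Sample data is constructed.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DeviceRecordPseudonymizer {
    // Fields that directly identify a device, most stable first; all are removed from stored records.
    private static final List<String> DIRECT_IDENTIFIERS = Arrays.asList("imei", "mac", "android_id", "idfa");
    private final byte[] key;   // secret, held server-side and rotatable; never shipped inside the SDK

    public DeviceRecordPseudonymizer(byte[] key) {
        this.key = key.clone();
    }

    /** Keyed pseudonym: HMAC-SHA256 over the normalised identifier, truncated to 128 bits of hex.
     *  Without the key, a holder of the output cannot enumerate candidates to invert it. */
    public String pseudonym(String identifier) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(identifier.trim().toLowerCase().getBytes(StandardCharsets.UTF_8));
        return hex(tag).substring(0, 32);
    }

    /** Returns a copy of the record with every direct identifier dropped and one pseudonymous key added. */
    public Map<String, String> deidentify(Map<String, String> rec) throws Exception {
        Map<String, String> out = new LinkedHashMap<>(rec);
        String source = null;
        for (String field : DIRECT_IDENTIFIERS) {
            if (source == null && rec.containsKey(field)) source = rec.get(field);
            out.remove(field);
        }
        if (source != null) out.put("pseudo_id", pseudonym(source));
        return out;
    }

    /** Luhn check digit for the 14-digit IMEI body (doubling starts from the rightmost body digit). */
    static int luhnCheckDigit(String body14) {
        int sum = 0;
        for (int i = 0; i < 14; i++) {
            int d = body14.charAt(13 - i) - '0';
            if (i % 2 == 0) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
        }
        return (10 - sum % 10) % 10;
    }

    /** Why MD5(IMEI) is reversible: the 8-digit TAC is public per device model, so only the
     *  6-digit serial is unknown and one million MD5 computations enumerate every candidate. */
    static String recoverImeiFromMd5(String md5Hex, String tac) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        for (int serial = 0; serial < 1_000_000; serial++) {
            String body = tac + String.format("%06d", serial);
            String candidate = body + luhnCheckDigit(body);
            byte[] digest = md.digest(candidate.getBytes(StandardCharsets.US_ASCII));
            if (hex(digest).equals(md5Hex)) return candidate;
        }
        return null;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: arbitrary TAC and serial, check digit computed so the IMEI is well-formed.
        String tac = "35209900", body = tac + "176148";
        String imei = body + luhnCheckDigit(body);
        Map<String, String> rec = new LinkedHashMap<>();
        rec.put("imei", imei);
        rec.put("mac", "AA:BB:CC:DD:EE:FF");
        rec.put("app_package", "com.example.app");
        rec.put("event", "launch");

        byte[] secret = "replace-with-32-random-bytes-from-a-KMS".getBytes(StandardCharsets.UTF_8);
        Map<String, String> stored = new DeviceRecordPseudonymizer(secret).deidentify(rec);
        System.out.println(stored);   // imei and mac are gone; one pseudo_id remains

        String md5OfImei = hex(MessageDigest.getInstance("MD5").digest(imei.getBytes(StandardCharsets.US_ASCII)));
        System.out.println("MD5 of the IMEI reversed to: " + recoverImeiFromMd5(md5OfImei, tac));
    }
}
```

The design point is the key: a pseudonym computed from the identifier alone (MD5, SHA-256 or any unkeyed digest) can be recomputed by anyone who can enumerate the identifier space, as recoverImeiFromMd5 does in well under a second, whereas the HMAC output is only linkable back to the device by whoever holds the secret, which is why that secret belongs in server-side key management and never in the SDK.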

3.2 Data security protection mechanism of the TalkingData

TalkingData has established an information security protection mechanism along several dimensions to guarantee the data security of data subjects, and refines its internal management and compliance system as laws, regulations and policies change.

1) Organization and management
TalkingData has established an information security committee responsible for organizing information security meetings and communications, coordinating the handling of information security issues and decision-making on data security throughout the data life cycle, and actively communicating and cooperating with other relevant organizations. TalkingData requires all employees to sign a data security confidentiality agreement and receive information security training before starting work. TalkingData also strictly controls access by third parties and outsourced services through risk assessment, analyses the security impact and develops corresponding measures.

2) Network and information asset management
TalkingData maintains a network and information asset inventory and an asset accountability system. Based on the sensitivity and importance of network and information assets, TalkingData classifies them and applies corresponding management measures, and requires each asset to be managed by a designated employee who holds the corresponding security management authority and bears the corresponding security responsibility.

3) Physical and environmental security
Critical or sensitive network and information processing facilities of TalkingData are placed in secure areas protected by defined security perimeters. Different levels of protection and access control are applied to the different security areas to prevent unauthorized access and interference.

4) Operation and maintenance security
TalkingData has established management systems and operating procedures for network and information processing, and separates duties as far as possible. TalkingData continually raises awareness of prevention, takes effective measures to prevent and control malicious software, maintains a strict software management system, applies security patches promptly and assesses system vulnerabilities regularly. TalkingData also has a management system and handling procedure for information storage media, with particular attention to removable media and system documentation, and corresponding procedures and standards to protect information and media in transit.

5) Access control
Based on business and security needs, TalkingData has established access control policies that implement the principle of least privilege, clarifies user responsibilities, strengthens management of user access control, places appropriate interfaces at the company's network boundaries, and uses effective user and device authentication to control access and isolate sensitive information. Access to and use of systems is monitored, and incident logs are recorded and reviewed.

6) Development and maintenance
Development of TalkingData systems, including network infrastructure, must strictly follow the system security life cycle management procedure. Security requirements are identified before a new system is developed. During design, TalkingData adopts appropriate controls, audit trails and activity logs, including validation of input data, internal processing and output data. During development and maintenance, the system development management process must be strictly implemented, including change control across the development, testing and production environments, to ensure the security of system hardware, software and data.

7) Security incident response and security audit
TalkingData has established an emergency response mechanism for personal information security incidents, organizes emergency response training and drills for staff on a regular basis, ensures that the design, operation, use and management of networks and information systems comply with national laws, policies and regulations on security requirements, and regularly inspects network and information system security and the implementation of security policies and technical specifications.

3.3 Data security protection capability certification of the TalkingData

TalkingData has obtained a number of certifications to improve its data compliance capability:
(1) Level 3 of the cybersecurity classified protection (MLPS) scheme;
(2) Privacy information management system certification, ISO/IEC 27701:2019;
(3) Information security management system certification, ISO/IEC 27001:2013;
(4) Quality management system certification, ISO 9001:2015;
(5) Information technology service management system certification, ISO/IEC 20000-1:2018;
(6) Capability Maturity Model Integration, CMMI Level 3;
(7) SDK security certification at level EAL1 issued by the China Information Technology Security Evaluation Center;
(8) Data platform security certification under the excellent security surpass trusted program;
(9) SDK security certification by the China Academy of Information and Communications Technology.

In addition, TalkingData has led and participated in many data compliance projects organized by regulatory authorities and is a member of many working groups related to data security and personal information protection:
(1) Pilot company for the Information Security Technology - Personal Information Security Specification;
(2) Pilot company for the Information Security Technology - Data Security Maturity Model;
(3) Pilot company for the Information Security Technology - Personal Information Security Impact Assessment;
(4) Jointly released the "Software Development Kit (SDK) Security and Compliance White Paper" with the China Academy of Information and Communications Technology;
(5) Member of the TC260 big data security standard special working group of the National Information Security Standardization Technical Committee;
(6) Member of the big data policy and regulation working group of the China Communications Standards Association;
(7) Member of the privacy computing alliance of the China Academy of Information and Communications Technology;
(8) Member of the excellent security surpass trusted program of the China Academy of Information and Communications Technology;
(9) Member of the data security working committee of the China Cybersecurity Industry Alliance;
(10) Among the first members of the personal information protection compliance and audit promotion team;
(11) Board member of the China Advertising Association.

If you have any other questions, please contact TalkingData.