The Compliance and Security Guideline of the TalkingData SDK

Last updated on: February 18, 2020

Introduction

To regulate the rampant collection of personal information by apps through coerced permissions, excessive permission requests or collection beyond the approved scope, and to protect the security of personal information, the Secretary Bureau of the Cyberspace Administration of China, the General Office of the Ministry of Industry and Information Technology, the General Office of the Ministry of Public Security and the General Office of the State Administration for Market Regulation jointly issued the announcement of carrying out Special Campaigns against APP Collecting and Using Personal Information in Violation of Laws and Regulations in January 2019. At the same time, the National Information Security Standardization Technical Committee, the China Consumers' Association, the Internet Society of China and the Cybersecurity Association of China were authorized by the four departments to establish the Special Campaigns Working Group against APP Collecting and Using Personal Information in Violation of Laws and Regulations, which specifically promotes the evaluation of the collection and use of personal information by Apps in violation of laws and regulations.

In March 2019, the Special Campaigns Working Group against APP Collecting and Using Personal Information in Violation of Laws and Regulations issued the Self-assessment Guideline for the Collection and Use of Personal Information by App to help App operators conduct self-inspection and self-correction of their collection and use of personal information.

In November 2019, the Secretary Bureau of the Cyberspace Administration of China, the General Office of the Ministry of Industry and Information Technology, the General Office of the Ministry of Public Security and the General Office of the State Administration for Market Regulation jointly released the Measures for the Determination of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations. These Measures clarify how to determine six main kinds of behavior by which Apps collect and use personal information in violation of laws and regulations, provide a reference for supervision and administration departments' determination of such behavior, and give guidance for App operators' self-examination and self-correction.

In December 2019, at the seminar on App personal information protection hosted by the Special Campaigns Working Group against APP Collecting and Using Personal Information in Violation of Laws and Regulations, the relevant authorities stated that they would put more effort into this work and strengthen the protection of personal information.

In conclusion, the collection and use of personal information by APPs (including third-party code and plug-ins embedded in APPs) and the protection of the rights and interests of personal information subjects have become a major governance issue for the relevant competent authorities, with increasingly intensive supervision and stricter supervision standards.

To help APP developers and operators (hereinafter referred to as "you") using the TalkingData SDK implement end-user personal information protection more effectively, avoid violating the provisions of the relevant laws, regulations, policies and standards because of a third-party SDK, and gain a clearer understanding of the data compliance and security protection technology TalkingData has adopted, especially the approaches and measures to protect the privacy of personal information, TalkingData has introduced The Compliance and Security Guideline of the TalkingData SDK for your reference.

This guideline consists of three main sections:
1. Compliance requirements for personal information protection of developers
2. Important compliance issues when using the TalkingData SDK services
3. Data security protection capability of the TalkingData

If you have any other questions, please contact TalkingData.

1. Compliance requirements for personal information protection of developers

In this part, the interpretation of the compliance requirements for the protection of personal information of developers mainly aims at explaining the legal authorization for the collection and use of personal information and the important compliance requirements for protecting the fundamental rights and interests of personal information subjects while using the TalkingData SDK.

1.1 What supporting compliance documents are needed for the end user when the APP is launched?

You need at least a separate privacy policy. The privacy policy is an important document that describes the current situation of the collection and use of personal information by the APP, obtains the legal authorization of users and protects the rights of personal information subjects. Its contents should comply with relevant national laws, regulations, policies and standards as well as your agreement with TalkingData. In particular:

a) It should be drafted in accordance with GB/T 35273-2017 Information Security Technology - Personal Information Security Specification. The four appendices of that standard are also of important reference value for your understanding of personal information security requirements and for drafting the privacy policy:
Appendix A: Examples of personal information;
Appendix B: Determination of personal sensitive information;
Appendix C: Approaches to guarantee the right of consent of personal information subjects;
Appendix D: Privacy policy template.

b) The purpose, method and scope of your deployment of the TalkingData SDK in the APP to collect and use personal information shall be disclosed clearly to the end user through your privacy policy, and the privacy protection standard you provide shall not be lower than that of TalkingData.

1.2 What contents of the third-party SDK should be disclosed in the privacy policy of the APP?

You should specify to the end user, one by one, the purpose, method and scope of the personal information collected and used by each third-party SDK you have embedded. In the privacy policy, you should also clearly inform the end user that you have carefully selected TalkingData as a partner and entrusted it with collecting, using, organizing and processing the end user's personal information. TalkingData recommends that you refer to the following wording in the data sharing and disclosure section of your privacy policy:

"For the purposes of data statistics and analysis, our products may integrate the SDK of a third party or other similar applications, such as the 【TalkingData】SDK, and we need to share your relevant personal information; the purpose, method and scope are shown in the 【table】 below. For the sake of your information security, we have signed a strict data security and non-disclosure agreement with the third-party SDK service providers, and these companies will strictly comply with our data privacy and security requirements. To help you better understand the types and uses of the data collected by 【TalkingData】 and its personal information protection methods, you can visit http://www.talkingdata.com/privacy.jsp?languagetype=zh_cn for the 【TalkingData】 privacy policy. Meanwhile, we understand and respect your choice: if you do not want to participate in 【TalkingData】 big data calculation, you can exercise your opt-out right through http://www.talkingdata.com/optout.jsp?languagetype=zh_cn. You understand and agree that TalkingData has the right to de-identify and aggregate the collected data and build a database to provide data services. If the purpose, manner or scope of the personal information collected and used by the 【TalkingData】SDK changes, we will notify and remind the end user to read the changes by appropriate means."
Table: cooperative products and shared personal information

Name of cooperative product: TalkingData application statistical analysis SDK
Name of cooperative company: Beijing Tendcloud Tianxia Technology Co., Ltd.
Cooperative approach: Embedding the TalkingData SDK
Types and fields of the shared personal information:
- Device information: 【Android】 device brand, model, software version and other basic information, and application list information; 【iOS】 device brand, model, software version and other basic information
- Network information: WiFi connected by the device and base station information
- Location information: geographical location of the device
- Application information: application package name, version number and other information of the APP embedding the SDK
Purpose and use: Application statistical analysis; cheating protection; marketing and pushing information
Data processing means: Data encryption technology is used to transfer data; the information is desensitized and displayed using de-identification and anonymization

Name of cooperative product: TalkingData game operation analysis SDK
Purpose and use: Game operation analysis; cheating protection; marketing and pushing information

Name of cooperative product: TalkingData mobile advertisements monitoring SDK
Purpose and use: Mobile advertisements monitoring; cheating protection
It is recommended that you refer to this table and make disclosures to your users according to the type of service provided by the TalkingData SDK you actually choose. You should know and understand that some device information (device IMEI, MAC address, hardware device number), location information and network information must be requested as permissions through the APP function page in which you install the TalkingData SDK, and we will only collect them after obtaining the end user's consent. If you need to disclose the data security capabilities of TalkingData, see section 3.

1.3 The APP privacy policy demonstration

You should comply with the requirements of relevant national laws, regulations, policies and standards when displaying the APP privacy policy, including but not limited to the following:

- You should ensure that the privacy policy is independent and explicit. The privacy policy should be written separately and not as part of the end user agreement or other documents. When the App runs for the first time, it should remind the end user to read the collection and use rules of the privacy policy through a pop-up or other obvious means, and only then initialize the SDK for information collection and processing.
- You should ensure that the privacy policy is readable and accessible. The privacy policy shall be drafted in clear, understandable, logical and common language, and a simplified Chinese version should also be provided. After entering the main function interface of the APP, the end user should be able to reach the privacy policy within 4 clicks or swipes.
- You should explain the purpose, method and scope of personal information collection and use to the end user clearly. Merely improving service quality, enhancing user experience, pushing targeted information or developing new products cannot be the reason to force users to agree to the collection of their personal information.
- Whether to agree to the privacy policy should be at the discretion of the end user; consent should not be imposed by default or induced by deception.
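The ordering requirement in the first point above (prompt on first run, explicit choice, and only then SDK initialization; section 2.1 repeats the same sequence) can be enforced in code rather than by convention. The following Android class is an added example and is not TalkingData SDK code: the class name ConsentGate, its preference keys, and the initAnalyticsSdk callback are assumed names, and the actual SDK initialization call is whatever your SDK version documents.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.content.Context;
import android.content.SharedPreferences;

/**
 * Added example (not TalkingData code). Persists the end user's explicit decision and
 * runs the SDK initialization only after an "agree". A "disagree" is remembered so the
 * user is not prompted again on every launch; a settings screen can call reset() to
 * let them revisit the choice.
 */
public class ConsentGate {
    private static final String PREFS = "privacy_consent"; // assumed preference file name
    private static final String KEY_STATE = "state";
    static final String NOT_ASKED = "not_asked";
    static final String AGREED = "agreed";
    static final String DECLINED = "declined";

    private final SharedPreferences prefs;

    public ConsentGate(Context ctx) {
        prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }

    /** Current decision; a fresh install (first run) reports NOT_ASKED. */
    public String state() {
        return prefs.getString(KEY_STATE, NOT_ASKED);
    }

    /** Only an explicit "agree" permits collection; the absence of a choice does not. */
    public boolean sdkAllowed() {
        return AGREED.equals(state());
    }

    /** For a settings screen: forget the stored choice so the prompt is shown again. */
    public void reset() {
        prefs.edit().remove(KEY_STATE).apply();
    }

    private void record(String decision) {
        prefs.edit().putString(KEY_STATE, decision).apply();
    }

    /**
     * Call from the launcher Activity's onCreate(). initAnalyticsSdk wraps the SDK
     * initialization call (hypothetical name); it is never run before consent.
     */
    public void enforce(Activity activity, Runnable initAnalyticsSdk) {
        if (sdkAllowed()) {
            initAnalyticsSdk.run();
            return;
        }
        if (DECLINED.equals(state())) {
            return; // respected silently: no collection and no repeated prompting
        }
        new AlertDialog.Builder(activity)
                .setTitle("Privacy Policy")
                .setMessage("Summary of the collection and use rules, with a link to the "
                        + "full, separately written privacy policy that discloses the "
                        + "TalkingData SDK (see section 1.2).")
                .setCancelable(false) // tapping outside the dialog is not a decision
                .setPositiveButton("Agree", (dialog, which) -> {
                    record(AGREED);
                    initAnalyticsSdk.run();
                })
                .setNegativeButton("Disagree", (dialog, which) -> record(DECLINED))
                .show();
    }
}

// Usage in the launcher Activity (initAnalyticsSdk() stands for your SDK's documented init call):
//   new ConsentGate(this).enforce(this, () -> initAnalyticsSdk());
```

The point of the design is that collection code runs only from the positive branch of the dialog or from a stored "agreed" state; there is no code path that initializes the SDK on a default, a timeout or a dismissed dialog. The stored "declined" state also satisfies the requirement in section 1.4 that a user who has refused is not subjected to repeated permission requests.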

1.4 What can end users do if they do not want their personal information to be processed?

You should inform the end user that they can exercise their opt-out right through the TalkingData terminal opt-out mechanism. If the end user exercises this right, their information will neither be collected nor processed in any form, and they will not be subjected to repeated permission requests. The TalkingData opt-out link is http://www.talkingdata.com/optout.jsp?languagetype=zh_cn. TalkingData strongly suggests that you embed this opt-out link in your privacy policy to make it more convenient for end users to exercise their opt-out right.

1.5 Important explanations

In this section, TalkingData's interpretation of the compliance requirements does not constitute comprehensive and complete legal advice to developers on their legal obligations for personal information protection. We strongly recommend that you be fully aware of the personal information protection laws, regulations, policies, standards and enforcement inspection requirements that are currently in force and that may be issued in the future. Relevant information for your reference includes:

- GB/T 35273-2017 Information Security Technology - Personal Information Security Specification
  http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=4FFAA51D63BA21B9EE40C51DD3CC40BE
- Information Security Technology - Personal Information Security Specification (exposure draft)
  http://pip.tc260.org.cn/jbxt/privacy/detail/201910232235364993
- Practical Guide to Network Security - Information Specification Necessary for Basic Business Functions of Mobile Internet Applications
  http://pip.tc260.org.cn/jbxt/privacy/detail/20190702143616836520
- Guidelines for APP Self-assessment of Collecting and Using Personal Information in Violation of Laws and Regulations
  http://pip.tc260.org.cn/jbxt/privacy/detail/20190302114600934277
- Notice of issuing the Measures for the Determination of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations
  http://www.cac.gov.cn/2019-12/27/c_1578986455686625.htm

2. Important compliance issues when using the TalkingData SDK services

2.1 Self-examination compliance is needed before you use the TalkingData SDK service

Prior to downloading the TalkingData SDK, you should carefully read the SDK download compliance statement and use it to conduct a compliance self-examination of your privacy policy and of how your products collect and use personal information. You should ensure that when the APP runs for the first time, the end user is reminded in an obvious manner to read your privacy policy and the end user's legal authorization is obtained; only after that is the SDK initialized for information collection and processing.

According to the TalkingData privacy policy that you have read and agreed to, you should pay particular attention to obtaining the end user's authorization and consent in advance if you need to process personal information of APP end users through TalkingData. The service provided by TalkingData is based on your commitment that:

"(1) You have obtained sufficient and necessary authorization, consent and permission from the end user to allow us to use the APP for the purposes necessary for the performance of the service (if your APP is designed and developed for children under the age of 14, you should have taken the necessary technical measures to guarantee that you have acquired the authorization, consent and permission of their guardian);
(2) You have obtained sufficient and necessary authorization, consent and permission from the end user to allow us to use the collected data for anonymized, aggregated processing (if your APP is designed and developed for children under the age of 14, you should have taken the necessary technical measures to ensure that you have acquired the authorization, consent and permission of their guardian);
(3) You have complied with and will continue to abide by applicable laws, regulations and regulatory requirements, including but not limited to the formulation and publication of policies related to the protection of personal information and privacy;
(4) You have disclosed and explained to the end user that you allow us to de-identify and aggregate the collected data and build the TalkingData database to provide data services. You should also provide the end user with a choice mechanism that is easy to operate, explain how and when the end user can exercise their option, and specify how and when they can modify or withdraw their choice, so that the end user can choose whether to agree to the collection and use of the de-identified data derived from their personal information for commercial purposes."

2.2 The TalkingData examines your compliance

As a service provider, TalkingData has defined the security responsibilities and obligations of each party in the service agreement, privacy policy and data security and personal information protection commitment entered into with you. TalkingData's privacy policy specifies the scope and purpose of collecting the end user's information. You are required to explain your data sources to TalkingData and guarantee that these sources are legitimate. Moreover, you must inform the end user of the content, purpose and necessity of the collected data, and obtain the end user's authorization accordingly.

To ensure that you have obtained effective end user authorization and that TalkingData's receipt of the end user's personal information is legitimate, TalkingData will carry out data compliance due diligence for risk assessment before both parties enter into a cooperation agreement. This includes examining relevant documents, such as evidence or documents you provide concerning the legitimate sources of the personal information you intend to share, and the customer agreement/terms of service and privacy policy published on your official website, in order to inspect the consent, authorization and notification mechanism. In case of non-compliance, TalkingData will require you to add to or amend the content and/or notification mechanism of the customer agreement/terms of service and privacy policy.

3. Data security protection capability of the TalkingData

TalkingData not only focuses on the accumulation of technical practices and the improvement of product services, but also protects personal information and public data actively, and abides by national laws, regulations, policies and standards strictly.

3.1 Data security measures of the TalkingData

TalkingData attaches critical importance to the protection of personal information and has adopted different measures to ensure the security of personal information at each stage of the data life cycle.

1) Data collection security
TalkingData clarifies and identifies the purpose and usage of the collected data during data acquisition to meet the requirements of legality, authenticity and validity of data sources and data protection principles such as data minimization. Furthermore, TalkingData has established an internal data classification and grading system and a data quality management standard system to specify the data collection procedure and define data formats, so as to guarantee the legitimacy and consistency of data collection.

2) Data transmission security
Prior to transmission, TalkingData sets different data security levels for different kinds of data and applies different encryption methods accordingly, such as MD5 and key-based encryption. HTTPS is used for data transfer to protect the transmission channel. Data transmission messages are encrypted with the RC4 algorithm, which conforms to the national requirements. Meanwhile, the encryption keys are managed dynamically to prevent them from being lost or broken. According to the requirements for data transfer within and outside the company, TalkingData adopts appropriate encryption measures to secure transmission channels, nodes and data, preventing data leakage during transmission.

3) Data storage security
TalkingData adopts different secure storage mechanisms according to the data's encryption level, such as cleartext storage for data of low importance and encrypted storage for data of high importance, and regularly checks the integrity of core data to ensure that it is not damaged or lost while stored. Moreover, TalkingData uses a partitioned storage strategy based on the value or sensitivity of the data: for example, raw data and desensitized data are stored in different clusters, and high-value data is stored in a separate cluster. In addition, the company prevents leakage of data by people through strict control of data access rights, permission requests that match business needs, and data access audit logs that trace operation records.

4) Data processing security
After personal data enters the TalkingData statistical platform, TalkingData desensitizes it in strict accordance with the requirements of laws and regulations and business needs. The anonymous TDID is used as the primary key of entity identification to associate with business data, and the specific ID that can directly identify the entity is removed, to balance data availability and security. In addition, the company strictly controls processing rights during data analysis and processing: data processors must pass Kerberos authentication before they can proceed with data operations. Meanwhile, TalkingData adopts a multi-tenancy management system, assigns different functional accounts to different business applications, grants fine-grained access authorization to prevent unauthorized access, and establishes a security protection mechanism for data processing.

5) Data sharing security
Prior to exchanging data, the data operation team and data product team of TalkingData conduct a multi-dimensional security assessment of the qualifications, usage behavior and other aspects of third-party companies to judge whether to share data with them. When TalkingData provides data to external organizations and exchanges data with partners through cooperation, SMC, front-end processor, people package and other measures are adopted to implement the security risk control mechanism for the shared data, and logs are recorded and retained to reduce the security risk in data sharing scenarios.

6) Data destruction security
TalkingData formulates different data retention policies and data aging policies for different types of business data, and regularly migrates and cleans up data that does not conform to the retention policies, so as to destroy data effectively and prevent leakage through recovery of important data from storage media. Furthermore, TalkingData arranges for employees to physically destroy storage media periodically, and has established effective data destruction procedures and technical measures to prevent the risk of data leakage.
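Item 4 above describes the desensitization step: business data is keyed by an anonymous TDID and the ID that directly identifies the entity is removed. The following is an added example of that step and not TalkingData's own implementation; the page does not say how a TDID is derived, so the example assumes a keyed hash (HMAC-SHA256) under a key held outside the statistical platform, and the identifier field names imei, mac and android_id are assumed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not TalkingData code). Replaces directly identifying fields in an
 * event record with a pseudonymous TDID derived by HMAC-SHA256 (an assumption about
 * the derivation). Records keyed this way still join on the same device, but cannot
 * be mapped back to the device identifier without the key.
 */
public class Pseudonymizer {
    /** Assumed list of direct identifiers, in the precedence used for derivation. */
    private static final List<String> DIRECT_IDS = Arrays.asList("imei", "mac", "android_id");

    private final Mac mac;

    /** The key comes from key management, never from source code or the data cluster. */
    public Pseudonymizer(byte[] key) throws Exception {
        mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
    }

    /** Keyed hash of one direct identifier, rendered as 64 hex characters. */
    public synchronized String tdidFor(String directId) {
        byte[] tag = mac.doFinal(directId.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(tag.length * 2);
        for (byte b : tag) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /**
     * Copy of the record with every direct identifier removed and "tdid" added as the
     * primary key. The first identifier present in DIRECT_IDS order is used.
     */
    public Map<String, String> desensitize(Map<String, String> raw) {
        String source = null;
        for (String field : DIRECT_IDS) {
            if (raw.containsKey(field)) {
                source = raw.get(field);
                break;
            }
        }
        if (source == null) {
            throw new IllegalArgumentException("record carries no direct identifier to pseudonymize");
        }
        Map<String, String> out = new LinkedHashMap<>();
        out.put("tdid", tdidFor(source));
        for (Map.Entry<String, String> e : raw.entrySet()) {
            if (!DIRECT_IDS.contains(e.getKey())) {
                out.put(e.getKey(), e.getValue());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and record for demonstration only.
        byte[] key = "constructed-key-use-a-kms-managed-secret".getBytes(StandardCharsets.UTF_8);
        Pseudonymizer p = new Pseudonymizer(key);

        Map<String, String> event = new LinkedHashMap<>();
        event.put("imei", "000000000000000"); // constructed placeholder value
        event.put("brand", "ExampleBrand");
        event.put("app_package", "com.example.app");
        event.put("event", "app_start");

        Map<String, String> stored = p.desensitize(event);
        System.out.println(stored);
        // The stored record has no imei field; repeat events from the same device under the
        // same key produce the same TDID, so they still associate with each other.
        System.out.println(stored.get("tdid").equals(p.tdidFor("000000000000000")));
    }
}
```

Two design points follow from the page's own measures. The derivation is keyed because an unkeyed hash of a device identifier can be reversed by enumerating the identifier space, whereas the HMAC cannot be reversed without the key; the key therefore belongs in key management under its own access control, separate from the cluster that holds the desensitized data, which is what the partitioned storage in item 3 is for. The fixed precedence of identifiers also means a device that later reports only a MAC address would receive a different TDID; any table that reconciles such cases holds direct identifiers and so belongs on the raw-data side, not in the desensitized cluster.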

3.2 Data security protection mechanism of the TalkingData

TalkingData has established an information security protection mechanism along several dimensions to guarantee the data security of data subjects, and refines its internal management and compliance system as laws, regulations and policies change.

1) Organization and management
TalkingData has established an information security committee, which is responsible for organizing information security-related meetings and communications, coordinating the handling of information security issues and decision-making on data security throughout the data life cycle, and actively communicating and cooperating with other relevant organizations. TalkingData requires all employees to sign a data security confidentiality agreement and receive information security training before starting work. At the same time, TalkingData strictly controls access by third parties and outsourcing services through risk assessment, analyzes the security impact and develops corresponding measures.

2) Network and information asset management
TalkingData maintains a network and information asset inventory and an asset accountability system. Based on the sensitivity and importance of network and information assets, TalkingData classifies them, takes corresponding management measures, and requires each asset to be managed by a designated employee who holds the corresponding security management authority and assumes the corresponding security responsibilities.

3) Physical and environmental security
TalkingData's critical or sensitive network and information processing facilities are placed in secure areas protected by defined security boundaries. For the various security areas, different levels of security protection and access control measures are adopted to prevent illegal access and interference.

4) Operation and maintenance security
TalkingData has established a management system and operational procedures for network and information processing, and separates responsibilities as far as possible. TalkingData continually raises awareness of prevention, takes effective measures to prevent and control malicious software, maintains a strict software management system, applies security patches promptly, and assesses system security vulnerabilities regularly. In addition, TalkingData has formulated a management system and handling procedures for information storage media, with particular emphasis on removable storage media and system documents, and has defined procedures and standards to protect the security of information and media during transport.

5) Access control
Based on business and security needs, TalkingData has established access control policies that implement the principle of least privilege, clarifies users' responsibilities, strengthens management of user access control, places appropriate interfaces at the company's network boundaries, and adopts effective user and device authentication mechanisms to control user access and isolate sensitive information. Access to and use of systems are monitored, and incident logs are recorded and reviewed.

6) Development and maintenance
The development of TalkingData systems, including network infrastructure, must strictly follow the system security life cycle management procedure. Security requirements are identified before new systems are developed. During design, TalkingData adopts appropriate control measures, audit trail records and activity logs, including verification of input data, internal processing and output data. During system development and maintenance, the system development management process must be implemented strictly, including change control across the development, testing and production environments, so as to ensure the security of system hardware, software and data.

7) Security incident response and security audit
TalkingData has established a personal information security incident emergency response mechanism, organizes emergency response training and drills for staff on a regular basis, ensures that the design, operation, use and management of its network and information systems comply with national laws, policies and regulations concerning security requirements, and regularly inspects network and information system security as well as the implementation of the security policy and technical specifications.

3.3 Data security protection capability certification of the TalkingData

TalkingData's primary systems have been registered at the third level of cybersecurity classified protection, and TalkingData has passed the following system certifications or evaluations:
(1) Information Security Management System certification ISO9001;
(2) Information Security Management System certification ISO27001;
(3) Software Capability Maturity Model Integration CMMI (Level 3);
(4) The EAL1 level of SDK security certification issued by the China Information Technology Security Evaluation Center.

If you have any other problems, please contact TalkingData.