Data Security & Compliance
数据安全与合规说明

1. Security Framework
安全体系

We maintain a structured information security framework to ensure the confidentiality, integrity, and availability of all data processed within our systems.

我们建立完善的信息安全体系，确保数据的机密性、完整性和可用性。

2. Data Collection Scope
数据收集范围

• Creator account and public profile information
• Shop, product, and operational data
• Collaboration and campaign data
• API usage logs and system activity data

• 达人账号及公开信息
• 店铺及商品运营数据
• 合作与活动数据
• API访问日志及系统数据

3. Purpose of Data Use
数据使用目的

• Creator collaboration and influencer management
• Affiliate and campaign management
• Product promotion and shop operations
• Performance analytics and reporting
• Security monitoring and fraud prevention

• 达人合作与管理
• 联盟与活动管理
• 商品推广与店铺运营
• 数据分析与报告
• 安全风控与反欺诈

4. Technical Security Measures
技术安全措施

• HTTPS/TLS encryption for all data transmission
• Role-Based Access Control (RBAC)
• Principle of Least Privilege
• Secure server infrastructure and isolation
• Firewall and intrusion protection
• System monitoring and logging mechanisms
• Regular vulnerability scanning and updates
• User permissions are reviewed at least annually to ensure continued compliance with access control policies.

• HTTPS/TLS加密传输
• 基于角色的访问控制（RBAC）
• 最小权限原则
• 安全服务器隔离环境
• 防火墙与入侵防护
• 系统日志与监控机制
• 定期漏洞扫描与更新
• 用户权限至少每年审核一次，以确保访问控制策略持续合规。

All company endpoints are protected with antivirus software and/or Host-based Intrusion Prevention Systems (HIPS), with regular automatic scans and updates to ensure endpoint security.

All vulnerability scan and penetration test reports are securely retained for review and compliance. Our organization continuously monitors, tracks, and addresses security threats as part of the Vulnerability and Threat Management Program.

公司所有终端均安装了杀毒软件和/或主机入侵防御系统（HIPS），并进行定期自动扫描和更新，以确保终端安全。

所有漏洞扫描和渗透测试报告均安全保存以供审查和合规。我们的组织持续监控、跟踪并处理安全威胁，作为漏洞与威胁管理程序的一部分。

5. Data Storage & Transmission
数据存储与传输

• Data is stored in secure server environments.
• Data in transit is encrypted using HTTPS/SSL.
• Sensitive data at rest is encrypted or anonymized.

• 数据存储在安全的服务器环境中
• 采用HTTPS/SSL加密传输机制
• 对敏感数据进行加密或脱敏处理

All sensitive data is classified according to its sensitivity level. Data at rest is encrypted using AES-128 or RSA 2048-bit or higher, and data in transit is encrypted using TLS v1.2 or higher. Encryption keys are securely managed and rotated regularly, with audits to ensure compliance.

所有敏感数据均按照敏感级别进行分类。静态存储的数据采用 AES-128 或 RSA 2048 位或更高位加密，传输中的数据使用 TLS v1.2 或更高版本加密。加密密钥安全管理并定期轮换，同时进行审计以确保合规。

6. Data Sharing
数据共享

We do not sell or distribute TikTok data. Data may only be shared when required by law, TikTok compliance, or authorized internal operations.

我们不会出售或传播数据，仅在法律要求、TikTok合规或内部授权情况下共享。

7. Data Retention & Deletion
数据保留与删除

• Data is retained only as necessary
• Deleted when no longer required
• Deleted upon user or TikTok request
• Deleted when API access is terminated

• 仅在必要期限内保留数据
• 不再需要时删除
• 用户或TikTok要求删除
• API终止后删除

8. User Rights
用户权利

• Access personal data
• Request correction
• Request deletion
• Withdraw authorization

• 访问数据
• 更正数据
• 删除数据
• 撤回授权

9. Incident Response
安全事件响应

• Establish an incident response mechanism for data security events.
• Promptly isolate and mitigate risks during incidents.
• Notify relevant users and regulatory authorities when necessary.

• 建立数据安全事件应急响应机制
• 发生事件时快速隔离与处理风险
• 必要时通知相关用户及监管机构

Our organization conducts at least one incident response exercise annually, documenting all activities and reports. Roles and responsibilities for incident management are clearly defined to ensure prompt and coordinated response.

我们的组织每年至少进行一次事件响应演习，并记录所有活动和报告。事件管理的角色和职责已明确划分，以确保快速且协调的响应。

10. Compliance
合规性

We comply with TikTok Developer Policies, TikTok Shop Open Platform rules, and applicable data protection regulations.

我们遵守TikTok开发者政策、平台规则及相关数据保护法规。

11. Regular Review & Updates
定期审查与更新

All security measures, including network isolation, firewalls, and monitoring systems, are regularly reviewed and updated to ensure continued effectiveness and compliance with TikTok security standards.

包括网络隔离、防火墙和监控系统在内的所有安全措施都会定期进行审查与更新，以确保其持续有效，并符合 TikTok 安全标准。

12. Daily Operational Security Baseline
日常运营安全基线

We enforce workplace security measures on all company devices, including password complexity requirements, automatic screen lock after 15 minutes of inactivity, multi-factor authentication (MFA) for critical systems, regular desktop clean-up, and role-based access control (RBAC). All measures are monitored and audited regularly to ensure compliance with security standards.

我们在所有公司设备上实施工作场所安全措施，包括密码复杂性要求、非活动状态下15分钟自动锁屏、关键系统多因素身份验证（MFA）、定期桌面清理以及基于角色的访问控制（RBAC）。所有措施均进行定期监控和审计，以确保遵守安全标准。