Tuya Compliance with the Australian Privacy Act
Prepared and Administered by Tuya Compliance Team
July 2024
Table of Contents
- 1. Privacy Law and Australian Privacy Principles
- 1.1. Overview of the Australian Privacy Act
- 1.2. Privacy Protection Certifications and Audits
- 1.3. Shared Responsibility Model
- 2. Tuya's Security Compliance Strategy
- 3. Customer Control Over Their Data
- 4. How Tuya Complies with the Australian Privacy Act
- 4.1. Tuya's Preparations for Privacy Act Compliance
- 4.2. How Tuya Complies with Australian Privacy Principles
- 5. Key Definitions
- 6. Conclusion
1. Privacy Law and Australian Privacy Principles
1.1. Overview of the Australian Privacy Act
The Privacy Act 1988 (Cth), referred to below as the Privacy Act, is Australia's primary legislation for protecting personal information. It regulates the collection, use, storage, and disclosure of personal information by Australian Government agencies and by private sector organizations. The Privacy Act was amended in December 2022; the amendments increased the maximum penalties for serious or repeated privacy breaches and gave the Office of the Australian Information Commissioner (OAIC) stronger enforcement and information-sharing powers.
The Privacy Act sets out 13 Australian Privacy Principles (APPs). The APPs apply to Australian Government agencies and to private sector organizations with an annual turnover of AUD 3 million or more, together with some smaller organizations that are covered regardless of turnover (for example, private health service providers). The APPs are principles-based: they aim to protect privacy without imposing rigid regulatory burdens on agencies and organizations. These principles:
- Address various stages of personal information processing, setting standards for the collection, use, disclosure, quality, and security of personal information.
- Obligate agencies and organizations bound by the Privacy Act to provide access to and correction of personal information.
The Office of the Australian Information Commissioner (OAIC) is responsible for investigating breaches of the Australian Privacy Principles (APPs). OAIC's powers include:
- Accepting enforceable undertakings.
- Seeking civil penalties for serious or repeated privacy infringements.
- Assessing the privacy performance of Australian government agencies and businesses.
For more detailed information about the Privacy Act, you can visit the official website: Privacy Act Official Website. Customers are responsible for ensuring they comply with the obligations stipulated by the Privacy Act (including the Australian Privacy Principles).
1.2. Privacy Protection Certifications and Audits
Tuya holds a number of internationally recognized security and privacy certifications, which support the security and compliance of customer deployments. These third-party audits and certifications, together with Tuya's documentation and legal commitments, help customers demonstrate Privacy Act compliance and meet industry privacy standards. View certificates and audit reports.
Certification/Attestation | Description |
---|---|
CCPA Verification Report | The California Consumer Privacy Act (CCPA) is a law protecting the personal information of California residents. Tuya has completed CCPA compliance audits. |
GDPR Verification Report | The EU General Data Protection Regulation (GDPR) aims to protect the fundamental privacy rights and personal data security of EU data subjects, comprehensively raising the standards for personal data privacy protection. Tuya has completed GDPR verification and optimized internal data security protection and compliance requirements. |
ISO/IEC 27001:2022 | An international standard for information security management systems, centered on risk management, ensuring the continuous and effective operation of the information security management system. |
ISO/IEC 27017:2015 | An international certification for information security in cloud computing, providing guidance on the implementation of security controls for cloud service providers. |
ISO/IEC 27701:2019 | An internationally authoritative certification for privacy information management systems. Tuya's achievement of this certification demonstrates its robust system for personal data protection. |
CSA STAR | CSA STAR certification, jointly launched by BSI and CSA, is an authoritative international certification for cloud security levels, aimed at addressing cloud security issues and helping cloud service providers demonstrate their service maturity. |
ISO 9001:2015 | ISO 9001 is a systematic guideline and normative framework for ensuring the quality and operation of a company's products, ensuring compliance with customer and relevant legal requirements. |
SOC 2 Type II & SOC 3 | SOC audit reports are independent audit reports issued by third parties according to the American Institute of Certified Public Accountants (AICPA) standards. They aim to examine the services provided by service organizations, enabling end-users to evaluate and address risks related to outsourced services. Tuya has passed SOC 2 audits and obtained SOC 2 and SOC 3 reports, demonstrating its key compliance control measures. |
1.3. Shared Responsibility Model
Tuya is responsible for the security management and operation of the software SDKs, Apps, modules, and cloud platform it provides, and for the data interactions between them. Tuya bears the corresponding responsibility for the security of its cloud service platform and infrastructure.
When customers use Tuya's services, they are responsible for developing, managing, and maintaining their Apps connected to Tuya Cloud or their embedded software (including using SDKs), and ensuring the security and compliance of their applications and data, including hardware and App security compliance. Customers are solely responsible for the security of their developed applications and should take appropriate security measures to protect their applications and data from unauthorized access, use, disclosure, destruction, or interference.
Tuya provides the necessary technical support and security guidance to help customers secure their applications and data and keep them compliant. However, customers remain ultimately responsible for the security and compliance of their applications and data, and Tuya assumes no liability for any resulting losses.
Customers and Tuya should cooperate to ensure the security and compliance of the services provided by Tuya. If any security vulnerabilities or compliance issues are discovered, customers and Tuya should notify each other immediately and work together to resolve the issues.
The following diagram illustrates the shared responsibility model for information security among basic cloud service providers, Tuya, and customers:
Diagram Description: The diagram depicts a shared responsibility model for IoT data security. It shows three layers: Third-Party Cloud Provider (e.g., AWS, Azure, Tencent Cloud), Tuya Cloud (covering Tuya App/OEM App, Module/SDK, SDK, and Tuya's cloud services like security operations, device control, data services, storage, etc.), and Third-Party Client (customer's end-user applications and devices). Responsibilities are divided across infrastructure, Tuya's cloud platform, and the customer's client-side, emphasizing shared accountability.
2. Tuya's Security Compliance Strategy
As a technology-driven company focused on AI+IoT, Tuya places a high priority on security and compliance from top to bottom. Tuya's security compliance strategy encompasses technical and management measures, aiming to ensure its products and services meet the security and compliance standards and requirements of various regions as much as possible.
Security Compliance Team
Tuya has a dedicated security compliance team whose members have previously worked at internet companies such as Alibaba, Ant Financial, and Baidu, and at traditional security vendors such as NSFOCUS and Venustech. This team supports Tuya Cloud's security quality assurance, security assessment, and security operations. The team also engages external privacy and security consultancies and law firms specializing in cybersecurity and privacy protection, globally and regionally, for expert advice, and works closely with Tuya's legal team to maintain precise and reliable control over the security of Tuya's products and services.
Security Risk Assessment and Management
Tuya's security team is responsible for vulnerability management: identifying, tracking, tracing, and fixing security vulnerabilities. Business code undergoes security penetration testing before it goes live, and live services are regularly black-box tested. Each year, Tuya engages third-party security firms to conduct penetration testing of its cloud services, mobile clients, hardware products, and corporate IT infrastructure. External white-hat researchers can submit vulnerabilities through Tuya SRC (https://src.tuya.com/) or a security email address, with rewards of up to USD 100,000 for high-quality, high-risk findings.
Access Control
Tuya centrally manages system, server, and data permissions for its IT systems under a zero-trust privilege management model, with access decisions based on user identity, application identity, and application function type.
Supplier Security
Service Supplier Risk Assessment
Tuya has established screening and regular evaluation mechanisms for platform software suppliers. Beyond security indicators for hardware products and security standards for software services, Tuya also examines each service provider's practices in information security assessment and privacy compliance. Information security assessments include penetration testing and an assessment of the supplier's security capabilities.
Service Supplier Monitoring
Tuya monitors service quality in real time, with a focus on third-party security management, so that it can respond quickly when anomalies occur.
Security Awareness and Training
To enhance company-wide cybersecurity awareness, Tuya Smart has published the "Tuya Smart Employee Information Security Handbook" and regularly conducts cybersecurity awareness education and privacy protection training for employees. Employees are required to continuously learn cybersecurity knowledge, understand the policies and procedures in the handbook, remember acceptable and unacceptable behaviors, realize they are responsible for their actions even without subjective intent, and commit to acting as required.
3. Customer Control Over Their Data
Data is the customer's data, not Tuya's. Tuya processes it solely under the agreements signed with the customer. Tuya gives customers the ability to control and access their data, along with security configuration capabilities that let them apply their own organization's security policies consistently. Customer data stored and managed on the Tuya platform is used only to provide the contracted services and for no other purpose. Customers retain full control over their content data while using Tuya services:
Customer decides data storage region
Tuya currently has data centers in multiple regions globally, including Europe, the Americas, and Asia. Each regional data center is physically isolated. If customers have specific regional requirements, they can choose different regions according to their needs. Tuya will not transfer customer content data to other regions without the customer's explicit consent or other legal obligations.
Customer decides data protection policies
Through the Tuya platform's security and privacy protection configurations, customers can decide for each Tuya service whether to enable multi-factor authentication, which user password policies to apply, and how long sessions last, among other settings. Customers should plan how they manage and protect personal data, prevent personal data leakage, and, in the event of an eligible data breach, promptly notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as required under the Notifiable Data Breaches scheme of the Privacy Act.
Customer decides Tuya's access to their data
Unless explicitly authorized by the customer, Tuya will not access any of the customer's data. Tuya commits not to use customer data for purposes other than those stipulated in the contract and declared in the privacy policy.
Government Access
If Tuya receives a request from a government entity for customer data, Tuya's policy is to direct the government to request the data from the customer directly. A dedicated team reviews and evaluates every request received against Tuya's policies and applicable law. Tuya commits not to provide "backdoor" access to any government agency and not to allow any government agency unlawful access to your data.
4. How Tuya Complies with the Australian Privacy Act
4.1. Tuya's Preparations for Privacy Act Compliance
Tuya's compliance and data security experts work with customers worldwide to address their questions and help them run IoT services in the cloud in line with the Privacy Act, including its 2022 amendments. These experts also review Tuya's operations and responsibilities against the requirements of the Privacy Act to ensure that Tuya's services comply with its provisions.
- Tuya strives to ensure that its products and solutions comply with the Privacy Act, allowing customers to use its services with confidence.
- Security and privacy features help customers comply with the Privacy Act and better protect and manage personal data.
- Tuya's products and capabilities continuously evolve as the regulatory landscape changes.
- Tuya makes strong data processing, privacy, and security commitments in its terms.
4.2. How Tuya Complies with Australian Privacy Principles
Tuya is committed to partnering with its customers, leveraging Tuya's compliance capabilities to help customers comply with the Australian Privacy Principles. Tuya explains its data protection features, how they meet the requirements of the APPs, and how Tuya shares compliance responsibilities with customers. Tuya also commits to not using customer data beyond providing services, thereby supporting customer compliance with the Australian Privacy Principles.
Data Protection Obligation | How Tuya Supports APP Requirements | Customer Focus |
---|---|---|
APP 1 — Open and Transparent Management of Personal Information | Tuya's Practice: For customer personal data: Tuya clearly informs customers about the purposes, methods, and scope of personal data processing through its Privacy Policy. Tuya commits to accessing or using your data only for the purposes stipulated in the contract or declared in the privacy policy to complete the products and services you have ordered. For end-user personal data: Customers are responsible for notification obligations. Tuya provides assistance by offering information from the Tuya official website or by contacting the Tuya Privacy Protection Office. | Customer Focus: a. Requires APP entities to manage personal information in an open and transparent manner. b. Entities must have a clearly expressed and up-to-date privacy policy describing how you collect, use, and share personal information. c. The privacy policy must be made available free of charge in an easily accessible manner. |
APP 2 — Anonymity and Pseudonymity | Tuya's Practice: Tuya provides a nickname feature, allowing users to enter pseudonyms that do not reveal their identity. | Customer Focus: Individuals have the right to choose not to state their identity or to use a pseudonym. |
APP 3 — Collection of Solicited Personal Information | Tuya's Practice: Tuya adheres to the principle of minimal necessary collection, gathering only data essential for functionality. For sensitive data, Tuya obtains prior consent from the data subject. For end-user data, customers ensure the reasonableness of collection and obtain consent from the data subject. | Customer Focus: a. Entities must only collect personal information if it is reasonably necessary for one or more of the entity's functions or activities. b. Sensitive information must only be collected with consent, and if it is necessary for one or more functions or activities. c. Entities must collect personal information by lawful and fair means. |
APP 4 — Dealing with Unsolicited Personal Information | Tuya's Practice: As a commissioned processor, Tuya processes customer data strictly according to data processing agreements and contractual terms. When a customer requests the deletion of specific data, Tuya carries it out promptly to help the customer comply with the APPs. | Customer Focus: When an entity receives personal information it did not solicit, it must, within a reasonable period, determine whether it could have collected that information under APP 3 had it solicited it. If so, APPs 5 to 13 apply to the information as if it had been solicited. If not, and the information is not contained in a Commonwealth record, the entity must destroy or de-identify it as soon as practicable, provided it is lawful and reasonable to do so. |
APP 5 — Notification of the Collection of Personal Information | Tuya's Practice: Tuya processes personal data according to data processing agreements and contractual terms. Tuya receives and executes customer instructions for processing personal information and does not use customer data for any other purpose. | Customer Focus: At or before the time an entity collects personal information (or, if that is not practicable, as soon as practicable afterwards), it must take reasonable steps to notify the individual of: a) The entity's identity and contact details. b) The fact and circumstances of collection, where the information was obtained from someone other than the individual or the individual may not be aware it was collected. c) Where collection is required or authorized by law or a court or tribunal order, that fact and the name of the law or order. d) The purposes for which the information is collected. e) The main consequences for the individual if all or part of the information is not collected. f) Any other entities, bodies, or persons (or types of them) to which the entity usually discloses personal information of that kind. g) That the entity's privacy policy explains how the individual can access and correct their personal information. h) That the privacy policy explains how to complain about a breach of the APPs and how the entity will handle the complaint. i) Whether the entity is likely to disclose the information to overseas recipients. j) If so, the countries in which those recipients are likely to be located, where practicable to specify. |
APP 6 — Use or Disclosure of Personal Information | Tuya's Practice: After obtaining customer consent to collect the personal data necessary for providing services, Tuya processes customer personal data solely for the purposes stipulated in the contract and declared in the privacy policy. Tuya will not use your data for any other purpose. | Customer Focus: In general, personal information may be used or disclosed only for the primary purpose for which it was collected. It may be used or disclosed for a secondary purpose without consent where that purpose is related to the primary purpose (directly related, in the case of sensitive information) and the individual would reasonably expect such use or disclosure. |
APP 7 — Direct Marketing | Tuya's Practice: Tuya does not use customer data for direct marketing. | Customer Focus: Personal information may be used for direct marketing if: a. The entity collected the personal information from the individual; and b. The individual would reasonably expect their personal information to be used for direct marketing; and c. The entity provides a simple means by which the individual can opt out of direct marketing. Sensitive information may be used for direct marketing only with the individual's consent. |
APP 8 — Cross-border Disclosure of Personal Information | Tuya's Practice: Tuya stores and processes customer data only in the data centers chosen by the customer and does not move customer data without customer consent, unless required by law. If customers choose to store data in multiple regions, that is their choice. Regardless of where data is stored and processed, customers retain control over their data. | Customer Focus: Before disclosing personal information to an overseas recipient, an entity must take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles (APPs) in relation to that information. Customers should establish an assessment process for cross-border data transfers, understand the applicable cross-border regulatory requirements, select appropriate data storage options, and transparently inform individuals about international transfers, for example in their privacy statements. Customers can choose the data center in which their data is stored. By default, data originating from Australia is stored in AWS Frankfurt nodes; customers can change this at any time. Tuya's IoT platform is designed so that customers retain effective control over their data regardless of which data center they choose. Customers should consider whether they need to tell individuals where personal information is stored or processed and obtain any consent that is required. A customer's obligations under APP 8 arise from "disclosing" personal information to an overseas recipient. OAIC guidance indicates that where an entity provides personal information to a contractor for processing on its behalf, under arrangements that keep the information within the entity's effective control, this may be a "use" rather than a "disclosure" under the Privacy Act. On that basis, a customer's use of the Tuya cloud platform, with Tuya acting as a data processor on the customer's instructions and the customer retaining effective control over the personal information it uploads, may be treated as use rather than disclosure. This does not remove the customer's obligations: the customer remains accountable for that information and must still take reasonable steps under APP 11 to protect it while it is held overseas. Customers should confirm this analysis against their own contractual terms with their legal advisers. |
APP 9 — Use or Disclosure of Government Related Identifiers | Tuya's Practice: Tuya's products and services do not collect government-related identifiers by default. | Customer Focus: An entity must not adopt a government-related identifier of an individual as its own identifier of the individual. Unless it is reasonably necessary for the entity to verify the identity of the individual for the purposes of the entity carrying out its functions or activities, an entity must not use or disclose a government-related identifier of an individual. |
APP 10 — Quality of Personal Information | Tuya's Practice: Tuya's products and services provide end-users (data subjects) with the ability to access, correct, delete, and export data. Tuya assists customers in responding to individual requests. | Customer Focus: An entity must take reasonable steps to ensure that the personal information it collects is accurate, up-to-date, complete, and relevant. Customers have full control over their data and direct contact with personal information subjects, and should ensure personal information is accurate, up-to-date, and complete. |
APP 11 — Security of Personal Information | Tuya's Practice: Tuya protects personal data across its lifecycle: a. During collection, minimal processing and strict account authentication. b. During transmission, encryption of both the transport channel and the content. c. During storage, AES-256 encryption of personal data with a unique key for each user; one-way (irreversible) algorithms for highly sensitive data; keys managed and distributed centrally through a Key Management System (KMS); and, for sensitive data such as images or videos, unique keys generated for the specific user and device. d. During use, logical isolation per individual; during display, de-identification. e. During destruction, zero-value overwriting of all personal data. Customers can learn more about these practices via the following links: • Our Security and Privacy Protection Certification Qualifications • Our Security Compliance White Paper | Customer Focus: An entity must take reasonable steps to protect the personal information it holds from misuse, interference, and loss, and from unauthorized access, modification, or disclosure. When the entity no longer needs the information for any purpose permitted under the APPs, and it is not a Commonwealth record or otherwise required by law to be retained, it must take reasonable steps to destroy or de-identify it. Customers have full control over their data and should establish personal data protection policies to safeguard it. They should configure security to match their business and personal data protection needs, such as setting appropriate access control and password policies, and should promptly delete information that is no longer needed. |
APP 12 — Access to Personal Information | Tuya's Practice: Tuya assists customers in responding to data subject requests for access and correction of their personal data. Tuya provides dedicated channels (see Tuya Privacy Policy) to receive and respond to customer requests. | Customer Focus: When an individual requests access to personal information held by an entity, the entity should provide it within a reasonable period. If access is denied due to trade secrets, privacy of others, etc., the individual should be notified in writing. |
APP 13 — Correction of Personal Information | Tuya's Practice: Tuya provides features for end-users (data subjects) to access, correct, delete, and export data. Tuya assists customers in responding to individual requests. | Customer Focus: An entity must provide individuals with a means to correct their personal information and respond to individual correction requests free of charge within a reasonable period. |
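The APP 11 row above describes per-user AES-256 keys managed through a KMS. The Go program below is an added illustration of that envelope-encryption pattern, written for this page; it is not Tuya's code and makes no claim about how Tuya's platform is implemented. It assumes AES-256-GCM as the mode (the page states only AES-256), simulates the KMS with a key-encryption key (KEK) held in process (a real KMS never releases the KEK), and uses constructed user IDs and records as sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead builds an AES-256-GCM cipher from a 32-byte key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, a wrong aad or any modified byte fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Envelope holds one KEK (standing in for a KMS-held key; simulated here) and one wrapped
// data key (DEK) per user. Plaintext DEKs exist only in memory while a record is processed.
type Envelope struct {
	kek        []byte
	wrappedDEK map[string][]byte
}

func NewEnvelope() (*Envelope, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &Envelope{kek: kek, wrappedDEK: map[string][]byte{}}, nil
}

// dek unwraps the user's DEK, creating and wrapping a fresh one on first use; userID is the
// AAD of the wrap, so one user's wrapped key cannot be replayed for another user.
func (e *Envelope) dek(userID string) ([]byte, error) {
	if wrapped, ok := e.wrappedDEK[userID]; ok {
		return open(e.kek, wrapped, []byte(userID))
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := seal(e.kek, dek, []byte(userID))
	if err != nil {
		return nil, err
	}
	e.wrappedDEK[userID] = wrapped
	return dek, nil
}

// Encrypt protects one record under userID's DEK and returns the blob to be stored.
func (e *Envelope) Encrypt(userID string, plaintext []byte) ([]byte, error) {
	dek, err := e.dek(userID)
	if err != nil {
		return nil, err
	}
	return seal(dek, plaintext, []byte(userID))
}

// Decrypt opens a stored blob with userID's DEK; another user's blob fails (different key
// and AAD), as does any blob once the user's wrapped DEK has been deleted.
func (e *Envelope) Decrypt(userID string, blob []byte) ([]byte, error) {
	if _, ok := e.wrappedDEK[userID]; !ok {
		return nil, errors.New("no data key for user")
	}
	dek, err := e.dek(userID)
	if err != nil {
		return nil, err
	}
	return open(dek, blob, []byte(userID))
}

// DeleteUser destroys the user's wrapped DEK. Whatever ciphertext copies remain in
// storage, backups or caches can no longer be decrypted (crypto-shredding).
func (e *Envelope) DeleteUser(userID string) { delete(e.wrappedDEK, userID) }
```

Two properties of the pattern are worth checking in any real deployment: a ciphertext for one user must not open under another user's key (the per-user DEK plus the user ID as AAD enforce this), and deleting the wrapped DEK must make the user's remaining ciphertext unrecoverable. Crypto-shredding of this kind is not the zero-value overwrite the page describes for the destruction phase; it is an assumption of this example that shows why per-user keys matter when copies of ciphertext may outlive the record.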
5. Key Definitions
Personal Information: Refers to a broad range of information or opinions that can identify an individual, depending on whether the individual can be identified or is reasonably identifiable in the circumstances. Personal information includes:
- Name, signature, address, phone number, or date of birth
- Sensitive Information
- Credit information
- Employee record information
- Photographs
- Internet Protocol (IP) addresses
- Biometric data from voice and facial recognition systems (which capture unique characteristics of an individual's voice or face)
- Location information from mobile devices (as it can reveal user activity patterns and habits)
Sensitive Information: The Privacy Act's definition of "sensitive information" is close to the GDPR's special categories of personal data. It covers information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record, together with health information, genetic information, biometric information used for automated biometric verification or identification, and biometric templates.
Data Controller: Unlike European law, there is no concept of "data controller" in Australia's Privacy Act. Each APP entity that obtains/receives personal information (even if it might be considered a "data processor" under GDPR) is effectively considered a data controller under Australian law and bears its own primary and separate privacy obligations under the Privacy Act/APPs.
Data Processor: As above. The Privacy Act does not distinguish a processor from a controller; an entity that holds personal information is an APP entity in its own right if the Act applies to it, and its obligations are defined by the APPs rather than by its contractual role.
6. Conclusion
Tuya is committed to providing customers with consistent, reliable, secure, and compliant IoT services, protecting the availability, confidentiality, and integrity of customer and end-user data. With data protection at its core and cloud security capabilities as its foundation, Tuya has built a comprehensive security assurance system for its cloud platform and treats information security as a key development strategy for Tuya Cloud.
To ensure that businesses operating in various regions comply with local privacy protection regulations, Tuya continuously monitors updates to relevant laws and regulations, translates new regulatory requirements into Tuya's internal policies, and optimizes internal processes to guarantee that Tuya's various activities comply with legal and regulatory requirements. Tuya continuously evolves and launches privacy protection-related services and solutions based on updated legal and regulatory requirements to help customers meet new privacy protection legal and regulatory requirements.
Adhering to privacy protection legal and regulatory requirements is a long-term and multi-faceted activity. Tuya is willing to continuously enhance its capabilities in the future to meet relevant legal and regulatory requirements and build a secure and trustworthy cloud platform for its customers.
Tuya customers need to evaluate their personal data processing practices and determine if the requirements of the Privacy Act apply to them. It is recommended to consult legal experts for guidance on the specific requirements of the Privacy Act applicable to your organization, as this document does not constitute legal advice.