Tuya's Compliance with India's Digital Personal Data Protection Act (DPDPA)
Prepared and Administered by Tuya Compliance Team
September 2024
Preface
This document provides information to our customers regarding India's Digital Personal Data Protection Act (DPDPA), also referred to as the Act, and how Tuya leverages industry-leading data privacy and security features to store, process, maintain, and protect customer data. Tuya is committed to collaborating with customers to help them comply with the DPDPA using Tuya's compliance capabilities. This document explains our data protection features, how they meet DPDPA requirements, and how we share compliance responsibilities with our customers. The information provided herein applies to all Tuya products and services.
1. India's Digital Personal Data Protection Act
1.1. Overview of India's DPDPA
On August 11, 2023, India published the Digital Personal Data Protection Bill, 2023 (DPDPA or the Act) in the Gazette of India. This Act is India's first unified, comprehensive data protection legislation, and it will come into force upon notification by the Central Government. The DPDPA applies to the processing of digital personal data that occurs within India, regardless of whether the processing entity is located in India or abroad. The DPDPA mandates the establishment of a Data Protection Board, which is expected to perform various functions, including maintaining a register of consent managers, conducting investigations, issuing directions, and enforcement. Violations of the DPDPA can incur penalties of up to approximately $30 million USD. For more detailed information on the DPDPA, please visit the official website: DPDPA Official Website. Customers are responsible for ensuring their compliance with the obligations stipulated by the DPDPA.
1.2. Differences between GDPR and DPDPA
India's DPDPA shares some similarities with the European Union's General Data Protection Regulation (GDPR), but the two regimes also appear to differ in certain aspects. Key differences include:
Aspect | GDPR | DPDPA
---|---|---
Classification of Data Fiduciaries | GDPR does not classify data controllers (the GDPR equivalent of Data Fiduciaries under the DPDPA). | DPDPA stipulates that the Central Government may classify certain Data Fiduciaries as "Significant Data Fiduciaries," imposing additional compliance obligations, such as appointing a DPO residing in India, appointing an independent data auditor, and conducting periodic assessments.
Consent Manager | No similar provision. | Consent Managers enable data subjects to provide, manage, review, and withdraw their consent through an accessible, transparent, and actionable platform.
Cross-border Transfer | Legal channels for cross-border transfer of personal data include adequacy decisions, Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR), and user consent, unless the Central Government restricts transfers to certain countries or regions or mandates local storage. | Personal data can be transferred to third countries as long as the government does not prohibit it. The government will publish a list of jurisdictions to which personal data cannot be transferred. However, any stricter localization requirements stipulated by other Indian laws will continue to apply.
Data Processor Obligations | GDPR mandates obligations for data processors, such as implementing appropriate organizational and technical measures to assist controllers in achieving compliance. Processors can also be fined based on their degree of responsibility relative to controllers. | DPDPA does not specify processor obligations. The responsibility rests entirely with the Data Fiduciary, who must ensure the processor's compliance.
Child's Age | Under 16 is considered a child; EU member states may set the age at 13. | Under 18 is considered a child.
Data Breach Notification | When a data breach poses a risk to the rights and freedoms of data subjects, the supervisory authority must be notified. If the risk is high, affected individuals must also be notified. | Not explicitly clarified; instructions are issued by India's Computer Emergency Response Team (CERT-In).
1.3. Privacy Certification and Audit
Tuya has obtained numerous global and industry-specific security compliance certifications to ensure the security and compliance of customer deployments. Tuya's industry-leading third-party audits and certifications, documentation, and legal commitments help support DPDPA compliance and meet industry privacy standards. View Certificates and Audit Reports [link placeholder].
- CCPA Verification Report: The California Consumer Privacy Act (CCPA) is a law protecting the personal information of California residents. Tuya has completed a CCPA compliance audit.
- GDPR Verification Report: The General Data Protection Regulation (GDPR) aims to protect the fundamental privacy rights and personal data security of EU data subjects, significantly raising the standards for personal data privacy protection. Tuya has completed GDPR verification and optimized its internal data security protection and compliance requirements.
- ISO/IEC 27001:2022: An international standard for information security management systems, focusing on risk management to ensure the continuous and effective operation of the information security management system.
- ISO/IEC 27017:2015: An international certification for information security in cloud computing, providing guidance on implementing security controls for cloud service providers.
- ISO/IEC 27701:2019: An authoritative international certification for privacy information management systems. Tuya's achievement of this certification demonstrates its robust framework for personal data protection.
- CSA STAR: The CSA STAR certification, jointly launched by BSI and CSA, is an authoritative international certification for cloud security levels, aimed at addressing cloud security issues and helping cloud service providers demonstrate their service maturity.
- ISO 9001:2015: ISO 9001 is a systematic guideline and framework for ensuring the quality of a company's products and operations, ensuring compliance with customer and relevant legal requirements.
- SOC 2 Type II & SOC 3: SOC audit reports are independent audit reports issued by third parties based on the American Institute of Certified Public Accountants (AICPA) standards. They examine the services provided by service organizations to enable end-users to assess and address risks related to outsourced services. Tuya has passed SOC 2 audits and obtained SOC 2 and SOC 3 reports, demonstrating its key compliance controls.
1.4. Shared Responsibility Model
Tuya is responsible for the security management and operation of services and data interactions on its provided software SDKs, Apps, modules, and cloud platforms. Tuya also assumes responsibility for the security of its cloud service platform and infrastructure.
When customers use Tuya's services, they are responsible for developing, managing, and maintaining their Apps connected to Tuya Cloud or their hardware embedded software (including the use of SDKs). They must ensure the security and compliance of their applications and data, including the security compliance of hardware and Apps. Customers are solely responsible for the security of their developed applications and must implement appropriate security measures to protect their applications and data from unauthorized access, use, disclosure, destruction, or interference.
Tuya will provide necessary technical support and security guidance to customers to help them ensure the security and compliance of their applications and data. However, customers are ultimately responsible for the security and compliance of their applications and data, and Tuya disclaims any resulting losses or liabilities.
Customers and Tuya should collaborate to ensure the security and compliance of the services provided by Tuya. If any security vulnerabilities or compliance issues are discovered, customers and Tuya should notify each other immediately and work together to resolve the issues.
The following diagram illustrates the shared responsibility model between cloud service providers, Tuya, and customers:
Diagram: Shared Responsibility Model
The diagram depicts a layered approach to security and compliance responsibilities. At the top are the user-facing applications and SDKs: Tuya APP/OEM APP/ODM APP, Customer's App, Module/SDK, and SDK. These connect to the Tuya Cloud, which encompasses various services like Device Control, Scenario Linkage, AI Services, and an Operations Platform. Underneath these services are Tuya Cloud's Data Services, including Storage, Database, Data Isolation, Log Services, and Data Analysis. The foundational infrastructure layer includes cloud providers like AWS (US, Europe, India), Microsoft Cloud (US), and Tencent Cloud (China). Responsibilities are shared across these layers: Tuya shares responsibility with infrastructure providers. Tuya Cloud has its own responsibilities. Customers have their own responsibilities, particularly concerning their applications, data, and access control/permission management.
2. Tuya's Security Compliance Strategy
As a technology-driven company focused on AI+IoT, Tuya places paramount importance on security and compliance from top to bottom. Tuya's security compliance strategy encompasses technical and management measures designed to ensure its products and services meet the security and compliance standards and requirements of various regions as much as possible.
2.1. Security Compliance Team
Tuya has a professional security compliance team whose members have previously worked at internet companies such as Alibaba, Ant Financial, and Baidu, as well as traditional security vendors such as NSFOCUS and Venustech. This team supports the security quality assurance, security assessment, and security operations of Tuya Cloud. Additionally, for privacy security compliance, the team engages external professional privacy security consulting agencies and law firms specializing in global and regional network security and privacy protection for expert advice. The compliance team works closely with Tuya's legal team to ensure more refined and reliable control over the security and reliability of Tuya's products and services.
2.2. Security Risk Assessment and Management
Tuya's security team is responsible for vulnerability management and discovery, capable of identifying, tracking, tracing, and fixing security vulnerabilities. Before business code goes live, they conduct security penetration testing and regularly perform black-box testing on live businesses. Annually, Tuya collaborates with third-party security agencies to conduct penetration testing on cloud services, mobile clients, hardware products, and the company's IT infrastructure. Tuya encourages external white-hat hackers to submit vulnerabilities through Tuya SRC (https://src.tuya.com/) or its security email, offering rewards of up to $100,000 USD for high-quality, high-risk vulnerabilities.
2.3. Access Control
Tuya centrally manages system permissions, server permissions, and data permissions for its IT systems, implementing a zero-trust permission management model. This model provides simplified permission control based on user identity, application identity, and application function type.
- Authentication, Authorization, and Auditing: For internal system identity authentication, Tuya has implemented Single Sign-On (SSO) for all internal applications. SSO also supports One-Time Password (OTP) capabilities, which not only meet all password management requirements but also add dynamic password verification for each login.
- Access Control Lists (ACL): Tuya has a unified permission management system (ACL) for internal system access, adhering to the "principle of least privilege" and "need-to-know principle." This system provides authorization for applications, application functions, and data, with a robust approval workflow management platform.
- Application Access Control: Tuya uniformly controls permissions for various applications and inter-application calls. Access to Tuya internal application services requires a unified client component, which facilitates mutual identification of users and permission control. Application authentication is achieved through a unified authentication service.
- Database Access Control: Tuya's database permission management primarily includes application accounts and database platform accounts. Application accounts are used to provide applications with access to databases, authenticating identity by recognizing the application's server. Database platform accounts are created by DBAs and include read/write permissions for executing work orders and read-only accounts for query modules. Database platform accounts are rotated every three months.
2.4. Vendor Security
Tuya has established screening and regular evaluation mechanisms for its platform software vendors. In addition to security indicators for hardware products and security standards for software services, Tuya also thoroughly assesses the practices of various service providers in information security assessment and privacy compliance. Information security assessments include security penetration testing and vendor security capability evaluations.
Tuya monitors service quality in real-time, paying attention to third-party security management. Tuya can respond quickly in case of anomalies.
2.5. Security Awareness and Training
To enhance company-wide cybersecurity awareness, Tuya Smart publishes the "Tuya Smart Employee Information Security Handbook" and conducts regular cybersecurity awareness education and privacy protection training for employees. Employees are required to continuously learn cybersecurity knowledge, understand the policies and procedures in the handbook, remember acceptable and unacceptable behaviors, recognize accountability for their actions even without intent, and commit to acting as required.
3. Customer Control Over Their Data
Data belongs to the customer, not Tuya. Tuya processes customer data solely based on agreements signed with the customer. Tuya provides customers with the ability to control and access their data, as well as configure security settings to help customers comply with their organization's consistent security policies. Customer data stored and managed on the Tuya platform is used exclusively to provide services to customers as per contract and is not used for any other purpose. Customers retain full control over their content data throughout their use of Tuya services:
- Customer decides the storage region for content data: Tuya has deployed localized data centers in India. By default, all data for Indian users is stored in India. Tuya currently has data centers in multiple regions globally, including Europe, the Americas, and Asia. Each regional data center is physically isolated. If a customer has specific regional requirements, they can choose different regions based on their needs. Tuya will not transfer customer content data to other regions without explicit customer consent or other legal obligations.
- Customer decides the data protection policies for their content data: Through Tuya platform's security and privacy protection configurations, customers can use different Tuya services to decide whether to enable multi-factor authentication, what user password policies to use, customize session durations, and more. Customers should consider how to manage and protect personal data security, prevent personal data leakage, and in case of a leakage incident, notify regulatory authorities and affected data subjects promptly according to relevant laws and regulations.
- Customer decides whether Tuya can access their data: Unless explicitly authorized by the customer, Tuya will not access any of the customer's data. Tuya commits not to use customer data for purposes other than those stipulated in the contract and privacy policy statements.
4. How Tuya Complies with India's DPDPA Requirements
4.1. How Tuya Complies with India's DPDPA
Tuya is committed to collaborating with customers and leveraging Tuya's compliance capabilities to help customers comply with India's DPDPA. We explain our data protection features, how they meet DPDPA requirements, and how we share compliance responsibilities with customers. Tuya commits to not using customer data beyond providing services, thereby supporting customer compliance with the DPDPA.
DPDPA Requirement | Customer Focus | Tuya's Practice
---|---|---
Data Fiduciary: The Act defines "Data Fiduciary" as any person who alone or in conjunction with other persons determines the purposes and means of processing of personal data. The Act creates a class of Data Fiduciaries called "Significant Data Fiduciaries." The Government will have the power to classify participants as Significant Data Fiduciaries based on factors such as the volume and sensitivity of personal data processed, risks to the rights of data subjects, potential impact on India's sovereignty and integrity, and risks to national security and public order. | Customers play the role of Data Fiduciaries, having full control over their data and determining the purpose, scope, and method of data processing. Customers should monitor government updates to identify whether they fall into the "Significant Data Fiduciary" list. | Tuya is committed to not using customer data beyond providing services, thereby supporting customer compliance with the DPDPA.
Processing Notice: When processing data, Data Fiduciaries must inform data subjects about: the personal data and the purpose of processing, and which data is shared with which third parties; the method of withdrawing consent; and grievance redressal mechanisms and how to complain to the Board. Such notices should accompany or precede each request for consent. | Customers should disclose how personal data is collected and processed, for example by creating concise, transparent, understandable, and easily accessible privacy policies, and by notifying data subjects before collecting their data. | For customers' personal data: Tuya clearly informs customers about the purpose, method, and scope of personal data processing through its "Privacy Policy." Tuya commits to accessing or using your data only as per contractual agreements or privacy policy statements to complete the products and services you have ordered. For end-users' personal data: where processing relies on personal data that end-users provide voluntarily, the specified processing purpose should be communicated to end-users before they provide such data.
Consent and Choice: DPDPA emphasizes consent as the core legal basis for personal data processing. Other bases, such as contract or the legitimate interests of the Data Fiduciary, do not constitute a compliance basis. Valid consent must be: voluntary, informed, specific, and clear; expressed through a clear affirmative action; and revocable at any time, and limited to data necessary for specific purposes. | Customers, as Data Fiduciaries, should ensure that personal data collection is based on legitimate, specific, and clear purposes, inform data subjects, and obtain their consent. When collecting and processing children's personal data, customers should inform their parents or legal guardians and obtain explicit consent. Customers can use the features provided by Tuya products and services, or build their own capabilities, to better practice notification, choice, consent, and withdrawal of consent. | Tuya has developed multi-level, opt-in consent mechanisms for the use of personal data: opt-in mechanisms for marketing solutions and personalized data processing activities; consent is technically recorded once the customer makes a decision; users can easily withdraw consent, and the methods for withdrawing consent are defined. After obtaining customer consent for the personal data necessary to provide services, Tuya processes customer personal data only within the scope of purposes defined in contractual agreements and privacy policy statements. With "Privacy by Design" as a core principle during product and service development, Tuya helps customers design various consent features and applies for the corresponding permissions or personal data only when a feature is used, ensuring the legality and compliance of both the customer's and Tuya's business.
Purpose Limitation: Processing can only be for the purpose of collection. | Customers have full control over their end-users' personal data. They can independently decide whether to use Tuya services to collect and use their users' personal data. Customers should ensure that the purpose of personal data collection and processing is consistent with the stated purpose. | After obtaining customer consent for the personal data necessary to provide services, Tuya processes customer personal data only for the purposes defined in contractual agreements and privacy policy statements. Tuya does not use your data for any other products or for providing advertising services.
Data Transfer: Under the Act, personal data can be transferred to third countries as long as the government does not prohibit it. The government will publish a list of jurisdictions to which personal data cannot be transferred. However, any stricter localization requirements stipulated by other Indian laws will continue to apply. | As Data Fiduciaries, customers should establish cross-border data transfer assessment mechanisms, fully understand cross-border data regulatory requirements, choose appropriate data storage solutions, and transparently inform individual users about international data transfers, for example in privacy statements. | Currently, India's data is stored in AWS India by default. Tuya also provides customers with a mechanism to choose their own data centers, so customers can select the corresponding data center to ensure data transfer compliance. Regardless of the Tuya data center you choose, security and privacy protection policies are consistent and fully guaranteed. Tuya also transparently informs users about international data transfers, for example in its privacy policy.
Retention and Disposal: The Act does not specify retention periods; however, data should be deleted immediately once there is a reasonable basis to believe that the specified processing purpose is no longer valid, or the data subject withdraws consent (whichever is earlier). Additionally, the government may prescribe retention periods for different categories of Data Fiduciaries and different processing purposes. | Customers should define the retention periods for personal data in their business processing activities. After the retention period expires, personal information should be deleted, anonymized, overwritten multiple times, or destroyed. | The retention period for personal information is the shortest time required to achieve the purpose of providing products and services. Tuya will delete or anonymize user data upon customer request and will retain data according to its data retention policy. Tuya adopts the principle of minimum data retention: user personal information is retained only with explicit user consent and for purposes related to services, and shall not be used for any other purpose without user consent; data required to be retained by law, or data that the company can prove is necessary for business purposes, may be retained within the timeframe specified in a clear data retention schedule; data retained for the legitimate interests of customers or third parties may only be retained if there is a clear contractual agreement or instruction from the customer or third party, for example when providing services to customers or for other purposes; customers have the right to determine their data retention policy based on the principle of minimum data retention and to inform Tuya in a timely manner for service needs. When customers request data deletion or return, Tuya will execute according to the explicit instructions.
Data Breach Notification: Upon the occurrence of a personal data breach, the Data Fiduciary shall provide notification of the breach to the Board and to each affected data subject in the form and manner prescribed by the Government. | Customers should maintain an emergency response system and process for personal data breach incidents, conducting regular training and drills. | Tuya has formulated an "Incident and Data Breach Response Plan" to remediate data breach incidents and notify Data Fiduciaries.
Data Processing Agreement (DPA): Data Fiduciaries shall enter into a valid contract with Data Processors. | Customers should sign Data Processing Agreements with Data Processors and provide clear written instructions to processors. | Tuya, as a Data Processor, signs Data Processing Agreements with controllers (customers) before data processing and strictly adheres to the agreements when processing data.
Data Subject Rights: DPDPA grants data subjects rights such as the right to be informed, the right of access, the right to correction, the right to erasure, the right to withdraw consent, and the right to grievance redressal. | Customers, as Data Fiduciaries, should establish processes for responding to individual rights requests and publicly disclose channels (through privacy policies, etc.) for data subjects to exercise their rights to be informed, access, correction, erasure, withdrawal of consent, and grievance redressal. | Tuya has formulated the "Personal Rights Handling Procedure for Privacy," which details the internal processes for executing data subject rights. For customers' personal data: Tuya ensures customers can exercise their rights to access and correct their personal data, and provides dedicated channels (see the Tuya Privacy Policy) to receive and respond to customer requests and appeals. For end-users' personal data: Tuya helps customers provide functions for end-users (data subjects) to access, correct, delete, and export data, and assists customers in responding to individual requests.
Data Security: Data Fiduciaries shall implement reasonable security safeguards to prevent personal data breaches. | Customers, having full control over their data, should establish personal data protection policies to safeguard personal data security. They should perform security configuration based on business and personal data protection needs, such as setting appropriate access control policies and password policies. | Tuya provides comprehensive protection across the personal data lifecycle: a. During collection, it implements data minimization and strict account authentication mechanisms. b. During transmission, it uses dual encryption for both the transmission channel and the content. c. During storage, personal data is encrypted using AES 256, with a unique key for each user. Highly sensitive data is protected using irreversible algorithms, and keys are managed and distributed uniformly through a Key Management System (KMS). For sensitive data such as images or videos, Tuya generates unique keys to encrypt the data based on the specific user and device. d. During use, it implements logical isolation per individual; during display, it applies anonymization. e. During destruction, all personal data is automatically overwritten with zero values. Customers can learn more about our security practices via the following links: Our Security and Privacy Protection Certifications; Our Security Compliance White Paper.
Data Subject Obligations: The Act stipulates that data subjects shall not impersonate other data subjects, shall not file false or frivolous complaints, and shall provide verifiable, true information when exercising the rights to correction or erasure. | When acting as Data Subjects, customers should provide true and accurate identity information for data requests or complaints. When processing data requests or complaints from their end-users, customers should verify the end-users' identities. | Tuya provides self-service functions for data requests and complaints. If a user directly contacts Tuya's privacy office, Tuya will verify the user's identity information.
4.2. Tuya's Continuous Monitoring of DPDPA Developments
Considering that substantive aspects of India's DPDPA require further definition or clarification through subsequent notifications and rules by the Central Government, and will be implemented in phases, Tuya will continuously monitor the developments of India's DPDPA. This includes awaiting the Indian government's clarification on the Act's effective date, the release of the list of Significant Data Fiduciaries, the registration method for Consent Managers, and specific requirements for the Data Protection Board, among other aspects.
5. Key Definitions
- Data Fiduciary: The Act defines "Data Fiduciary" as any person who alone or in conjunction with other persons determines the purposes and means of processing of personal data.
- Data Processor: Any person who processes data on behalf of a Data Fiduciary.
- Significant Data Fiduciary: Any Data Fiduciary or class of Data Fiduciaries notified by the Government based on an assessment of relevant factors it may determine, including:
  • The volume and sensitivity of personal data processed;
  • Risks to the rights of data subjects;
  • Potential impact on India's sovereignty and integrity;
  • Risks to democratic elections;
  • National security; and
  • Public order.
- Consent Manager: A person registered with the Data Protection Board, acting as a single point of contact, enabling data subjects to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.
6. Conclusion
Tuya is committed to providing customers with consistent, reliable, secure, and compliant IoT access services, effectively ensuring the availability, confidentiality, and integrity of customer and their users' data. Tuya pledges to place data protection at its core, build upon its cloud security capabilities, leverage Tuya's unique IoT solutions to create industry-leading competitiveness, establish a robust cloud platform security assurance system, and consistently make information security assurance one of Tuya Cloud's key development strategies.
To ensure that businesses operating in various regions comply with local privacy protection regulations, Tuya continuously monitors updates in relevant laws and regulations. Tuya translates new regulatory requirements into internal policies, optimizes internal processes, and ensures that all activities conducted by Tuya meet legal and regulatory requirements. Tuya continuously develops and launches privacy protection-related services and solutions based on updated legal and regulatory requirements to help customers meet new privacy protection legal and regulatory requirements.
Adhering to privacy protection laws and regulations is a long-term and multifaceted activity. Tuya is willing to continuously enhance its capabilities in the future to meet the requirements of relevant laws and regulations and build a secure and trustworthy cloud platform for its customers.
Tuya customers need to evaluate their personal data processing methods and determine if the requirements of the DPDPA apply to them. We recommend consulting legal experts for guidance on the specific DPDPA requirements applicable to your organization, as this document does not constitute legal advice.