Tuya UK GDPR Compliance Description

Date: July 2024

Prepared and Administered by Tuya Compliance Team

Foreword

This document provides customers with information regarding the UK General Data Protection Regulation (UK GDPR) and how Tuya utilizes its industry-leading data privacy and security features to store, process, maintain, and protect customer data. Tuya is committed to collaborating with customers to help them comply with UK GDPR by leveraging Tuya's compliance capabilities. This document explains Tuya's data protection features, how they meet UK GDPR requirements, and how compliance responsibilities are shared with customers. The information presented is applicable to Tuya and all its products and services.

1. Key Definitions

Personal Data:
Information that exists in electronic form as symbols, letters, numbers, images, sounds, or similar forms, relating to a specific individual or that can help identify a specific individual. Personal data includes basic personal data and sensitive personal data.
Sensitive Personal Data:
Personal data related to an individual's privacy rights, which, if infringed, directly affects the individual's legal rights and interests, such as health status and private life recorded in medical records (excluding blood type information), information about an individual's physical attributes and biometric characteristics, and personal location data determined through location services.
Data Controller:
An organization or individual that determines the purposes and means of processing personal data.
Data Processor:
An organization or individual that processes personal data on behalf of the data controller, pursuant to a contract or agreement with the data controller.
Consent:
A clear, voluntary, and affirmative indication of permission for processing the personal data of a data subject.

2. Tuya Privacy Protection Strategy

2.1 Tuya Security Compliance Strategy

As a technology-driven company focused on AI+IoT, Tuya places paramount importance on security and compliance from top to bottom. Tuya's security compliance strategy includes technical and management measures to ensure products and services maximize compliance with security and regulatory standards and requirements in various regions.

Security Compliance Team: Tuya has a professional security compliance team whose members have previously worked at internet companies such as Alibaba, Ant Financial, and Baidu, as well as at traditional security vendors such as NSFOCUS and Venustech. They support Tuya Cloud's security quality assurance, security assessment, and security operations. Additionally, the team engages external professional privacy and security cooperation agencies and global/regional law firms specializing in cybersecurity and privacy protection for expert consulting services. The compliance team works closely with Tuya's legal team to ensure more refined and reliable control over the security and reliability of Tuya's products and services.

Security Risk Assessment and Management: Tuya's security team is responsible for vulnerability management and discovery, capable of identifying, tracking, tracing, and fixing security vulnerabilities. They conduct security penetration testing before business code goes live and perform regular black-box testing on live businesses. Annually, Tuya collaborates with third-party security agencies to conduct penetration testing on cloud services, mobile clients, hardware products, and the company's IT infrastructure. Tuya supports external white-hat hackers in submitting vulnerabilities through Tuya SRC (https://src.tuya.com/) or a security email, offering rewards of up to $100,000 USD for high-quality, high-risk vulnerabilities.

Access Control: Tuya unifies the management of system permissions, server permissions, and data permissions for IT systems, implementing a zero-trust permission management model. Access control is simplified based on user identity, application identity, and application function type.

  • Authentication, Authorization, Auditing: For internal system identity authentication, Tuya has implemented Single Sign-On (SSO) for all internal applications. SSO also supports One-Time Password (OTP) capabilities, fulfilling all password management needs and adding dynamic password verification for each login.
  • Authorization: Tuya has a unified permission management system (ACL) for internal system access permissions, adhering to the "principle of least privilege" and "need-to-know principle" to authorize applications, application functions, and data. The platform has a comprehensive approval workflow management.
  • Application Access Control: Tuya unifies permission control for various applications and inter-application calls. Access to services for Tuya's internal applications requires a unified client component, which facilitates mutual identification of user identities and permission control. Application authentication is achieved through a unified authentication service.
  • Database Access Control: Tuya's database permission management primarily includes application accounts and database platform accounts. Application accounts are accounts provided to applications for database access, authenticating identity by recognizing the application's server. Database platform accounts are specifically created by DBAs, including read/write permissions for executing work orders and read-only accounts for query modules. Database platform accounts are rotated every 3 months.

Supplier Security:

  • Service Supplier Risk Assessment: Tuya has established screening and regular assessment mechanisms for platform software suppliers. Beyond security indicators for hardware products and security standards for software services, Tuya thoroughly understands the practices of various service providers in information security assessment and privacy compliance. Information security assessments involve security penetration testing and supplier security capability assessments.
  • Supplier Monitoring: Real-time monitoring of service quality, with attention to third-party security management. Tuya can respond quickly to anomalies.

Security Awareness and Training: To enhance network security awareness for all employees, Tuya Smart has released the "Tuya Smart Employee Information Security Handbook" and conducts regular network security awareness education and privacy protection training for employees. Employees are required to continuously learn cybersecurity knowledge, understand the policies and procedures in the handbook, remember acceptable and unacceptable behaviors, and be aware that they are responsible for their actions even without malicious intent, committing to act as required.

2.2 Shared Responsibility Model

Tuya is responsible for the security management and operation of services and data interactions provided through its software SDKs, APPs, modules, and cloud platform. Tuya bears responsibility for the security of its cloud service platform and infrastructure.

When customers use Tuya's services, they are responsible for developing, managing, and maintaining their Apps or embedded software (including using SDKs) that connect to Tuya Cloud. They must ensure the security and compliance of their applications and data, including hardware and App security compliance. Customers are solely responsible for the security of their developed applications and must implement appropriate security measures to protect their applications and data from unauthorized access, use, disclosure, damage, or interference.

Tuya will provide necessary technical support and security guidance to help customers ensure the security and compliance of their applications and data. However, customers are ultimately responsible for the final security and compliance of their applications and data, and Tuya assumes no liability for any resulting losses or responsibilities.

Customers and Tuya should cooperate to ensure the security and compliance of Tuya's services. If any security vulnerabilities or compliance issues are discovered, customers and Tuya should notify each other immediately and work together to resolve them.

The following diagram illustrates the shared responsibility model for information security among cloud service providers, Tuya, and customers:

[Diagram Description: The diagram shows a layered model of shared responsibility. At the top, "Third-party Client" includes "Hardware/Embedded", "App/OEM App", "Module/SDK". Below that is "Tuya", encompassing "Tuya APP/OEM APP", "Module/SDK", and the "Tuya Cloud" which includes services like "Smart Gateway", "Device Control", "Scenario Linkage", "AI Services", "Operations Platform", "Data Services", "Storage", "Database", "Data Isolation", "Log Services", and "Data Analysis". Below Tuya is "Third-party Cloud" (e.g., Amazon Cloud, Microsoft Cloud, Tencent Cloud). At the bottom is "Infrastructure" (e.g., Amazon, Microsoft in US, Europe, India, China). Arrows indicate shared responsibilities: Tuya shares responsibility with infrastructure providers. Tuya Cloud has responsibilities such as Authentication, Access Control, and Permission Control. Customers have responsibilities related to Data Isolation, Databases, Log Services, and Data Analysis.]

2.3 Privacy Protection Certification and Audit

As of now, Tuya has obtained numerous global and industry-specific security compliance certifications, fully ensuring the security and compliance of customer deployments. Tuya's industry-leading third-party audits and certifications, documentation, and legal commitments help support UK GDPR compliance and meet industry privacy standards.

Certifications and attestations obtained by Tuya:

  • CCPA Attestation Report: The California Consumer Privacy Act (CCPA) is a law protecting the personal information of California residents. Tuya has completed CCPA compliance audits.
  • GDPR Attestation Report: The EU General Data Protection Regulation (GDPR) aims to protect the fundamental privacy rights and personal data security of EU data subjects, comprehensively raising the standards for personal data privacy protection. Tuya has completed GDPR verification and optimized internal data security protection and compliance requirements.
  • ISO/IEC 27001:2022: International standard for information security management systems, focusing on risk management to ensure the continuous effectiveness of the information security management system.
  • ISO/IEC 27017:2015: International certification for information security in cloud computing, providing guidance on security control implementation for cloud service providers.
  • ISO/IEC 27701:2019: International authoritative certification for privacy information management systems. Tuya's attainment of this certification demonstrates its robust system for personal data protection.
  • CSA STAR: CSA STAR certification, jointly launched by BSI and CSA, is an authoritative international certification for cloud security levels, aimed at addressing cloud security issues and helping cloud computing service providers demonstrate their service maturity.
  • ISO 9001:2015: ISO 9001 is a systematic guiding principle and normative framework for ensuring the quality and operation of a company's products, ensuring compliance with customer and relevant legal requirements.
  • SOC 2 Type II & SOC 3: SOC audit reports are independent audit reports issued by third parties according to the standards of the American Institute of Certified Public Accountants (AICPA). They are designed to examine the services provided by service organizations so that end-users can evaluate and address risks related to outsourced services. Tuya has passed SOC 2 audits and obtained SOC 2 and SOC 3 reports, demonstrating its key compliance control measures.

3. How Tuya Complies with UK GDPR Requirements

3.1 Overview of UK GDPR

The UK GDPR (United Kingdom General Data Protection Regulation) is the data protection regulation established by the UK after Brexit, based on the EU's GDPR (General Data Protection Regulation). This regulation aims to protect the privacy and security of personal data, ensuring legality, fairness, and transparency in data processing. UK GDPR emphasizes core data processing principles such as data minimization, accuracy, storage limitation, and confidentiality, requiring data controllers to implement appropriate technical and organizational measures to safeguard personal data.

UK GDPR applies to all companies and organizations operating within the UK, as well as those located outside the UK that process the data of UK residents. Any company providing goods or services to UK residents or monitoring their behavior must comply with this regulation. Through these provisions, UK GDPR aims to raise data protection standards, enhance public trust in data privacy, and ensure data processors bear clear responsibilities and obligations for their data processing activities.

Overall, UK GDPR not only inherits the core concepts of EU GDPR but also integrates specific UK legal requirements, forming a set of personal data protection regulations that are both universally applicable and flexible.

3.2 Tuya's Preparations for UK GDPR Compliance

Tuya's compliance and data security experts have been working with customers worldwide to address their concerns and help them prepare for running IoT services in the cloud after UK GDPR takes effect. These experts also review Tuya's operations and responsibilities according to UK GDPR requirements to ensure Tuya's services comply with UK GDPR regulations once the law is in effect.

  • ✔️ Tuya strives to ensure that its products and solutions comply with UK GDPR, allowing customers to use Tuya's services with confidence.
  • ✔️ Security and privacy features help customers comply with UK GDPR and better protect and manage personal data.
  • ✔️ As the regulatory landscape evolves, Tuya's products and capabilities also continuously develop.
  • ✔️ Tuya has made strong data processing, privacy, and security commitments in its terms.

3.3 Tuya's Role under UK GDPR

Under UK GDPR, controllers and processors must implement technical and management security measures to protect personal data from unauthorized access, accidental or unlawful destruction, loss, alteration, communication, or any other form of improper or unlawful processing.

According to UK GDPR, Tuya acts as both a Data Controller and a Data Processor.

  • Tuya as Data Controller: Tuya acts as a data controller when it collects personal data and determines the purposes and means of processing that personal data. This occurs when Tuya processes data from its direct customers (individual and corporate clients) for account management, service access, service attributes, or contact information to further support and manage Tuya products and services.
  • Tuya as Data Processor: Tuya acts as a data processor or sub-processor when customers use Tuya services to process end-users' personal data and transfer that personal data to Tuya Cloud. In this scenario, customers use the functionalities provided within Tuya services (including security configuration controls) to process and store personal data. In this case, the customer acts as the data controller, and Tuya acts as the data processor or sub-processor.

Using Tuya alone does not guarantee full compliance with UK GDPR for customers. Customers should analyze their own business practices, technical, and organizational measures to ensure compliance with UK GDPR and ultimately bear the responsibility.

Customers have full control over their content data during their use of Tuya services:

  • Customers can decide the region where their content data is stored.
  • Customers can decide their content data protection policies.

3.4 How Tuya Complies with UK GDPR Requirements

This section details how Tuya supports UK GDPR requirements, addressing customer concerns:

For each data protection obligation, the customer focus and Tuya's approach are listed separately.

Data Minimization Principle
"Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ('data minimization')"
Customer focus:
  1. Collect and process only relevant necessary information; do not collect non-essential information without user consent.
Tuya's approach:
  1. Tuya collects and processes the minimum amount of personal data necessary to achieve specific purposes. It conducts regular reviews of data processing activities to ensure the necessity of data collection and processing.

Lawfulness, Fairness, and Transparency
"Processed lawfully, fairly and in a transparent manner in relation to data subjects"
Customer focus:
  1. Notify data subjects before processing personal data and process information related to data subjects lawfully, fairly, and transparently.
  2. Disclose how personal data is collected and processed, such as by creating concise, transparent, easy-to-understand, and accessible privacy policies, and notify data subjects.
Tuya's approach:
  1. Tuya ensures all data processing activities have a lawful basis, such as data subject consent, necessity for contract performance, or fulfillment of legal obligations. Tuya demonstrates transparency to data subjects regarding how their data will be processed through privacy policies and notices.

Purpose Limitation
"Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"
Customer focus:
  1. Ensure the collection, use, or disclosure of personal data is limited to the declared, specified, and legitimate purposes.
  2. Customers should ensure that the purpose of personal data collection is consistent with what is communicated to data subjects.
Tuya's approach:
  1. After obtaining customer consent to collect personal data necessary for providing services, Tuya processes customer personal data only for the purposes specified in the contract and privacy policy, and does not use your data for any other products or for advertising services.

Storage Limitation
"Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed"
Customer focus:
  1. Personal data is retained only for the period necessary to achieve the processing purpose. Clearly define retention periods for business processing activities. After the retention period, personal information should be deleted, anonymized, securely overwritten, or destroyed.
Tuya's approach:
  1. Upon reaching the retention period, Tuya will return or delete/anonymize customer personal data as per the contract.

Data Subject Rights (Right to Information, Access, Rectification, Erasure, Objection/Opt-out, Data Portability)
Customer focus:
  1. Customers have full control over their data and should establish personal rights response processes to address data subjects' rights to information, access, rectification, erasure, withdrawal of consent, and data export.
Tuya's approach:
  1. Tuya assists customers by providing functionalities that allow data subjects to access, rectify, delete, and export their data.

Choice and Consent
"Consent must be given by a clear affirmative action..."
Customer focus:
  1. Processing personal data requires consent, unless otherwise provided by law. If consent is the legal basis, consent must be voluntary and explicitly expressed (e.g., written, verbal, checked consent box, selected consent technical settings, etc.). Silence or non-response does not constitute valid consent.
  2. When processing sensitive personal information, data subjects must be notified that such processing involves sensitive data.
  3. Data subjects can withdraw consent, and should be informed of the consequences and damages that may arise from withdrawing consent.
Tuya's approach:
  1. After obtaining customer consent to collect personal data necessary for providing services, Tuya processes customer personal data only within the scope of purposes specified in the contract and privacy policy. Tuya adheres to the "Privacy by Design" principle during product and service development, helping customers design various consent functionalities. Tuya only requests corresponding permissions or personal data when a function is used, ensuring the legality and compliance of customer and Tuya businesses.

Data Protection Policy
Customer focus:
  1. Requires data processors to provide data protection policies: ensure processors have appropriate data protection policies and regularly audit their compliance.
  2. Ensure contractual provisions: clearly stipulate in contracts that processors must comply with GDPR and list the processor's specific obligations.
Tuya's approach:
  1. Tuya has established and implemented data protection policies, ensuring all processing activities comply with UK GDPR regulations. Policies are regularly reviewed and updated to reflect the latest regulatory changes and internal company processes.
  2. Regular employee training is conducted for all relevant employees on data protection, ensuring they understand UK GDPR requirements and their application in daily work.

Data Security
"Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."
Customer focus:
  1. Customers have full control over their data and should establish personal data protection strategies to protect personal data from the outset and throughout the processing. Configure security based on business and personal data protection needs, such as setting appropriate access control policies and password policies.
  Tuya provides detailed information. Customers can learn about Tuya's security practices via the following links:
  - Our Security and Privacy Certification Qualifications
  - Our Security Compliance White Paper
Tuya's approach:
  1. Tuya provides comprehensive protection for personal data throughout its lifecycle. During the data collection phase, it implements data minimization and strict account authentication mechanisms. During transmission, it uses dual encryption for both the transmission channel and content. During storage, personal data is highly encrypted, with each user having a unique key. During display, data is anonymized. During destruction, all personal data is automatically zero-filled.

Sensitive Personal Data Processing
"Where personal data is processed, the data subject must be informed that such processing is taking place and of the purposes for which the personal data is processed."
"In the case of processing sensitive personal data, in addition to security and basic measures, the following requirements must be met: (a) a department and personnel responsible for personal data protection must be designated (and the Cyber Security and High-Tech Crime Prevention Directorate notified); (b) data subjects must be notified that sensitive personal data will be processed."
Customer focus:
  1. Customers, as data controllers, should appoint a DPO, understand the DPO's responsibilities, and make contact information public in the privacy policy.
Tuya's approach:
  1. Tuya has appointed a DPO responsible for overseeing the implementation of data protection policies and serving as the primary contact for data protection matters. The DPO's contact information is publicly available in Tuya's privacy policy.

Data Breach Notification
"Data processors shall notify the data controller without undue delay after becoming aware of a personal data breach."
"The data controller shall notify the supervisory authority without undue delay – and where possible not later than 72 hours after having become aware of the personal data breach..."
Customer focus:
  1. In the event of a data breach, notification to third-party supervisory authorities must be made within 72 hours. Internal maintenance of personal data breach incident response emergency systems and processes, along with regular training and drills, is also required.
Tuya's approach:
  1. Upon discovering a data breach, Tuya will notify the data controller immediately.

Data Disclosure
"Personal data shall not be disclosed to third parties unless the data subject has consented or the disclosure is otherwise permitted by law."
Customer focus:
  1. Ensure personal data disclosure is lawful and has obtained data subject consent.
  2. Conduct due diligence on personal data recipients, selecting recipients with sufficient protection levels for cooperation to ensure the security of disclosed personal information.
Tuya's approach:
  Tuya does not use or disclose customer personal data unless authorized by the customer or required to comply with applicable laws, regulations, or binding orders from government authorities (if any).

Data Protection Impact Assessment (DPIA)
"Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data."
Customer focus:
  When processing high-risk data, a DPIA must be performed to identify and mitigate potential risks.
Tuya's approach:
  1. When processing high-risk data, Tuya assists customers with DPIAs and provides necessary information and support.
  2. Based on DPIA results, Tuya proposes improvements to data protection measures to help customers mitigate risks in data processing.

Data Processing Agreement (DPA)
"The controller and the processor shall have a written agreement or contract for the processing of personal data."
Customer focus:
  Sign a Data Processing Agreement with the data processor, providing written instructions to the processor.
Tuya's approach:
  As a data processor, Tuya signs Data Processing Agreements with controllers (customers) before data processing and strictly adheres to the agreement for data processing.

Data Transfer Mechanism
"Where personal data is transferred to a third country or an international organisation, the transfer shall only take place if the controller and processor comply with the conditions set out in this Chapter."
Customer focus:
  1. Customers, as data controllers, should establish data cross-border transfer assessment mechanisms, fully understand cross-border data regulations, select appropriate data storage solutions, and transparently inform users about international data transfers (e.g., in privacy statements). Obtain personal consent before transferring personal data to third parties outside the UK.
Tuya's approach:
  1. User data within the UK is stored in European data centers. Tuya uses compliant mechanisms recognized by UK GDPR, such as Standard Contractual Clauses (SCCs) or ICO-approved appropriate safeguards, for data transfers to countries outside the EU.

4. Conclusion

Tuya is committed to providing customers with consistent, reliable, secure, and compliant IoT access services, effectively ensuring the availability, confidentiality, and integrity of customer and user data. Tuya pledges to place data protection at its core, build upon its cloud security capabilities, leverage Tuya's unique IoT solutions to create industry-leading competitiveness, construct a robust cloud platform security assurance system, and consistently make information security assurance one of Tuya Cloud's key development strategies.

To ensure that businesses operating in various regions comply with local privacy protection regulations, Tuya continuously monitors updates to relevant laws and regulations, translates new regulatory requirements into Tuya's internal policies, and optimizes internal processes to guarantee that Tuya's activities meet legal and regulatory requirements. Tuya continuously develops and launches privacy protection-related services and solutions based on updated legal and regulatory requirements to help customers meet new privacy protection legal and regulatory demands.

Adhering to privacy protection legal and regulatory requirements is a long-term and multifaceted activity. Tuya is willing to continuously enhance its capabilities in the future to meet relevant legal and regulatory requirements and build a secure and trustworthy cloud platform for its customers.

Tuya customers need to evaluate their personal data processing methods and determine if UK GDPR requirements apply to them. It is recommended to consult legal experts for guidance on specific UK GDPR requirements applicable to your organization, as this document does not constitute legal advice.
