Tuya Korea PIPA Compliance Statement

Prepared and Administered by Tuya Compliance Team

Foreword

This document introduces our customers to South Korea's Personal Information Protection Act (PIPA) and explains how Tuya leverages industry-leading data privacy and security features to store, process, maintain, and protect customer data. We are committed to collaborating with our customers, utilizing Tuya's compliance capabilities to help them adhere to PIPA. We explain our data protection features, how they meet PIPA requirements, and how we share compliance responsibilities with our customers. This document focuses on the personal information of customers' end-users within the Tuya platform. For personal information provided directly to Tuya as a service provider, please refer to our Privacy Statement.

This white paper is for informational purposes only. It is not legal advice and should not be treated as legal advice. As each customer's requirements vary, Tuya strongly advises customers to consult with legal experts regarding their privacy and data protection needs.

1. Overview of Korea's Personal Information Protection Act (PIPA)

South Korea's Personal Information Protection Act (PIPA) is the country's general data privacy law. It regulates the collection, use, and other processing of the personal information of data subjects (South Korean residents). PIPA took effect in September 2011. The most recent major amendments were passed in early 2023 and took effect on September 15, 2023; they strengthened data subject rights, including data portability and the right not to be subject to decisions made solely by automated processing, and introduced new requirements for cross-border transfers of personal information.

PIPA is written around the personal information controller. Unlike many other privacy laws, it does not prescribe a separate set of obligations for data processors, so a processor is generally expected to meet the same standards as a controller. The law does address the involvement of third parties in processing, and it distinguishes between "providing" personal information to a third party and "entrusting" its processing: providing is a transfer for the recipient's own benefit and business purposes, whereas entrusting is a transfer for the benefit and business purposes of the transferor, who remains responsible for the data.

The Personal Information Protection Commission (PIPC) is the regulatory body for South Korea's PIPA and is responsible for its enforcement. The PIPC has issued guidance on various topics related to PIPA.

For more PIPA information, visit its official website: PIPC.

2. Tuya Data Protection and Shared Responsibility Model

Tuya's robust security and privacy controls enable customers to use the Tuya platform with confidence, in compliance with South Korea's Personal Information Protection Act (PIPA). Furthermore, we are continuously committed to enhancing our privacy and security capabilities to assist customers in achieving compliance.

2.1. Privacy Protection Certifications and Audits

To date, Tuya has obtained numerous global and industry-specific security compliance certifications that support the security and compliance of customer deployments. These independent third-party audits and certifications help customers demonstrate PIPA compliance and meet industry privacy standards. View certificates and audit reports.

Certification / Attestation: Description

CCPA Attestation Report: The California Consumer Privacy Act (CCPA) is a law protecting the personal information of California residents. Tuya has completed a CCPA compliance audit.

GDPR Attestation Report: The EU General Data Protection Regulation (GDPR) protects the fundamental privacy rights and personal data of EU data subjects and raises the overall standard for personal data protection. Tuya has completed a GDPR attestation and refined its internal data security protection and compliance requirements accordingly.

ISO/IEC 27001:2022: The international standard for information security management systems, centered on risk management to keep the information security management system operating continuously and effectively.

ISO/IEC 27017:2015: An international certification for information security in cloud computing, providing guidance to cloud service providers on implementing security controls.

ISO/IEC 27701:2019: An international certification for privacy information management systems. Tuya's attainment of this certification demonstrates a robust system for personal data protection.

CSA STAR: An international certification for cloud security maturity, aimed at addressing cloud security issues and helping cloud service providers demonstrate the maturity of their services.

ISO 9001:2015: A framework for quality management, ensuring a company's products and operations meet customer and applicable legal requirements.

SOC 2 Type II & SOC 3: SOC audit reports are issued by independent third parties under the standards of the American Institute of Certified Public Accountants (AICPA). A SOC 2 report evaluates an organization's information systems against the trust services criteria of security, availability, processing integrity, confidentiality, and privacy.

2.2. Tuya Security Compliance Strategy

As a technology-focused company specializing in AI+IoT, Tuya places high importance on security and compliance from top to bottom. Tuya's security compliance strategy encompasses technical and management measures, aiming to ensure its products and services meet the security and compliance standards and requirements of various regions as much as possible.

Security Compliance Team: Tuya has a professional security compliance team dedicated to ensuring the security quality, security assessment, and security operations of the Tuya Cloud platform. For privacy compliance, Tuya collaborates closely with external professional privacy protection organizations, and global law firms specializing in cybersecurity and privacy protection provide professional consulting services to Tuya. The compliance team works closely with the legal team to ensure stricter protection for Tuya's products and services.

2.3. Shared Responsibility Model

Building IoT applications using the Tuya platform establishes a shared responsibility model between customers and Tuya, as both parties play crucial roles in security operations and management. Tuya is responsible for securing various components, from software SDKs, Apps, and the cloud platform to Tuya chip modules. Customers are responsible for managing their own software, hardware, and Apps (if any), and for their security and compliance. Customers should also properly safeguard their Tuya platform accounts and passwords and configure application functions and security settings reasonably according to their company's security policies.

Customers and Tuya should collaborate to ensure the security and compliance of their business operations. If any security vulnerabilities or compliance issues are discovered, customers and Tuya should notify each other immediately and work together to resolve the problems.

The respective roles of customers and Tuya in the shared responsibility model are illustrated in Figure 1:

Figure 1 - Tuya Shared Responsibility Model

Diagram Description: Figure 1 illustrates the shared responsibility model between Tuya and its customers for IoT applications. The diagram is divided into layers representing different components and responsibilities. Tuya is responsible for the lower layers, including Infrastructure (e.g., AWS, Microsoft Azure, Google Cloud, Tencent Cloud in regions like US, Europe, India, China), Tuya Cloud (covering Data Services like data storage, databases, data isolation, log services, data analysis; and Platform Services like device control, scenario linkage, AI services, operations platform), and SDKs/Modules. Customers are responsible for the upper layers, including their own Apps (Tuya App/OEM App/ODM App, Customer's App), and their embedded/hardware components. The diagram also shows shared responsibilities for security operations management, access control, and permission control.

3. Customer Data Control Rights

Data belongs to the customer, not Tuya. We process customer data solely on the basis of the agreements signed with the customer. Tuya gives customers the ability to control and access their data, and provides security configuration capabilities so that customers can apply their own organization's security policies consistently. Customer data stored and managed on the Tuya platform is used only to provide the contracted services to that customer and for no other purpose. Customers retain full control over their content data throughout their use of Tuya services.

3.1. Customer Can Decide Data Storage Region

Tuya currently operates data centers in multiple regions globally, including Europe, the Americas, and Asia. Each regional data center is physically isolated. When customers build their own Apps on the Tuya platform, they can independently choose the data storage region. Tuya will not transfer customer content data to other regions without the customer's explicit consent or other legal obligations. Through Tuya's Data Processing Agreements and Standard Contractual Clauses, European customers can conduct their global business compliantly.

Figure 2 - Tuya Global Data Centers

Diagram Description: Figure 2 depicts Tuya's global data center presence and edge acceleration nodes. The map highlights various locations where Tuya operates data centers and acceleration points. Key locations mentioned include: Europe (Amsterdam, Frankfurt), USA (Oregon, Virginia), Asia (Mumbai, Singapore, Osaka), Australia (Melbourne), Kenya (Nairobi), Mexico (Querétaro), Colombia (Bogotá), and Brazil (São Paulo). The diagram also indicates the cloud providers used for these data centers, such as Azure, AWS, Google Cloud, and Tencent Cloud.

3.2. Customer Can Decide Data Protection Policies

Through Tuya platform's security settings, customers can decide whether to enable multi-factor authentication, choose their user password policies, and customize session durations. Customers can delete or export their data at any time. Customers should consider how to manage and protect personal data security, safeguard their Tuya platform accounts and passwords, prevent personal data leakage, and notify regulatory authorities and affected data subjects promptly in case of a leakage incident, in accordance with relevant laws and regulations.

3.3. Customer Decides Who Can Access Their Data

Tuya highly values your privacy. Customers can control who accesses their data. Tuya maintains transparency regarding how customer-uploaded user data is processed on the Tuya platform, and customers can access and delete their data at any time, as well as configure their data access policies. Unless explicitly authorized by the customer, Tuya will not access any customer data. Tuya commits not to use customer data for purposes other than those specified in the contract and privacy policy.

3.4. Government Access Requests

Tuya must comply with the laws of the countries in which it operates, including South Korea. Law enforcement agencies typically direct data requests to the subject of an investigation and only rarely to the cloud platform provider that processes that subject's personal information. Tuya carefully reviews every government request to confirm that it is lawful, enforceable, and correctly scoped; requests that fail this review are rejected.

4. How Tuya Complies with Korean PIPA Requirements

We summarize PIPA's data protection requirements in the table below, along with Tuya's practices related to these requirements.

Processing Notification
PIPA requirement: Personal information controllers shall establish and publicly disclose a privacy policy. The privacy policy must be written in Korean and drafted specifically to satisfy PIPA. It must include the items PIPA requires, such as the purposes of processing, the retention period, whether personal information is provided to third parties, the procedure for destroying personal information, and whether processing is entrusted to another party.
Tuya's Practice:
Tuya commits to accessing or using your data only as agreed in the contract or stated in the privacy policy, and only to deliver the products and services you have ordered.

Selection and Consent
PIPA requirement: Before collecting personal information, personal information controllers must obtain the individual's explicit consent. Processing sensitive information requires a separate explicit consent, obtained distinctly from any other consent.
Customer responsibility: Customers have full control over their data and act as the controller. They should ensure that personal data is collected for lawful, specific, and clear purposes, inform data subjects, and obtain their consent. Customers can use the features of Tuya products and services, or their own capabilities, to implement notification, consent, and withdrawal of consent.
Tuya's Practice:
Tuya provides tiered consent mechanisms for the use of personal data:
√ active opt-in for marketing and personalized data processing;
√ each consent decision is recorded technically at the moment the user makes it;
√ consent can be withdrawn easily, through defined withdrawal paths.
Tuya applies Privacy by Design throughout product and service development and helps customers design the consent features they need. Permissions and personal data are requested only when the function that needs them is used. Where sensitive personal data is collected, separate user consent is obtained, supporting the lawfulness of the customer's processing.

Purpose Limitation
PIPA requirement: Companies must disclose specific and lawful purposes to individuals before processing personal data, and must not use the data for any purpose beyond those business activities.
Customer responsibility: Customers have full control over their end-users' personal data and decide independently whether to use Tuya services to collect and use it. They should limit collection, use, and disclosure to the declared lawful, specific, and clear purposes, and keep the actual purpose of processing consistent with what was communicated to data subjects.
Tuya's Practice:
Customers decide which services to use, how to use them, and for what purposes.
Tuya processes customer data only for the purposes specified in the contract and privacy policy, and does not use it for other products or for advertising.

Accuracy
PIPA requirement: Personal information controllers shall ensure that personal information is accurate, complete, and up to date to the extent necessary for the purposes of processing.
Tuya's Practice:
Tuya does not take part in maintaining the accuracy of customers' personal information; that remains the controller's responsibility. Tuya does ensure the integrity of the data placed in our services.

Data Transfer
PIPA requirement: Personal information controllers shall generally not transfer personal information abroad unless the data subject explicitly consents or the transfer is necessary to perform a contract concluded with the data subject. The privacy policy should contain all relevant clauses so that the data subject's consent is informed.
Customer responsibility: As controller, customers should establish a mechanism for evaluating cross-border data transfers, fully understand the applicable cross-border data regulations, choose an appropriate data storage location, and transparently inform users about international transfers, for example in their privacy statements. Personal data should not be transferred to third parties outside South Korea without first obtaining the individual's consent.
Tuya's Practice:
Currently, Korean data is stored by default in Tuya's AWS data centers in the United States. A customer serving Korean end-users with this default is therefore making a cross-border transfer and needs the consent or contractual basis that PIPA requires for it. Tuya publishes clear guidance on where its data centers are deployed and offers customers a mechanism to select a data center independently, so that customers can choose the location that keeps their data transfers compliant. Whichever Tuya data center you choose, the same security and privacy protection policies apply in full.

Data Retention
PIPA requirement: Personal information controllers shall destroy personal information without delay once the retention period has expired, the purpose of processing has been achieved, or the processing period for pseudonymized information has elapsed, so that the information is no longer needed. This does not apply where another law or regulation requires the information to be retained; in that case the retained personal information must be stored separately from other personal information.
Customer responsibility: Specify the retention period for personal data in each business process and destroy personal information immediately once the purpose has been achieved or the individual requests it.
Tuya's Practice:
Customers can delete their data on Tuya Cloud at any time. Tuya retains, returns, destroys, or deletes customer data as the contract specifies. When a customer deletes their data, Tuya commits to removing it from our systems within 7 days.

Data Breach Notification
PIPA requirement: Upon becoming aware of a breach of personal information, the controller must:
● notify the affected data subjects within 72 hours; and
● report the breach to the PIPC or the Korea Internet & Security Agency (KISA) within 72 hours if it involves:
○ the personal information of 1,000 or more data subjects;
○ sensitive information or unique identification information (such as resident registration numbers); or
○ illegal external access, such as hacking.
Customer responsibility: Customers should establish an emergency response system and process for personal data breaches, develop effective response policies, procedures, and remediation plans, and run regular training and drills. They should also keep open communication channels with their processors so that potential security incidents are received promptly.
Tuya's Practice:
Tuya maintains an "Incident and Data Breach Response Plan" for remediating breaches and notifying data controllers. Tuya commits to notifying the affected data controllers immediately upon becoming aware of an incident, so that the controller can meet its own 72-hour deadlines.

Data Processing Agreement (DPA)
PIPA requirement: Outsourcing (entrusting) personal data processing to a third-party processor requires a written agreement that includes:
● a prohibition on the processor processing personal data for any purpose other than performing the entrusted tasks;
● the technical and administrative safeguards implemented to protect the personal data; and
● the other matters relating to the secure management of personal information that PIPA prescribes.
Customer responsibility: Controllers should sign data processing agreements with their processors and give them clear written instructions.
Tuya's Practice:
As a data processor, Tuya signs a data processing agreement with each data controller (customer) before processing data and processes data strictly in accordance with that agreement.

Privacy Impact Assessment
PIPA requirement: Personal information controllers should proactively conduct a privacy impact assessment (PIA) where operating a personal information file carries a risk of personal information leakage.
Tuya's Practice:
1. When a customer requires it, Tuya assists with the PIA and provides the necessary information and support.
2. Based on the PIA results, Tuya proposes improvements to data protection measures to help the customer mitigate the risks identified in its data processing.

Data Subject Rights
PIPA requirement: PIPA grants data subjects the right to be informed, the rights to access, correct, and delete their personal information, the right to withdraw consent, and the right not to be subject to automated decision-making.
Tuya's Practice:
Tuya has established a "Personal Rights Handling Procedure for Privacy" that defines the internal process for handling the exercise of data subject rights.
Customers' own personal data: Tuya ensures customers can exercise their rights as data subjects to access and correct their personal data, and provides dedicated channels (see the Tuya Privacy Policy) to receive and respond to customer requests and feedback.
End-users' personal data: Tuya helps customers provide functionality through which end-users (the data subjects) can access, correct, delete, and export their data, and assists customers in responding to individual requests.

Data Security
PIPA requirement: Personal information controllers shall take technical, managerial, and physical measures, such as establishing an internal management plan and keeping access logs, to prevent the loss, theft, leakage, falsification, alteration, or damage of personal information.
Tuya's Practice:
Tuya protects personal data across its whole lifecycle:
1) Collection: data minimization and strict account authentication;
2) Transmission: both the transport channel and the transmitted content are encrypted;
3) Storage: personal data is encrypted with AES-256 under a unique key per user. Highly sensitive data is protected with irreversible (one-way) algorithms, and keys are centrally protected, managed, and distributed through a Key Management System (KMS);
4) Sensitive media such as images and videos are encrypted with unique keys generated for the specific user and device;
5) Use: each individual's data is logically isolated; display: data is anonymized before it is shown;
6) Destruction: all personal data is automatically overwritten with zeros.
Customers can learn more about our security practices via the following links:
• Our Security and Privacy Protection Certifications
• Our Security Compliance White Paper
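The storage and destruction steps in the Data Security entry above (a unique AES-256 key per user, keys protected and distributed by a KMS, and overwrite on destruction) map onto a well-known pattern: envelope encryption with per-user data keys, plus crypto-erase when a user's data is destroyed. The Go program below is an added illustration of that pattern written for this page; it is not Tuya's code, and the in-process KMS, the Vault key table, the user IDs and the record contents are assumptions and constructed inputs, not a description of Tuya's implementation. It uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// mustRandom draws n bytes from the OS CSPRNG; a failed read is fatal (no entropy, no service).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil { panic(err) }
	return b
}

// gcmFor builds an AES-256-GCM AEAD from a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts under key. The random nonce is prepended to the output and aad (the user ID
// here) is authenticated, so a blob cannot be moved under a different user's key.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal and fails on a wrong key, a wrong aad or any tampering.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// KMS stands in for a key management service (an assumption of this example, not a
// description of Tuya's). The master key never leaves it; callers only get data keys
// wrapped or unwrapped, and the aad ties each wrapped key to its user.
type KMS struct{ master []byte }

func NewKMS() *KMS { return &KMS{master: mustRandom(32)} }
func (k *KMS) Wrap(dataKey []byte, userID string) ([]byte, error) { return seal(k.master, dataKey, []byte(userID)) }
func (k *KMS) Unwrap(wrapped []byte, userID string) ([]byte, error) { return unseal(k.master, wrapped, []byte(userID)) }

// Vault keeps one wrapped AES-256 data key per user beside the ciphertext and
// encrypts every record of that user under that key.
type Vault struct {
	kms  *KMS
	keys map[string][]byte // userID -> wrapped data key
}

func NewVault(k *KMS) *Vault { return &Vault{kms: k, keys: map[string][]byte{}} }

// dataKey unwraps the user's key, or mints and wraps a fresh one when create is set.
func (v *Vault) dataKey(userID string, create bool) ([]byte, error) {
	if wrapped, ok := v.keys[userID]; ok { return v.kms.Unwrap(wrapped, userID) }
	if !create { return nil, errors.New("no data key for user: never created or erased") }
	dk := mustRandom(32)
	wrapped, err := v.kms.Wrap(dk, userID)
	if err != nil { return nil, err }
	v.keys[userID] = wrapped
	return dk, nil
}

func (v *Vault) Encrypt(userID string, plaintext []byte) ([]byte, error) {
	dk, err := v.dataKey(userID, true)
	if err != nil { return nil, err }
	return seal(dk, plaintext, []byte(userID))
}

func (v *Vault) Decrypt(userID string, blob []byte) ([]byte, error) {
	dk, err := v.dataKey(userID, false)
	if err != nil { return nil, err }
	return unseal(dk, blob, []byte(userID))
}

// CryptoErase is the destruction step: zero and drop the user's wrapped key, after which
// every record encrypted under it is unrecoverable even where ciphertext lingers in backups.
func (v *Vault) CryptoErase(userID string) {
	if w, ok := v.keys[userID]; ok {
		for i := range w { w[i] = 0 }
		delete(v.keys, userID)
	}
}

func main() {
	v := NewVault(NewKMS())
	ct, _ := v.Encrypt("user-1", []byte("constructed sample record")) // constructed input
	pt, _ := v.Decrypt("user-1", ct)
	v.CryptoErase("user-1")
	_, err := v.Decrypt("user-1", ct)
	fmt.Printf("round trip: %q; after erase: %v\n", pt, err)
}
```

Two points the code makes concrete. Binding the user ID as associated data means a ciphertext lifted from one user's storage cannot be opened under another user's key even by a caller who can reach the decrypt path, which is the per-user isolation the list item describes. Destroying the wrapped key makes every record encrypted under it unrecoverable wherever ciphertext copies remain, which is how a deletion commitment with a fixed deadline can hold without scrubbing every backup. A production version would rotate each user's data key long before 2^32 seals (random 96-bit GCM nonces) and would hold an unwrapped key in memory only for the duration of a single operation.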

5. Key Definitions

Personal Information Controller: A public institution, corporation, organization, or individual that processes personal information, directly or through a third party, in order to operate personal information files in the course of its activities.

Personal Information: Refers to the following information related to a living individual:

  • (a) Information that can identify a specific individual through name, resident registration number, image, etc.;
  • (b) Information that, even if it cannot identify a specific individual alone, can be easily combined with other information to identify a specific individual.

Sensitive Information: Is defined as personal data concerning an individual's ideology, beliefs, union or political party membership, political opinions, health status, sexual behavior, and other personal data that could lead to a significant invasion of privacy. It also includes genetic information, criminal records, and physical, physiological, and behavioral characteristics generated through certain technical means to identify a specific individual.

Pseudonymization: Refers to a procedure of processing personal information by partially deleting, completely or partially replacing it, such that personal information cannot identify a specific individual without supplementary information.

6. Conclusion

Tuya is committed to providing customers with consistent, reliable, secure, and regulatory-compliant IoT access services, effectively ensuring the availability, confidentiality, and integrity of customer and user data. Tuya pledges to focus on data protection as its core, build upon cloud security capabilities as its foundation, and leverage Tuya's unique IoT solutions to create industry-leading competitiveness. We are building a comprehensive cloud platform security assurance system and consistently making information security assurance one of Tuya Cloud's key development strategies.

To ensure that business operations in various regions comply with local privacy protection regulations, Tuya continuously monitors updates in relevant laws and regulations, translates new regulatory requirements into Tuya's internal policies, and optimizes internal processes to guarantee that Tuya's various activities meet legal and regulatory requirements. Tuya continuously evolves and launches privacy protection-related services and solutions based on updated legal and regulatory requirements, helping customers meet new privacy protection legal and regulatory demands.

Adhering to privacy protection laws and regulations is a long-term and multifaceted activity. Tuya is willing to continuously enhance its capabilities in the future to meet relevant legal and regulatory requirements and build a secure and trustworthy cloud platform for its customers.

Tuya customers need to evaluate their personal data processing methods and determine if PIPA requirements apply to them. We recommend consulting legal experts for guidance on the specific PIPA requirements applicable to your organization, as this document does not constitute legal advice.


Related Documents

Tuya's Compliance with India's Digital Personal Data Protection Act (DPDPA)
This white paper details Tuya Inc.'s commitment to complying with India's Digital Personal Data Protection Act (DPDPA). It outlines Tuya's security and privacy strategies, how customers maintain control over their data, and the shared responsibility model for data protection.
Tuya Thailand PDPA Compliance Explained
An overview of Tuya Inc.'s compliance with Thailand's Personal Data Protection Act (PDPA), detailing security measures, international standards, and data protection practices for its AIoT platform.
Tuya APPI Compliance White Paper
A white paper detailing Tuya's compliance with Japan's Act on the Protection of Personal Information (APPI), outlining data protection measures, shared responsibility models, and customer control over data.
Tuya Compliance with the Australian Privacy Act
This document outlines Tuya's commitment to data privacy and compliance with the Australian Privacy Act 1988 (Cth). It details Tuya's security strategies, data handling practices, adherence to the Australian Privacy Principles (APPs), and the shared responsibility model for ensuring data protection.
Tuya UK GDPR Compliance Guide
This document details Tuya's commitment and practices for complying with the UK General Data Protection Regulation (UK GDPR), covering data protection, security, and shared responsibilities.
TUYA Strategic Priorities Assessment: PIPEDA and Quebec Law 25 Compliance Report
TrustArc's findings report on TUYA's compliance with Canada's PIPEDA and Quebec Law 25, detailing the privacy program assessment, identified gaps, and recommendations for data protection.
Tuya Inc. GDPR Compliance Whitepaper
A comprehensive whitepaper from Tuya Inc. detailing its approach to General Data Protection Regulation (GDPR) compliance. It covers GDPR obligations, Tuya's role as a data controller and processor, data subject rights, international data transfers, data protection principles, and security measures.
Tuya Vietnam Personal Data Protection Decree (PDPD) Compliance Guide
This guide details how Tuya complies with Vietnam's Personal Data Protection Decree (PDPD), including its data protection strategy, security compliance strategy, and the shared responsibility model with customers, to help customers understand and achieve compliance.