Tuya Thailand PDPA Compliance Explained

Preface

This document outlines Tuya Inc.'s commitment to and compliance with Thailand's Personal Data Protection Act (PDPA). It details the measures and standards Tuya adheres to in safeguarding personal data.

1. PDPA Overview

The Personal Data Protection Act (PDPA) in Thailand, enacted with provisions effective from June 1, 2022, aims to protect personal data. Non-compliance can result in significant penalties, including fines up to 500,000 THB (approximately 13,500 USD) and imprisonment for certain offenses.

Tuya PDPA compliance is a continuous effort, ensuring adherence to the principles and requirements of the Act.

1.1. PDPA Compliance

Tuya Inc. is dedicated to meeting the requirements of the PDPA. This involves implementing robust data protection policies and practices across its operations.

1.2. International Standards and Certifications

Tuya aligns its data protection practices with globally recognized standards and frameworks to ensure comprehensive compliance and security. These include:

CCPA (California Consumer Privacy Act)
GDPR (General Data Protection Regulation)
ISO/IEC 27001:2022 (Information Security Management)
ISO/IEC 27017:2015 (Information Security for Cloud Services)
ISO/IEC 27701:2019 (Privacy Information Management)
CSA STAR (Cloud Security Alliance Security Trust Assurance and Risk)
ISO 9001:2015 (Quality Management)
SOC 2 Type II & SOC 3 (Service Organization Control)

Tuya's adherence to these standards, verified by third-party audits and certifications from bodies like BSI and CSA, demonstrates its commitment to data privacy and security. For instance, compliance with GDPR principles and CCPA requirements is integrated into its operational framework. The company's SOC 2 and SOC 3 reports, issued by AICPA-accredited firms, attest to its robust security and availability controls.

1.3. SDK and App Compliance

Tuya's Software Development Kit (SDK) and mobile applications are developed with data protection principles in mind. These components are designed to facilitate secure data handling and user privacy within the Tuya ecosystem.

2. Tuya AI+IoT Platform and Security

Tuya's AI+IoT platform provides comprehensive cloud services for smart devices. Security is a core component, integrated through various measures:

SSO (Single Sign-On): Streamlines user access securely.
OTP (One-Time Password): Enhances authentication security.
ACL (Access Control List): Manages permissions to restrict unauthorized access.
DBA (Database Access): Implements strict controls for database interactions.

Tuya's platform security is further detailed and accessible via its source code repository at https://src.tuya.com/.

The platform employs multiple layers of security, including:

1) Access Control: Robust mechanisms to manage user and device permissions.
2) Data Security: Measures to protect data integrity and confidentiality.
3) Authentication & Authorization: Secure methods for verifying identity and granting access.
4) Audit Logs: Comprehensive logging for monitoring and accountability.

3. Security Measures

Tuya implements advanced security measures to protect data throughout its lifecycle:

Encryption: Data is protected using industry-standard encryption protocols.
AES 256 Encryption: Utilizes Advanced Encryption Standard with 256-bit keys for strong data protection.
KMS (Key Management Service): Securely manages encryption keys to protect sensitive data.
Secure Data Transmission: Employs protocols like TLS/SSL to secure data in transit.
Regular Security Audits: Conducts periodic assessments to identify and address vulnerabilities.

4. PDPA Compliance in Practice

Tuya actively implements PDPA principles, including "Privacy by Design" and "Privacy by Default," into its product development and service operations. This proactive approach ensures that data protection is considered from the outset.

Key aspects of Tuya's PDPA compliance include:

Data Minimization: Collecting only necessary personal data.
Purpose Limitation: Using data only for specified, legitimate purposes.
Data Accuracy: Maintaining accurate and up-to-date personal data.
Storage Limitation: Retaining data only as long as required.
Security Safeguards: Implementing technical and organizational measures to protect data.
Data Subject Rights: Facilitating the exercise of rights by data subjects (e.g., access, correction, deletion).

Tuya processes data primarily within the AWS cloud infrastructure, which adheres to stringent security and compliance standards. Data retention policies are in place, typically retaining data for a maximum of 72 hours where applicable, in line with operational and legal requirements.

The Data Protection Officer (DPO) and relevant teams oversee compliance efforts, working closely with the Thailand Personal Data Protection Committee (PDPC) and other regulatory bodies as needed.

Tuya ensures that data processing agreements are in place with third-party service providers, including cloud hosting providers like AWS, to guarantee continued compliance and data protection.

5. IoT and PDPA

In the context of the Internet of Things (IoT), Tuya is committed to ensuring that connected devices and platforms comply with PDPA regulations. This includes transparent data collection practices, secure data storage, and providing users with control over their personal information generated by IoT devices.

Tuya's adherence to PDPA principles helps build trust and ensures responsible data management within the rapidly evolving IoT landscape.

	Tuya's Compliance with India's Digital Personal Data Protection Act (DPDPA) This white paper details Tuya Inc.'s commitment to complying with India's Digital Personal Data Protection Act (DPDPA). It outlines Tuya's security and privacy strategies, how customers maintain control over their data, and the shared responsibility model for data protection.
	Tuya Korea PIPA Compliance Statement This document outlines Tuya Inc.'s commitment to complying with South Korea's Personal Information Protection Act (PIPA), detailing its data protection measures, shared responsibility model, and customer data control rights.
	涂鸦越南个人数据保护法令(PDPD)遵从性说明指南本指南详细介绍了涂鸦科技如何遵守越南个人数据保护法令(PDPD)，包括其数据保护策略、安全合规战略以及与客户共同承担的责任模型，旨在帮助客户理解并实现合规。
	Tuya APPI Compliance White Paper A white paper detailing Tuya's compliance with Japan's Act on the Protection of Personal Information (APPI), outlining data protection measures, shared responsibility models, and customer control over data.
	Tuya Compliance with the Australian Privacy Act This document outlines Tuya's commitment to data privacy and compliance with the Australian Privacy Act 1988 (Cth). It details Tuya's security strategies, data handling practices, adherence to Australian Privacy Principles (APPs), and the shared responsibility model for ensuring data protection.
	BSI Certificate of Registration for Hangzhou Tuya Information Technology Co., Ltd. - CSA STAR Certification 2021 Official BSI Certificate of Registration confirming CSA STAR Certification 2021 for Hangzhou Tuya Information Technology Co., Ltd., covering their IoT Development Platform services.
	TUYA Strategic Priorities Assessment: PIPEDA and Quebec Law 25 Compliance Report TrustArc's findings report on TUYA's compliance with Canada's PIPEDA and Quebec Law 25, detailing privacy program assessment, identified gaps, and recommendations for data protection.
	Tuya UK GDPR Compliance Guide This document details Tuya's commitment and practices for complying with the UK General Data Protection Regulation (UK GDPR), covering data protection, security, and shared responsibilities.