Privacy and Data Security

Policy

As a global leader in building Internet communities, NetDragon highly values privacy and data security. China has established one of the strictest regulations on Internet user private information protection in the world. In March 2020, the National Information Safety Standardization Technique Committee released the national standard GB/T 35273-2020 <Information Safety Technology and Personal Information Safety Standard>. In March 2021, <Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications> were released by four governing ministry-level bodies. In May 2021, the <Civil Code> was approved by the National Congress. In June, the <Data Security Law> was approved, and the <Personal Information Protection Law> was approved in August. These laws, regulations, and national standards have set up a complete legal protection system for privacy and data security.

To ensure we strictly follow these laws and regulations, NetDragon enforces a complete set of internal policies and procedures on information security management (based on the framework in the GB/T 35273-2020 <Standard>) that cover all our relevant business lines. These policies and procedures include the following:

Full-cycle preventive measures covering data collection, transmission, storage and usage phases

Clear definition of data owners’ right

Mechanism to handle collection of complaints and response procedures

Mechanism for reporting of data breach incidences

Data protection impact assessment

Organizational measures to strengthen information security management

Regular engagement and cooperation with the regulatory bodies

Below are our Privacy and Data Security Principles:

Data Collection Phase：

Principle of Legality: No data collected from any illegal channels

Principle of Minimum Necessity: Only collect the data necessary to fulfill the application

Principle of Autonomy: Set isolated application scenarios and provide unbundled services, allowing for user’s autonomy

Principle of Authorized Consent: Fully inform users about the intent, method and range of the data collection before their authorization, and no data collection without user authorization

Data Storage and Transmission Phase：

Shortest Time Principle: The storage period is the minimum time required

De-Identification Management: Apply de-identification after the data collection, store the data separately and strengthen access and usage control

Encryption Measures: Apply national encryption standard during data storage and transmission

Data Access and Application Phase：

Principle of Access Control: Implement minimum access control strategy, internal supervision and approval process for data revision and download

Principle of Purpose Limitation: Data application must comply with the purpose stated during collection phase, any applications beyond the stated purpose need separate authorization

Principle of Publicity Restrictions: Utilize de-identification technology to exclude sensitive information in the presentation of personal data to protect privacy and security

NetDragon is committed to protecting personal data owners’ rights during all business operations. Users have explicit rights and convenient channels to inquire, revise, delete, revoke the authorization of all their personal data.

Cross-border Issues of Personal Data：

NetDragon fully complies with all relevant laws and regulations on cross border transmission of personal data to ensure our users’ privacy and personal data are safe and protected. We achieved segregated management of onshore and offshore personal data by implementing effective business structures together with the use of our technology infrastructures. Going forward, we will continue to strive to uphold the highest global standard to enhance Privacy and Data Security.

Employee Training and External Audit

Similar to business ethics polices, employee training on privacy and data security covers all relevant employees. We also require all relevant suppliers and business partners to adopt similar principles to fully protect Privacy and Data Security. NetDragon has passed ISO/IEC27001 Information Security Management System Evaluation. We also invite external audit to conduct Category Three Evaluation (please refer to GB/T 28448-2019 <Information Security Protection Evaluation Requirements> annually. In addition, our major overseas subsidiary – Promethean has acquired iKeepSafe FERPA and COPPA certification in the US.