Data Security Policy of Shanghai Yuanhui E-commerce Co., Ltd.


Shanghai Yuanhui E-commerce Co., Ltd. (company address: Room 1203, No. 337, Shahe Road, Jiangqiao Town, Jiading District, Shanghai, company phone: 19292429434) is a cross-border e-commerce company focusing on selling home furnishings to Canada. The company recognizes the importance of data security to its operations and to user rights. This data security policy is formulated to protect the confidentiality, integrity and availability of company and user data.


I. Scope of application


This policy applies to all employees, partners and users of the company's services, covering all data collected, stored, used, transmitted, shared and destroyed by the company during business operations, including but not limited to user personal information, transaction data, product information, company trade secrets, etc.


II. Data security management framework


The company has established a data security management team, headed by the company's senior management, whose members include the heads of information technology, legal affairs, operations and other departments. The team is responsible for coordinating data security work, formulating data security strategies, and supervising the implementation of policies.

Each department shall designate a person as a data security liaison to assist the data security management team in carrying out the department's data security work and to promptly report data security issues.

III. Data Collection Security

Data collection shall follow the principles of legality, legitimacy and necessity; only data related to the company's business and necessary to achieve the service purpose shall be collected.

When collecting data, the user shall be clearly informed of the purpose, scope, method and use of data collection, and the user's explicit consent shall be obtained, unless otherwise provided by laws and regulations.

Establish a data collection review mechanism that strictly reviews collected data to ensure its accuracy, completeness and legality, and to prevent the collection of invalid or illegal data.

IV. Data Storage Security

Use a secure storage system that meets industry standards and encrypts data, including encryption of data in transmission and encryption of stored data, to prevent unauthorized access to, tampering with or leakage of data during storage.

Back up stored data regularly; backup data should be encrypted and kept in a secure location. The backup frequency is determined by the importance and update frequency of the data, so that data can be recovered promptly if it is lost or damaged.

Strictly control access rights to data storage: authorize only necessary staff, strengthen identity authentication with multi-factor authentication and other methods, and record access logs so that access behavior can be traced.

For relevant data stored in Canada, it is necessary to ensure that the storage environment complies with local data security laws and regulations, and to take security protection measures at the same level as in China.

V. Data Use Security

Data should be used strictly for the purpose communicated at the time of collection and should not be used beyond that scope. If the purpose needs to be changed, the user's consent should be obtained again.

Establish a data use authorization mechanism to clarify the data use rights of employees in different positions. Employees can only use data within the scope of their duties and may not use data for other purposes without authorization.

Monitor the data use process, regularly check data use records, and promptly detect and handle abnormal use.

VI. Data transmission security

During data transmission, encryption technology should be used to ensure the confidentiality and integrity of the data and to prevent it from being stolen or tampered with in transit.

When exchanging data with a third party, a data security agreement should be signed to clarify the data security responsibilities and obligations of both parties and to ensure that the third party has the corresponding data security protection capabilities.

Assess and manage the security of data transmission channels, give priority to secure and reliable transmission methods, and avoid transmitting sensitive data over unsecured networks or channels.

VII. Data Sharing Security

User data shall not be shared with any third party except as required by laws and regulations or necessary to achieve business purposes.

When data sharing is necessary, the shared data shall be desensitized to remove sensitive information that can identify the user, or the user's explicit authorization shall be obtained.

Supervise and manage the use of data by third parties, and regularly check the implementation of data security measures by third parties to ensure that data is not abused.

VIII. Data Destruction Security

When data no longer needs to be stored or its storage period expires, it should be destroyed in accordance with the prescribed process to ensure that the data cannot be recovered.

Data destruction can be carried out by physical destruction (such as hard disk shredding) or logical destruction (such as data overwriting or formatting), among other methods; the appropriate destruction method should be selected according to the storage medium and the importance of the data.

The data destruction process should be recorded, including the destruction time, destruction method, participants and other information, for inspection.

IX. Emergency handling of security incidents

Establish emergency plans for data security incidents that clarify emergency handling processes, division of responsibilities and disposal measures, and organize emergency drills regularly to improve the ability to respond to data security incidents.

When a data security incident occurs (such as data leakage, loss or tampering), the emergency plan should be activated immediately, measures should be taken to prevent the situation from escalating, and timely reports should be made to the company's data security management team and relevant regulatory departments in accordance with regulations.

Investigate and analyze data security incidents, find out the cause of the incident, assess the impact of the incident, and take corrective measures to prevent similar incidents from happening again.

X. Employee security responsibilities

The company regularly conducts data security training for employees to improve their data security awareness and operational skills, and to ensure that employees understand data security policies and relevant laws and regulations.

Employees should strictly abide by this policy and the company's other data security regulations, keep their accounts and passwords safe, and must not disclose them to others without authorization or handle data in violation of regulations.

When employees discover data security issues or suspicious situations, they should immediately report to the data security management team or the data security liaison of their department.

XI. Policy Update and Supervision

This policy will be updated in a timely manner according to changes in laws and regulations, business development and technological progress. The updated policy will be published on the company's website and will take effect from the date of publication.

The data security management team is responsible for supervising and inspecting the implementation of this policy, conducting data security assessments regularly, and handling violations of this policy.

If you have any questions about this data security policy, please contact us through the company's phone number (19292429434).