
Data Protection Policy

Updated: 2021/08/01

DARAZ OPEN PLATFORM DEVELOPERS PROGRAM

DATA PROTECTION POLICY


  1. Purpose and Scope

1.1           This Daraz Open Platform Developers Program Data Protection Policy (the "LAZOP DPP") prescribes the minimum data protection and information security standards that you and Your Personnel must meet and maintain in order to protect Protected Data from unauthorised use, access, disclosure, theft, manipulation, reproduction, any security breaches or otherwise.

1.2           You shall be fully responsible for ensuring that you, Your Personnel performing any activities covered by this LAZOP DPP from time to time and your Users consent to and comply with this LAZOP DPP. Any act or omission by any of Your Personnel or your Users amounting to a breach of this LAZOP DPP shall be deemed a breach by you. In the event of any such breach, (i) Daraz may terminate your use of the Platform; and (ii) in the event that such breach constitutes a Security Breach, Daraz may require you to indemnify, defend and hold Daraz harmless from and against all liabilities, costs, damages, claims and expenses relating to such breach.

1.3           Capitalised terms used but not defined herein shall have the meaning set forth in the Terms.


  2. Definitions

"Data Centre" means any location, whether owned by you or a third party, at which data Processing or transmission functions are being provided in support of your Application.   

"Data Subject" means the person who is the subject of Personal Data.   

"Incident" means any impairment, compromise or breach of the security of any Daraz Content, including but not limited to any actual or suspected (i) misuse of Daraz Content; or (ii) unauthorised access to or attempt to access Daraz Content.

"Processing" means any operation or set of operations which is performed upon Data, whether by automatic means or not, including but not limited to collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and the terms "Process" and "Processes" shall be construed accordingly.   

"Protected Data" means Daraz Content and any Personal Data collected or transmitted through your Applications.

"Section" means a section in this LAZOP DPP.

"Security Breach" means any actual or suspected impairment, compromise or breach of security of any system (including any System used by you or Your Personnel) containing Daraz Content, for example, any (i) misuse; (ii) loss; (iii) destruction; or (iv) unauthorised access, collection, retention, storage or transfer, of Daraz Content. 

"Security Officer" has the meaning given to it under Section 4.3.

"Sub-processor" means any of Your Personnel that Processes Daraz Personal Data.

"Systems" has the meaning given to it under Section 5.1.

"Terms" means the Daraz Open Platform Developers Program Terms and Conditions. 


  3. No Access to Restricted Data

Under no circumstances shall you or any of Your Personnel access, receive, transmit, Process or store (or attempt to do any of the aforementioned) any highly sensitive or regulated information (i) that is restricted by Daraz to a limited group of persons on a need-to-know basis, and (ii) whose access or release would likely have a material adverse financial or reputational effect on Daraz, Daraz customers, or Daraz clients. Such information shall not include Payment Card Industry regulated data.


  4. Security Management

4.1           You will develop, implement, maintain and enforce a written information privacy and security program that:

(a)            aligns with industry recognised frameworks as may be designated by Daraz from time to time;

(b)            includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Daraz Content and Personal Data;

(c)            is appropriate to the nature, size and complexity of your business operations; and

(d)            complies with any Applicable Laws for the geographic region in which you do business.

4.2           You will provide details of any major change to your security program that may adversely affect the security of any Protected Data. Such details must be communicated in writing to Daraz (through the email address provided in Section 9) at least ten (10) business days before such change is implemented.

4.3           You will designate a senior employee to be responsible for overseeing and carrying out your security program and for communicating with Daraz on information security matters (the "Security Officer"). Upon Daraz's request, the Security Officer will provide Daraz with the contact information of one or more of your representatives who will be available to discuss any security concerns (e.g. a discovered vulnerability, an exposed risk, a reported concern) with Daraz and to communicate the level of risk associated with such concerns and any remediation thereof. Such representatives shall be available during normal business hours. Any changes to the contact information of the Security Officer or designated representatives must be communicated in writing to Daraz (through the email address provided in Section 9) within twenty-four (24) hours.

4.4           You shall ensure that each of Your Personnel:

(a)            consents to its compliance with this LAZOP DPP before being given access to any Daraz Content;

(b)            complies with this LAZOP DPP at all times;

(c)            is given all reasonable resources and training to comply with this LAZOP DPP; and

(d)            provides their services with promptness, diligence, due care and skill and at all times in accordance with the best industry and professional standards and practices used in well-managed establishments, agencies, or operations involving the performance of similar services.


  5. Logical Security

5.1           The logical security processes in this Section 5 apply to all systems used by you or Your Personnel to access, Process, store or maintain any Protected Data, including any third party hosted systems and any system that can connect, via any form of communication interface, to a system on which Daraz Content is stored (collectively, the "Systems").

5.2           You and Your Personnel shall at all times employ access control mechanisms that:

(a)            prevent unauthorised access to Protected Data;

(b)            limit access to Protected Data to Your Personnel on a need-to-know basis;

(c)            allow access to information and resources only to the extent allowed under the Terms; and

(d)            are capable of detecting, logging, and reporting (i) access to the System; and (ii) any Security Breach or attempt to breach security of any System.

5.3           In respect of any of Your Personnel, you shall revoke the relevant person's access to physical locations, Systems, and applications that contain or Process Protected Data within twenty-four (24) hours of the cessation of the relevance or need for such access by such person.

5.4           Each of Your Personnel must have an individual account that authenticates that individual’s access to Protected Data. You must not allow sharing of accounts.

5.5           Access controls and passwords must be configured in accordance with industry standards and best practices. 

5.6           You will review, at least once per annum, access controls for any System that contains Protected Data. The relevant access processes in respect of such System, including the process to establish and delete individual accounts should be documented in your written information privacy and security program (referred to in Section 4.1 above).  

5.7           You will require two-factor authentication for remote access to any network storing, transmitting, or containing Protected Data.

5.8           You shall do the following to ensure telecommunication and network security:

(a)            deploy appropriate firewall technology in the operation of your Applications and sites, and protect and authenticate traffic between your Systems and Daraz using industry standard cryptographic technologies;

(b)            review firewall rule sets annually to ensure that legacy rules are removed and active rules are configured correctly;

(c)            deploy intrusion detection and prevention systems in order to generate, monitor, and respond to alerts which could indicate potential compromise of the network and/or host;

(d)            deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year;

(e)            establish and maintain appropriate network segmentation to restrict network access to Systems storing Protected Data, and prohibit direct connections from public networks into any network segment storing Daraz Content.

(f)              in the event that you deploy a wireless network, you will configure and maintain the use, configuration and management of wireless networks to meet the following: 

(i)              all wireless devices shall be protected using appropriate physical controls to minimise the risk of theft, unauthorised use, or damage; 

(ii)            network access to wireless networks shall be restricted to those authorised; 

(iii)           access points shall be segmented from an internal, wired LAN using a gateway device;

(iv)           the service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value;

(v)             encryption of all wireless connections will be enabled using industry standard encryption algorithms (i.e. WPA2/WPA with 802.1X authentication and AES encryption);

(vi)           if supported, auditing features on wireless devices shall be enabled and resulting logs shall be reviewed periodically by designated staff or a wireless intrusion prevention system. Logs must be retained for ninety (90) days or longer; and

(vii)          SNMP shall be disabled if not required for network management purposes. If SNMP is required for network management purposes, SNMP will be read-only with appropriate access controls that prohibit wireless devices from requesting and retrieving information and all default community strings will be changed; and

(g)            maintain a program to detect rogue access points at least quarter-yearly to ensure that only authorised wireless access points are in place; if you have not deployed a wireless solution, you are still required to conduct this quarterly audit to ensure that user-deployed wireless access points are not in use.

5.9           All workstations and servers will run the current version of industry standard anti-virus software with the most recent updates available on each workstation or server, and virus definitions shall be updated within twenty-four (24) hours of release by the anti-virus software vendor. You will configure this equipment and have supporting policies to prohibit users from disabling anti-virus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Daraz or your computing environment.


  6. Systems Development and Maintenance

6.1           You shall maintain documentation on overall system, network, and application architecture, data flows, process flows, and security functionality for all applications that Process or store any Protected Data. You must employ documented secure programming guidelines, standards, and protocols in the development of applications that Process or store any Protected Data. You shall be responsible for verifying that all development staff have been successfully trained in secure programming techniques. Your Personnel must be trained on all current application vulnerabilities, including how to recognise these issues and how to remediate them.   

6.2           You will employ an effective, documented change management program with respect to services provided pursuant to the Terms or any of your Applications. This includes logically or physically separate environments from production for all development and testing. No Protected Data will be transmitted, stored or Processed in a non-production environment. 

6.3           You must run internal and external network vulnerability scans at least quarter-yearly and following any material change in the network configuration. Vulnerabilities identified and rated as high risk by you must be remedied within ninety (90) days of discovery.

6.4           For all internet-facing applications that collect, transmit or display Daraz Content, you agree to conduct an application security assessment review to identify common security vulnerabilities as identified by industry-recognised organisations, annually and for all major releases. The scope of the security assessment will primarily focus on application security, including, but not limited to, a penetration test of the application, as well as a code review.

6.5           For all mobile applications that collect, transmit or display Daraz Content, you agree to conduct an application security assessment review to identify and remediate industry-recognised vulnerabilities specific to mobile applications.  

6.6           You must use a qualified third party to conduct the application security assessments. You may alternatively conduct the security assessment review yourself, provided that Your Personnel performing the review are sufficiently trained, follow industry standard best practices, and the assessment process is reviewed and approved by Daraz in writing. Vulnerabilities identified and considered as high risk by you will be remedied within ninety (90) days of discovery. 

6.7           You will patch all workstations and servers with all current operating system, database and application patches deployed in your computing environment according to a schedule predicated on the criticality of the patch. You must perform appropriate steps to help ensure patches do not compromise the security of the information resources being patched. All emergency or critical rated patches must be applied as soon as possible but at no time will exceed thirty (30) days from the date of release.


  7. Email Security

If you are sending emails to your Users, appropriate email identity solutions will be utilised. If you utilise Daraz-owned domain names to send emails, you will adhere to the Daraz email security requirements, provided upon request. 


  8. Security Assessments and Audits

8.1           You shall, upon reasonable notice, allow your data processing facilities, procedures and documentation to be inspected by Daraz (or its designee) in order to ascertain compliance with Applicable Laws, this LAZOP DPP, or any agreements between you and Daraz.

8.2           You shall fully cooperate with audit requests by providing Daraz access to relevant knowledgeable personnel, physical premises, documentation, infrastructure, and application software.


  9. Incident Response and Notification Procedures

9.1           You will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. Upon discovering or otherwise becoming aware of an Incident and/or Security Breach that may put Daraz Content at risk, you shall take all reasonable measures to mitigate the harmful effects of the Incident. You shall also notify Daraz of the Security Breach as soon as practicable, but in no event later than twenty-four (24) hours after the Security Breach, at security.reporting@Daraz.com. Such notification shall include:

(a)            the identification of the Daraz Content which has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Incident;

(b)            a description of what happened, including the date of the Incident and the date of discovery of the Incident, if known;

(c)            the scope of the Incident, including a description of the type of Daraz Content  involved in the Incident;

(d)            a description of your response to the Incident, including steps you have  taken to mitigate the harm caused by the Incident; and

(e)            other information as Daraz may reasonably request.

9.2           You must ensure that affected third parties are notified of the Security Breach, at Daraz’s sole discretion, either by notifying such third parties after Daraz has reviewed and approved the language and method of notice, or by enabling Daraz to notify such third parties itself. You agree to cover the costs of any such notification, including reimbursing Daraz for any reasonable costs such as to provide credit monitoring to affected Data Subjects.

9.3           You will retain all data related to known and reported Incidents or investigations indefinitely or until Daraz notifies you that such data is no longer needed. Upon Daraz's request, you will permit Daraz or its third party auditor to review and verify relevant records, access logs and data pertaining to any Incident investigation. Upon conclusion of investigative, corrective, and remedial actions with respect to an Incident, you will prepare and deliver to Daraz a final report that describes in detail:

(a)            the extent of the Incident;

(b)            the Daraz Content disclosed, destroyed, or otherwise compromised or altered;

(c)            all supporting evidence, including, but not limited to, system, network, and application logs;

(d)            all corrective and remedial actions completed; and

(e)            all efforts taken to mitigate the risks of further Incidents. 


  10. Storage, Handling, and Disposal

10.1        You will physically or logically separate and segregate Daraz Content from your other clients’ data.  

10.2        You will utilise industry standard encryption algorithms and key strengths to encrypt:

(a)            all Protected Data that is in electronic form while in transit over all public wired networks (e.g., the internet) and all wireless networks;

(b)            passwords, using irreversible (one-way hashing) industry standard algorithms, with a randomly generated "salt" added to the input string prior to hashing so that the same password text chosen by different users yields different stored values; and

(c)            any mobile devices used outside of a Data Centre (e.g., laptop, desktop, tablet) to perform any services pursuant to the Terms or any of your Applications.

10.3        To the extent you are operating a Data Centre or utilising a third party Data Centre, you will comply with physical security controls outlined in one or more of the following industry standards: ISO 27001, SSAE 16 or ISAE 3402, or PCI-DSS.

10.4        Except where prohibited by the Applicable Laws, upon the earlier of (i) the termination of the Terms; (ii) the cessation of the need of any Protected Data for the purposes of the Terms; or (iii) at any time upon written request from Daraz, you will: 

(a)            promptly remove the Protected Data from your environment and destroy it within a reasonable timeframe, but in no case longer than thirty (30) days thereafter, 

(b)            sanitise or destroy, as required in Section 10.5, all media used to store Protected Data, and

(c)            provide Daraz a written certification regarding such removal, destruction, and/or cleaning upon request.

10.5        You will dispose of the relevant Protected Data when it is deemed no longer necessary to continue being preserved, or has exceeded industry best practices for the time/duration/age of the Protected Data. Protected Data should be disposed of in a method that prevents any recovery of the data in accordance with industry best practices for shredding of physical documents and wiping of electronic media. You will destroy any equipment containing Protected Data that is damaged or non-functional. All Protected Data must be rendered unreadable and unrecoverable regardless of the form (physical or electronic).  


  11. Ownership and Use

11.1        You acknowledge and agree that you have no ownership of, or right to use, Daraz Content other than as expressly permitted under the Terms or as authorised by Daraz in writing. For the avoidance of doubt, you have no right to copy, use, reproduce, display, perform, modify or transfer Daraz Content or any derivative works thereof, except as expressly provided in the Terms or as expressly authorised by Daraz in writing.

11.2        You acknowledge and agree that you will not use (or permit any third party to use) the Daraz Content for any purpose other than as expressly provided in the Terms.  


  12. Payment Card Industry Compliance

12.1        This Section 12 applies whenever you transmit, Process, handle, access, maintain, or store credit card holder’s information in the course of providing services pursuant to the Terms or any of your Applications.

12.2        You shall comply with, and have a program to ensure that you continue to comply with, or enter into an agreement with a third party provider of payment processing services that requires compliance with, the Payment Card Industry Data Security Standard ("PCI-DSS") published by the PCI Security Standards Council. You must, if requested, provide audit evidence to show such compliance with the PCI-DSS prior to access to the relevant Daraz API(s).

12.3        You must comply with this Section 12 at all times. This requirement will survive the termination of the Terms until you return, destroy, or cause the destruction of any and all credit card holder's information in your possession, custody, or control.

12.4        You will provide Daraz with evidence of full compliance with the PCI-DSS upon request.


  13. Effective Period

Your obligations and Daraz’s rights under this LAZOP DPP shall become effective on the Effective Date of the Terms, and will continue in effect until the termination of the Terms and for any period thereafter during which you and Your Personnel have possession of or access to any Protected Data.


  14. Processing of Personal Data

14.1        You shall Process Personal Data in accordance with Applicable Laws, and at all times maintain, and ensure compliance with, privacy policies which meet the minimum standards under the Applicable Laws.

14.2        Prior to sharing any Personal Data with Daraz, you shall ensure that Data Subjects are appropriately notified of and have consented to Daraz's privacy practices. You warrant that you have a legitimate basis and adequate title to collect and share Personal Data with Daraz.

14.3        The following provisions shall apply to the Processing of Personal Data which was obtained or derived from any Daraz Content:

(a)            In relation to such Personal Data, as between you and Daraz, you are a data intermediary and shall Process the Personal Data on behalf of Daraz in accordance with this LAZOP DPP.

(b)            You shall Process Personal Data only to the extent, and in such manner, as is required to develop, operate and maintain your Applications in accordance with the Terms and Daraz’s written instructions. If you reasonably believe that there is a conflict amongst Applicable Laws or that Daraz’s instructions conflict with any Applicable Laws, you will inform Daraz immediately and cooperate in good faith to resolve the conflict and (if the conflict is with Daraz's instruction) achieve the goals of such instruction.

(c)            You are authorised to use Sub-processors, provided that you (i) enter into an agreement with the Sub-processor imposing data protection obligations on the Sub-processor that are at least as restrictive as the obligations under this LAZOP DPP, (ii) undertake to provide a copy of the aforesaid agreement to Daraz promptly upon request, and (iii) shall remain liable for any act or omission of any Sub-processor that does not comply with the requirements of this LAZOP DPP.

(d)            You shall not cause or permit any Personal Data to be transferred across borders in breach of Applicable Laws. Cross-border transfers of Personal Data subject to legal restrictions by Applicable Laws shall require Daraz’s prior written consent. For the avoidance of doubt, this transfer restriction does not pertain to Daraz personnel access to Personal Data. 

(e)            To the extent legally permitted, you shall immediately notify Daraz in writing upon receipt of an order, demand, or document purporting to request, demand or compel the production of Personal Data to any third party. You shall not disclose Personal Data to the third party without providing Daraz at least forty-eight (48) hours’ notice, so that Daraz may, at its own expense, exercise such rights as it may have under Applicable Laws to prevent or limit such disclosure. Notwithstanding the foregoing, you will exercise commercially reasonable efforts to prevent and limit any such disclosure and to otherwise preserve the confidentiality of Personal Data; additionally, you will cooperate with Daraz with respect to any action taken pursuant to such order, demand, or other document request, including to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded to Personal Data. 
