Privacy Policy

**Scope of Application:** This policy applies to all company employees, business partners, all information systems, cloud service resources, and all business processes involving the handling of data related to users and merchants within the United States region.

**Purpose:** To safeguard the security of the Company’s information assets; to standardize the management of data throughout its entire lifecycle; to ensure compliance with the U.S. *California Consumer Privacy Act* (CCPA), the *California Privacy Rights Act* (CPRA), and the data security regulations of various U.S. online platforms; to prevent security incidents such as data leakage, tampering, and loss; and to protect the legitimate rights and interests of users and merchants.

**Chapter 1: General Provisions**

**1.1 Core Principles**

Adhere to the principles of legality and compliance, data minimization (collecting only what is strictly necessary), clear allocation of rights and responsibilities, proactive prevention, and continuous improvement. Implement a tiered and categorized protection scheme for information assets and data to ensure that all processing activities comply with local U.S. data regulations and platform-specific requirements.

**1.2 Applicable Subjects**

This policy applies to all Company employees, outsourced personnel, business partners, and vendors, as well as any individuals or systems that access, process, store, or transmit the Company’s information assets and data.

**1.3 Compliance Basis**

*   Relevant U.S. federal and California data privacy laws and regulations (CCPA, CPRA).

*   Agreements governing U.S. websites and store open platforms, and U.S. Data Security (USDS) audit requirements.

*   General standards and specifications related to information security management.

**Chapter 2: Organization and Security Responsibilities**

**2.1 Security Management Organization**

An Information Security Leadership Group shall be established, led by a principal executive of the Company. Reporting to this group shall be an Information Security Officer (also serving as the Data Protection Officer), who is responsible for coordinating and overseeing all Company-wide information security and data privacy management initiatives.

**2.2 Core Responsibilities**

  1. **Information Security Officer:** Lead the formulation and updating of security policies; oversee the implementation of these policies; serve as the primary liaison for platform compliance audits; handle data security incidents; and organize security training and audits.
  2. **Technical Department:** Responsible for the implementation and operational maintenance of technical measures, including system security, network security, data encryption, log auditing, vulnerability remediation, and data backup and recovery.
  3. **Business Departments:** Responsible for ensuring the compliant use of data within their respective business processes; ensuring that only the minimum necessary data is collected and used; and cooperating with security inspections and incident response efforts.
  4. **All Personnel:** Strictly adhere to this policy; sign confidentiality agreements; promptly report any discovered security risks or vulnerabilities; and refrain from engaging in unauthorized operations or causing data leakage.

Chapter 3: Data Classification, Grading, and Full Lifecycle Management

3.1 Data Classification and Grading

Based on business and compliance requirements, data is categorized into four levels. Specifically, U.S. data is classified under the “Sensitive Data” or “Highly Sensitive Data” levels and is subject to the highest level of protection.

  1. Public Data: Non-core information that may be publicly disclosed and poses no risk of leakage.
  2. Internal Data: Information regarding internal company operations, accessible only to internal personnel.
  3. Sensitive Data: Data related to orders, including merchant store information, anonymized order data, logistics information, after-sales service information, anonymized user personal information, etc.
  4. Highly Sensitive Data: Information that can directly identify an individual, sensitive payment-related information, core platform API keys, etc.

3.2 Data Collection

We collect only the data necessary to fulfill business functions, adhering to the principle of “minimum necessity.” We do not collect information unrelated to business operations, nor do we collect non-essential data such as biometric information, precise location data, or social relationship data. U.S. data is acquired exclusively through official open APIs and is not collected through other channels in violation of regulations.

3.3 Data Storage

  1. All U.S. data is stored entirely on compliant cloud servers located within the United States (AWS U.S. regions) and is not stored on servers located outside the United States.
  2. Sensitive Data and Highly Sensitive Data are stored using AES-256 encryption; encryption keys are managed by designated personnel and rotated periodically.
  3. Adhering to the principle of “minimum retention,” data is either anonymized or permanently deleted once the relevant business process is completed and the applicable regulatory retention period has expired. Records of such data destruction are maintained.

3.4 Data Transmission

  1. All data transmissions—including API communications, data synchronization, and file transfers—utilize TLS 1.3 or higher encryption protocols. The transmission of Sensitive Data in plaintext is strictly prohibited.
  2. Core TikTok USDS data is transmitted exclusively within the geographical boundaries of the United States and is not transmitted across borders in violation of regulations. In instances where cross-border transmission is deemed absolutely necessary, only anonymized, de-identified, and aggregated data is transmitted, in full compliance with relevant regulatory requirements in both the U.S. and China.

3.5 Data Usage and Sharing

  1. Data is utilized solely for authorized business scenarios—including order management, after-sales processing, system operations and maintenance, feature optimization, and platform compliance audits. It is not used for unauthorized purposes such as targeted advertising, user profiling, or commercial marketing. Furthermore, we do not sell, rent, or exchange any data.
  2. If data sharing with third parties is deemed necessary, only the minimum required data shall be shared with compliant partners (e.g., cloud service providers, compliant technology service providers) who have signed a **Data Processing Agreement (DPA)**. Furthermore, such partners shall be monitored to ensure they implement equivalent security protection measures.

3.6 Data Destruction

Data that is no longer required shall be thoroughly destroyed using methods such as formatting or data erasure to ensure it is irrecoverable. The entire destruction process shall be fully documented and archived.

Chapter 4: Identity Authentication and Access Control

4.1 Identity Management

All personnel accessing information systems and data must utilize individual accounts; the sharing or lending of accounts is strictly prohibited. Access to core systems and critical data requires the mandatory enablement of Multi-Factor Authentication (MFA).

4.2 Permission Control

Adherence to the principle of least privilege is mandatory; personnel shall be granted only the minimum permissions necessary to fulfill their specific job responsibilities. All permission assignments must undergo an approval process. Permissions shall be reviewed periodically (on a quarterly basis), and access rights for personnel who have resigned or transferred to a different role shall be revoked promptly.

4.3 Access Auditing

Operation logs must be retained for all data access, export, modification, and deletion activities. These logs shall record the operator, timestamp, specific action performed, and the result of the operation. Logs must be stored for a minimum of 180 days, be protected against tampering, and support retrospective auditing.

Chapter 5: System and Network Security

5.1 Security Configuration

Servers, cloud platforms, application systems, and network devices shall undergo security hardening. Unnecessary ports and services shall be disabled, robust password policies shall be established, and system patches shall be applied on a regular basis.

5.2 Vulnerability and Risk Management

Regular vulnerability scans, code audits, and penetration tests shall be conducted. Discovered security vulnerabilities shall be prioritized and remediated according to their severity level; high-risk vulnerabilities must be resolved within 24 hours. Intrusion detection and prevention mechanisms shall be established to promptly detect and block malicious attack attempts.

5.3 API Security

APIs shall be utilized in strict compliance with the specifications of the respective open platforms. API keys must be managed securely and kept confidential. Measures such as interface authentication, rate limiting, injection prevention, and privilege escalation prevention shall be implemented. APIs must not be invoked with privileges exceeding those authorized, nor shall sensitive data be cached.

Chapter 6: Security Incident Emergency Response

6.1 Incident Classification

Security incidents—such as data breaches, system intrusions, and data loss—shall be classified into three tiers: General, Major, and Critical. Specific response procedures shall be clearly defined for each incident classification level.

6.2 Emergency Response Procedures

  1. Discovery and Reporting: Any individual who discovers a security incident must immediately report it to the Information Security Lead.
  2. Isolation and Remediation: Rapidly activate the emergency response plan to isolate affected systems and data, patch vulnerabilities, and prevent the incident from escalating.
  3. Notification and Reporting: In the event of a data breach, and in accordance with U.S. regulatory requirements, notify the Platform, relevant regulatory bodies, and affected parties within the prescribed timeframe.
  4. Post-Incident Review and Remediation: Upon completion of incident remediation, conduct a post-mortem analysis to formulate corrective measures, thereby preventing the recurrence of similar incidents; maintain comprehensive records of the entire remediation process.

Chapter 7: Backup and Disaster Recovery

7.1 Data Backup

Implement regular backups of core business data, utilizing off-site backup storage methods. Backup data must be stored in an encrypted format to ensure its integrity and availability.

7.2 Recovery Mechanisms

Establish a comprehensive disaster recovery plan and conduct periodic recovery tests to ensure that, in the event of system failures, data loss, or similar incidents, business operations and data can be rapidly restored, thereby safeguarding service continuity.

Chapter 8: Personnel Security Management and Training

8.1 Confidentiality Requirements

All personnel with access to information assets or U.S. data are required to sign a Non-Disclosure Agreement (NDA) clearly defining their confidentiality obligations and liabilities for breach. These confidentiality obligations remain binding even after their departure from the organization.

8.2 Security Training

New employees are required to complete mandatory training on information security and data compliance upon onboarding. Existing personnel must undergo security refresher training at least once annually. Training content covers data regulations, Platform rules, secure operational procedures, and emergency response protocols, ensuring that all personnel possess the requisite security awareness and operational competence.

8.3 Third-Party Management

For third parties—including outsourced personnel and business partners—clearly define security requirements and execute confidentiality and data processing agreements. Furthermore, actively monitor and govern their data handling activities to ensure compliance.

Chapter 9: Compliance Audits and Policy Updates

9.1 Compliance Audits

Conduct periodic internal audits of information security and data compliance practices. Cooperate fully with inspections conducted by regulatory bodies, promptly remediate any identified issues, and maintain comprehensive records of all audit findings and remediation actions.

9.2 Policy Review and Updates

This policy shall be reviewed at least once annually. In the event of significant changes to applicable laws and regulations, Platform rules, or business models, the policy shall be promptly revised and updated to ensure its continued relevance and effectiveness. Following any policy revisions, comprehensive dissemination and training sessions shall be organized for all personnel.

Chapter 10: Supplementary Provisions

  1. This Policy shall be interpreted by the Company’s Information Security Leadership Group.
  2. Any violation of this Policy shall be addressed by the Company in accordance with the severity of the circumstances; should such violations result in security incidents or compliance risks, the responsible personnel shall be held accountable.
  3. This Policy shall take effect as of the date of its issuance.