As of January 2024, Tuya has implemented six data centers in USA East, USA West, Europe, India, and mainland China. In terms of cloud service providers, Tuya deploys Amazon Web Service (AWS) in Germany, USA West, and India; Microsoft Azure in USA East and the Netherlands, and Tencent Cloud and Alibaba Cloud in mainland China. Customers from USA and Europe can choose to use Microsoft Azure or AWS to store their data at their discretion. Tuya strictly adheres to regional laws and regulations about data security and privacy, we have multiple data servers operated in different countries/regions. According to user’s choice, data will be stored to the corresponding data center, further ensuring the high reliability and availability. Customers can test a product's server IP and find which data center it flows to.

Tuya provides data storage and processing services to its customers through cloud service providers. When a customer or end-user transfers data to Tuya, Tuya bears the responsibility to securely store and process these data. By explaining abstractly, Tuya creates an independent account for each customer. Accounts are logically isolated from each other, and the access control mechanism permits customers to only access/manage data under their possession as well as access to public underlying data. Tuya divides customer data into two categories: Tuya Developer Platform data and customer detail data customer data in detail. Tuya Developer Platform data: After registering an account on the Tuya Developer Platform, customers can view the data created or managed under their account. For example, the user name, phone number, and email address, etc. in the account repository; device details, user feedback, product services provided to end-users under device statistics. Under such circumstances, customers can only access their personal data and service data statistics under the contracted service, which are managed independently through their Tuya Developer Platform accounts. Display of any raw personal data related to a customer or detail data related to products or services in the public area of the Tuya Developer Platform is strictly banned. Customer detail data in detail: All personal data (for example, phone numbers, email addresses, IP addresses, etc.), audio streaming files like recordings, video, or images generated by a customer or end-user who voluntarily transfers such data to Tuya for the purpose of using products or services, and any calculations derived from such content by the customer or end-user in connection with the use of products or services provided by Tuya. Tuya stores all itemized data generated from such product and service interactions in the database of cloud service providers, either alone or in combination with other data, data that identifies an individual or various data that reflect the activities of a particular individual. At this point, Tuya shall secure customer data under this section using technical and organizational security measures. For details of data collection and use, please see the Tuya Terms of Use and the Tuya Privacy Policy.

Data Owner: The individual user is the owner of the personal data, which is owned by the individual user. Data Controller: In the case of products or services provided by Tuya to its corporate customers, a legally binding contract is utilized by Tuya's corporate customers. The customer determines the purpose of collection, the scope of collection, and the manner of processing personal data, and in this case, the customer's dominance determines its status as a data controller. Data Processors: Tuya provides personal data processing services to our customers on an ongoing basis in accordance with their data processing instructions, ensuring and improving the ongoing provision of our agreed services. As a service provider and data processor, Tuya is the customer's data processor and has a strict data processing agreement with the customer, including the scope of data processing, processing methods, etc. Tuya has strict internal permission and access control policy and technical assurance structure to ensure that data can only be accessed or processed with the customer's authorization. To ensure data compliance, Tuya has globally deployed multiple independent data nodes that perform localized data storage and processing, as well as strict data encryption protection.

When Tuya's products and services collect personal data, they are guided by the following basic principles: clarity of purpose, choice of consent, data minimization, transparency, and security. Data security storage: Tuya IoT PaaS isolates corporate data to ensure the security of customer data. At the same time, Tuya IoT PaaS provides different data storage services for different business scenarios. Sensitive data of customers or end-users are stored with AES-256 encryption, some sensitive data are desensitized as necessary, and the keys are managed and distributed through the key management center for unified security. Data security processing: Tuya divides data into personal data, platform information data, and internal corporate data. Security requirements and countermeasures are implemented depending on data types. Strict data access control and approval mechanisms are adopted. Data filtering is used to enforce strict verification of data type, length, and format for all service entrances to ensure data integrity and non-contamination. For data destruction, Tuya adopts the underlying deletion mechanism of cloud services to permanently delete the data.

In terms of data security construction, Tuya has a sizeable team of professional information security experts and a comprehensive information security system, including the implementation of strict software development security and the construction of an advanced security attack and defense system. In addition, Tuya completes annual penetration tests by third-party professional security agencies and implements a high-value vulnerability bounty program to test the security capabilities of its products and services. In terms of privacy compliance, Tuya has established a compliance committee, a security and privacy compliance team, and a legal team to track and respond to the latest global legal requirements. At the same time, Tuya has entered into strategic partnerships with a team of professional external law firms and third-party privacy compliance and security consultants to optimize and upgrade privacy compliance and security solutions on a long-term and ongoing basis.