Tuya maintains the following privacy certifications, standards, and reports: · ISO/IEC 27001:2022 · ISO/IEC 27701:2019 · CSA STAR Cloud Security · SOC 2 type II · SOC 3 · Enterprise Privacy Certification (EPC) · GDPR Validation Report · CCPA Validation Report · PIPEDA & Quebec Law25 Assessment Report

As of January 2024, Tuya has implemented six data centers in USA East, USA West, Europe, India, and mainland China. In terms of cloud service providers, Tuya deploys Amazon Web Service (AWS) in Germany, USA West, and India; Microsoft Azure in USA East and the Netherlands, and Tencent Cloud and Alibaba Cloud in mainland China. Customers from USA and Europe can choose to use Microsoft Azure or AWS to store their data at their discretion. Tuya strictly adheres to regional laws and regulations about data security and privacy, we have multiple data servers operated in different countries/regions. According to user’s choice, data will be stored to the corresponding data center, further ensuring the high reliability and availability. Customers can test a product's server IP and find which data center it flows to.

Tuya provides data storage and processing services to its customers through cloud service providers. When a customer or end-user transfers data to Tuya, Tuya bears the responsibility to securely store and process these data. By explaining abstractly, Tuya creates an independent account for each customer. Accounts are logically isolated from each other, and the access control mechanism permits customers to only access/manage data under their possession as well as access to public underlying data. Tuya divides customer data into two categories: Tuya Developer Platform data and customer detail data customer data in detail. Tuya Developer Platform data: After registering an account on the Tuya Developer Platform, customers can view the data created or managed under their account. For example, the user name, phone number, and email address, etc. in the account repository; device details, user feedback, product services provided to end-users under device statistics. Under such circumstances, customers can only access their personal data and service data statistics under the contracted service, which are managed independently through their Tuya Developer Platform accounts. Display of any raw personal data related to a customer or detail data related to products or services in the public area of the Tuya Developer Platform is strictly banned. Customer detail data in detail: All personal data (for example, phone numbers, email addresses, IP addresses, etc.), audio streaming files like recordings, video, or images generated by a customer or end-user who voluntarily transfers such data to Tuya for the purpose of using products or services, and any calculations derived from such content by the customer or end-user in connection with the use of products or services provided by Tuya. Tuya stores all itemized data generated from such product and service interactions in the database of cloud service providers, either alone or in combination with other data, data that identifies an individual or various data that reflect the activities of a particular individual. At this point, Tuya shall secure customer data under this section using technical and organizational security measures. For details of data collection and use, please see the Tuya Terms of Use and the Tuya Privacy Policy.

Data Owner: The individual user is the owner of the personal data, which is owned by the individual user. Data Controller: In the case of products or services provided by Tuya to its corporate customers, a legally binding contract is utilized by Tuya's corporate customers. The customer determines the purpose of collection, the scope of collection, and the manner of processing personal data, and in this case, the customer's dominance determines its status as a data controller. Data Processors: Tuya provides personal data processing services to our customers on an ongoing basis in accordance with their data processing instructions, ensuring and improving the ongoing provision of our agreed services. As a service provider and data processor, Tuya is the customer's data processor and has a strict data processing agreement with the customer, including the scope of data processing, processing methods, etc. Tuya has strict internal permission and access control policy and technical assurance structure to ensure that data can only be accessed or processed with the customer's authorization. To ensure data compliance, Tuya has globally deployed multiple independent data nodes that perform localized data storage and processing, as well as strict data encryption protection.

When Tuya's products and services collect personal data, they are guided by the following basic principles: clarity of purpose, choice of consent, data minimization, transparency, and security. Data security processing: Tuya divides data into personal data, platform information data, and internal corporate data. Security requirements and countermeasures are implemented depending on data types. Strict data access control and approval mechanisms are adopted. Data filtering is used to enforce strict verification of data type, length, and format for all service entrances to ensure data integrity and non-contamination. For data destruction, Tuya adopts the underlying deletion mechanism of cloud services to permanently delete the data. For more detailed introduction, please see the Tuya Security Compliance White Paper

Tuya provides a channel for data subject rights requests and is equipped with a professional team to respond to relevant requests from data subjects. Upon receiving the request, they complete the response and request processing within the specified time and provide feedback on the processing results to the data subject. You can make corresponding requests through feedback in the APP, which includes the following channels: · In the Mobile APP ->Me ->Help Center ->Frequently Asked Questions and Feedback; · Through Tuya customer service team email service@tuya.com Or call the customer service hotline：Call 400-881-8611 to make the corresponding request, which will be internally confirmed and processed by the customer service team Turn; · By Tuya Privacy Compliance Office email privacy@tuya.com Make a request. · Submit a personal data subject rights response request through Tuya official website - Trust Center - Data Privacy - Personal Data Rights Request · If you downloaded our APP from Google Play, you can exercise your right to deletion through the online link on Google Play;