[JW-ERP Store Authorization] Information Security Policy

1. Policy Purpose

2. Scope of Application

• Personnel: All employees, outsourced staff, cooperative suppliers, and relevant personnel involved in TikTok Shop business.
• Assets: Information systems, servers, terminal devices, data files, and other assets related to TikTok Shop business.
• Scenarios: Including but not limited to data collection, storage, transmission, processing, system operation and maintenance, business docking, and other links.

3. Core Security Specifications

(1) Data Security Management

• Data Classification and Protection

   

  Classify TikTok Shop-related data by sensitivity:
   
  • Core Data: User orders, personal information
  • General Data: Public product information
     
    Core data must be stored with AES-256 encryption; all transmission uses HTTPS. Transmission through non-encrypted channels (e.g., WeChat, plaintext email) is prohibited.
   
• Data Usage Restrictions

   

  Data may only be used for legitimate business purposes under TikTok Shop cooperation; no disclosure, resale, or abuse to third parties is allowed.

   

  Data retention periods strictly follow TikTok requirements and applicable laws; data must be securely destroyed upon expiration (e.g., data desensitization, physical destruction of storage media).

(2) System Security Management

• System Protection

   

  Deploy firewalls and intrusion detection systems (IDS) for business systems; conduct vulnerability scanning and penetration testing quarterly.

   

  Set strong passwords for servers and databases (length ≥ 12 characters, including letters, numbers, and special symbols), and change passwords every 90 days.
   
• Access Control

   

  Assign system accounts based on the least privilege principle: only grant access necessary for job roles.

   

  Enable two-factor authentication (2FA) for core systems (e.g., order management, data backend); account sharing and password reuse are prohibited.

(3) Personnel Security Management

• Training and Agreements

   

  New employees must complete specialized training on Information Security and TikTok Compliance and pass assessment before participating in related business.

   

  All personnel involved in TikTok Shop business must sign an Information Security and Confidentiality Agreement to clarify data protection obligations.
   
• Offboarding Management

   

  All TikTok business system accounts and permissions must be revoked within 1 business day after employee resignation.

   

  Relevant data files must be handed over before departure, and a Post-Resignation Information Security Commitment must be signed.

(4) Emergency Response Mechanism

• Incident Handling Process

   

  Report to the information security manager within 1 hour in case of data leakage, system intrusion, or other security incidents.

   

  Launch emergency response within 24 hours (e.g., isolate affected systems, desensitize data, notify TikTok contacts) and issue an Incident Handling Report.
   
• Drill Requirements

   

  Conduct information security emergency drills semi-annually covering data leakage, system failures, and other scenarios to continuously optimize response processes.

4. Compliance Audit and Supervision

• Internal Self-Inspection: The information security team conducts quarterly self-inspection on policy implementation and issues a Compliance Audit Report.
• External Cooperation: Cooperate with TikTok Shop and regulatory authorities in information security inspections, provide required materials promptly, and implement rectification.

5. Liability, Rewards and Punishments

• Accountability: Individuals who cause information security incidents due to violations will be held responsible per company rules; serious cases will be transferred to judicial authorities.
• Rewards: Recognize and reward personnel who proactively discover security vulnerabilities and avoid major risks.