What is EU GDPR?

The EU's General Data Protection Regulation (GDPR) is a regulation that requires businesses to protect the privacy and personal data of EU citizens. Huawei Cloud complies with the regulations on data controllers and processors in GDPR to ensure that personal data processing activities are secure, legal, and compliant with laws and regulations.


Huawei Cloud is also committed to providing secure and regulation-compliant services and resources, helping customers comply with GDPR requirements that may apply to their activities. Check out the following GDPR FAQ for more information.

Common Questions

GDPR Overview

  • What is the GDPR?

    The General Data Protection Regulation (GDPR) is a binding legislative act, which must be applied in its entirety across the EU. The GDPR entered into force on 25 May 2018. It is intended to harmonize data protection laws throughout the EU by applying a single data protection law that is binding throughout each member state.

  • What is the applicable scope of the GDPR?

    The applicable scope of the GDPR is as follows:


    1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.


    2. This Regulation applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:


    (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or

    (b) the monitoring of their behavior as far as their behavior takes place within the EU.


    3. This Regulation applies to the processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.


  • What is the role of Huawei Cloud under the GDPR?

    Huawei Cloud as a data controller – When Huawei Cloud collects personal data and determines the purposes and means of processing that personal data – for example, when Huawei Cloud stores personal information provided by customers for account registration, service purchase, real-name authentication, customer service, and so on.


    Huawei Cloud as a data processor – When customers use Huawei Cloud services to process personal data in the content they upload to the Huawei Cloud services. Under these circumstances, a customer may act as a data controller or data processor itself, and Huawei Cloud acts as a data processor. Huawei Cloud offers a GDPR-compliant Data Processing Addendum (DPA) that incorporates Huawei Cloud's commitments as data processor. Huawei Cloud processes data only according to your instructions.

  • How does Huawei Cloud meet GDPR requirements?

    Based on the core requirements of the GDPR, Huawei Cloud describes its general responsibilities as a controller and as a processor, and how it fulfills them. As a data controller, Huawei Cloud fulfills obligations such as sending notifications and obtaining consents, protecting data subject rights, protecting data through design and default settings, recording data processing, enhancing personal data security, reporting personal data breaches, assessing data protection impacts, and designating a data protection officer (DPO). As a data processor, Huawei Cloud fulfills obligations such as signing a contract between the controller and the processor, protecting personal data security, recording data processing activities, and designating a DPO. For more information, see White Paper for Huawei Cloud Privacy Protection.

  • How does Huawei Cloud help customers meet GDPR requirements?

    Huawei Cloud provides you with a wide range of cloud products or services that can help you meet the compliance requirements of the GDPR. The products and services include network products, database products, security products, and management and deployment tools. They provide functions such as data protection, data deletion, network isolation, and permission management to help you protect personal data privacy. For more information, see White Paper for Huawei Cloud Privacy Protection.

  • How will Huawei Cloud notify Customers of requests received from Supervisory Authorities?

    Huawei Cloud will notify the customer if there is any legally binding request for disclosure of the personal data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.

How does Huawei Cloud meet privacy protection requirements as a data processor?

If the customer is the personal data controller and Huawei Cloud assists in processing the customer's personal data, or if the customer is a personal data processor and uses the services provided by Huawei Cloud to process personal data, Huawei Cloud takes the following measures to fulfill the obligations of the processor.

  • Contract Between the Controller and the Processor

    Customers have full control over their personal data. Huawei Cloud strictly complies with customers' instructions or the Data Processing Addendum (DPA) signed with customers to store or process personal data.


    Non-disclosure obligation: Huawei Cloud does not access, use, or disclose any customer data to any third party unless otherwise specified by laws and regulations.


    Return or deletion of personal data: With the account function, Huawei Cloud will provide customers with the capability of completely deleting customer data at any time according to the DPA, unless customer data storage is otherwise required by applicable privacy laws. Huawei Cloud will delete a customer's data if the customer requires the deletion, the customer closes its account, or as specified in the agreement with the customer (for example, at the end of an extension and/or retention period).

  • Security of Personal Data

    Agreement with data controller: Huawei Cloud strictly complies with the customer's instructions or the Data Processing Addendum (DPA) signed with the customer in storing or processing personal data.


    Huawei Cloud has established a comprehensive privacy protection system that includes a series of privacy protection policies at the corporate and process levels to protect customer privacy. In addition, Huawei Cloud has established a data protection department with dedicated personnel responsible for annual supervision, reviews, and audits on effective implementation of Huawei Cloud privacy protection measures.


    Huawei Cloud implements and maintains the following security measures:


    Customer isolation: Huawei Cloud provides an isolated cloud service environment for each account. Users can access only their own cloud services.


    Permission control: Huawei Cloud uses the identity authentication system to restrict unauthorized access and manages Huawei Cloud employee permissions based on the principle of least privilege.


    Data encryption: Huawei Cloud helps customers encrypt personal data for storage and transmission.


    Vulnerability management: The Huawei Cloud Security Incident Response Team has established a mature vulnerability response mechanism. Based on the characteristics of self-operations on the cloud, the team continuously improves the security vulnerability management process and technical means to ensure that the vulnerabilities of in-house, open-source, and third-party components in infrastructure, platforms, applications, cloud services, and O&M tools can be fixed as soon as possible, reducing risks and avoiding impact on tenant services.

  • Records of Processing Activities

    Huawei Cloud customers have complete control over their personal data. Huawei Cloud strictly complies with customer instructions or the Data Processing Addendum (DPA) signed with the customer. Huawei Cloud always retains documents related to its processing activities in accordance with applicable privacy laws. To the extent that applicable privacy laws require Huawei Cloud to collect and maintain records of certain customer details, the customer will use the controls and functions provided by Huawei Cloud to provide such information and keep it accurate and up-to-date.

  • Transfers of Personal Data to Third Countries or International Organizations

    Huawei Cloud will sign a Data Processing Addendum (DPA) with the customer along with standard contractual clauses (SCCs), including clauses pertaining to transferring data from a processor to another processor (P-P) and from a processor to a controller (P-C). Huawei Cloud will strictly comply with the data transfer clauses specified in the preceding agreements and take appropriate data protection measures.


    Customers can select any availability zone they consider appropriate to store their content data. Without the customer's consent, Huawei Cloud will never migrate customer's content data out of the region customers have selected. Huawei Cloud can transfer customer data in the region selected by the customer only when it is necessary to provide the services required by the customer or in other cases specified by legal requirements.

  • Notification of a Personal Data Breach

    Huawei Cloud has established a cyber security incident response process that monitors potential cyber attacks in a timely manner to prevent data breaches. In the event of a personal data breach, a professional security incident response team is responsible for implementing emergency plans, disclosing the breach to the controller, and logging all incident records.


    Huawei Cloud will notify the customer immediately after becoming aware of a personal data breach. Such notifications will use the contact details provided by the customer, including but not limited to emails and text messages. The customer is responsible for the accuracy of contact details they provide for their account.

  • How can a Huawei Cloud Customer provide information to Huawei Cloud as processor to update the RoPA?

    A Huawei Cloud Customer can use the personal data management request to provide the information to Huawei Cloud as processor to update the RoPA, such as the name and contact details of each customer (as provided by the Customer) on behalf of which Huawei Cloud is acting, the categories of processing carried out on behalf of the Customer, the list of Controllers, etc. Our privacy expert team will contact you to confirm the changes and to update the related RoPA in the Huawei Cloud system.

  • How does Huawei Cloud provide assistance to the customer to fully address data subject requests?

    Huawei Cloud can assist the customer, case by case, with internal technical and organizational measures to locate and extract relevant data and so on.

    The customer can submit the request via the Personal Data Management Request.

How does Huawei Cloud meet privacy protection requirements as a data controller?

As the controller of customers' personal data, Huawei Cloud is responsible for protecting the privacy and security of customers' personal data. The following describes the measures taken by Huawei Cloud to fulfill its obligations as a controller in accordance with general obligations stated for controllers:

  • Notification and Consent

    When a customer registers an account on Huawei Cloud, Huawei Cloud presents Huawei Cloud Customer Agreement and Privacy Statement to the customer. The Privacy Statement explicitly describes which personal data will be collected by Huawei Cloud, how Huawei Cloud collects and processes the customer's personal data, and the purposes of the collection and processing. Huawei Cloud collects and processes customers' personal data only after customers read and agree to Huawei Cloud User Agreement and Privacy Statement.


    In the Privacy Statement, Huawei Cloud lists the scenarios that may involve the collection of customers' personal data and describes the categories of personal data to be collected and the purposes of using the personal data. Huawei Cloud will ask for customers' explicit consent when performing a specific collection.


    When the scope or purposes of personal data collected by a service or product change, Huawei Cloud will update the Privacy Statement in a timely manner and ask for the customer's new consent. The Privacy Statement is presented in a clear, concise, and intelligible manner and in an easily accessible form.


    The customer has the right to withdraw their consent at any time. Disabling related services or deleting accounts will be deemed a withdrawal of the consent the customer granted before. The Privacy Statement also specifies automated decision-making scenarios where Huawei Cloud automatically obtains and collects personal data, such as browser history, access date and time, browser information, customer activities on the website, hardware and software functions, and network connection information when customers access Huawei Cloud, and other information when customers use Huawei Cloud services. Huawei Cloud uses automated processes to tailor the customer's service experience based on various data (including the customer's personal data) to provide a personalized user experience and content. Huawei Cloud collects and processes customer data only after they agree to the Privacy Statement.


    Providing personal data for personalized scenarios is optional. If customers choose not to submit personal data, some personalized functions may be unavailable to them. However, this does not affect the use of other functions of the service involved. Huawei Cloud provides various options on its website for customers to withdraw their consent to personal data collection and processing. Customers can directly withdraw such consent or request a consent withdrawal via the data subject requests portal.

  • Rights of the Data Subject

    When you register a Huawei Cloud account, you are asked to view the Privacy Statement provided by Huawei Cloud. The Privacy Statement describes how your personal data is collected and processed, the reasons for the data collection, the consequences of exercising the right to object to provide data, the purpose and method of data use, as well as the type of data recipients, the legitimate interests of the data controller or third parties (if any), and contact information of Huawei Cloud and the data protection officer. You are informed of data subject's rights in accordance with applicable laws and regulations, such as the right to access, to rectification, to erasure, to restriction of processing, the right to have data transferred, and right to withdraw consent.


    Self-service management of personal data: You can access, correct, deregister, and withdraw your consent through the account center on the official website. You can also contact Huawei Cloud's dedicated department for personal information protection.


    To exercise data subject's rights, you can access the data subject portal to contact Huawei Cloud. The Huawei Cloud professional team will respond as soon as possible, complete the processing, and send you the results within the time specified by the law and by Huawei's regulations.

  • Third Party Disclosures

    To provide necessary transactions, services, and security support, Huawei Cloud may disclose some personal data to third parties, such as associated companies, branches, service providers, and subcontractors. If Huawei Cloud shares your personal data with a third party, the third party's responsibilities and obligations are subject to the contract. Huawei Cloud requires them to take appropriate measures to ensure security of processed personal data.


    Huawei Cloud conducts due diligence and privacy security assessment on third parties as required by the law, and signs a Data Protection Agreement (DPA) with such third parties. The DPA specifies the privacy protection obligations of the third parties as processors/sub-processors, and the applicable laws and regulation requirements they must meet.


    The Huawei Cloud Privacy Statement describes the scenarios where personal data needs to be disclosed to third parties. You are asked to read the Privacy Statement and agree to it to give us the permission to collect and process your personal data.


  • Direct Marketing

    When you register on the Huawei Cloud official website, you can choose whether to allow Huawei Cloud to use your personal data for marketing. Marketing information will be pushed to you only after we obtain your consent.


    Huawei Cloud provides a range of notification options on its official website. You can set what information will be pushed to you and how you will receive it. If you do not want to receive marketing information, you can turn it off in the user center of the official website.

  • Data Protection Through Design and Default Settings

    Huawei Cloud has released privacy protection policies and objectives and management regulations and process requirements to specify business specifications, and has provided corresponding operation guides, tools, and templates to help employees carry out business activities in an efficient manner. All these ensure the implementation of basic privacy protection principles in Huawei Cloud business activities, protecting personal data security and data subject rights.


    Based on widely recognized privacy principles, Huawei Cloud integrates privacy into design and embeds personal information protection requirements into the end-to-end development process to ensure compliance with the requirements.

  • Data Processing Records

    Huawei Cloud keeps complete records of personal data processing activities. Each service team assesses privacy impacts and lists the data owner categories, personal data types, data collection purpose, data transfer records, retention period, and security measures.

  • Security of Personal Data

    Huawei Cloud uses multiple industry-recognized security technologies to ensure the accuracy, integrity, and security of personal data during processing.

    Customer isolation: Huawei Cloud provides an isolated cloud service environment for each account. Users can access only their own cloud services.

    Permissions control: The identity authentication system restricts unauthorized access and allows you to manage employee permissions based on the principle of least privilege to prevent personal data modification.

    Data encryption: Huawei Cloud encrypts your personal data for storage and transmission.

    Risk monitoring: Huawei Cloud uses a log recording system and audit technology to detect security risks in a timely manner, and takes quick action to handle security events.

    Huawei Cloud regularly reviews the purposes of collection, use, and disclosure of personal data. If you request that your personal data be deleted, Huawei Cloud masks or deletes your data, unless otherwise required by applicable laws and regulations. After you deregister a Huawei Cloud account, Huawei Cloud masks or deletes unnecessary personal data after the data retention period ends, unless otherwise required by applicable laws and regulations.

  • Personal Data Breach Report

    In order to prevent data breaches, Huawei Cloud has established a cyber security incident response process that monitors potential cyber attacks in a timely manner. However, in the event of a data breach, a professional response team will execute the emergency plan, disclose the incident to the customer and local supervisory department, and log the incident.


    The Huawei Cloud incident response team will notify regulators and customers of the personal data breach within the time specified by the local laws and internal regulations.

  • Data Protection Impact Assessments (DPIA)

    To effectively identify and mitigate privacy risks, Huawei Cloud carries out privacy risk analysis and management in every cloud service.


    For services or cloud services that may cause high risks to the rights and freedoms of natural persons, Huawei Cloud requires that a data protection impact assessment (DPIA) be conducted. The assessment process includes identifying personal data based on the service scenario and processing operation, conducting analysis on regulatory compliance and the impacts on data subjects, and planning the privacy risk control measures. Services can be carried out only after privacy risks are deemed acceptable.

  • Data Protection Officer (DPO)

    According to laws and regulations, Huawei Cloud can appoint a DPO based on its own data processing activities.


    Huawei Cloud has appointed a data protection officer (DPO) in each country and region where it has businesses to help it carry out activities in compliance with applicable privacy laws and regulations. The DPO contact information is published in the Privacy Statement.


    Huawei Cloud has established a privacy protection expert team consisting of experts in the privacy protection field, legal affairs personnel, and cyber and information security personnel, to provide professional support for the privacy protection strategy and practice of Huawei Cloud.

  • Transfers of Personal Data to Third Countries or International Organizations

    Huawei Cloud notifies customers in the Privacy Statement that Huawei Cloud may store customers' personal data in countries/regions where Huawei Cloud, Huawei Cloud affiliates, or Huawei Cloud service providers or subcontractors are located. This means that a customer's personal data may be transferred to, and assessed in other jurisdictions than where the customer is located or where its data is collected.


    These jurisdictions may have different data protection laws, which may have less stringent data protection requirements. In this case, Huawei Cloud will ensure that the data transfer complies with applicable laws and regulations and the Privacy Statement, and ensure that data recipients outside China comply with the corresponding confidentiality and data protection obligations.

  • Permission Control and Audit

    Permission control: Huawei Cloud has established an access control mechanism that implements the principles of least privilege and permission separation and periodically reviews employees' permissions to avoid any permission violations.


    Log audit: Each time an employee logs in to Huawei Cloud, Huawei Cloud verifies the employee's identity. If an event occurs, Huawei Cloud can trace logs in a timely manner and hold the employee accountable. When the position of an employee changes, Huawei Cloud clears or modifies the employee's permissions in a timely manner to prevent any permission violations. Employees' login and operation logs will be retained for a period of time for review.

  • Privacy Protection Training

    Privacy protection training: Huawei Cloud trains employees to ensure their qualifications, capabilities, and behaviors meet privacy protection requirements, and has arranged positions related to privacy protection and clearly defined the responsibilities of these positions. It conducts background investigations and skill appraisals on new employees to ensure that they meet certain requirements, and requires that they pass privacy protection appraisals every year. When an employee is repositioned, Huawei Cloud ensures that the employee's original permissions are canceled.

  • Privacy Governance Organization and Procedure

    Privacy protection system: Huawei Cloud has established a comprehensive privacy protection system that includes a series of privacy protection policies at the corporate and process levels to protect customer privacy. In addition, Huawei Cloud has established a data protection department with dedicated personnel responsible for annual supervision, reviews, and audits on effective implementation of Huawei Cloud privacy protection measures.

Resources

  • ISO 29151

    Standards identified by privacy risk and impact assessment

  • BS 10012

    A best practice framework for a personal information management system



  • ISO 27701

    Guidance for privacy information management


  • EU Privacy Protection White Paper

    HUAWEI CLOUD privacy protection objectives: strictly adhering to services' boundaries, protecting customers' personal data security, and helping customers implement privacy protections.

  • Shared Responsibility Model

    A shared model to build a secure cloud environment together

  • EU Cloud COC

    The EU Cloud Code of Conduct (CoC) is an EDPB endorsed and legally operational transnational code of conduct

Contact Us

Request channel for data subject rights protection.
