ZEGOCLOUD PTE. LTD (hereinafter referred to as "ZEGOCLOUD") was officially established as a global cloud communication service provider in June 2015. It enables enterprises and developers to access ZEGOCLOUD's services and obtain real-time audio and video communication capability with a low barrier to entry, especially in weak network environments. Since its establishment, ZEGOCLOUD has focused on developing its own audio and video engines, reaching an internationally leading level in audio pre-processing, network self-adaptation and cross-platform compatibility. At the same time, ZEGOCLOUD makes full use of the capabilities of public cloud service providers and has built MSDN, a massive and orderly self-learning data network, serving enterprises and developers around the world across hundreds of audio and video interactive business scenarios, with over 3 billion minutes of usage on a single day. To help developers and customers better understand ZEGOCLOUD's security and privacy protection capabilities, the ZEGOCLOUD Security White Paper (hereinafter referred to as the "White Paper") was released to introduce the security and compliance capabilities of our products and services. This White Paper is intended for small, medium and large enterprise customers and individuals who use ZEGOCLOUD services. In it you can learn about ZEGOCLOUD's information security and privacy protection framework and its specific security measures.
Cloud communication is a communication platform service that converges multiple communication methods, such as online voice, video, email and text chat, delivered through a cloud computing business service model to reduce or even eliminate communication lag. In the face of this rapid development, the security and compliance of cloud communication also face great challenges. ZEGOCLOUD, as a global cloud communication service provider, is committed to providing customers with a hosted environment that is flexible, instant, scalable, secure and easy to use. In later sections, we describe how ZEGOCLOUD, as a third party for cloud communications, works with customers to ensure the security and compliance of cloud communications. We have drawn a Shared Responsibility Model to show the security responsibilities and capabilities of both parties in more detail, as shown in the following figure:
Figure 2-1 ZEGOCLOUD Shared Responsibility Model
As a third party for cloud communication, ZEGOCLOUD is responsible for the security of the cloud communication service itself. As the service user, the customer is responsible for its own collected data, application platform and infrastructure, and must, based on its own business characteristics, reasonably configure and control the security settings of ZEGOCLOUD services so as to ensure the security of its own data, applications, platforms, systems and networks.
3.1 Security Organization
ZEGOCLOUD fully recognizes that the diversified storage of information brings new challenges to the enterprise in the era of big data. In order to guarantee the security of ZEGOCLOUD itself and the data security of developers and users, ZEGOCLOUD has set up organizations and positions such as an information security and privacy protection management and decision-making committee, an information security group, and information security officers in each department, which are responsible for the operation, maintenance and effective implementation of ZEGOCLOUD's information security and privacy protection system. At the same time, ZEGOCLOUD has appointed a global Data Privacy Officer (DPO) to coordinate and take charge of ZEGOCLOUD's global data security, privacy protection and compliance related work.
3.2 Human Resource Management
ZEGOCLOUD adopts the following security control measures at the stages before, during and after employment, so as to establish the information security awareness of all employees, clearly communicate internal information control requirements, standardize information security and privacy protection in personnel management, strengthen orderly internal management, and reduce the potential risks that personnel pose to business continuity and security.
Before employment: ZEGOCLOUD entrusts an independent third-party professional organization to verify the authenticity of the candidate's education, past work experience and on-the-job performance, with the depth of the check depending on the characteristics of the position. Only after the candidate's experience and background have been confirmed can the employment procedures be carried out.
During employment: Once an employee is hired, ZEGOCLOUD signs a nondisclosure agreement (NDA) and an intellectual property agreement with the employee in addition to the labor contract. The obligations under the nondisclosure agreement and the intellectual property agreement continue after the employee leaves the company. Employees must comply with ZEGOCLOUD's security and privacy protection management requirements, must not disclose company confidential information or customer personal information without authorization, and must regularly participate in ZEGOCLOUD employee security and privacy compliance awareness training.
Termination of employment: After an employee submits his or her resignation, he or she must follow the separation process defined by ZEGOCLOUD, which ensures the timely revocation of logical and physical access rights and the return of related IT assets, so as to reduce the risk to organizational security caused by personnel changes.
3.3 Security Awareness Education and Training
ZEGOCLOUD conducts security awareness training and advocacy in multiple dimensions, including newcomer onboarding training, on-the-job security training and promotional activities, in order to raise employees' awareness of information security and privacy protection, reduce the risk and impact of network security breaches, and guarantee the normal operation of the organization's business.
Onboarding training: Offline security and privacy protection training is conducted when employees join the company, and employees are required to complete the corresponding online training and assessment during the probationary period.
On-the-job security training: ZEGOCLOUD conducts targeted security training at different frequencies for employees responsible for different business modules, mainly covering cyber security awareness, customer data and privacy protection requirements and other cyber security topics, together with online exams, and regularly updates the course content and exam syllabus according to business characteristics.
Special promotion activities: ZEGOCLOUD regularly conducts cyber security and privacy protection promotion activities for all employees, including but not limited to classic case studies and the legal and regulatory requirements related to cyber security and privacy protection.
3.4 Security Violation Accountability and Incentives
ZEGOCLOUD has established a rigorous security responsibility system and implements accountability measures against security violations. ZEGOCLOUD holds employees accountable for violations of information security policies and standards according to the degree, nature and severity of the consequences caused by the violation. Those who violate national laws will be held legally accountable according to the law. Meanwhile, ZEGOCLOUD has established an internal reward mechanism. ZEGOCLOUD encourages employees to actively report the security risks or system vulnerabilities they find and, after evaluating the extent, nature and potential loss, gives the person concerned an appropriate reward, so as to reduce the security risks and vulnerabilities within ZEGOCLOUD and its products, improve the security of ZEGOCLOUD products, and form a good internal security culture.
3.5 Third-Party Security Management
In order to strengthen the management of suppliers and service providers (collectively referred to as "third parties" hereafter), ZEGOCLOUD has established security control measures in the dimensions of third-party assessment and onboarding, due diligence, service security management, service monitoring and evaluation, and service termination, to reduce security risks, prevent the loss of the company's information assets, and protect the security of customer data and privacy.
Third-party assessment and onboarding: Before introducing a third-party service, ZEGOCLOUD identifies and assesses the risks of the third party according to its service content, scope and nature, and formulates corresponding risk treatment measures, so that the introduction of third-party activities does not increase the overall residual security risk.
Third-party due diligence: For important third parties, ZEGOCLOUD conducts in-depth due diligence before signing contracts with them, covering but not limited to service capabilities and supporting technologies, service experience, personnel skills, market and regulatory evaluation, and ongoing operations.
Service contract and requirements: When signing a service contract with a third party, ZEGOCLOUD agrees with it on the scope of services, service content, service level, the security and data protection responsibilities of both parties, and breach of contract and compensation terms.
Service security management: ZEGOCLOUD has established adequate information security control measures, such as third-party personnel access control and service change management, to prevent risks such as information leakage, tampering, unavailability, illegal intrusion, and damage to the physical environment or facilities caused by third-party activities.
Service monitoring and evaluation: ZEGOCLOUD continuously monitors the delivery of third-party services, conducts regular security checks, and obtains reports issued through third-party self-assessment or by independent auditors.
Service interruption or termination: ZEGOCLOUD has formulated business continuity plans and contingency plans for third-party services in order to mitigate the risk of interruption or termination of important third-party services, and to eliminate the impact of third-party service emergencies on the organization.
ZEGOCLOUD integrates security and privacy requirements into its existing product development lifecycle and implements corresponding security controls in every phase, including requirements analysis and review, design, coding, testing and maintenance, and source code management. The goals are to reduce the number of vulnerabilities in the product, "shift left" on security, reduce the cost of fixing vulnerabilities, minimize risks, build more secure software components, and address security compliance requirements.
4.1 Requirements Analysis and Review
Compliance analysis and business risk analysis are conducted before product development. Compliance analysis is based on local laws and regulations, industry standards, management methods and so on, and determines the legitimacy of the business at the compliance level. ZEGOCLOUD invests sufficient security resources in development and construction to ensure that the business can meet its compliance requirements. Risk analysis is a service security risk analysis activity based on the investigation of common security risks in the industry and the organization's internal knowledge base; its output is the basic content of the service security requirements, which guides the subsequent security design. Once requirements analysis is complete, the organization convenes members of different roles for a security requirement review meeting, in which the security requirement analysis results are discussed and confirmed one by one, and security requirements that do not meet expectations are optimized and adjusted following the PDCA closed-loop approach, so that the resulting security requirements meet compliance requirements and effectively control security risk.
4.2 Design Phase
Based on basic security design principles such as separation of duties, least privilege and defense in depth, the ZEGOCLOUD development team takes the security requirement analysis results as input and a common software architecture as the cornerstone of the product security architecture design. By applying the STRIDE threat modeling method, the team reduces the attack surface and the opportunity for attackers to exploit potential weaknesses or vulnerabilities, and avoids the risk of security functions failing to cover security and privacy protection requirements. ZEGOCLOUD uses a variety of identification techniques, such as attack intent identification, identification of high-risk functional modules, and attack trees, to enumerate the types of threat the software may face and to produce threat assessment results that match the actual situation.
4.3 Coding Phase
ZEGOCLOUD has issued internal secure coding specifications for general-purpose and special-purpose programming languages. Developers follow the specification corresponding to the language they use, and strictly implement security isolation elements, parameter naming standards and the other contents of the specification during the coding phase, so that the source code delivers both business and security functions while conforming to the specification, and the risk of producing insecure code is reduced. Developers must be approved and authorized before accounts are created for them on the development and testing servers. Each developer has a unique User ID and is granted only the minimum access necessary to complete the work, which meets the requirement of least privilege. In terms of environment isolation, physical or logical isolation is used to strictly separate the development, pre-release and production environments from each other, and real production data is prohibited from use in non-production environments, to ensure the security of production data and reduce the risk of data leakage.
4.4 Testing Phase
Based on the results of the threat assessment, ZEGOCLOUD performs security activities on the products including, but not limited to, verification of the implementation of security functions, security policies and threat mitigation measures, and security implementation testing. When security vulnerabilities are detected during security testing, ZEGOCLOUD applies a closed-loop vulnerability management process of identifying, grading, tracking and repairing vulnerabilities, to avoid the risk of a product going live with known defects. If the product includes third-party components, ZEGOCLOUD also regularly verifies the security patches and updates provided by the third party and applies those updates, to protect the product from known vulnerabilities in third-party components. Finally, all ZEGOCLOUD services and products undergo complete security testing, and the test results are reviewed and approved before the product is officially released.
4.5 Source Code Security
In terms of source code protection, ZEGOCLOUD implements security measures such as account management, access control, version control and security auditing to ensure the integrity of the source code and to prevent the unauthorized modification of or access to source code, either of which would directly affect the security of the product.
5.1 Access Control
ZEGOCLOUD has established a clear access control policy for security areas. For physical access control, ZEGOCLOUD divides the physical area according to the sensitivity of the information assets it holds and sets up isolated areas of different levels, with access control systems between each area and access granted according to personnel roles, to avoid system interruption, equipment loss or damage, and data breach or tampering due to unauthorized entry. For network access control, ZEGOCLOUD deploys firewalls and other access control devices at the network boundary and between network zones, and adopts a combination of white-list and black-list access control strategies to control the content and protocols carried by the data flowing through the network, so as to establish a reliable network boundary.
ZEGOCLOUD deploys an endpoint security management system and has established an internal account lifecycle management (LCM) process based on the zero trust principle, which updates the status of the account identity information (with the account ID as the unique identifier) of all internal employees and third-party personnel through the onboarding, transfer and termination processes. Meanwhile, ZEGOCLOUD has defined appropriate access control rules, access rights and restrictions for specific employee roles, clearly manages identities and access rights, defines access policies, and anticipates risks, so that the right people can access the right resources in different scenarios while unauthorized access is prevented, thereby fending off potential threats and protecting critical assets.
The ZEGOCLOUD service allows customers to designate access zones to meet the laws and regulations of different countries or regions, in which case data and message transmission within the product is limited to the ZEGOCLOUD servers within the designated zone. The specific zone scope, number of nodes, network quality and so on can be customized according to customer requirements. When a customer limits the access zone, the customer's audio and video data and messages will not reach servers outside the specified zone.
5.2 Vulnerability Management
ZEGOCLOUD has established mechanisms for vulnerability identification, risk assessment, vulnerability handling and reporting to reduce the possibility of information system vulnerabilities being exploited by external threats. ZEGOCLOUD actively monitors information sources such as well-known public vulnerability repositories, open-source communities and security websites so that vulnerability information related to ZEGOCLOUD products is identified and reported in a timely manner. In addition, ZEGOCLOUD regularly purchases third-party penetration testing services to verify its products from an external perspective, uncover potential product vulnerabilities, weak links and weak points, and promptly repair them to strengthen product security. Meanwhile, ZEGOCLOUD evaluates the severity level of each identified vulnerability, combining the risk assessment of the vulnerability being exploited in ZEGOCLOUD products or systems with its possible impact, to decide the priority of the vulnerability. For high-severity vulnerabilities, ZEGOCLOUD formulates and carries out a patching process; once patching is completed, a vulnerability report is produced internally to accumulate experience, and patching information is released to customers when necessary. Throughout the vulnerability handling process, ZEGOCLOUD strictly controls the scope of vulnerability information and shares it only among the personnel handling the vulnerability, to reduce the risk of it being used in attacks by others.
5.3 Change Management
ZEGOCLOUD applies strict change control to operating systems, applications, information processing facilities and systems, including the identification and recording of major changes, the planning and testing of changes, change impact assessment, change approval, and rollback plans. Some changes are standardized and deployed automatically using a self-developed system to reduce the risks introduced by manual operations, so that the security risks that changes bring to the organization remain orderly and controllable.
5.4 Security Logging & Event Management
ZEGOCLOUD records and regularly reviews system user activities, exceptions, failures, security events and so on. For logs involving users' personal information, ZEGOCLOUD collects log information for failure analysis only after obtaining users' consent and according to the principle of "minimal use". At the same time, log information is retained, as required by local laws and regulations, as one of the key inputs for incident tracing. ZEGOCLOUD has established a security incident management and response process and a management accountability system to ensure that security incident handling procedures are fully implemented within the organization. ZEGOCLOUD grades security incidents according to their impact on the company or its customers, and handles them according to the incident reporting, incident investigation and handling, and corrective action procedures. After the fault is resolved or the necessary measures are taken to reduce its impact, the cause, type, loss and responsibility of the incident are identified, and anyone responsible for an information security incident caused by violating the company's information security policies or procedures is disciplined according to internal policies. At the same time, ZEGOCLOUD has established an incident reporting process based on the national or local laws, regulations and standards applicable to the business, to fully meet the relevant regulatory and legal requirements.
5.5 Business Continuity and Disaster Recovery
To prepare for sudden or gradual disruptions that could interrupt the organization's operations and services, ZEGOCLOUD has developed an organization-wide Business Continuity Plan (BCP), which is reviewed periodically and revised when there are significant changes in the internal or external environment, as shown in Figure 5-5-1.
Figure 5-5-1 Business Continuity Management Process
Business Impact Analysis and Assessment: ZEGOCLOUD identifies critical business functions through business impact analysis and risk assessment, and determines the recovery priority and requirements for each critical business function.
Business Continuity Strategy and Procedures: ZEGOCLOUD develops and implements a business continuity recovery strategy and business continuity procedures based on the results of the business impact analysis and the "cost-risk balance principle".
Drills and Tests: ZEGOCLOUD regularly conducts table-top exercises or functional exercises of the business continuity plan to verify the resilience of its technology and communications, including the availability of personnel.
Disaster Recovery and Redundancy: ZEGOCLOUD deploys multiple distributed data centers around the world. When a data center is attacked or fails, the distributed design ensures that the overall business continues to operate normally and effectively guarantees the real-time availability of business data. At the same time, ZEGOCLOUD uses snapshot-based cloud backup services from public cloud providers to back up important data regularly and in real time, and periodically restores backup data to verify its availability. In addition, ZEGOCLOUD deploys software load balancing (such as SLB and CLB) and redundant basic information processing facilities and equipment, such as multi-link networking and uninterruptible power supply (UPS), to guarantee business continuity from different angles.
Disaster Recovery Plan: To ensure that the target systems, applications, computer facilities and infrastructure at the backup site can be restored to operation as soon as possible in an emergency, ZEGOCLOUD has established an organization-wide Disaster Recovery Plan (DRP), which is reviewed periodically and revised when there are significant changes in the internal or external environment.
6.1 Cloud Service Security
ZEGOCLOUD procures third-party IaaS services from internationally renowned cloud service providers and deploys multiple server nodes globally. In compliance with the regulatory requirements of the place where the business is conducted, users are assigned server nodes according to geographical proximity and current load when they use the service. At the same time, ZEGOCLOUD has deployed a solution for real-time monitoring of and defense against DDoS attacks, combining public cloud capabilities with its distributed server nodes to ensure the continuous availability of services.
ZEGOCLOUD has developed security baselines for its cloud servers according to its own security needs, covering login restrictions, service privilege minimization, patch updates and so on, and regularly revises the baselines to ensure they fit business needs. Meanwhile, ZEGOCLOUD configures knowledge-based and behavior-based intrusion detection systems (IDS) to monitor and analyze intrusion activity, and builds risk remediation (covering weak passwords, missing patches, vulnerabilities, etc.) into the host management process to secure the hosts.
Since public cloud services are one of the key factors supporting the business, ZEGOCLOUD selects international cloud service providers to work with and regularly reviews or evaluates the audit reports published by these third-party providers to ensure that the cloud services are secure and reliable. Some of the cloud service providers' security capabilities can be found at the following links:
Huawei Cloud (huaweicloud.com)-Trust Center
Tencent Cloud (tencent.com)-Security Center
Aliyun Trust Center - Home (aliyun.com)
AWS Cloud Security - AWS Cloud Services (amazon.com)
6.2 Network Security
ZEGOCLOUD adopts a mature and reliable three-layer network architecture to ensure that important production and office networks are isolated from each other. Firewalls are deployed in each security zone to achieve fine-grained network access control, and intrusion detection systems (IDS) are deployed at key network locations to detect network attacks and anomalies early and reduce the risk of security incidents. In addition, ZEGOCLOUD detects and blocks internal and external threats by deploying active security defenses such as honeypots, access control, permission restrictions and intrusion prevention systems (IPS) in the office network. ZEGOCLOUD creates resource zones for each customer and applies identity-based and role-based access control policies that allow only the user groups that need the resources, ensuring resource isolation between customers and guaranteeing the independence of each customer's resources and the safety of the processing environment. ZEGOCLOUD also applies device security controls to servers, network devices and terminals, such as hardware trojan and vulnerability detection and USB port disabling, to prevent malware from compromising physical devices and causing data leakage or other security risks.
6.3 Physical and Environmental Security
To ensure that information systems are not damaged by natural or human factors during information activities, which could lead to information security events such as activity interruptions and data leakage, ZEGOCLOUD physically isolates the areas that support critical business processes (such as its self-owned server rooms) and deploys role-based access control systems, fire alarm systems and CCTV to guard against security threats and environmental hazards. Uninterruptible power supply (UPS) units are also deployed for the equipment supporting critical business processes to avoid damage from power failures or other power anomalies.
7.1 Data Life Cycle Management
To ensure the operation of the business on the network system and to maintain the confidentiality, integrity and availability of data, ZEGOCLOUD develops applicable technical and management security controls for the whole data life cycle (covering the stages of data collection, transmission, storage, processing, sharing and destruction), so that data is not tampered with, lost or leaked and other situations that endanger the security of customer data are prevented. The security controls for each stage are as follows:
Data Collection: ZEGOCLOUD takes local laws and regulations as the baseline, follows the principles of "minimization" and "business need", and fully informs customers of the purpose, scope and usage of information collection in its privacy policy. ZEGOCLOUD collects business data only after obtaining the customer's authorization and consent. At the same time, ZEGOCLOUD ensures the integrity and authenticity of data during collection through input checks, identity verification and so on, and uses the TLS cryptographic protocol to ensure that data in transit is not tampered with or stolen and that the authentication server is genuine. For details about the ZEGOCLOUD Privacy Policy, please refer to Privacy Policy - ZEGOCLOUD Voice & Video APIs of Real-Time. The user data collected by ZEGOCLOUD's customers, such as app login information and account information, is kept and secured by the customers and is not stored on the ZEGOCLOUD platform.
Data Transmission: ZEGOCLOUD has implemented data transmission security controls such as TLS/SSL encryption, AES/RSA encryption of data content, signature verification, and identification and authentication of the subjects at both ends of the transmission channel, as well as audit and monitoring programs for changes to the data transmission security policy in different business scenarios, to guarantee the CIA attributes of data (confidentiality, integrity and availability) during transmission.
Data Storage: ZEGOCLOUD follows the principle of "minimizing the retention period", sets different retention period strategies for the collected customer personal information according to data sensitivity and the purposes of processing, and anonymizes or destroys the data once it has exceeded its retention period. At the same time, data stored in ZEGOCLOUD is encrypted and backed up according to local regulatory requirements. If a customer requests processing of its own data, such as modification, copying or deletion, ZEGOCLOUD will cooperate with the customer provided that the corresponding legal and regulatory requirements are met.
Data Usage: ZEGOCLOUD follows the principle of "purpose limitation" for data usage: the collected data is used only for the purposes stated in the privacy policy, and is not used for data processing activities not authorized by users, such as user profiling analysis and automated decision-making by information systems.
Meanwhile, ZEGOCLOUD follows the principle of "least necessity", specifies the purpose of data processing in each business scenario, controls the scope of use through access control and encryption measures, and ensures that data use does not exceed the scope agreed with the customer, except where the customer additionally agrees or where legal requirements or the public interest demand it. ZEGOCLOUD isolates data, system functions, the operating environment and other resources based on core business scenarios, data importance and so on, to ensure the independence of different customers' data and the security of the data processing environment.
ZEGOCLOUD keeps log records of data usage activities, effectively identifies and monitors data usage violations through automated tools and log audits, and regularly performs personal information security evaluations based on the purpose and scope of data usage and its impact on personal information, to ensure the legitimacy, necessity, compliance and security of data usage.
Data Sharing: ZEGOCLOUD also follows the principle of "least necessity" when sharing data internally and externally. When sharing data internally, ZEGOCLOUD ensures that the sharing is legitimate and necessary. At the same time, ZEGOCLOUD secures the transmission (through protected data transmission channels and software and hardware encryption), controls access rights based on service roles, and strengthens data protection awareness, to reduce the risk of data theft and destruction by various threats during transmission. In addition, ZEGOCLOUD has deployed a zero-trust management platform to monitor and audit employees' data sharing behavior and ensure that no illegal operations or leaks occur. When sharing data externally, ZEGOCLOUD informs users in the privacy policy about the external third parties involved and the content and purpose of the sharing, and provides the relevant content to third parties only after obtaining consent. ZEGOCLOUD also signs a data protection agreement (DPA) with the third party before sharing data, to clarify the purpose and scope of data processing, the third party's data protection obligations and so on, and thereby ensure the safety of user data.
Data Destruction: When a service is terminated, the retention period expires, the individual withdraws consent, or the purpose of processing has been achieved, cannot be achieved, or no longer requires the data (except where local laws and regulations impose special requirements), ZEGOCLOUD handles the collected data in one of two ways: hard destruction or anonymization. If the data to be destroyed involves a third party, ZEGOCLOUD also notifies the relevant third party in writing and tracks the result.
7.2 Privacy Impact Analysis (PIA)
As a cloud communication service provider, ZEGOCLOUD identifies privacy risks based on product functions, national or local data protection laws, related guideline requirements and similar sources. When a new product or service is planned, an existing product or service that involves personal information is changed, or significant changes occur in the external environment, ZEGOCLOUD performs a privacy impact assessment of the personal information processing activities. Based on the assessment results, business status, threat environment, laws and regulations, standard requirements and so on, ZEGOCLOUD continuously revises the personal information protection boundaries and adjusts security control measures, so that the personal information processing process remains in a risk-controlled state.
7.3 Data Classification and Risk Assessment
Taking into account the characteristics of the data types, business operation needs and similar factors, ZEGOCLOUD has specified the principles and methods of data classification, established a data classification management system, and defined different control requirements for different levels of information assets in terms of access control, release control, labeling, storage and so on. At the same time, based on the risk elements of assets, security measures, threats and vulnerabilities, ZEGOCLOUD analyzes the value of information assets, the potential threats to them and the protective measures taken, with reference to international risk management standards and guidelines (such as ISO 27005), to determine the probability of security events and the possible losses, and thereby identifies the security risks faced by ZEGOCLOUD. According to the results of the risk assessment, corresponding control measures are implemented, and regular follow-ups and re-evaluations are conducted to monitor risks dynamically and manage them in a closed loop.
Currently, ZEGOCLOUD has obtained several internationally recognized information security and privacy protection management system certifications, ISO/IEC 27001:2013, ISO/IEC 27701:2019 and ISO/IEC 27018:2019, which demonstrate its privacy compliance and security management capabilities.
8.1 ISO/IEC Certifications
ISO/IEC 27001:2013
ISO/IEC 27001:2013 is an information security management system standard. With its strict review criteria and authoritative certification system, it has become the most widely adopted and representative information security management standard in the world, mainly regulating an organization's development security, communication security, operation security and information system security. ZEGOCLOUD has obtained ISO/IEC 27001:2013 certification from the international certification organization DNV, which proves that ZEGOCLOUD has made substantial efforts in security management, security technology, and security organization and personnel, and shows that management has fulfilled its relevant responsibilities.
ISO/IEC 27701:2019
ISO/IEC 27701:2019 is the Privacy Information Management System standard published by the International Organization for Standardization, formally titled "Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines". The standard provides an internationally accepted privacy information management tool that allows organizations to achieve long-term, effective personal privacy security compliance by establishing a Privacy Information Management System (PIMS), ensuring that the privacy protection requirements of an organization's senior management, owners and key stakeholders are met. ZEGOCLOUD has obtained ISO/IEC 27701:2019 certification issued by the international certification organization DNV, which shows that ZEGOCLOUD has established a scientifically sound privacy protection system and can largely meet the requirements of the relevant privacy protection laws and regulations of different countries.
ISO/IEC 27018:2019
ISO/IEC 27018:2019 is a management system guideline for personally identifiable information (PII) in the public cloud, focusing on the code of practice for protecting personal data in the cloud. It is based on the ISO/IEC 27002 information security standard and provides guidance on which ISO/IEC 27002 controls apply to PII in the public cloud. ZEGOCLOUD has obtained ISO/IEC 27018:2019 certification from the international certification organization DNV, which reflects a further improvement in ZEGOCLOUD's level of protection for personal data stored and processed in the cloud.
8.2 Regulatory Compliance
In addition to ISO certifications, ZEGOCLOUD also ensures compliance with the requirements of local laws and regulations, such as:
China's laws, regulations and national standards: Cybersecurity Law of the People's Republic of China, Personal Information Protection Law of the People's Republic of China, Data Security Law of the People's Republic of China and so on.
Singapore's laws, regulations and national standards: Personal Data Protection Act, Personal Data Protection (Notification of Data Breaches) Regulations, Personal Data Protection (Do Not Call Registry) Regulations and so on.
India's laws, regulations and national standards: Information Technology Act, Medical Council Act and so on.
In addition, the ZEGOCLOUD security compliance team conducts regular product security and privacy impact assessments every year to ensure that products remain in compliance with the relevant legal and regulatory requirements.
This White Paper describes the efforts ZEGOCLOUD makes in information security and privacy protection when providing cloud communication services to customers. It helps customers understand ZEGOCLOUD's security control measures in detail, so that they can use ZEGOCLOUD cloud communication services safely and securely. This document is for informational purposes only and has no legal effect, nor does it constitute legal advice. Customers should evaluate their own usage of cloud communication services as appropriate and ensure their own data security, application security and infrastructure security when using ZEGOCLOUD services.