As a global provider of integrated communications and information technology solutions, ZTE has the obligation and responsibility to comply with laws and regulations, follow industry standards, and safeguard the security of communications network equipment to the greatest extent possible. By driving itself and its suppliers to deliver secure and trustworthy products and services to customers, ZTE enables users worldwide to enjoy secure and reliable network connectivity and digital life.
This Code of Conduct sets out ZTE's basic requirements on cyber security, data protection, information security, and physical security for the suppliers in its supply chain. All suppliers are expected to comply with this Code of Conduct.
1 Security Assurance System
A) The Supplier shall establish a security assurance system; implement information security management, cyber security management, open source compliance management, and data protection compliance management; perform regular self-checks; and provide the self-check reports to the Buyer. The Buyer and/or its customers have the right to audit the Supplier's security assurance system and its implementation.
B) The Supplier shall establish and comply with a legal compliance and trade security management system that meets the AEO (Authorized Economic Operator) certification requirements.
C) The Supplier shall identify security risks and take the necessary measures to control and mitigate them.
2 Human Resource Security
A) The Supplier shall ensure that any employee in a security-critical position who performs the Agreement is trustworthy, meets the established security standards, and has passed appropriate screening and background verification.
B) The Supplier shall carry out security management for employees in security-critical positions, including but not limited to signing security agreements with them, providing security training, auditing their compliance with security rules, remediating problems found in audits, and removing non-compliant employees from such positions.
C) The Supplier shall continuously provide cyber security awareness training to all employees.
D) The Supplier shall formulate a role-based security training plan that identifies the expertise required for cyber security activities, and shall review the current plan annually to ensure that the training content remains relevant and up to date.
3 Asset Management
A) The Supplier shall establish a clear and documented asset management system and ensure that up-to-date records of all relevant assets and their owners are maintained. Information assets include but are not limited to IT systems, and backups and/or removable media containing sensitive information, access rights, software, and configurations.
B) The Supplier shall label, handle, and protect information according to a predefined information classification scheme and in accordance with the security standards in effect at the time (including those for removable media storage, disposal, and physical transfer).
C) The Supplier shall establish and implement an information classification scheme.
D) The Supplier shall identify and protect sensitive information that may affect cyber security (such as signing keys and security vulnerabilities).
4 Access Control
A) The Supplier shall formulate a clear and documented access control policy for facilities, sites, networks, systems, applications, and information/data (covering physical, logical, and remote access control), together with procedures for authorizing user access and privileges, for revoking access rights, and for the acceptable use of access rights by the Supplier's personnel.
B) The Supplier shall formulate a formal and documented user registration and deregistration procedure for the assignment of access rights.
C) The Supplier shall assign all access rights according to the principle of least privilege, especially access rights to R&D and production environment systems.
D) When using systems that contain the Buyer's data, the Supplier shall apply strong (two-factor) authentication for system administrators and other highly privileged users, including remote access users.
E) The Supplier shall ensure that each of its personnel has an individual and unique identifier (user ID), and shall use appropriate authentication techniques to confirm and assure the user's identity.
F) The Supplier shall control access to and modification of source code, development tools, and software libraries.
G) The Supplier shall formulate and implement remote access protection requirements for R&D and production environments.
H) Access rights to the Supplier's R&D and production environment systems shall follow the principle of least privilege.
I) The Supplier shall isolate the development, test, and production environments.
5 Cryptography
A) The Supplier shall ensure that the Buyer's data is appropriately and effectively encrypted.
B) The Supplier shall protect encryption keys.
6 Physical and Environmental Security
A) The Supplier shall protect information processing facilities from external and environmental threats and hazards, such as power/cabling failures and other interruptions caused by failures of supporting utilities, including protection of physical perimeters and access.
B) The Supplier shall protect goods received or dispatched on behalf of the Buyer from theft, tampering, and destruction.
7 Operations Security
A) The Supplier shall establish a change management system for implementing changes to business processes, information processing facilities, and related systems. The change management system shall include testing and review before a change is implemented, such as procedures for handling emergency changes, rollback procedures for recovering from failed changes, and logs showing what was changed, when, and by whom.
B) The Supplier shall make and test backup copies of critical information, and ensure that the relevant information can be restored in coordination with the Buyer.
C) The Supplier shall log and monitor user activities, faults, information security events, and exceptions, and review them regularly. The Supplier shall protect and retain log information for at least six months, and provide monitoring data to the Buyer upon request.
D) The Supplier shall proactively and promptly manage and remediate security vulnerabilities in all relevant technologies (such as operating systems, databases, and applications).
E) The Supplier shall establish security baselines (hardening) for all relevant technologies (such as operating systems, databases, and applications).
F) The Supplier shall protect endpoint devices in the R&D and production environments (for example, by security hardening and deploying firewalls).
G) The Supplier shall implement malware protection measures for the R&D and production environments and related assets.
H) The Supplier shall monitor and review the operations performed by privileged users on R&D and production environment systems.
8 Communications Security
A) The Supplier shall implement network security controls (such as service levels, firewalls, and segregation) to ensure the security of information systems.
B) The Supplier shall ensure the security of voice communications that contain the Buyer's data.
9 System Acquisition, Development, and Maintenance
9.1 General
A) The Supplier shall formulate, communicate, implement, and maintain the organization's cyber security policy.
B) The Supplier shall formulate security specifications based on the cyber security policy.
C) The Supplier shall establish and apply a secure development lifecycle process.
D) The Supplier shall integrate cyber security roles and responsibilities into the relevant job descriptions across the full product lifecycle.
E) The Supplier shall set security checkpoints in the product development lifecycle.
F) The Supplier shall perform security assessments of the products it provides and the processes it executes.
G) The Supplier shall feed the problems found back into a defect management system.
H) The Supplier shall perform root cause analysis of security defects in the products it provides.
I) The Supplier shall incorporate the improvements resulting from root cause analysis of security defects into the product development lifecycle process.
9.2 Third-Party Component Security
A) Third-party components shall be obtained from trusted channels.
(1) Third-party tools, libraries, and source code used by the Supplier shall be obtained from approved sources.
(2) The Supplier shall record the source and version of third-party tools, libraries, and source code.
B) When a third-party component is newly introduced, it shall be assessed for security risks.
(1) The Supplier shall establish a process for selecting, introducing, and maintaining third-party components.
(2) The Supplier shall perform a security assessment of third-party components when introducing them.
C) The Supplier shall verify the integrity and authenticity of the third-party components in the products it provides.
D) The products provided by the Supplier shall use only supported third-party components.
E) The Supplier shall continuously monitor the risks of third-party components.
(1) The Supplier shall continuously monitor newly disclosed vulnerability information for third-party components.
(2) The Supplier shall continuously monitor the end-of-life (EOL) status of third-party components.
9.3 Security Design and Development
A) The Supplier shall define and implement the security principles to be followed in architecture and design.
B) The Supplier shall perform threat modeling on the product design.
C) The Supplier shall continuously collect and analyze threat and vulnerability information related to the delivered products.
D) The Supplier shall establish coding standards for all programming languages used in product development.
E) The Supplier shall restrict the use of insecure functions and APIs.
F) The products provided by the Supplier shall take measures to prevent the injection of untrusted data.
G) The products provided by the Supplier shall validate input (for example, character set, length, numeric range, and acceptable values).
H) The Supplier shall have the source code of deliverables independently reviewed.
I) The products provided by the Supplier shall prevent unauthorized access through appropriate control mechanisms.
(1) The products provided by the Supplier shall securely protect user authentication information (such as passwords, keys, and biometric data).
(2) When a user accesses controlled resources or functions of the product, the product provided by the Supplier shall enforce access control according to the configured access control policy.
J) The products provided by the Supplier shall not transmit passwords in plaintext over the network.
K) The products provided by the Supplier shall not write plaintext passwords to logs.
L) The products provided by the Supplier shall not retain default passwords after initial setup is completed.
M) Passwords in the products provided by the Supplier shall be changeable.
N) The products provided by the Supplier shall have a logging function that records, for example, successful and failed logins, account creation/deletion, changes to authentication information, and changes to critical configuration.
O) The products provided by the Supplier shall not hard-code critical security parameters.
P) If the products provided by the Supplier contain logs, the logs shall be subject to access control, and under no circumstances shall the logs be modified or deleted.
Q) If the products provided by the Supplier contain encryption algorithms, cryptographic algorithms that have been widely reviewed and proven effective shall be selected.
(1) The cryptographic algorithms and key lengths shall comply with laws and regulations.
(2) The cryptographic algorithms and key lengths shall meet the requirements of national and industry standards.
(3) The products provided by the Supplier shall manage keys throughout the key lifecycle (for example, key generation, use, and destruction).
9.4 Security Testing
A) The products provided by the Supplier shall undergo security testing before release.
(1) The Supplier shall perform security function testing on the products it provides, including both positive and negative tests.
(2) The Supplier shall perform boundary value testing on the products it provides.
(3) The Supplier shall perform fuzz testing on the products it provides.
(4) The Supplier shall perform vulnerability scanning on the products it provides.
(5) The Supplier shall perform penetration testing on the products it provides.
(6) The Supplier shall test the products it provides based on the results of risk analysis.
(7) The Supplier shall construct attack patterns and abuse cases relevant to potential attackers for the products it provides.
B) The Supplier shall perform malware scanning on the products it provides.
C) The Supplier shall support the Buyer in performing security testing and penetration testing on the products provided by the Supplier.
9.5 Version Release
A) Redline 1: Backdoors in products are prohibited. The products provided by the Supplier shall not use a "backdoor" to provide access to services or functions, and shall not contain any form of Trojan, data leakage, worm, virus, malicious code, unknown function, or unknown permission.
B) The software versions provided by the Supplier shall have a unique identifier that can be mapped to a specific build number.
C) The Supplier shall obtain the approval of the person in charge of security before a version is released.
D) The Supplier shall archive the materials related to each software version (such as documents, source code, and binaries).
9.6 Product Manufacturing Security
A) The Supplier shall verify the integrity of the products it provides before software installation.
B) The key components of the products provided by the Supplier shall be traceable to their source, production stage, and personnel.
9.7 Secure Delivery
A) The Supplier shall define and implement a product lifecycle maintenance and support plan that covers at least the remediation of product security problems.
B) The Supplier shall provide security maintenance for the products it provides until their end-of-life (EOL).
C) The Supplier shall inform ZTE of the product end-of-life plan six months before the product's end of sales.
D) The Supplier shall define and implement a secure product delivery plan that covers at least the secure transmission method for the product.
E) Redline 2: Vulnerabilities of medium or higher severity in delivered products are prohibited.
F) The Supplier shall provide the product security test report together with the product.
G) The Supplier shall provide protection measures for the integrity and authenticity of versions and patches.
H) The Supplier shall provide methods for verifying software integrity and authenticity.
I) The Supplier shall provide a Software Bill of Materials (SBOM) in a common, machine-readable format.
(1) The Supplier shall provide the SBOM in a common (for example, SPDX, CycloneDX, or SWID), machine-readable format.
(2) The SBOM provided by the Supplier shall at least include third-party components and self-developed components.
J) The Supplier shall apply security hardening to the products it provides.
K) The user documentation for the products provided by the Supplier shall include security documentation, such as security hardening guides, secure operation guides, and security function descriptions.
L) When the Supplier delivers a product or a product upgrade to the customer, the user documentation shall reflect the product's current functions.
M) All ports of the products provided by the Supplier shall be disclosed to the Buyer, and there shall be no hidden ports. Enabled ports shall be those necessary for system operation and maintenance, and unused ports shall be disabled. Enabling or disabling a port shall be subject to permission control, and the method for enabling or disabling ports shall be described to the Buyer.
N) In the products provided by the Supplier, all communication ports through which the system can be managed or controlled (including but not limited to physical ports through which the system can be managed or controlled) shall have an access authentication mechanism (except for standard protocols that have no authentication mechanism). The authentication mechanism shall include protection against brute-force login attempts and against impersonation. The Supplier shall provide a list of all initial accounts and passwords for such authentication.
O) If a product provided by the Supplier contains a software upgrade function (including but not limited to upgrades of the Supplier's own software and of third-party components), this shall be described to the Buyer, and the customer/end user has the right to decide whether to use or disable this function.
P) The Supplier shall describe the secure default configuration, and the security risks of changing it, in the user documentation it provides.
Q) When the user documentation provided by the Supplier is significantly updated, the changes shall be communicated to users.
R) Where the Supplier provides logistics services as agreed by both parties, the Supplier shall comply with the relevant laws and regulations of its country, the C-TPAT or TAPA standards, and the Buyer's security requirements, and shall apply security controls to the logistics process to ensure that it presents no security risks or problems (including but not limited to damage to or shortage of goods and changes in their condition).
9.8 Data Protection
A) The Supplier shall classify and grade the data to be processed by the product.
B) The products provided by the Supplier shall apply security protection when storing and transmitting data.
C) The products provided by the Supplier shall not disclose sensitive information in error messages.
D) The products provided by the Supplier shall comply with applicable laws and regulations when processing personal data.
E) The products provided by the Supplier shall follow the principle of data minimization when processing personal data.
F) If a product provided by the Supplier contains a function for collecting or transferring customer/end-user data (including personal data), this shall be described to the Buyer, and the customer/end user has the right to decide whether to use or disable this function.
9.9 Configuration Management
A) The Supplier shall use a configuration management tool to version-control configuration items.
B) Changes made by the Supplier to the product shall be authorized.
C) The Supplier shall formulate configuration management procedures, and track and control changes to configuration items under configuration management.
D) All inputs to the Supplier's build process (such as source code, build scripts, build tools, and the build environment) shall come directly from the configuration management system.
E) The Supplier shall use the approved toolchain and its associated configuration parameters for software development.
F) Changes to configuration items of the products provided by the Supplier shall follow the principle of separation of duties.
G) The Supplier shall notify the Buyer in advance of any major change to the products and/or services provided, evaluate the security risks introduced by the change, and take measures to control those risks. In particular, major changes at a service provider include but are not limited to: changes to the technical infrastructure (for example, a major upgrade of operating systems or application software, or a major reconfiguration of systems such as virtual servers or storage area networks); relocation of the technical infrastructure to a different geographical region; and replacing or engaging a new subcontractor.
10 Contractual Provisions for Monitoring Sub-Suppliers
A) The Supplier shall enter into contracts requiring compliance with this Agreement with any sub-suppliers, business partners, or third parties directly or indirectly involved in the products and/or services that the Supplier provides to the Buyer.
B) The Supplier shall ensure by contract that the Buyer's right to bind sub-suppliers, business partners, or third parties is the same as its right to bind the Supplier, regardless of their tier in the supply chain. Where the requirements of the Buyer and the Supplier on sub-suppliers, business partners, or third parties conflict, the Buyer's requirements shall prevail.
C) The Supplier shall assess and verify the compliance of sub-suppliers, business partners, or third parties with the security requirements agreed in the above contracts.
D) When the Buyer requires the Supplier to provide written evidence that contractual requirements consistent with those of this Agreement have been imposed on a sub-supplier, business partner, or third party, the Supplier shall provide the Buyer with copies of the relevant contracts, including the rights and obligations, signed with that sub-supplier, business partner, or third party.
E) If a sub-supplier, business partner, or third party violates the security requirements of this Agreement, the Supplier shall be liable for that conduct.
11 Security Incident and Vulnerability Management
A) The Supplier shall formulate a security incident response plan, hold regular drills, and keep records of them.
B) The Supplier shall formulate and publish a vulnerability disclosure policy.
C) Redline 3: Concealing, delaying the reporting of, or ignoring security incidents is prohibited. The Supplier shall report information security problems, cyber security problems (including security vulnerabilities), open-source software compliance problems, and their solutions (including security patches) to the Buyer by email, fax, or other written means.
D) After discovering a security vulnerability in a product it provides, the Supplier shall report the vulnerability of the affected product to the Buyer by email or other written means within 24 hours.
E) After discovering a security vulnerability in a product it provides, the Supplier shall complete verification of the vulnerability within 2 days (calendar days).
F) When the Buyer discovers, or the media reports, a cyber security vulnerability in the Supplier's products, the Supplier shall release vulnerability mitigation or remediation measures within the specified time.
(1) If the Supplier cannot remediate the vulnerability in a timely manner, it shall provide mitigation measures within 7 days (calendar days).
(2) The Supplier shall provide remediation measures for vulnerabilities of medium or higher severity within 30 days (calendar days).
G) When the Supplier publicly discloses cyber security problems (including security vulnerabilities) or open-source software compliance problems, it shall notify the Buyer in advance through the official version release channel.
H) The Supplier shall notify the Buyer of the contact details of its security incident/vulnerability contact person.
I) The Supplier shall provide channels for receiving security incident/vulnerability reports and keep them open.
(1) Contact person for security incidents/vulnerabilities and open-source software compliance incidents: _________________________________________________
(2) Contact email for security incidents/vulnerabilities and open-source software compliance incidents: _________________________________________________
(3) Contact telephone for security incidents/vulnerabilities and open-source software compliance incidents: _________________________________________________
12 Security Code of Conduct for Suppliers
12.1 Code of Conduct for Operation and Maintenance Services
The Supplier shall comply with the following security requirements when providing product-related engineering implementation, installation, commissioning, maintenance, upgrade, and similar services:
A) Redline 4: Accessing the customer's network or data without the customer's authorization is prohibited.
B) Comply with the relevant laws and regulations of the country concerned and with the security requirements of the Buyer and/or the customer, to ensure that the service process presents no security risks or problems.
C) Comply with applicable laws and regulations on the protection of personal data and privacy, freedom of communication, and secure network operation. Process and transfer personal data, and carry out other related operations, in strict accordance with the agreement between both parties and the instructions of the Buyer and/or the customer.
D) Do not attack or damage the network of the Buyer or the customer, steal any data or information from the network of the Buyer or the customer, or crack the account passwords of the Buyer or the customer.
E) Do not implant illegal code, malware, or backdoors in the equipment or systems of the Buyer and/or the customer, and do not leave any undisclosed interfaces or accounts.
F) Without the written authorization of the Buyer and/or the customer, do not log in to equipment using unauthorized accounts or other people's accounts, and do not share accounts and passwords with others. After the product enters commercial use or the maintenance phase, do not retain or use administrator accounts or other unauthorized accounts.
G) Without the written permission of the customer, do not connect personal portable devices or storage media to the customer's network.
H) Use only software versions, patches, and licenses provided by the Buyer and/or the customer or obtained through the channels they designate; do not run illegal software on the network of the Buyer and/or the customer.
I) Without the permission or authorization of the Buyer and/or the customer, do not provide any services other than those specified by the Buyer.
J) Ensure that the computers and other office equipment used by the Supplier's service personnel during the service contain no illegal software or viruses.
K) Treat any information or data of the Buyer and/or the customer learned during the provision of services as strictly confidential until such information or data is lawfully disclosed, and do not use it for personal gain or any other unlawful purpose.
12.2 Code of Conduct for Entering the Buyer's Premises
The Supplier shall comply with the following requirements when entering the Buyer's premises (such as data center buildings, office buildings, and technical sites):
A) When entering the Buyer's premises for work, the Supplier shall report the list of visitors in advance and cooperate with the Buyer in completing compliance screening in accordance with the Buyer's compliance requirements.
B) While working on the Buyer's premises, the Supplier's personnel shall carry their ID cards or visitor identification cards at all times.
C) After the task is completed, or when the Supplier's personnel are transferred to another work site, the Supplier shall immediately notify the Buyer of the change and return any keys, key cards, credentials, visitor identification cards, and similar items.
D) Without permission, the Supplier shall not take photographs on the Buyer's premises.
E) Without permission, the Buyer's goods shall not be removed from the Buyer's premises.
13 Business Continuity Management
A) The Supplier shall identify business continuity risks and take the necessary measures to control and mitigate such risks.
B) The Supplier shall establish documented processes and routine procedures for handling business continuity.
C) The Supplier shall regularly evaluate the effectiveness of its business continuity management and whether it meets the availability requirements (if any).
14 Compliance Requirements
14.1 Legal Compliance Requirements
A) The Supplier shall comply with all applicable security-related laws and regulations, standards, and contractual requirements.
B) If required by the Buyer, the Supplier shall provide the Buyer, without unreasonable delay, with compliance materials such as compliance status reports on such security agreements.
C) The Buyer has the right to audit the manner in which the Supplier and its sub-suppliers, business partners, or third parties fulfill security agreements or the corresponding requirements. For any violation of this Agreement found in an audit, the Supplier shall promptly take remedial measures until the requirements of this Agreement are met, and shall bear any costs incurred in the remediation.
14.2 Open Source Compliance Requirements
A) If a product provided by the Supplier contains open-source software, the Supplier shall conduct open-source compliance scanning, govern and use the software in accordance with the requirements of the applicable open-source licenses, and resolve any related intellectual-property compliance issues in the open-source software.
B) This clause applies if a product provided by the Supplier contains open-source components, including but not limited to open-source source code, open-source binaries, referenced (including dynamically invoked) open-source components, or open-source components that the product depends on (hereinafter collectively referred to as "open-source software"). The Supplier undertakes that the open-source software it uses to fulfill a purchase contract, purchase agreement, or PO with the Buyer comes from secure and reliable sources, is lawful and compliant, and complies with the terms of the corresponding open-source licenses. Within 10 days after delivering a product containing open-source components to the Buyer, the Supplier shall inform the Buyer and the Buyer's affiliates in writing and in detail of all open-source licenses involved in the product and their version numbers, their degree of copyleft (license "contagion"), license compatibility, the rights and obligations attached to using the open-source software, the courts of jurisdiction and applicable law, the open-source component dependency chain (if any), and closed-source alternatives. If any open-source license involved in the product changes, the Supplier shall promptly notify the Buyer and the Buyer's affiliates in writing. The Supplier shall bear full responsibility if it (1) violates open-source license requirements; or (2) uses open-source software with compatibility risks, intellectual-property defects, potential security vulnerabilities, or similar problems; or (3) fails to fulfill its notification obligation, causing the Buyer or the Buyer's affiliates to (a) be unable to continue using the software lawfully, (b) be required to disclose the use of the related open-source software or the related software code, (c) be required to open-source the related software, or (d) face claims, reputational damage, disputes, or infringement litigation.
14.3 Data Protection Compliance Requirements
If the Supplier processes (collects, stores, transmits, discloses, etc.) personal data or important data of the Buyer or the Buyer's customers (including direct and indirect customers), the Supplier shall strictly comply with the applicable privacy protection or data security laws and regulations and take appropriate technical and organizational measures to protect and process the personal data.
Redline 5: It is prohibited to process personal data in violation of regulations. When conducting personal data processing activities related to the Buyer and/or customer, the Supplier shall comply with the following basic requirements:
A) The Supplier shall process personal data in accordance with the Buyer's instructions.
B) The Supplier shall keep records of its personal data processing.
C) The Supplier shall provide information about the personal data and its processing and protection as required by the Buyer.
D) The Supplier shall restrict access to the personal data to those of its employees who need to access the data.
E) The Supplier shall not disclose the personal data to any third party without the Buyer's prior written consent.
F) Personal data provided by the Supplier to the Buyer shall be provided only after the necessary consent of the individuals concerned has been obtained.
G) The Supplier shall process the personal data solely for the purpose of fulfilling its contractual obligations, and shall not use the personal data for any purpose beyond the contractual obligations of the parties.
H) The Supplier shall cooperate with the Buyer to ensure that individuals can exercise their rights over their personal data, including but not limited to correction or deletion of the personal data.
I) The Supplier shall implement all appropriate and necessary protection measures to prevent unauthorized or accidental disclosure, deletion, alteration, or access of personal data.
J) If the Supplier uses a subcontractor to process personal data of the Buyer or the Buyer's customers (including direct and indirect customers), it shall obtain the Buyer's written consent. Where a subcontractor is used with the Buyer's consent, any violation of this clause by the subcontractor is deemed a violation by the Supplier.
K) If a personal data breach occurs, the Supplier shall notify the Buyer within 24 hours after becoming aware of it and immediately implement all necessary remedial measures.
L) The Supplier shall ensure that all personal data is deleted or destroyed at the Buyer's request and/or returned to the Buyer after the termination or expiration of this Agreement.
M) The Buyer (or its authorized representative) has the right, at a reasonable time and with reasonable notice, to audit the technical and organizational security measures taken by the Supplier to ensure that they comply with the applicable security obligations for personal data protection.
N) If the Supplier transfers personal data across borders, it shall obtain the Buyer's explicit prior consent and sign a data transfer agreement with the Buyer.
O) If the Supplier is located in mainland China and the products or services it provides to the Buyer involve the processing of important data, the Supplier shall process such important data in accordance with the applicable laws and regulations.
P) Consequences of data leakage caused by the Supplier, or of violations of the applicable laws and regulations on personal data or important data, shall be handled in accordance with the "Liability for Breach" clause of this Agreement.
14.4 Compliance Requirements for Data Processing of Storage Products
For storage products (such as HDDs or SSDs) purchased by the Buyer from the Supplier (hereinafter "products") that are returned by the Buyer to the Supplier or sent back to the Supplier for repair, the Supplier shall strictly protect the data on the products in accordance with this Agreement. The rights and obligations of the parties are as follows:
A) Without the Buyer's authorization, the Supplier shall not provide, copy, transfer, or disclose the data on the product (in any form, including but not limited to oral, written, direct, or indirect) to any other individual, organization, or other third party.
B) The Supplier shall not recover, copy, transfer, or use the data on the product.
C) The Supplier shall sanitize the data on the product as required by the Buyer: for identifiable products returned by the Buyer, the Supplier shall permanently and irrecoverably erase the data on the product; for unidentifiable products, the Supplier shall physically destroy them.
D) The Supplier shall keep records of the data sanitization operations performed on the products and provide those records at the Buyer's request.
E) If the Supplier entrusts a third party to repair the product or to perform the data sanitization described above, the Supplier shall proactively disclose this to the Buyer in advance and obtain the Buyer's written consent, sign a data protection agreement with the third party whose confidentiality obligations are no less stringent than those of this Agreement and disclose that agreement to the Buyer, and fulfill the data protection obligations for returned products. Without the Buyer's prior written consent, the Supplier shall not provide unsanitized products to any third party.
F) The Supplier (and/or its entrusted third party) shall perform data sanitization within the territory of China, and shall not transfer unsanitized products outside China.
G) The Supplier (and/or its entrusted third party) shall take measures to protect the security of the data on the products and prevent data leakage.
H) The Buyer (and/or its authorized representative) has the right to audit the Supplier (and/or the third party entrusted by the Supplier), evaluate the effectiveness of the technical and organizational measures taken, and ensure that the data sanitization operations comply with the agreement of the parties and the requirements of laws and regulations.
I) The Supplier shall strictly comply with the data protection laws and regulations and ensure that its entrusted third parties strictly comply with the above requirements as well. If data leakage or unlawful conduct attributable to the Supplier (and/or its entrusted third party) causes or may cause losses to the Buyer, the Supplier shall immediately cease the conduct, assume liability, and compensate the Buyer for all losses suffered.