Sellers Security Requirements
In light of the privacy protection concerns in various countries/regions, as a seller on the Santhai platform, you are required to adhere to the following guidelines:
1. The personal data collected during your business relationship with Santhai is strictly for the purpose of completing transactions on the Santhai platform. You must not engage in any actions that involve copying, distributing, or publicly sharing the personal data of other users on the platform.
2. You must not use personal data in any manner that violates applicable laws and regulations.
3. You will be fully responsible for any leakage of personal data obtained during your business relationship with Santhai. In the event of such a breach, you must immediately notify Santhai and take appropriate actions to allow the affected party to engage with Santhai for remedies. Furthermore, you should ensure that accessible communication channels are provided to the affected party to effectively address any disputes or concerns.
4. You must implement appropriate technical and organizational measures to protect the personal data you handle from:
   1. Accidental or unlawful destruction; and
   2. Loss, alteration, unauthorized disclosure, or access.
(1) Data Security Policy:
Merchants must establish and enforce a written data security policy outlining the security standards implemented to protect the personal data they process. This policy must include the following:
– Merchants must take appropriate technical and organizational measures in accordance with applicable laws and regulations to prevent unauthorized access, illegal processing, accidental loss, damage, or destruction of personal data.
– The policy should specify the procedures to be followed in the event of actual or suspected data breaches or security vulnerabilities.
– Merchants must promptly implement and document major changes to security policies and maintain a historical record of all modifications.
– The designated Privacy Officer (if applicable) or the data security management manager/department shall oversee the implementation of the internal management plan. This includes managing access rights to personal data, maintaining and reviewing records of data access, and applying security measures such as encryption.
– The Privacy Officer (if applicable) or the person responsible for data security management shall conduct a comprehensive review of the internal management plan at least once a year to ensure compliance with security policies and practices.
(2) Physical Security:
Access to data processing facilities is restricted to officially authorized employees and partners and is controlled through keys, fingerprint readers, or other electronic security measures. Merchants must store files and secondary storage media containing personal data in secure locations with both physical and electronic access controls. Additionally, appropriate security measures must be implemented to regulate access to and the use of these storage media.
(3) Firewall and Anti-Malware Measures:
Merchants must implement appropriate firewall, antivirus, anti-spyware, and other anti-malware technologies and software across all networks and systems used for processing personal data. These security measures should be regularly updated to safeguard against evolving threats, including viruses, spyware, and other malicious software.
(4) Access Control:
Merchants must implement technical access control measures to restrict personal data access to authorized employees and partners only. Each processor of a personal data processing system—including the merchant’s own system—must be assigned a unique personal account, which should not be shared unless there is a legitimate reason.
Authorized employees and partners may only access personal data as necessary to perform their job duties. If their responsibilities change, merchants must immediately adjust or revoke their access rights. Additionally, all permission changes should be recorded and retained for at least three years.
Merchants must designate a system administrator responsible for managing data access rights, including granting, modifying, and revoking permissions. Secure authentication methods should be enforced, and necessary security measures should be in place to limit system access after multiple failed authentication attempts, ensuring that only authorized personnel can access the personal data processing system.
(5) Retention and Inspection of Access Logs:
Merchants are required to retain and manage logs of access to personal data processing systems by personal data processors for a minimum of one year. If merchants process the personal data of more than 50,000 data subjects, or handle unique identification or sensitive data, the retention period must be extended to at least two years.
Merchants must review access records at least once a month and verify the reasons for any personal data downloads. Additionally, adequate measures must be taken to ensure the secure storage of access logs.
(6) Preventive Access Control Measures:
Merchants must implement measures to prevent unauthorized access and intrusion through data and communication networks. These measures include:
1. Restricting system access using IP address filtering or similar methods.
2. Analyzing IP addresses of incoming access to detect and respond to potential data leakage risks.
To enhance security, merchants should utilize secure authentication methods such as digital certificates, security tokens, or one-time passwords for external access to personal data processing systems by authorized personnel. Additionally, merchants must take precautions to prevent the disclosure or leakage of processed personal data to unauthorized individuals via internet homepages, peer-to-peer (P2P) networks, sharing settings, and various devices.
Furthermore, merchants should implement necessary safeguards, such as automatically revoking the access rights of personal data processors who have not engaged in business operations within a specified period.
(7) Encryption:
Merchants must use secure encryption algorithms to protect personal data stored or transmitted through information and communication networks, ensuring compliance with applicable laws and regulations.
(8) Username and Password Management:
Access to personal data must be strictly controlled through access rights (as described above), unique usernames, and confidential passwords. Authorized employees and partners are prohibited from sharing or using the same username. Additionally, employees and partners must update their passwords regularly, at least once every six months.
All passwords must meet security standards, requiring a minimum of eight characters, including at least one uppercase letter and one number.
(9) Backup:
Merchants must perform regular backups of the personal data they process, at least once per week. These backups should be securely stored off-site and must be readily available for data recovery within a reasonable timeframe.
(10) Disaster Recovery and Business Continuity:
Merchants must establish and maintain appropriate disaster recovery and business continuity plans to ensure the availability, security, integrity, and, if necessary, recovery of personal data in the event of force majeure or other business disruptions. These plans should include well-defined response procedures, such as emergency response manuals, which must be reviewed and updated regularly. Upon request, merchants must provide the platform with a copy of their disaster recovery and business continuity plans.
(11) Power Failure Protection:
Merchants must implement protective measures to safeguard personal data from loss, destruction, or damage caused by power failures or electrical interference within their data processing systems.
(12) Audits and Training:
Merchants should conduct regular audits to assess compliance with their data security policies and ensure proper implementation. Additionally, they must provide privacy and data protection training to personnel involved in data processing. If any issues are identified during the audit, merchants should review the findings and take appropriate corrective actions based on the specific circumstances.
(13) Printed Data Management:
Merchants must specify the purpose of printing personal data, whether in physical form (paper prints), digital screenshots, or file creation, within their data processing system. The amount of printed personal data should be minimized to only what is necessary. Additionally, merchants should implement strict security measures to manage and protect printed documents, copies, and external storage media, ensuring they are safeguarded against unauthorized access or misuse.
(14) Personal Data Destruction:
Once the purpose of collecting personal data has been fulfilled, merchants must promptly destroy the relevant data. The destruction process should ensure that the data cannot be recovered or misused. Merchants may use one of the following methods:
1. Complete destruction – Physically destroy the data through methods such as incineration or shredding.
2. Secure deletion – Erase data from storage devices using a magnetic field through a specialized erasing device.
3. Data overwriting – Initialize or overwrite the data to prevent any possibility of recovery.
If it is necessary to destroy only part of the data and the methods mentioned above are not feasible, merchants should apply one of the following approaches:
1. For electronic documents – Ensure that adequate controls and monitoring are in place to prevent personal data from being recovered or replicated after deletion.
2. For printed materials, written documents, or other forms of recorded media – Mask or perforate the relevant parts of the data to ensure it is properly deleted.
If merchants are obligated to retain personal data under applicable laws and regulations, they must store such data separately from the data of active users.