Platform Service Agreement
Before agreeing to this agreement, you should carefully read and comply with all the provisions of this agreement. Please review and fully understand the content of each clause, particularly those marked in bold and underlined, including but not limited to clauses that exempt or limit the liability of "TurboLink," clauses that restrict user rights, dispute resolution, and applicable law. If you have any questions regarding the terms of this agreement, please inquire through the customer service channel of "TurboLink." "TurboLink" will explain the terms to you. If you do not agree to any content of this agreement or if you are unable to accurately understand the interpretation of the terms by "TurboLink," please refrain from proceeding. Otherwise, it will be deemed that you have accepted the terms and conditions described below and agreed to be bound by this agreement. In that case, you should not claim the invalidity of this agreement due to failure to read its content or failure to obtain clarification from "TurboLink" regarding your inquiries.
Effective Date: January 1, 2022
Section 1. Background of the Agreement
1.1 In order to regulate the actions of users (hereinafter referred to as "users" or "you") on the "TurboLink" platform, including but not limited to using statistical analysis services, vertical industry data solutions, industry report services, developer operation tools, and other products and related services offered on the "TurboLink" platform (hereinafter collectively referred to as the "TurboLink Services"), clarify the rights and obligations of users, create a standardized, orderly, and secure environment on the "TurboLink" platform, and safeguard the legal rights and interests of users, this agreement is formulated.
Section 2. Parties to the Agreement
2.1 This agreement is jointly entered into by you and the operator of the "TurboLink" platform. This agreement is legally binding on you and the operator of the "TurboLink" platform.
2.2 The operator of the "TurboLink" platform refers to the legal entity operating the "TurboLink" platform. Under this agreement, the operator of the "TurboLink" platform may change due to adjustments in the business of the "TurboLink" platform. The changed operator of the "TurboLink" platform shall fulfill this agreement with you and provide services to you. The change in the operator of the "TurboLink" platform shall not affect your rights under this agreement. In the event of a dispute, you can determine the party to fulfill the agreement and the counterparty to the dispute based on the specific service you use and the specific object that affects your rights.
Section 3: Effectiveness and Scope of Application of the Agreement
3.1 By clicking to confirm on the web page or by any other means, including but not limited to using the "TurboLink" Services without clicking to confirm this agreement, you indicate that you and "TurboLink" have reached an agreement and agreed to accept all the provisions of this agreement. This agreement shall become effective from the moment you confirm acceptance or from the occurrence of your actions (whichever is earlier).
3.2 The content of this agreement includes the main text of the agreement and all types of rules (including the TurboLink European Union Data Processing Terms, business norms, etc., hereinafter referred to as the "Rules") that "TurboLink" has already published or may publish in the future regarding "TurboLink" Services. All rules are an integral part of this agreement and have the same legal effect as the main text of the agreement. "TurboLink" has the right to formulate and modify this agreement and/or various rules as needed. Any changes to this agreement will be announced on the "TurboLink" website with the updated time indicated. Except for mandatory provisions stipulated by laws and regulations or regulatory requirements, the modified agreement and rules will take effect automatically upon notification or announcement, becoming part of this agreement. If you do not agree to the relevant changes, you should immediately stop using the "TurboLink" Services. If you continue to use the "TurboLink" Services, it will be deemed that you do not object to the modified agreement and rules and agree to comply with them.
3.3 If the services you provide are subject to the General Data Protection Regulation (GDPR), the TurboLink European Union Data Processing Terms shall apply to you. This clause is an integral part of the agreement and has the same legal effect as the main text of the agreement. For specific provisions regarding TurboLink data processing, please refer to the TurboLink European Union Data Processing Terms.
Section 4: Data Processing
When processing the personal data of end users provided by the User or on behalf of the User, TurboLink shall:
(a) Process personal data solely based on the User's written instructions (unless required by applicable law), and in the event that TurboLink believes that any instruction violates data protection legislation, use reasonable commercial efforts to notify the User;
(b) Ensure that all personnel of TurboLink who have access to personal data are subject to appropriate confidentiality obligations;
(c) Implement and maintain technical and organizational measures to ensure the security and prevent the unauthorized disclosure of personal data. In the event of a personal data breach, TurboLink shall promptly notify the User;
(d) Obtain a general authorization to use subcontractors, provided that TurboLink shall be fully responsible for the actions of any subcontractor and shall use reasonable commercial efforts to inform the User of the identity of subcontractors, any changes to subcontractors, and consider any reasonable objections raised by the User regarding such changes (if applicable);
(e) Considering the nature of data processing, bear the costs and provide reasonable assistance to the User, within the scope of its capabilities, through appropriate technical and organizational measures, to fulfill its obligations under data protection legislation regarding the exercise of rights by data subjects;
(f) Considering the nature of data processing and the information available to TurboLink, provide reasonable assistance to the User, at the User's expense, to fulfill the User's obligations under data protection legislation regarding security, personal data breach notification, data protection impact assessments, and prior consultation with supervisory authorities;
(g) Upon the User's choice, delete or return all personal data or terminate the agreement, subject to any legal obligations to the contrary;
(h) Upon the User's request and at the User's expense, provide reasonable and necessary information to demonstrate compliance with this Data Processing Clause and allow the User to conduct audits. Upon receiving such a request, the parties shall discuss the scope, duration, and applicable confidentiality agreement for the audit or review (For clarity, none of the foregoing requires TurboLink to provide any other user's data, materials, or information of TurboLink).
Section 5. Cross-Border Transfer
If the processing of personal data of end users involves transferring personal data of end users outside the European Economic Area and data protection legislation restricts such transfers, and if TurboLink has not implemented alternative solutions that meet the requirements of data protection legislation, the Standard Contractual Clauses shall apply. In case of any conflict between these Data Processing Terms and the Standard Contractual Clauses mentioned in the link above, the Standard Contractual Clauses shall prevail to the extent of the conflict. Attachment 1 and Attachment 2 of these Data Processing Terms both serve as annexes to the Standard Contractual Clauses and together constitute the entire content of the Standard Contractual Clauses.
Appendix 1
Data Exporter
The User is the data exporter.
Data Importer
TurboLink is the data importer.
Data Subjects
Data subjects may include the User's employees, suppliers, and end users.
Data Types
Personal data includes any information, content, materials, and data in electronic form that may be uploaded to the TurboLink service.
Processing Activities
TurboLink will process personal data for the purpose of providing the TurboLink service and other purposes agreed upon in the service agreement.
Appendix 2
TurboLink shall implement the following technical and organizational security measures in accordance with Articles 4(d) and 5(c) to protect personal data from accidental loss, destruction, alteration, unauthorized disclosure, unauthorized access, or unlawful destruction.
1. Confidentiality
Physical Access Control
Unauthorized access to data processing facilities is prohibited.
Network Domain Access Control
Network domains are divided based on the level of security measures.
(1) Restricted Access Network Domain
This network domain is not allowed to provide external access and requires the highest level of security protection (including strict verification of authorized personnel, network isolation from other domains, strict security audits and immediate vulnerability fixes for systems and applications in this domain, comprehensive auditing measures, etc.), such as database clusters and production environments.
(2) Authorized Access Network Domain
This network domain requires a higher level of security protection (including strict restrictions on externally open ports, disallowing non-service access from outside the company, authorized verification for internal access, security audits and immediate fixes for important vulnerabilities in applications in this domain, auditing measures for critical operations), such as all machines in the production network, development environments, and testing environments.
(3) Limited Free Access Network Domain
This network domain requires a certain level of security protection (including restrictions on externally open ports, authorized verification for management operations from outside the company, applications in this domain that comply with the company's security policies, auditing measures for critical operations), such as office networks, Alibaba Cloud networks, and elastic computing clusters.
(4) Uncontrolled Access Network Domain
Computers that do not meet the above requirements are considered as computers with uncontrolled access, belonging to the uncontrolled access network domain, such as third-party service clusters and public networks not hosted on Alibaba Cloud.
Original Data Anonymization
Processing of original data through techniques such as de-identification to shield real data and achieve irreversible data protection.
Anonymization
Anonymization includes but is not limited to specific name ID anonymization, specific ID hashing, anonymization of amounts and quantities (segmenting intervals, rounding to single digits or integers, star masking).
Irreversible
Methods that prevent the inference of real data from sample data.
2. Integrity
Data Storage
Ensure the integrity of data by establishing disaster recovery and backup mechanisms. All data storage must use internal company products or services, and external products are not allowed.
Data Input Control
Verification of input, identification of individuals responsible for inputting, modifying, or deleting personal data into the data processing system, and confirmation of whether personal data has been entered, modified, or deleted. For example, log and file management.
3. Availability and Recovery Capability
Data Transmission
Network domains must be classified according to the network domain security policy, and monitoring mechanisms and access controls must be established at the boundaries of different-level network domains.
Data Destruction
Proper handling of data media when they are scrapped, idle, or transferred to other users; timely destruction of paper materials containing sensitive data that are no longer in use; data ownership departments or data management departments should regularly conduct data availability assessments and promptly destroy data that is no longer in use or has not been used for a long time.
Rapid Recovery
Establish disaster recovery and backup mechanisms for data.
4. Regular Testing, Assessment, and Evaluation Procedures
Data Protection Governance
Incident Response Management
Data Responsibility System
Penalties for Violations