Data Security and Privacy Protection Policy

2023-12-09

1.  The scope of policy

The policy applies to the Group, all subsidiaries and all employees (including part-time employees), with a view to improving awareness of data security and privacy protection and avoiding risks or losses to the company caused by improper conduct. We encourage all suppliers and partners to refer to the requirements of this document and improve their data security and privacy protection capabilities.

 

2.  Our practice

As a leading carrier-neutral hyperscale data center solution provider and a first mover in building next-generation hyperscale data centers, we focus on the whole life cycle of facility planning, investment, design, construction and operation of ecosystem infrastructure in the IT industry. In the process of providing data center operation services to customers, we achieve thorough network segregation between the Group and customer service areas, eliminating any potential detriment to customer information security at the source.

 

We take technological innovation as the core driving force for development. Our product and service development will only focus on the full-process energy efficiency technological innovation of data centers to meet the physical stability needs of customers. We will not collect, use or process customer and user information for any reason during the development of operational management systems or operational structures, which are related to the improvement of our environmental performance.

 

We use the "Panshi" modular data center architecture to deliver excellent energy efficiency performance. "Panshi" will support the continued growth of computing power with higher efficiency and lower energy consumption. We use the Kunpeng IDC Operation Platform to realize standardized and intelligent operation and maintenance management, including energy consumption analysis and automatic parameter optimization. We use efficient UPS (uninterruptible power supply) or HVDC (high-voltage direct current) power supply modes to support direct supply of municipal electricity at the end, with redundant power sources as backup, to improve power stability.

 

For suppliers, the company has formulated the Supplier Management Regulations and signed "Service Agreements" and "Confidentiality Agreements" with suppliers to regulate supplier service levels, service scope, confidentiality responsibilities, compliance requirements, etc. When the contract with the supplier is terminated, the company removes the involved supplier's data center access rights and system access rights, and takes back the relevant hardware equipment.

 

(1) Customer and User Information

As an operator of data centers, we are only involved in the operation and maintenance of the physical aspects of the data center. We do not contact and will not collect user data from customers and third parties for any purpose. Besides, we do not rent, sell or provide personal data to third parties for any purpose, including transactional or service purposes.

 

In terms of identity and access management, the company sets up a production network, a Kunpeng network and an office network in the data center to support data center business operations. The Kunpeng network is used to support the operation of the Kunpeng platform so that engineers from the operation support center can centrally monitor and manage key equipment in the data center through the platform. The office network provides company employees with access to external networks, internal OA systems and other support systems.

 

The data center access control monitoring network and video monitoring network are physically isolated from the office network and Kunpeng network. At the same time, the data center environmental monitoring network, power monitoring network and office network are physically isolated, and are isolated from the Kunpeng network through firewalls.

 

The relevant access control technology of one of the company's subsidiaries has passed the SOC 2 Type II (System and Organization Controls) standard certification[1].

 

(2)  Data and information from the company’s operations

We will only have access to data and information about the company’s own operations. In order to fully protect data security, we strictly abide by laws, regulations and the requirements of regulatory authorities, continue to improve our own information security management system and guarantee mechanisms, and ensure the stability of corporate operations.

 

For data in our own operations, we strictly follow the requirements of laws, regulations and information security system certifications such as the Cybersecurity Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and ISO 27001:2013 Information Security Management System Certification, to ensure that the data and related logs are retained for no less than 6 months. The data is deleted in accordance with the law after the period specified by the company. During the operation and supply process, we review network topology, security policies, network access control, intrusion detection and prevention systems, etc., and make policy adjustments in a timely manner in accordance with audit and rectification requirements to prevent unauthorized access to sensitive information, thereby strengthening network security.

 

Regarding the personal information of visitors that is involved in the operation process when visitors visit the park, we ensure that visitors have the full right to know about the use of their personal data and can clearly understand the purpose of the Group's collection of personal information. Instructions on the use of personal information have been added to the visitor system: employees who submit reservation applications must follow the relevant requirements displayed on the system page and send the instructions on the use of personal information, together with the safety instructions for entering the park, to the visitors waiting to enter the park. At the same time, visitors also have the right to request that the company provide access to, correct and delete the entered personal information, such as phone number and current company. After the reservation authorization date has passed, the visitor system automatically runs scheduled tasks to desensitize the visitor's personal information. After desensitization, no one can view the visitor's personal information, and the data cannot be recovered.

 

Note: The company does not collect customer and user information in any other part of its operations. The only exception is when customers visit the park, where necessary information (visitors' phone numbers and current company) is collected for data center security reasons.

 

[1] SOC 2 is a high-security, high-confidentiality, and high-availability assurance standard specifically for data security and privacy protection services. It is a globally recognized, highly authoritative, and professional security audit report that can correctly, comprehensively, and in depth reflect the overall security management of the audited enterprise.

