Customer Security Assessment Policy and Guidelines

Last updated: 2021-08-20 17:59:25

Within the term of products and services purchased by you from Tencent Cloud, you may conduct a security assessment on the code, data, applications and components you deploy on Tencent Cloud. The security assessment includes, but is not limited to, vulnerability scans, penetration tests, stress tests and vulnerability mining (the same applies throughout this document). If you intend to proceed with the security assessment, your consent to and compliance with the following policy and guidelines (hereinafter referred to as these “Guidelines”) shall be required:

1. You shall not perform any security assessment on the infrastructure, platform, products or services of Tencent Cloud, including but not limited to servers, database systems and underlying applications, etc.

2. If you find any security vulnerability relating to the infrastructure, platform, products or services of Tencent Cloud in the course of your security assessment, please contact the Tencent Cloud security team (cloud_sec@tencent.com) immediately. You shall not disclose all or part of the information relating to such vulnerability to the public nor provide it to any third parties.

3. In conducting the security assessment, you shall not violate these Guidelines, nor perform the assessment beyond the scope of resources you purchase and create through your Tencent Cloud account.

4. If you want to carry out a stress test while conducting the security assessment, you shall be required to make an application for the test to the Tencent Cloud security team (cloud_sec@tencent.com). When making the application, a complete stress test proposal shall be submitted and such stress test shall be performed only after the application is approved. The stress test must be carried out in strict compliance with the stress test proposal during the test.

5. If a phishing test (i.e. sending phishing emails, phishing links and phishing documents, etc. to the users of your business) is to be included while conducting the security assessment, you shall conduct the phishing test in compliance with laws and regulations and publicly explain to such users the act of performing the phishing test and the details of such test following the completion of the assessment so as to avoid any disputes arising from the phishing act. Please be aware that simulated phishing attacks can lead to adverse press and compromise user trust; therefore, the group of persons selected for simulated phishing attacks must consent to participating in security and similar assessments. In the event of any complaints from users, disputes or other issues, you shall resolve them on your own and any consequences in connection therewith shall be solely borne by yourself.

6. If the procedures involving data, code and other information (including but not limited to the assessment of a disaster recovery emergency plan and destructive data or code test, etc.) are to be carried out while conducting the security assessment, you shall keep a backup of your data, code and other information properly by yourself and solely bear any consequences as a result therefrom.

7. Prior to the security assessment, you should be aware of any potential risk that may be caused by the security assessment and ensure that you have the lawful right to conduct the security assessment on the targets of such assessment. You shall solely assume all consequences and liabilities arising from the security assessment, and Tencent Cloud shall not be liable for any losses in connection with any loss of information (such as code and data) and any interruption, suspension of or impact on business operations caused by the security assessment.

8. Prior to the security assessment, you should make yourself fully familiar with and observe the provisions of applicable laws and regulations with respect to the relevant tasks, conduct the security assessment in compliance with laws and regulations and observe all requirements under these Guidelines. If you are in breach of any provisions of these Guidelines, laws and regulations and Tencent service agreements, etc., you shall solely take all responsibilities for such breach and be liable to indemnify any third parties such as Tencent Cloud or other Tencent Cloud users against any losses suffered by them arising therefrom. Further, you understand and agree that the consent given to you by Tencent Cloud with respect to the conducting of the stress test and any other security assessments does not indicate that you will be exempt from all liabilities in connection with the stress test and any other security assessments. If a security incident occurs due to your failure to perform the stress test pursuant to the stress test proposal during the test or third parties such as Tencent Cloud and other Tencent Cloud users are affected by the security assessments, you shall still be required to take all responsibilities in respect thereof and be liable to indemnify any third parties such as Tencent Cloud and other Tencent Cloud users against any losses suffered by them as a result thereof. Please be mindful that there are regulations in many jurisdictions that make it an offence to engage in certain computer or electronic activities that may compromise security or lead to unlawful access to information. This can include actions perceived to be pre-emptive of computer crimes, such as scanning third party systems. Therefore, you must ensure that any security assessments or penetration tests are conducted only where it is lawful and with any necessary consents from customers.