Skip to main content

Data security and privacy review

Protecting Customer Data

TikTok, like many organizations, faces cybersecurity threats and we are committed to protecting the data of our customers and stakeholders. It is a top priority to keep our data, systems, and assets safe from emerging cybersecurity threats and this diligence extends to our third-party service providers.

All prospective and current vendors must validate access, processing and/or storage Protected Data, business headquarters location, level of foreign ownership, primary and alternate workforce location(s), system location(s), and subcontractor(s) utilization.

What we expect from partners

Before launching your app to the TikTok Shop App Store, we require all potential partners to complete the Data Security and Privacy Review ("DSPR"). This review assesses the maturity of each partner's privacy and security practices, ensuring they align with both regulatory requirements and TikTok's compliance standards before accessing customer data.

Privacy

Compliance with privacy laws and industry standards is essential for all stakeholders involved with TikTok Shop, including our partners. Our objective is to create a best-in-class system to protect and safeguard all data through transparent disclosure and privacy safeguards throughout the data lifecycle (including data collection, storage, process, transfer, and disposal).

The privacy mechanisms listed below are required to comply with all regional privacy laws (ie GDPR, CPRA), industry standards and our own data management standards. Failure to comply may result in significant regulatory penalties and/or loss of access to TikTok Shop data.

Dedicated Roles & Responsibilities

Within your organization, there should be individuals responsible for overseeing data privacy compliance to ensure personal data is processed and protected properly, and act as point of contact for any privacy-related inquiries. A Data Protection Officer is also required under certain jurisdictions.

Privacy Notice

A privacy notice provides clear explanations for each aspect of the data lifecycle, including what data will be collected, why this data is collected, how this data will be used, where this data will be transferred, how this data will be protected, and how long this data will be stored.

Data Subject Rights

Data subject rights provide individuals control over their data, including the ability to access, download, update, and delete their data upon request. Partners must be able to assist sellers in fulfilling these rights, especially when required by local regulations.

Data Retention

Personal data must not be kept longer than necessary to fulfill the purpose it was originally collected and processed. When a seller no longer authorizes sharing data with a partner, the partner must delete the personal data in a timely manner. Furthermore, organizations must provide data deletion capabilities to users in certain states in accordance with state law.

Data Minimization

Partners must only request/access the minimum amount of data required by the service you are providing. To achieve so, by only requesting access to API's required to achieve their specific business purpose.

Security

Security the foundation for any data transfers. It is essential for our partners to have proper organizational and technical controls to protect sellers' and buyers' sensitive data, to maintain trust, and to comply with regulatory compliance.

For our partners, we expect you have implemented the following security measures to protect customers' data.

Information Security Policies

Partners must have an established information security framework as daily operation baselines to ensure data safety. The policy or guideline should be regularly reviewed, updated, and signed off by senior leadership to ensure correct security measures are enforced throughout the organization.

Network Security

Partners must segregate network environments to protect internal network accesses, and implement network security tools (such as NIDS/HIPS) to monitor external threats.

Endpoint Protection

Partners must install anti-virus or host intrusion prevention systems (HIPS) to ensure endpoint safety. Security scans should be conducted regularly, and virus policies should be updated near to date.

Security Baselines

Partners must adopt a series of workplace security measures through domain control or other security tools to ensure daily operation security. Such as minimum password requirements (Upper/lower cases, length, special characters, etc.), Multifactor Authentication (MFA) for administrator accounts, Screen auto-lock after a time period (e.g. 15mins), periodic awareness training, etc.

Data Protection

Partners must have a published Access Control policy. Partners should encrypt all personal data at-rest using at least AES-256 or RSA-1024 higher, data in-transit with TLSv1.2 or above.

Access Control

Partners must have a published Access Control policy based on "Need-to-know" and "Least-privilege" principle. Employees and contractors should be granted privileges based on specific roles. System access logs should be retained and user privileges to company systems should be reviewed at least annually.

Vulnerability Management:

Partners must have security measures to ensure threats are constantly monitored, tracked, and remediated. Vulnerability scans or penetration testings should be conducted and reports should be retained.

Incident Management

Partners must have a published Incident responses policy. Incident drills should be conducted at least annually to test the effectiveness of recovery procedures. Incident reports should be properly documented for review.

Notes

The assessment will normally take 2 weeks. We recommend you provide more details as to faster the approval process. If your application is rejected, please refer to the assessor's comments to provide additional information.

Please be noted, nothing mentioned in this page is intended to replace minimum security requirements as stated in Developer Terms of Service nor contributed to legal advice. If you have further questions, please submit a ticket:

As a final reminder, you will not be able to launch an app in the TikTok Shop App Store without completing the data security and privacy review process. There are no exceptions.