|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We have implemented robust processes for assessing, identifying and managing material risks from cybersecurity threats and for monitoring the prevention, detection, mitigation and remediation of material cybersecurity incidents. We have also integrated cybersecurity risk management into our overall enterprise risk management system.
We have invested heavily in data security and privacy protection, as we attach paramount importance to protecting the personal privacy of our users. Below are the schemes and measures we have adopted to prevent risks and threats that may jeopardize the confidentiality and integrity of our information systems or the information on them:
|● We formulate comprehensive in-house policies to internalize the legal requirements on data privacy and information security and apply them across all our technology applications. These policies establish data classification and grading standards, outline information security violation scenarios and the associated responsibilities, and clarify the investigation and review processes for violation cases. We earnestly enforce these policies. First, we adhere to the overriding principle of data minimization, ensuring that only the minimum amount of data necessary for the relevant services is collected and provided. Each data processing activity is conducted for a specific processing purpose, with legal necessity as the criterion. This effectively limits the personal data we hold that could ever be exposed to the risks of leakage or misuse. We also make sure that users can access and control the personal information they have authorized us to process at any time and from anywhere. This function, aimed at openness and transparency, enables customers to remain a line of defense for their own personal data even after their information comes into our possession.
|● We establish distinct and stringent requirements for the management of user data usage. We use data sourced from customers only for lawful and authorized purposes and retain it only within the time limit and scope allowed by law. We have set up regulations to minimize the risks of data leakage or abuse in both internal and external data circulation. For example, mandatory approval from the data applicant, the data circulation management team and the data owner is required for any data circulation, whether inside or outside our organization. When sharing data with our suppliers and third-party service vendors, we rigorously enforce, through agreements, the requirement that they comply with legal requirements and our privacy policies when processing our user data. Suppliers for projects involving data (including but not limited to user personal information, employee personal information, business operation data and company management data) must complete our personal information protection impact assessment before entering into cooperative contracts, which are executed together with a “data security commitment letter”.
|● We deploy a variety of technical solutions to implement the aforementioned policies and to identify and manage potential system vulnerabilities and risks. These measures include encryption, isolation, data masking, firewalls, vulnerability scanning and log auditing. For instance, we store and transmit all customer data in encrypted form and have a team of professionals dedicated to the ongoing review and monitoring of data security practices. We maintain data access logs that record both attempted and successful access to our data, and we conduct automated monitoring and routine manual verification of large data requests.
|● We have developed a data security emergency response plan and established a data security incident emergency working group. Sophisticated protocols are in place for handling security incidents, including recording incident details, containing the situation, assessing the impact of the incident, notifying users, providing follow-up measures and completing the data security incident handling record. The Information Security and Data Compliance Committee described below has issued data security risk reporting standards and response procedures to all employees to strengthen their risk awareness and response capabilities. We have also engaged third-party evaluation firms to conduct security tests on our data security system and have continued to improve our security level based on the test feedback. In 2023, with the assistance of third-party specialists, we established a data security “blue army” and conducted two mock attack-defense exercises focusing on critical data leakage and compliance issues. Using methods such as vulnerability exploitation, phishing, social engineering, nearby-source penetration and intranet breakthroughs, these exercises tested our defenses of sensitive data and core system assets, comprehensively enhancing our capabilities in data security defense and emergency response.
|● We also require all external vendors involved in projects concerning data and information to complete our company’s Data Protection Impact Assessment (DPIA) process for vendors before signing contracts, and to sign an undertaking on data security.
As of the date of this annual report, we have not experienced any material cybersecurity incidents or identified any material cybersecurity threats that have affected or are reasonably likely to materially affect us, our business strategy, results of operations or financial condition.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our corporate governance committee of the board of directors is responsible for overseeing our cybersecurity risk management and assumes the following responsibilities: (i) maintaining oversight of the disclosure related to cybersecurity matters in our company’s periodic reports; (ii) reviewing, on a quarterly basis and where necessary, updates on the status of any material cybersecurity incidents or material risks from cybersecurity threats to our company, and any related disclosure issues, as presented by our chief executive officer, chief financial officer and the Information Security and Data Compliance Committee described below; and (iii) reviewing, where necessary, the disclosure concerning cybersecurity matters in our annual report on Form 20-F as presented by our chief executive officer, chief financial officer and the Information Security and Data Compliance Committee.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|board of directors
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|(ii) reviewing, on a quarterly basis and where necessary, updates on the status of any material cybersecurity incidents or material risks from cybersecurity threats to our company, and any related disclosure issues, as presented by our chief executive officer, chief financial officer and the Information Security and Data Compliance Committee described below; and (iii) reviewing, where necessary, the disclosure concerning cybersecurity matters in our annual report on Form 20-F as presented by our chief executive officer, chief financial officer and the Information Security and Data Compliance Committee
|Cybersecurity Risk Role of Management [Text Block]
|
At the management level, we have an Information Security and Data Compliance Committee as the decision-making body for our information security and data compliance, which consists of our chief executive officer, chief financial officer, the leaders of legal, information security, professional ethics and compliance, and leaders from each business line. Certain members of the committee are experienced in assessing and managing cybersecurity threats, possessing expertise such as a doctoral degree in software engineering with a specialization in cyberspace security and extensive work experience. Under the committee’s oversight, the departments responsible for legal, information security and compliance work together as a working group responsible for developing crucial risk management strategies and enhancing risk management through collaboration with other departments. Progress reports on information security and data compliance work are submitted to the committee. Meanwhile, we have set up lines of defense consisting of multiple departments to ensure that all relevant functional departments continue to prevent risks related to information security and privacy protection before, during and after an event.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Information Security and Data Compliance Committee
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Certain members of the committee are experienced in assessing and managing cybersecurity threats, possessing expertise such as a doctoral degree in software engineering with a specialization in cyberspace security and extensive work experience.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Progress reports on information security and data compliance work are submitted to the committee.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true