This DATA PROCESSING ADDENDUM (hereinafter referred to as "this Agreement" or "DPA") stipulates Customer's obligations regarding the processing and security of Customer Data and Personal Information involved in the purchase and use of Volcano Engine products and services. The parties agree that, unless a separate special agreement exists, the processing and security of data in Volcano Engine products and functional services are governed by this Agreement.
If there is any conflict or inconsistency between the terms of this Agreement and any other data terms in other applicable agreements related to products and services (hereinafter referred to as "Customer Agreement"), the terms of this Agreement shall control. The terms of this Agreement will supersede any conflicting terms in the Volcano Engine Privacy Policy that would otherwise apply to the processing of Customer Data and Personal Information as defined herein.
1 Application and Update of this Agreement
1.1. Update Limitations: When a Customer renews or purchases a new subscription for a product or enters into an order for professional services, the DPA terms in effect at the time of the renewal or purchase will apply and will not change during the Customer's product subscription period or the term of such professional services.
1.2. New Functions, Supplements, or Related Products and Services: Notwithstanding the above update limitations, when Volcano Engine introduces new functions, products/services, supplements, or related software that were not included in the previous product or service, Volcano Engine may provide the terms, or update the corresponding terms agreement, that Customers should follow when using these new functions, products/services, supplements or related software. If the company does not install or use the new functions, products/services, supplements or related software, the corresponding new terms will not apply.
1.3. Government Regulations and Requirements: Notwithstanding the above update limitations, Volcano Engine may modify or discontinue products or professional services in the country or jurisdiction in which it is located for the following reasons:
i. Any current or future governmental requirement or obligation requiring Volcano Engine to comply with any regulations or requirements that are not generally applicable to all businesses operating there;
ii. Due to the above governmental requirements or obligations, if Volcano Engine does not make modifications to the products or professional services, it will be unable to continue to operate the products or provide professional services;
iii. Based on the above governmental requirements or obligations, Volcano Engine believes that these DPA terms or products or professional services may conflict with such requirements or obligations.
1.4. Electronic Notices: Volcano Engine may provide information and notices about products and services to Customers electronically, including via email, the Volcano Engine official website or a website designated by Volcano Engine. The notice will be effective from the date of issuance by Volcano Engine or the effective date stated in the notice.
1.5. Historical Versions: DPA terms apply to currently available products and services. If an earlier version of the DPA terms is needed, Customers can contact the official website customer service.
2 Definition of Terms
Unless the context otherwise requires, the following terms in this Agreement have the meanings ascribed to them below:
Customer Data: refers to all data provided by Customer to Volcano Engine or on behalf of Customer through the use of online services, including all text, sound, video or image files and software, and also including data derived from Customer's use of Volcano Engine products or services that can be controlled and managed by Customer independently (such as configuration data, operation and maintenance data, etc.).
Personal Information: refers to various information related to identified or identifiable natural persons recorded electronically or by other means, excluding anonymized information. Personal Information involved in the provision of specific services includes but is not limited to personal identity information (name), address, contact number, network identification information (including account name, email address), personal commonly used device information, location information, etc.
Processing of Personal Information: includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of Personal Information.
Personal Information Subject: refers to the natural person identified by Personal Information.
Applicable Laws: includes but is not limited to the various laws, regulations, and national mandatory standards under the systems of China's Cybersecurity Law and Personal Information Protection Law.
Personal Information Security Impact Assessment: refers to the process, for Personal Information Processing activities, of testing the degree of legality and compliance, determining the various risks of harm to the lawful rights and interests of Personal Information Subjects, and assessing the effectiveness of the various measures used to protect Personal Information Subjects.
Personal Information Security Incidents: refers to incidents such as unauthorized login to the system, unauthorized access, reading, copying, modification, or deletion of Personal Information, or the occurrence of system vulnerabilities, computer viruses, network attacks, network intrusions, etc., resulting in the leakage, loss, theft, or tampering of Personal Information.
Cross-border Transfer of Personal Information: refers to the need for Personal Information processors to provide Personal Information outside the territory of the People's Republic of China due to business and other needs.
China: refers to the mainland of the People's Republic of China, excluding the Hong Kong and Macao Special Administrative Regions and Taiwan.
Entrusting Party: refers to an organization or individual (individually, jointly or in collaboration with others) that independently determines the purpose and method of processing in data processing activities.
Entrusted Party: refers to any organization or individual (other than an employee of the Entrusting Party) that processes data on behalf of the Entrusting Party; in this Agreement it refers to Volcano Engine.
Data Protection Requirements: refers to the data protection provisions of the Personal Information Protection Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China and all other applicable laws and regulations related to Personal Information Processing and privacy, including any applicable guidance, recommendations, notices and industry codes issued by national or local regulatory authorities.
Approved Subcontractor: refers to other processors used by the Entrusted Party, Volcano Engine, to process Customer Data and Personal Information.
Unless otherwise stated, other relevant terms in this Agreement have the same definitions as in the Master Service Agreement. If no definition is given, the interpretations in laws and regulations, administrative rules, national standards (including recommended standards or drafts for comments that have been published at that time) and other documents shall apply.
3 Data and Personal Information Protection Terms
3.1 Scope of Application
3.1.1 DPA terms apply to all Volcano Engine products and services other than those described in this Agreement and the attachments.
3.1.2 DPA terms do not apply to any products or areas expressly identified as excluded in the Volcano Engine product or service terms; these products and services are subject to the privacy and security terms in the product-specific terms.
3.1.3 For clarity, DPA terms only apply to the processing of data in an environment controlled by Volcano Engine and Volcano Engine's Approved Subcontractor. This includes data sent to Volcano Engine by the products and services, but does not include data retained in the Customer's environment or any third-party operating environment selected by Customer.
3.1.4 For preview versions or product demos of products or functions, Volcano Engine only makes the following commitments:
A preview version or product demo may have fewer or different privacy and security measures than those typically employed by products and services. Unless otherwise specified, Customers should not use preview versions or product demos to process trade secrets, Personal Information, or other data that affects Customers' interests.
3.2 Nature and Purpose of Data Processing
3.2.1 Volcano Engine will only use and otherwise process Customer Data and Personal Information as described below, and will comply with the following terms and restrictions when: (a) providing products and services to Customer in accordance with Customer's recorded instructions, and (b) conducting business activities for the purpose of providing products and services to Customers. As between the parties, Customer has all rights and interests in and to Customer Data. Volcano Engine does not acquire any rights to Customer Data other than the rights granted by Customer to Volcano Engine in this Agreement. This paragraph does not affect Volcano Engine's rights contained in the software or services licensed by Volcano Engine to Customer.
3.2.2 For the purposes of this DPA, providing products includes:
i. Delivering the functions licensed, configured and used by Customers and their users, including providing a personalized user experience;
ii. Troubleshooting (preventing, detecting and fixing problems); and
iii. Keeping products updated and functioning well, and improving user productivity, reliability, effectiveness, quality and security.
3.2.3 For the purposes of this DPA, providing services includes:
i. Providing professional services, including providing technical support, professional planning, advice, guidance, data migration, deployment and solutions, and software development services;
ii. Troubleshooting (preventing, detecting, investigating, mitigating and remediating problems, including security incidents and problems discovered in the professional services or related products during the delivery of the professional services); and
iii. Improving the delivery, effectiveness, quality, and security of professional services and underlying products based on issues discovered while providing professional services, including fixing software defects or keeping products and services updated and functioning well.
3.2.4 In each case, the provision of products and professional services is subject to the security obligations imposed by Data Protection Requirements.
3.2.5 When providing products and services, Volcano Engine will not use or otherwise process Customer Data or Personal Information for the following purposes: (a) user business profiling; (b) advertising or similar commercial purposes; or (c) market research intended to create new functions, services or products or any other purpose, unless such use or processing complies with Customer's instructions and product and service requirements or is authorized by the user's separate consent.
3.3 Disclosure of Processed Data
3.3.1 Volcano Engine will not disclose or allow anyone to access Processed Data except: (a) as authorized or instructed by Customer; (b) as provided in this DPA; or (c) as required by law. For the purposes of this Agreement, "Processed Data" means: (a) Customer Data; (b) Personal Information; and (c) any other data that is processed by Volcano Engine in accordance with the Customer Agreement in connection with products and services and that is confidential information of Customer. The processing of all Processed Data shall be subject to Volcano Engine's confidentiality obligations in the Customer Agreement.
3.3.2 Unless required by law, Volcano Engine will not disclose Processed Data to law enforcement authorities or allow them to access it. If law enforcement authorities request Volcano Engine to provide Processed Data, Volcano Engine will advise the law enforcement authorities to contact Customer directly so that Customer provides the relevant data. If law enforcement authorities require Volcano Engine to disclose Processed Data to them or allow them to access it, Volcano Engine will promptly notify Customer and provide a copy of the content requested by law enforcement authorities unless prohibited by law.
3.3.3 Upon receipt of a request from any other third party for the Processed Data, Volcano Engine shall immediately notify Customer, unless prohibited by law. Volcano Engine will deny such requests unless otherwise required by law. If the request is valid, Volcano Engine will attempt to arrange for the third party to request the data directly from Customer.
3.3.4 Volcano Engine will only disclose the Processed Data or provide access to such data in response to legal requirements under the following circumstances: the relevant laws and practices respect the basic rights of Customers, and the necessity and appropriateness of such data shall not exceed the requirements of laws and regulations such as the Data Security Law and the Personal Information Protection Law.
3.3.5 Volcano Engine will not provide any third party with: (a) direct, indirect, full or free access to the Processed Data; (b) the platform encryption keys used to secure the Processed Data or the ability to break such encryption.
3.3.6 In order to meet the above commitments, Volcano Engine may provide Customers' basic contact information to third parties.
3.4 Personal Information Protection
3.4.1 Scope of Personal Information. All Personal Information processed by Volcano Engine in connection with the provision of products and services will be obtained in the following form: data provided by Customers, or data generated, derived or collected by Volcano Engine based on Customer Data and the scenarios in which services and functions are provided, including data sent to Volcano Engine due to Customer's use of service-based functions or data obtained from products and services provided by Volcano Engine. Personal Information includes any Personal Information that is pseudonymized or de-identified but not anonymized. Anonymized information is not Personal Information, where anonymization refers to the process by which Personal Information is processed so that it cannot identify a specific natural person and cannot be recovered.
3.4.2 Customer and Volcano Engine agree that Customer is the processor and Entrusting Party of Personal Information, and Volcano Engine acts as the Entrusted Party that accepts Customer's entrustment according to Customer's instructions and purposes, except in the following circumstances: (a) when Customer is the entrusted processor of Personal Information, in which case Volcano Engine is the Approved Subcontractor of Customer; or (b) as otherwise provided in the terms of a particular product or service or in this DPA.
3.4.3 When Volcano Engine acts as the entrusted processor or Approved Subcontractor of Personal Information, it can only process data in accordance with Customer's instructions and purposes. At the same time, Customer promises that the source of the Personal Information it processes is legal and compliant, and that the collection, use, processing and other processing behaviors have been legally authorized by the relevant Personal Information Subjects, comply with the relevant national laws and regulations on Personal Information protection and data security, and do not infringe on the legitimate rights and interests of any third party. Customer also promises that it has the right to sub-entrust the Processing of Personal Information.
3.4.4 Customer agrees that its Customer Agreement (including the DPA terms and any applicable updates), together with the product documentation and Customer's activities in using and configuring relevant functions in the product, or the professional services documentation and Customer's use of the professional services, is Customer's complete instruction to Volcano Engine regarding the Processing of Personal Information. Customer may find information regarding the use and configuration of the product at https://www.Volcano Engine.com/ or in other agreements that include this DPA.
3.4.5 Rights and Obligations of the Entrusting Party
3.4.5.1 The Entrusting Party has the right to:
i. If the Entrusting Party learns or discovers that the Entrusted Party fails to comply with the provisions of this Agreement, the Master Service Agreement and Applicable Laws in processing Personal Information, or that the Entrusted Party fails to effectively perform its Personal Information security protection responsibilities, the Entrusting Party has the right to require the Entrusted Party to stop the relevant actions, and to take, or require the Entrusted Party to take, effective remedial measures to control or eliminate the security risks faced by Personal Information; the costs incurred shall be borne by the Entrusted Party;
ii. Unless laws and regulations otherwise stipulate the retention period for specific information, when Customer cancels the Volcano Engine account or permanently stops using the Volcano Engine service, Volcano Engine shall process the relevant content and information of the account in accordance with the provisions of laws and regulations, by means including but not limited to deletion and anonymization.
3.4.5.2 The Entrusting Party commits:
i. Obtain authorization from the Personal Information Subject: The Entrusting Party guarantees that the Personal Information it obtains has a lawful basis that complies with legal requirements, so that the Personal Information agreed in this Agreement can be legally provided to the Entrusted Party within the scope of the term and purpose of this Agreement to carry out the agreed Personal Information Processing activities;
ii. The Entrusting Party shall abide by the relevant provisions of this Agreement, the Master Service Agreement and Applicable Laws on the Processing of Personal Information; as the Entrusting Party, it shall perform the relevant obligations of a Personal Information processor in accordance with the requirements of the Personal Information Protection Law and other relevant laws;
iii. The Entrusting Party shall conduct a Personal Information protection impact assessment before the Entrusted Party processes the Personal Information provided by the Entrusting Party, to ensure that the entrusted processing matters and the purpose of this Agreement are legal and compliant and do not infringe on the legitimate rights and interests of any third party.
3.4.6 Rights and Obligations of the Entrusted Party
3.4.6.1 If the Entrusted Party has legitimate reasons to believe that the Entrusting Party's written instructions on Personal Information Processing activities do not meet Personal Information security needs or violate the provisions of any Applicable Laws, the Entrusted Party shall promptly notify the Entrusting Party and has the right to require the Entrusting Party to stop the relevant activities, and to take, or require the Entrusting Party to take, effective remedial measures to control or eliminate the security risks faced by Personal Information. The costs incurred shall be borne by the Entrusting Party. If the Entrusting Party fails to resolve the risks and problems mentioned in this section within a reasonable period, this will be deemed a material breach of this Agreement, and the Entrusted Party shall have the right to unilaterally terminate this Agreement and the Master Service Agreement.
3.4.6.2 The Entrusted Party commits:
i. The Entrusted Party shall abide by the relevant provisions of this Agreement, the Master Service Agreement and Applicable Laws on the Processing of Personal Information; as an entrusted processor, it shall perform the Entrusted Party's relevant obligations in accordance with the requirements of the Personal Information Protection Law and other relevant laws;
ii. The Entrusted Party shall take necessary measures to ensure the security of the Personal Information provided by the Entrusting Party and assist the Entrusting Party in fulfilling its legal obligations;
iii. The Entrusted Party shall use and process Personal Information within the scope agreed in this Agreement;
iv. The Entrusting Party may conduct a Personal Information Security Impact Assessment on the entrusted processing of data before implementing this entrusted processing activity. On the premise of not harming the legitimate interests of any third party, including the Entrusted Party and its affiliates, the Entrusted Party shall provide necessary assistance as reasonably requested by the Entrusting Party;
v. The Entrusted Party acknowledges and warrants that it will carry out Personal Information Processing activities on behalf of the Entrusting Party and will take appropriate measures to ensure that employees who access Personal Information under its authorization only process Personal Information within the scope of the Entrusting Party's instructions;
vi. The Entrusted Party shall require all of its staff and any third-party service providers involved in Personal Information Processing activities to keep the Personal Information entrusted to it strictly confidential, to receive appropriate training, and to strictly abide by the provisions of this Agreement;
vii. The Entrusted Party shall not process the Personal Information provided by the Entrusting Party beyond the purpose of this Agreement. If this Agreement does not take effect, is invalid, or is revoked or terminated, the Entrusted Party shall delete or anonymize the Personal Information provided by the Entrusting Party.
3.4.7 Personal Information Subject Rights Request. Both parties to this Agreement will promptly respond to and handle the legal rights requests of Personal Information Subjects in accordance with the provisions of Applicable Laws and the Personal Information protection policies of both parties, and each party shall provide the other party with necessary assistance: (a) if the Entrusted Party receives a rights request from a Personal Information Subject, it shall, unless prohibited by Applicable Laws, transfer the rights request to the Entrusting Party within a reasonable period of time; (b) if the relevant provisions of Applicable Laws require the Entrusting Party to respond to the Personal Information Subject's rights request as the principal, the Entrusted Party shall cooperate fully with the Entrusting Party to protect the rights of the Personal Information Subject, and the Entrusting Party shall provide necessary assistance to the Entrusted Party.
3.4.8 Personal Information Security Incident. If a Personal Information Security Incident occurs during the Processing of Personal Information, both parties shall:
i. Notify the other party in a timely manner and inform the other party of: (a) the nature of the Personal Information Security Incident, including the type and scale of the Personal Information involved; (b) the possible consequences of the Personal Information Security Incident; (c) the remedial measures that have been taken;
ii. Assist the other party in investigating the Personal Information Security Incident and provide all relevant records, documents, logs, reports and other reasonable materials;
iii. Take necessary measures in a timely manner in accordance with the emergency plan;
iv. If the Personal Information Security Incident involves Personal Information leakage and other issues, comply with Applicable Laws, promptly report to the relevant competent authorities, and perform the obligation to inform Personal Information Subjects as required by laws and regulations.
v. Each party shall designate an employee to the other party as the contact person responsible for all issues related to security and Personal Information protection, including the collective training of relevant personnel, the procedures to be followed in the event of a Personal Information Security Incident, etc.
3.5 Data Processing and Security Measures
3.5.1 Data Transfer and Location
3.5.1.1 General
Unless otherwise provided in the master agreement or DPA terms, Customer shall entrust Volcano Engine to transfer Customer Data or Personal Information to mainland China and to store and process Customer Data and personal data in these locations to provide products. Unless specified by Customer, Volcano Engine will not transfer Customer Data and Personal Information processed on behalf of Customer to, or store and process it in, a geographical location outside of mainland China.
3.5.1.2 Overseas Storage of Data
Depending on Customer needs and specific scenarios, there may be cases where Volcano Engine, based on Customer's entrustment, transfers Customer Data or Personal Information to areas outside mainland China and stores and processes Customer Data and personal data in these locations to provide products (for example, when Customer applies for Volcano Engine to provide Customer with international/Hong Kong, Macao and Taiwan SMS services, Customer allows Volcano Engine to transmit necessary Customer Data or Personal Information such as mobile phone numbers to Volcano Engine overseas service sites, which will be used as channels to make calls or send text messages to such recipients).
In principle, Customers should bear compliance responsibilities for data security, Personal Information and privacy protection for possible data exports. As the Entrusted Party, Volcano Engine will cooperate with Customers to fulfill possible regulatory and legal responsibilities for data exports.
If Volcano Engine determines that it can no longer fulfill its obligations and provide Customers with a level of protection equivalent to that required by the local data and Personal Information and privacy principles, it shall notify Customers of this situation. Volcano Engine does not control or restrict the regions from which Customer or its end users may access Customer Data or to which they may migrate it.
3.5.2 安全技术及权限
Security Technology and Permissions
火山引擎将实施并维持适当的技术和组织措施来保护客户数据和个人信息,防止传输、存储或以其他方式处理的数据遭到意外或非法破坏、丢失、更改、未经授权的披露或访问。
Volcano Engine will implement and maintain appropriate technical and organizational measures to protect Customer Data and Personal Information, and to prevent accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to data that is transmitted, stored or otherwise processed.
默认情况下,在客户和火山引擎之间的公共网络上或火山引擎数据中心之间传输的客户数据(包括其中涉及的任何个人数据)是经过加密的。火山引擎采用最低访问权限机制来控制对客户数据(包括其中涉及的任何个人信息)的访问。对于服务活动所需的客户数据访问,采用了基于权限的访问控制,以确保只有在目的合理符合客户产品及服务需要并得到监督批准的情况下方可访问。
By default, Customer Data, including any personal data involved therein, is encrypted in transit over the public network between Customer and Volcano Engine or between Volcano Engine data centers. Volcano Engine employs a least-privilege access mechanism to control access to Customer Data, including any Personal Information involved therein. For access to Customer Data required for service activities, permission-based access control is adopted to ensure that access takes place only where the purpose is reasonably consistent with the needs of Customer's products and services and supervisory approval has been obtained.
3.5.3 客户责任
Customer Responsibilities
客户需自行负责独立确定产品和专业服务的技术和组织措施是否符合客户的要求,包括其在适用的数据保护要求下的任何安全义务。客户承认并同意,(考虑到技术现状、实施成本以及数据处理活动的性质、范围、情境和目的及对个人的风险)火山引擎实施和维持的安全实践和政策能够提供与数据相关的风险相适应的安全级别。客户负责针对客户提供或控制的组件实施和维持隐私保护及安全措施。
Customer is solely responsible for independently determining whether the technical and organizational measures of the products and professional services comply with Customer’s requirements, including any of its security obligations under applicable Data Protection Requirements. Customer acknowledges and agrees that (taking into account the state of the art, costs of implementation, and the nature, scope, context and purpose of the data processing activities and risks to individuals) the security practices and policies implemented and maintained by Volcano Engine provide a level of security appropriate to the risks associated with the data. Customer is responsible for implementing and maintaining privacy and security measures on components provided or controlled by Customer.
3.5.4 安全事件通知
Security Incident Notification
如果火山引擎意识到存在导致意外或非法地破坏、丢失、更改、在未经授权情况下披露或访问火山引擎处理的客户数据或个人信息的违反安全性规定的活动(以下均简称“安全事件”),火山引擎应立即: (a) 向客户通知安全事件;(b) 调查安全事件并向客户提供有关安全事件的详细信息;并 (c) 采取合理措施减缓影响并最大限度地减少安全事件导致的损坏,且不得出现不当延误。
If Volcano Engine becomes aware of a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Information processed by Volcano Engine (each a "Security Incident"), Volcano Engine shall immediately: (a) notify Customer of the Security Incident; (b) investigate the Security Incident and provide Customer with detailed information about the Security Incident; and (c) take reasonable steps to mitigate the impact and minimize the damage caused by the Security Incident without undue delay.
安全事件通知将通过火山引擎选择的任何方式(包括电子邮件)发送给客户。客户须自行负责确保客户就每项适用的产品和专业服务向火山引擎提供准确的联系信息。客户须自行负责遵守并履行与任何安全事件相关的任何第三方通知义务。
Security Incident notifications will be sent to Customers via any method chosen by Volcano Engine, including email. Customer is solely responsible for ensuring that Customer provides Volcano Engine with accurate contact information for each applicable product and professional service. Customer is solely responsible for complying with and fulfilling any third-party notification obligations related to any Security Incident.
如有任何可能的账户或身份验证误用或任何与产品和服务有关的安全事件,客户必须立刻通知火山引擎。
Customer must immediately notify Volcano Engine of any possible account or authentication misuse or any Security Incident related to products and services.
3.5.5 数据保留及删除
Data Retention and Deletion
受托方对数据的保存和处理期限不得超过为实现约定数据处理目的所需的必要期限(即主服务协议的有效期),除非根据适用法律规定对个人信息保留期限有特殊规定。当客户注销火山引擎账户或永久停止使用火山引擎服务后,火山引擎根据法律法规要求对账户相关内容及信息以包括但不限于删除、匿名化等方式进行处理。
The retention and processing period of the data by the Entrusted Party shall not exceed the period necessary to achieve the agreed data processing purposes (i.e., the validity period of the Master Service Agreement), unless there are special provisions for the retention period of Personal Information in accordance with Applicable Laws. When Customer cancels the Volcano Engine account or permanently stops using the Volcano Engine service, Volcano Engine will process the relevant content and information of the account in accordance with the requirements of laws and regulations, including but not limited to deletion and anonymization.
若火山引擎负有相关法律义务,应在本协议所规定的期限之外保留个人信息,火山引擎将在相关法律要求的保留期限结束后按照本协议规定尽快删除或匿名化处理相关个人信息。
If Volcano Engine is under a relevant legal obligation to retain Personal Information beyond the period specified in this Agreement, Volcano Engine will, in accordance with the provisions of this Agreement, delete or anonymize the relevant Personal Information as soon as possible after the retention period required by the relevant laws has ended.
数据处理期限届满或者数据留存相关法律义务到期之后,除非为满足以下目的:客户账单和账户管理、报酬(例如计算员工佣金和合作伙伴奖励),火山引擎将不再响应客户的数据及个人信息处理及请求。
After the expiration of the data processing period or the expiration of legal obligations related to data retention, Volcano Engine will no longer respond to Customer's requests concerning the processing of Customer Data and Personal Information, except for the following purposes: Customer billing and account management, remuneration (e.g., calculation of employee commissions and partner incentives).
3.5.6 保密条款
Confidentiality
3.5.6.1 除为实现本协议目的所必须外或遵循国家法律法规规定或获得客户授权或个人信息主体的同意外,火山引擎不会以任何形式向任何特定或不特定的第三方公开或披露,也不会以明示或默示的方式许可或授权任何特定或不特定的第三方使用。
Except as necessary to achieve the purpose of this Agreement or in accordance with national laws and regulations or with the authorization of Customer or the consent of the Personal Information Subject, Volcano Engine will not make it public or disclose it to any specific or unspecified third party in any form, nor will it license or authorize any specific or unspecified third party to use it in an express or implied manner.
3.5.6.2 协议约定的个人信息只能在本协议目的所需的范围内使用,不得以公开、转委托等任何形式披露, 但以下情形除外:(i)向需要知悉上述信息或委托方提供的个人信息以执行本协议目的的受托方的代理、代表、高管、和员工及获准第三方披露的;(ii) 本协议任何一方被法院要求或基于相关法定义务披露该等信息或委托方提供的个人信息,但仅限于遵守该法院命令或法定义务所需的最低限度予以披露。
The Personal Information agreed in this Agreement can only be used within the scope necessary for the purpose of this Agreement, and shall not be disclosed in any form such as publication or sub-entrustment, except for the following circumstances: (i) disclosure to the agents, representatives, officers, and employees of the Entrusted Party and authorized third parties who need to know the above information or the Personal Information provided by the Entrusting Party to perform the purpose of this Agreement; (ii) any party to this Agreement is required by a court, or pursuant to a relevant legal obligation, to disclose such information or Personal Information provided by the Entrusting Party, but only to the minimum extent necessary to comply with such court order or legal obligation.
3.6 效力及其他
Validity and Miscellaneous
3.6.1 适用及修订
Application and Amendment
尽管有本协议关于数据及个人信息保护要求的定义,如该等要求被后续的立法、法规或措施所修订、重新颁布或取代,本协议双方基于其合理认为,需要对本协议进行修订的,则应同意对本协议进行该等修订进行协商,并签订能够反映该等修改的变更或补充协议;
Notwithstanding the definitions of data and Personal Information protection requirements in this Agreement, if such requirements are amended, re-promulgated or superseded by subsequent legislation, regulations or measures, and the parties to this Agreement reasonably believe that it is necessary to revise this Agreement, they shall agree to negotiate such amendments to this Agreement and enter into a change or supplementary agreement that can reflect such modifications;
3.6.2 终止及后果
Termination and Consequences
3.6.2.1 若委托方违反其在本协议项下或与受托方之间签署的任何其他协议项下的任何义务的,受托方有权随时通过书面通知立即终止本协议。
If the Entrusting Party breaches any of its obligations under this Agreement or any other agreement signed with the Entrusted Party, the Entrusted Party has the right to immediately terminate this Agreement at any time by written notice.
3.6.2.2 在委托方与受托方之间签署的与委托方要求受托方处理委托方提供的数据相关的最后一份协议期限届满或终止之日,本协议自动终止,无需送达任何通知,主服务协议及本协议终止后,双方应当继续履行各自的法定义务。
This Agreement shall be automatically terminated without any notice on the date of expiration or termination of the last agreement signed between the Entrusting Party and the Entrusted Party in relation to the Entrusting Party’s request for the Entrusted Party to process the data provided by the Entrusting Party, and the parties shall continue to perform their respective statutory obligations after the termination of the Master Service Agreement and this Agreement.
3.6.3 其他事宜
Miscellaneous
3.6.3.1 无论主服务协议及其部分条款的效力如何,当火山引擎进行本协议规定的数据处理活动时,双方应依照本协议履行相应的权利及义务;
Regardless of the validity of the Master Service Agreement and some of its provisions, when Volcano Engine carries out data processing activities stipulated in this Agreement, both parties shall perform the corresponding rights and obligations in accordance with this Agreement;
3.6.3.2 任何由本协议引起或与之相关的争议,包括任何有关本协议的存续、有效性或终止的问题,双方约定由被告所在地有管辖权的法院管辖。除有争议的条款外,在争议的解决期间,不影响本协议其它条款的继续履行;
Any dispute arising out of or in connection with this Agreement, including any issues regarding the existence, validity or termination of this Agreement, shall be subject to the jurisdiction of the court with jurisdiction where the defendant is located. Except for the disputed terms, the continued performance of other terms of this Agreement will not be affected during the resolution of the dispute;
3.6.3.3 本协议未规定事宜可以参照主服务协议进行解释,如在数据处理及保护方面本协议与主服务协议不一致,则应当以本协议为准。
Matters not stipulated in this Agreement may be interpreted with reference to the Master Service Agreement. If this Agreement is inconsistent with the Master Service Agreement in terms of data processing and protection, this Agreement shall prevail.
4 附件
Attachment
火山引擎的安全措施参见火山引擎官网公示及不时更新的《火山引擎云安全白皮书》(链接地址参见:https://www.volcengine.com/docs/6624/101081)。
For the security measures of Volcano Engine, please refer to the announcement on the official website of Volcano Engine and the Volcano Engine Cloud Security White Paper, updated from time to time (see the link address: https://www.volcengine.com/docs/6624/101081).