Security and Compliance
A trusted partner for quality assurance of your products.
OVERVIEW
Security and Compliance
Tuya complies with domestic and international information security standards and privacy and compliance requirements, integrates them into its internal control framework, and implements them by design in its cloud platform, products, and services. Tuya works with independent third-party security service providers and with auditing and consulting organizations to validate the compliance and security of the Tuya IoT PaaS. Tuya has been certified or validated by multiple organizations worldwide.
Security
Tuya Security
Tuya IoT PaaS secures infrastructure management and operations, as well as physical devices, by selecting and working closely with leading cloud hosting providers such as Amazon Web Services, Microsoft Azure, and Alibaba Cloud. Tuya IoT PaaS security covers data and cloud services. Tuya draws on its own security team and on globally recognized security service vendors for attack protection, providing full operational security services for the Tuya IoT PaaS to protect its secure operation and safeguard customer privacy and data.
Data Security
For the security management of customers' business data in the cloud computing environment, Tuya applies stringent controls to data collection and identification, classification and grading, access permissions and encryption, and more.
Cloud Service Security
The security management of business application systems in a cloud computing environment has its own requirements. In particular, the design, development, publication, configuration, and use of application and service interfaces need special attention.
Access Control Management
Manage access to resources and data, including user management, access management, and authentication.
Data Center
Tuya Global Data Center
As of January 2022, Tuya operates six data centers in USA East, USA West, Europe, India, and mainland China.
Data Center
The Deployment of the Data Centers
Customers may change the data center location where there is a lawful and compliant basis for doing so.
Tencent Cloud
The geo-location of the data center: Shanghai, China
Applies to the following regions or countries: Mainland China
AWS
The geo-location of the data center: Oregon, USA
Applies to the following regions or countries: United States, Puerto Rico, Dominica, Guatemala, Peru, Mexico, Argentina, Brazil, Chile, Colombia, Venezuela, Bolivia, Ecuador, Paraguay, Suriname, Uruguay, Curacao, Malaysia, Indonesia, Philippines, New Zealand, Thailand, Japan, South Korea, Vietnam, Hong Kong, Macao, Taiwan, Myanmar [Burma]
The geo-location of the data center: Frankfurt, Germany
Applies to the following regions or countries: Bahamas, Barbados, Anguilla, Antigua and Barbuda, British Virgin Islands, U.S. Virgin Islands, Cayman Islands, Bermuda, Grenada, Turks and Caicos Islands, Montserrat, Northern Mariana Islands, Guam, American Samoa, Saint Lucia, Dominica, Saint Vincent and the Grenadines, Trinidad and Tobago, Saint Kitts and Nevis, Jamaica, Egypt, Morocco, Algeria, Tunisia, Libya, Gambia, Senegal, Mauritania, Mali, Guinea, Ivory Coast, Burkina Faso, Niger, Togo, Benin, Mauritius, Liberia, Sierra Leone, Ghana, Nigeria, Chad, Central African Republic, Cameroon, Cape Verde, Equatorial Guinea, Gabon, Republic of the Congo, Democratic Republic of the Congo, Angola, Seychelles, Rwanda, Ethiopia, Somalia, Djibouti, Kenya, Tanzania, Uganda, Burundi, Mozambique, Zambia, Madagascar, Réunion, Zimbabwe, Namibia, Malawi, Lesotho, Botswana, Swaziland, Comoros, South Africa, Eritrea, Aruba, Faroe Islands, Greenland, Greece, Netherlands, Belgium, France, Spain, Gibraltar, Portugal, Luxembourg, Ireland, Iceland, Albania, Malta, Cyprus, Finland, Bulgaria, Hungary, Lithuania, Latvia, Estonia, Moldova, Armenia, Belarus, Andorra, Monaco, San Marino, Vatican, Ukraine, Serbia, Montenegro, Croatia, Slovenia, Bosnia and Herzegovina, Macedonia, Italy, Romania, Switzerland, Czech Republic, Slovakia, Liechtenstein, Austria, Jersey, Denmark, Sweden, Norway, Poland, Germany, Belize, El Salvador, Honduras, Nicaragua, Costa Rica, Panama, Saint Pierre and Miquelon, Haiti, Guadeloupe, Guyana, Martinique, Australia, Singapore, Brunei, Tonga, Fiji, Palau, Wallis and Futuna, Samoa, New Caledonia, Tuvalu, French Polynesia, Micronesia, Marshall Islands, Cambodia, Laos, Bangladesh, Turkey, India, Pakistan, Sri Lanka, Maldives, Lebanon, Jordan, Kuwait, Saudi Arabia, Yemen, Oman, United Arab Emirates, Israel, Bahrain, Qatar, Bhutan, Mongolia, Nepal, Tajikistan, Turkmenistan, Azerbaijan, Georgia, Kyrgyzstan, Uzbekistan
The geo-location of the data center: Mumbai, India
Applies to the following regions or countries: India
Azure
The geo-location of the data center: Amsterdam, Netherlands
Google Cloud
The geo-location of the data center: Virginia, USA
Compliance
Laws and Regulations
GDPR
The General Data Protection Regulation (GDPR) protects the fundamental privacy rights of EU data subjects and the security of their personal data. It sets rigorous protection standards and requirements and imposes substantial penalties for breaches. Tuya has completed GDPR validation and has strengthened its internal data security protection and compliance requirements accordingly.
CCPA
Tuya has officially completed its CCPA compliance audit. The audit found that Tuya IoT PaaS exhibits a high level of program maturity with regard to privacy and data protection, that Tuya demonstrates a commitment to its compliance efforts, and that the programs and preparations currently in place were reported on favorably.
PIPEDA / Québec Bill 64
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that applies to the whole lifecycle of personal information collected in the course of commercial activities. It applies across Canada, except that in provinces which have enacted substantially similar privacy legislation (such as Québec, with Bill 64) the provincial law governs intra-provincial activities in its place. The assessment report serves as strong proof of secure governance of customer and user privacy.
Compliance
Audit and Certifications
ISO/IEC 27001:2022
ISO 27001 is the internationally recognized specification for an information security management system (ISMS). Its best-practice approach helps organizations manage the security of their information assets.
ISO/IEC 27017:2015
ISO 27017 provides specific guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls. ISO 27017 also includes guidance on information security controls for cloud service providers.
ISO/IEC 27701:2019
ISO/IEC 27701 is an international management system standard, it provides guidance on the protection of privacy, including how organizations should manage personal information, and assists in demonstrating compliance with privacy regulations around the world.
CSA STAR Cloud Security
STAR certification incorporates the requirements of ISO 27001 together with a maturity rating that indicates how well an organization complies with the additional cloud-specific requirements; the rating also drives optimization efforts by assessing the organization's capabilities and complexities.
ioXt 2020 Manufacturer Certified
The ioXt Alliance is the Global Standard for IoT Security. Backed by the biggest names in technology and device manufacturing, including Google, Amazon, T-Mobile, Comcast and more, the ioXt Alliance is the only industry-led, global IoT device security and certification program in the world. Devices with the ioXt SmartCert give consumers and retailers greater confidence in a highly connected world. Tuya has certified nine modules and two apps: the Tuya Smart app, the Smart Life app, and the WBR3N, CB2L, CB2S, CB3L, CB3S, CBLC5, CBLC9, CBU, and CBU-IPEX modules.
ETSI EN 303645
ETSI EN 303645 is a European Standard for consumer IoT cyber security. It regulates the cyber security of consumer IoT products and services, and of commercial IoT products within its scope. It aims to establish a baseline of security for consumer IoT products and to protect user privacy. It helps IoT products comply with security guidelines by design and supports the network security of IoT products worldwide as well as European GDPR compliance. The related IoT law currently being promoted in the UK is also based on the EN 303645 standard.
ISO 9001
ISO 9001 is defined as the international standard that specifies requirements for a quality management system (QMS), ensuring that the specific requirements of customers and regulatory agencies are met.
AICPA SOC 2 Type II & SOC 3
System and Organization Controls (SOC) Reports are independent third-party examination reports that demonstrate how an organization achieves key compliance controls and objectives. Tuya passed SOC 2 audit and obtained SOC 2 and SOC 3 reports. The purpose of these reports is to help you and your auditors understand the Tuya controls established to support operations and compliance.
TRUSTe
Being certified by Enterprise Privacy Certificate (EPC) demonstrates that Tuya has fully implemented its privacy policy and privacy controls. EPC enhances Tuya's capabilities in privacy and corporate data management.
Compliance
Hardware Certifications
CE
The CE marking (Conformité Européenne) is a mandatory conformity mark for products placed on the market in the European Economic Area (EEA). Products with the CE marking can be sold throughout the EEA without being subject to further restrictions.
FCC
FCC certification is a type of product certification for electrical products with radiofrequency that are manufactured or sold in the United States. Products certified by the FCC are tested by an accredited laboratory and pass all the FCC testing standards.
IC
Industry Canada (IC) is a Canadian federal government department and responsible for the certification of radio-communication equipment entering the Canadian market. IC formulates test standards for analog and digital terminal equipment and stipulates that imported electronic products must pass the relevant EMC certification.
SRRC
The State Radio Regulation of China (SRRC) is a compulsory certification that is required by the State Radio Regulatory Commission of the People's Republic of China. Since June 1, 1999, the Ministry of Industry and Information Technology (MIIT) of China has mandated that all radio component products must obtain the Radio Type Approval Certification before they can be legally sold and used in China.
RoHS
Restriction of Hazardous Substances (RoHS) restricts the use of specific hazardous materials found in electrical and electronic products. RoHS is a mandatory standard enacted by EU legislation and has been in force since July 1, 2006. It drives the substitution of materials and processes in electrical and electronic products to make them safer for human health and the environment.
REACH
REACH is the European chemicals legislation and stands for Registration, Evaluation, Authorization and Restriction of Chemicals. The main objectives of REACH are to determine the hazards of chemicals and to carry out risk assessments. All products manufactured in the EU or imported into the EU market must pass the registration, inspection, and approval of the level of harmful chemical substances. Otherwise, they cannot be sold in the EU market.
Tuya Bounty Program
Tuya works together with security researchers to build a healthy IoT ecosystem. When researchers identify potential vulnerabilities in the Tuya IoT PaaS and its products and services, we encourage them to report them to us through our bug bounty program.
Resources
Learn more about Tuya's security mechanism in the Tuya Information Security White Paper.
White Paper on Information Security & Compliance
Tuya GDPR White Paper
Tuya LGPD White Paper
FAQs
How are Tuya's data centers deployed?
As of January 2022, Tuya operates six data centers in USA East, USA West, Europe, India, and mainland China. In terms of cloud service providers, Tuya deploys on Amazon Web Services (AWS) in Germany, USA West, and India; on Microsoft Azure in USA East and the Netherlands; and on Tencent Cloud and Alibaba Cloud in mainland China. Customers from the USA and Europe can choose whether to store their data on Microsoft Azure or on AWS. Tuya strictly adheres to regional laws and regulations on data security and privacy and operates multiple data servers in different countries/regions. Data is stored in the data center corresponding to the user's choice, which also improves reliability and availability. Customers can check a product's server IP address to find out which data center its traffic goes to.
How does Tuya classify customer data?
Tuya provides data storage and processing services to its customers through cloud service providers. When a customer or end user transfers data to Tuya, Tuya is responsible for storing and processing that data securely. In abstract terms, Tuya creates an independent account for each customer. Accounts are logically isolated from one another, and the access control mechanism permits customers to access and manage only the data they own, plus public underlying data. Tuya divides customer data into two categories: Tuya IoT Platform data and customer detail data.
Tuya IoT Platform data: After registering an account on the Tuya IoT Platform, customers can view the data created or managed under their account, for example the user name, phone number, and email address in the account repository, device details, user feedback, and the product services provided to end users under device statistics. Customers can access only their own personal data and the service data statistics under their contracted services, which are managed independently through their Tuya IoT Platform accounts. Displaying any raw personal data related to a customer, or any detail data related to products or services, in the public area of the Tuya IoT Platform is strictly prohibited.
Customer detail data: All personal data (for example phone numbers, email addresses, and IP addresses), audio and video streams, recordings, and images generated by a customer or end user who voluntarily transfers such data to Tuya in order to use products or services, and any results derived from such content by the customer or end user in connection with the products or services provided by Tuya.
Tuya stores all itemized data generated from such product and service interactions in the databases of its cloud service providers. Whether alone or in combination with other data, this may include data that identifies an individual or data that reflects the activities of a particular individual. Tuya secures customer data in this category using technical and organizational security measures. For details of data collection and use, see the Tuya Terms of Use and the Tuya Privacy Policy.
Data ownership and control
Data owner: The individual user owns their personal data.
Data controller: For products or services that Tuya provides to its corporate customers, the relationship is governed by a legally binding contract. The customer determines the purpose, scope, and manner of processing personal data, and this decision-making role makes the customer the data controller.
Data processor: Tuya processes personal data on an ongoing basis in accordance with its customers' processing instructions in order to provide and improve the agreed services. As the customer's data processor, Tuya has a strict data processing agreement with the customer covering the scope and methods of processing. Tuya has strict internal permission and access control policies and technical safeguards to ensure that data can be accessed or processed only with the customer's authorization. To ensure data compliance, Tuya has deployed multiple independent data nodes worldwide that perform localized data storage and processing, together with strict data encryption.
What technical and organizational measures does Tuya have in place to safeguard customer data security and privacy?
When Tuya's products and services collect personal data, they follow these basic principles: purpose specification, consent and choice, data minimization, transparency, and security.
Secure storage: Tuya IoT PaaS isolates each customer's data. It also provides different data storage services for different business scenarios. Sensitive customer or end-user data is stored with AES-256 encryption, some sensitive data is masked (desensitized) where necessary, and the keys are managed and distributed through a central key management service.
Secure processing: Tuya divides data into personal data, platform information data, and internal corporate data, and applies security requirements and countermeasures according to data type. Strict data access control and approval mechanisms are in place. Input filtering enforces strict verification of data type, length, and format at every service entry point to ensure data integrity and prevent contamination. For data destruction, Tuya uses the cloud provider's underlying deletion mechanism to permanently delete the data.
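The storage and processing controls named above (AES-256 for sensitive fields, keys issued by a key management center, tenant isolation, and type/length/format checks at the service entry point) fit together as envelope encryption with tenant-bound authenticated data. The following is an added example written for this page, not Tuya's code: the KEK-holding kekStore stands in for a key management service (a real deployment would call a cloud KMS to wrap and unwrap data keys), the E.164-style phone rule and the tenant-plus-field AAD binding are assumptions of the example, and the sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"regexp"
)

// mustRandom draws n bytes from the OS CSPRNG; a failure here is fatal.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-256-GCM; every key in this example is 32 bytes, so a
// construction error is a programming bug rather than bad input.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal prepends a fresh 96-bit nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	nonce := mustRandom(12)
	return gcmFor(key).Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to ciphertext or aad fails authentication.
func open(key, ciphertext, aad []byte) ([]byte, error) {
	if len(ciphertext) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcmFor(key).Open(nil, ciphertext[:12], ciphertext[12:], aad)
}

// kekStore stands in for the key management center: it holds the
// key-encryption key (KEK) and only wraps or unwraps per-record data keys.
// Constructed for this example; production code would call a cloud KMS.
type kekStore struct{ kek []byte }

// Record is one encrypted field as it would sit in the database.
type Record struct {
	Tenant, Field string
	WrappedDEK    []byte // data key (DEK) encrypted under the KEK
	Ciphertext    []byte // field value encrypted under the DEK
}

// Data filtering at the service entrance: length and format check on a
// phone number (E.164-style rule, hypothetical for this example).
var phoneRE = regexp.MustCompile(`^\+[1-9][0-9]{6,14}$`)

func ValidatePhone(s string) error {
	if len(s) > 16 || !phoneRE.MatchString(s) {
		return fmt.Errorf("phone: bad length or format")
	}
	return nil
}

func aadFor(tenant, field string) []byte { return []byte(tenant + "|" + field) }

// EncryptPhone validates, draws a fresh DEK, encrypts the value under it and
// wraps the DEK under the KEK. Tenant and field name are bound as AAD on
// both layers, so a ciphertext copied into another tenant's row will not decrypt.
func (ks *kekStore) EncryptPhone(tenant, phone string) (*Record, error) {
	if err := ValidatePhone(phone); err != nil {
		return nil, err
	}
	dek, aad := mustRandom(32), aadFor(tenant, "phone")
	return &Record{Tenant: tenant, Field: "phone",
		WrappedDEK: seal(ks.kek, dek, aad), Ciphertext: seal(dek, []byte(phone), aad)}, nil
}

// DecryptField unwraps the DEK with the KEK, then decrypts the value.
func (ks *kekStore) DecryptField(r *Record) (string, error) {
	aad := aadFor(r.Tenant, r.Field)
	dek, err := open(ks.kek, r.WrappedDEK, aad)
	if err != nil {
		return "", fmt.Errorf("unwrap data key: %w", err)
	}
	pt, err := open(dek, r.Ciphertext, aad)
	return string(pt), err
}

func main() {
	ks := &kekStore{kek: mustRandom(32)}
	rec, _ := ks.EncryptPhone("tenant-a", "+14155550123")
	rec.Tenant = "tenant-b" // same row read under another tenant's identity
	_, err := ks.DecryptField(rec)
	fmt.Println("cross-tenant decrypt:", err)
}
```

Two design points worth noting: the per-record data key means a KEK rotation only re-wraps small keys rather than re-encrypting every field, and putting the tenant and field name in the AAD turns the logical account isolation described above into a cryptographic check, so a misrouted or copied ciphertext fails authentication instead of decrypting for the wrong customer.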
How does Tuya continue to keep up with the latest developments in data security and privacy compliance laws and regulations?
On data security, Tuya has a sizeable team of information security professionals and a comprehensive information security program, including secure software development practices and an advanced attack-and-defense capability. In addition, Tuya commissions annual penetration tests by third-party security firms and runs a high-value vulnerability bounty program to test the security of its products and services. On privacy compliance, Tuya has established a compliance committee, a security and privacy compliance team, and a legal team to track and respond to the latest global legal requirements. Tuya has also entered into strategic partnerships with external law firms and third-party privacy compliance and security consultants to optimize and upgrade its privacy compliance and security measures on a long-term, ongoing basis.