SXC Cosmetics: Information Security & Data Protection Policy
Effective Date: October 2023
Version: 1.0
Scope: This policy applies to all internal systems, employees, and third-party integrations (including TikTok Shop API) managed by SXC Cosmetics.
1. Objective
The purpose of this policy is to ensure the confidentiality, integrity, and availability of business and customer data, specifically relating to US user data accessed via the TikTok Shop Partner Center.
2. Data Classification & Encryption
- Sensitive Data: All customer personally identifiable information (PII), including names, addresses, and order details, is classified as "Confidential."
- Encryption at Rest: All confidential data stored on our internal servers or cloud databases is encrypted using industry-standard AES-256 encryption.
- Encryption in Transit: All data transmitted between TikTok Shop APIs and our internal systems is protected using TLS 1.2 or higher.
3. Access Control (Least Privilege)
- Access to the TikTok Shop Developer credentials and data is restricted to authorized personnel only.
- Multi-Factor Authentication (MFA): MFA is mandatory for all administrative accounts and systems accessing TikTok Shop data.
- Password Policy: Minimum 12 characters, including symbols and numbers, updated annually.
4. Network Security & Endpoints
- All company devices must have active, updated anti-virus/anti-malware software installed.
- Internal networks are protected by firewalls with logging enabled to monitor and prevent unauthorized threats.
- Employees are required to use a secure VPN when accessing internal management tools remotely.
5. Vulnerability & Threat Management
- SXC Cosmetics performs quarterly internal reviews of system logs and software updates.
- Security patches for operating systems and applications are applied within 30 days of release to mitigate known vulnerabilities.
6. Data Retention & Deletion
- Customer data is retained only as long as necessary for order fulfillment and tax compliance (typically 7 years for financial records).
- Upon termination of the TikTok Shop Partner agreement or a valid user request, all associated PII will be permanently deleted from our systems within 30 days.
7. Incident Response
- In the event of a suspected data breach, the lead developer will be notified immediately.
- SXC Cosmetics commits to notifying TikTok Shop and affected customers within 72 hours of confirming a security breach involving personal data.