Alipay Information Security Standards

(Applicable to Alipay Overseas Commercial Cooperative Partners. “Partners” including but not limited to ISO, ISV, Acquirers and other partners. )

1.   The account that opens Alipay service can only be used by Partners themselves and Partners shall not transfer, lease, lend, leak and disclose such account to any third party in any way. The Partners shall duly keep and protect the information that may be enabled them to be identified, such as information of the account and passwords. The Partners promise to notify Alipay immediately once any unauthorized use of information (such as passwords or accounts) or any other security issues occur.

2.   The Partners shall develop, operate, support and maintain the application independently and agrees to accept all related risks and outcomes. Alipay is not responsible for any content or information published on Alipay platform which is incorrect or wrong, whether the incorrect or wrong content or information mentioned above is caused by clients or by any devises or programs connected to or used by the application.

3.   The application developed by Partners through Alipay shall not include any links (except for the website of the Partner) that may induce or mislead clients to log in, register or use any other websites other than Alipay.

4.    The Partners shall not:

1)    falsify any aspects of or partly delete any logo, trademark, copyright or other statements which may infringe on the intellectual property of merchants.

2)    distribute, sell, re-sell, leas, license, re-license or otherwise provide the information of Alipay or any clients to any third party (including storing the information of Alipay or clients by any means for third parties to visit).

3)    include any malicious program or virus incorporated in Partners’ applications which disturb in any ways or intent to disturb the normal operations of Alipay or applications of any other Partners or any parts of the application or relevant functions.

4)    directly or indirectly include any links to any of the following content in Partners’ applications: (A) any product or service prohibited by laws, regulations, ordinances or rules; or (B) any products or services which is not authorized to be connected or incorporated.

5)    use any data (including but not limited to any information of clients or transactions with clients, data generated during the use of Partners’ products by clients, interface materials and rates in relation to the interface of the platform and its affiliates) in connection with the platform and its affiliates which is obtained through Alipay API, public channels and cooperative operations hereunder for any other purpose not provided in the master agreement and This Standards.

6)    use the information of Alipay’s clients, which is obtained in violation of applicable laws or norms for clients’ data, for the purpose of trading or getting any improper interests.

7)    obtain or use operational or clients’ data by utilizing App ID or relevant rights of other Partners.

8)    request, collect, ask for or otherwise obtain the access right in connections with accounts, username, passwords or other identity credentials from any clients.

9)    provide any proxy authentication credential to any clients for their automatically logging in Alipay, Applications or API.

10)    provide tracking functions, including but not limited to the function of identifying other clients’ any acts of checking or operating on the page of record documents of Partners’ applications.

5.    The API calls shall be based on authentic business needs. It can only be used for business processing and shall not be used for any other purpose.

6.    The following rules shall be followed by the Partners if their applications involving any collection, storage or use of clients’ data:

1)    Without prior explicit authorization of clients, the Partners or their applications shall not collect any data of the clients and the Partners can only collect the clients’ data which is necessary for the operation and realization of the functions and, at the same time, shall inform clients the purpose, scope and usage of relevant data collection.

2)    After collecting clients’ data, the Partners shall take protection measures, which are reasonable, safe and effective, to protect the data from stealing or leakage.

3)    The data of clients collected in applications by Partners can only be used in the application or used in accordance with the requirements of applicable laws and regulations or any agreements between clients and Partners.

4)    The Partners shall publicize the privacy protection policies to their clients in an obvious position of the application.

5)    The Partners shall provide their clients with channels of rectifying or deleting the data and ensure that the client is able to complete the deletion of their data by such way independently.

6)    The Partners shall notify clients and Alipay within 72 hours and shall not conceal the event once any steal or leakage of clients’ data occurs. Besides, the Partners shall promptly take corresponding measures to protect the interest of clients and prevent any further damages.

7)    The Partners shall ensure segregation of accounts, data, and permissions among different merchants.

8)    In order to prevent any privacy information from being abused and any sensitive data from being leaked, the Partners shall make the information to be presented without any sensitive information (e.g. ID number, cell-phone number) when showing users’ information to merchants.

9)    The application of Partners shall not provide any functions which may allow bulk download or print of users’ sensitive data.

10)    The application shall take technological measures to prevent any sensitive information which is presented in the form of plain-text from being crawled.

Updated on August 27, 2018