Best Practices
Tencent Cloud has established a security and compliance framework based on a shared responsibility model, working with customers to ensure the security of cloud-based operations and data.
Tencent Cloud's Shared Responsibility Model and Security Compliance Certifications
Tencent Cloud's Risk Management
Tencent Cloud's Log Management
Tencent Cloud's Access Management
Tencent Cloud's Data Encryption
Tencent Cloud's Network Security
Tencent Cloud's Supplier Management
Physical Security of Tencent Cloud Data Centers
Tencent Cloud's Incident Response
Tencent Cloud's Vulnerability Management
Tencent Cloud's Shared Responsibility Model and Security Compliance Certifications
Shared Responsibility Model for Cloud Security

Tencent Cloud is committed to working with customers to build a better and more comprehensive security system for cloud-based businesses and data, and has established a cloud security responsibility-sharing model based on different cloud service categories.

  • Infrastructure as a Service (IaaS):

Tencent Cloud's responsibility: Responsible for the security of the underlying physical facilities and infrastructure of the entire cloud computing environment, and for ensuring the security and compliance of the cloud platform and the cloud products provided.

Customer's responsibility: Responsible for ensuring the security of self-built cloud applications and business data, including the correct development and use of cloud products (including security products), proper protection and authorization of cloud accounts, continuous monitoring and operation, and protecting business and data security.

  • Platform as a Service (PaaS):

Tencent Cloud's responsibility: Responsible for the security of the underlying physical facilities and infrastructure of the entire cloud computing environment, and for ensuring the security and compliance of the cloud platform and the cloud products provided.

Customer's responsibility: Responsible for ensuring the security of self-built cloud applications and business data, including the correct development and use of cloud products (including security products), proper protection and authorization of cloud accounts, and protecting business and data security.

  • Software as a Service (SaaS):

Tencent Cloud's responsibility: Responsible for the security of the underlying physical facilities and infrastructure of the entire cloud computing environment, and for ensuring the security and compliance of the cloud platform and the cloud products provided.

Customer's responsibility: Responsible for ensuring the security of self-built cloud applications and business data, including the correct development and use of cloud products (including security products), proper protection and authorization of cloud accounts, and safeguarding business and data security.

Verifying Security Controls through Compliance Certifications

Compliance is the foundation of Tencent Cloud's development. Tencent Cloud identifies and adopts advanced international and industry security standards, adheres to the compliance requirements of different countries/regions and industries, continuously improves its internal management system, enhances its security control level, and strives to create cloud services that customers can trust. At the same time, Tencent Cloud actively participates in the formulation and promotion of industry security standards, adheres to the principle of compliance as a service, and builds and operates a secure and reliable cloud ecosystem.

To date, Tencent Cloud has obtained multiple security and privacy compliance certifications or qualifications through independent third-party audits or assessments, including: ISO 27001 Information Security Management System Certification, CSA STAR Cloud Security Certification (SOC 1/SOC 2/SOC 3 reports), and security certifications or audit reports for other regions and industries.

For more information on Tencent Cloud's security compliance, please see the Tencent Cloud Compliance page. For any related compliance certificates or reports, please apply for and download them through the Tencent Cloud Compliance Documentation Center.

Tencent Cloud's Risk Management
Risk Management Processes and Methodologies

Tencent Cloud has established a structured and systematic mature risk management system, combining the international standard ISO/IEC 27005 Information Security Risk Management Guidelines with its own business practices.

Starting from its information assets, Tencent Cloud comprehensively identifies and analyzes potential risk scenarios and uses a risk quantification assessment model to classify and manage risks. Tencent Cloud has set clear risk acceptance benchmarks, requiring action to be taken for any risk at a medium or higher level, ensuring that risks are reduced to an acceptable range and building a solid security defense line for Tencent Cloud.

This dynamic monitoring and continuous, cyclical risk management mechanism ensures that Tencent Cloud can proactively identify and control security risks, maintaining them at an acceptable level and guaranteeing the secure and stable operation of its cloud platform and services.

Risk Identification, Assessment, and Governance Model

Tencent Cloud has established an information security risk management procedure to identify, track, and manage risks throughout the entire process.

  • Risk Identification: Tencent Cloud identifies risk scenarios through multiple channels, including its own threat intelligence center, internal monitoring systems, industry security reports, and internal and external audits.

  • Risk Assessment: A comprehensive assessment is conducted based on asset value, the likelihood of the risk scenario, and the impact of the risk on platform operations, customer business, and security compliance.

  • Risk Handling: Based on the results of risk analysis, identified risks are prioritized, and targeted response strategies and mitigation measures are provided.

  • Risk Governance: Risk management is a dynamic process. Tencent Cloud uses mechanisms such as regular assessments, event-triggered assessments, and continuous monitoring to promptly report and handle risks and dynamically adjust risk management plans.
Tencent Cloud's Log Management
Centralized Log Collection and Analysis

To ensure that operations within the production environment can be recorded and traced, Tencent Cloud has implemented a log management policy requiring all system components, including servers, network devices, databases, and applications, to enable logging. Tencent Cloud's production environment has fully deployed bastion hosts, which centrally manage administrator account permissions for Tencent Cloud backend system components. Internal operations personnel must obtain authorization to access the bastion host, and all backend operations are recorded in detail and centrally stored by the log platform.

Tencent Cloud's security operations platform uses predefined auditing and monitoring rules to automatically and intelligently analyze collected log data, promptly detecting system and activity anomalies, preventing security risks, achieving comprehensive visualization and real-time insight into risk data, and improving the security response speed and efficiency of the cloud platform.

Safeguarding the Security of Log Data

Tencent Cloud has established internal log collection and management standards and mechanisms to control the recording, extraction, analysis, and auditing of login logs, operation logs, event logs, etc. Once any abnormal behavior is detected, an alarm ticket is automatically generated to drive follow-up action.

  • Access Control: Tencent Cloud's log management platform implements strict access control, restricting access to logs to authorized personnel approved according to the access type, ensuring that log data in the repository is protected from unauthorized access, modification, and deletion.

  • Secure Operations and Maintenance: Tencent Cloud's production environment has fully deployed bastion hosts. All operations and maintenance in the production environment must be performed through the bastion host. Login logs and operation logs are uniformly collected and stored on Tencent Cloud's log management platform, and reviewed by Tencent Cloud's operations and maintenance security tools and internal audit team to prevent operational risks.

  • Secure Storage: Tencent Cloud ensures that log data is stored in a protected and controlled environment, implementing strict security measures to prevent unauthorized access, tampering, or loss.

  • Log Retention: Tencent Cloud determines the log retention period based on regulatory requirements, legal obligations, and business needs.

  • Log Backup: Tencent Cloud will perform appropriate backup configurations based on business needs to ensure that log data is backed up consistently and securely.
Tencent Cloud's Access Management
General Access Management

Customer data is classified as highest-security data within Tencent Cloud. Unless required for service provision or troubleshooting and with explicit customer authorization, Tencent Cloud employees will never proactively access any customer data. To mitigate the risk of unauthorized access to information assets, Tencent Cloud has implemented strict access management policies, including:

  • Default Least Privilege and Need to Know: Tencent Cloud employees are assigned only the minimum permissions required for their job role upon joining the company, and permissions are assigned based on their roles and responsibilities, ensuring that employees can only access resources necessary for their job duties.

  • Segregation of Duties: Constraints are imposed during the user role assignment phase, prohibiting users from holding mutually exclusive roles or permissions simultaneously, and mandating that critical operations be performed by different personnel. For example, the same user cannot simultaneously hold both create and approve permissions, forming a mutual constraint mechanism.

  • Multi-Factor Authentication: Tencent Cloud uses a zero-trust security management system to authenticate employees. Users must complete two-factor authentication before accessing internal resources.

  • Automated Account Management: A centralized access control system manages access requests, approvals, and automatically configures or deletes access permissions. This system is synchronized with the human resources system, adjusting access permissions when employees leave or change positions.

  • Logical Isolation: For multi-tenant isolation, Tencent Cloud provides security mechanisms such as virtualization control layer resource access control policies, isolation policies between private networks within the cloud platform, web console permission allocation and authentication, and interface session IDs and access keys. This ensures that each user can only access the cloud computing resources they have purchased, effectively achieving access isolation between multiple tenants.

  • Access Auditing and Monitoring: Rules in the access monitoring system are regularly reviewed and updated to promptly identify potential account and access permission abuse risks.

  • Security Training and Awareness: Tencent Cloud regularly provides employees with guidance on office security through security awareness materials and training courses. This includes guidelines for the secure use of personal devices, phishing email/social engineering prevention, data protection, etc., ensuring employees master dynamic protection skills under a zero-trust architecture.
Access Management for Production Systems

Tencent Cloud has clearly defined management requirements and related authorization mechanisms for special access permissions. Bastion hosts have been fully deployed in Tencent Cloud's production environment, providing centralized control over administrator account permissions for Tencent Cloud backend system components. Internal operations and maintenance personnel must obtain authorization to access the bastion host; access is limited to specific Tencent Cloud internal operations and maintenance personnel, and two-factor authentication is required to log in. Operational records are centrally stored on a log platform, and the logs are regularly audited by Tencent Cloud's internal audit team.

Tencent Cloud has established detailed operational security "red lines" and, leveraging years of experience in abnormal behavior monitoring, has built a comprehensive rule base and developed reliable automated operational security audit tools to identify abnormal behavior and automatically trigger real-time alerts.

Tencent Cloud's Data Encryption
Data Encryption in Transit

Tencent Cloud provides multiple data transmission protection mechanisms to ensure the confidentiality, integrity, and authenticity of sensitive information from sender to receiver, including:

  • Encrypted data transmission in the Tencent Cloud management console: All communications with the Tencent Cloud console are encrypted using HTTPS, a standards-compliant secure transport protocol, to prevent tampering or theft during data transmission.

  • Tencent Cloud API security capabilities: The cloud API interfaces provided by Tencent Cloud products also feature HTTPS encryption, signature verification, and status monitoring, providing port-level communication security for customer businesses.

  • Enable SSL encryption for private data transmission: SSL (Secure Sockets Layer) authentication is the authentication process between the client and the cloud database server, verifying both the user and the server. Enabling SSL encryption involves obtaining a CA certificate, which is then uploaded to the server. When the client accesses the database, the SSL protocol is activated, establishing a secure SSL channel between the client and the database server. This ensures encrypted data transmission, preventing interception, tampering, or eavesdropping during transmission and guaranteeing the security of information exchanged between the two parties.

  • Secure end-to-end encryption: Tencent Cloud's network products support end-to-end encryption during data transmission. Tencent Cloud VPN supports both IPsec and SSL protocols for virtual network connections, using IKE (Internet Key Exchange) and IPsec to encrypt transmitted data, establishing a secure and reliable data tunnel over the internet to ensure data security during transmission.
Data Encryption at Rest

To ensure the confidentiality of customer data stored in the cloud, Tencent Cloud provides secure encryption solutions:

  • Envelope Encryption Mechanism: The specific encryption design varies slightly depending on the business model and customer needs of different cloud products. Typically, cloud products use envelope encryption, which encrypts and decrypts data by calling the Key Management System (KMS) interface. Envelope encryption is a high-performance encryption and decryption solution for handling massive amounts of data. It primarily uses a Data Key (DEK) for encryption and decryption on the customer's local machine. The DEK is generated by the GenerateDataKey interface and is protected by a Root Key (CMK); when calling GenerateDataKey, the KeyId of the corresponding CMK must be specified.

  • Key Management System: The Key Management System (KMS) is a security management service that helps users easily create and manage keys, meeting the key management needs of multiple applications and businesses, and assisting users in fulfilling compliance requirements.

KMS seamlessly integrates with Tencent Cloud products such as Object Storage (COS), Cloud Disk (CBS), and Database (TencentDB/CDB). Users only need to select the key managed by KMS, without needing to worry about the encryption details, to achieve transparent cloud data encryption and decryption.

The Key Management System (KMS) uses a Hardware Security Module (HSM) certified by the State Cryptography Administration or FIPS 140-2 to generate and protect keys, meeting compliance review standards and supporting full lifecycle management of encryption keys, including generation, storage, rotation, archiving, and destruction.

To reduce the risk of key cracking or misuse, KMS supports key rotation and employs secure and reliable methods to delete expired, invalid, or leaked keys. Deleted keys cannot be recovered, and encrypted data under those keys cannot be decrypted.
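To make the envelope mechanism concrete, here is a self-contained Go program added as an illustration; it is not Tencent Cloud KMS, its SDK, or code from the page. `DemoKMS` is a constructed stand-in for the key service: root keys (CMKs) never leave it, `GenerateDataKey` returns a fresh DEK both in plaintext and wrapped under the named CMK, and `Decrypt` unwraps. Bulk data is encrypted locally with the DEK (AES-256-GCM here; the real product's algorithms are not stated on the page), and only the wrapped DEK is stored beside the ciphertext. `DeleteKey` is likewise a constructed name, included to show the page's point that data encrypted under a deleted CMK cannot be recovered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// DemoKMS stands in for the key management service. Root keys (CMKs) live only
// inside it; callers only ever see wrapped DEKs. Constructed for this example.
type DemoKMS struct {
	roots map[string][]byte // KeyId -> 256-bit root key
}

func NewDemoKMS() *DemoKMS { return &DemoKMS{roots: map[string][]byte{}} }

// CreateKey generates a new root key under keyID.
func (k *DemoKMS) CreateKey(keyID string) error {
	root := make([]byte, 32)
	if _, err := rand.Read(root); err != nil {
		return err
	}
	k.roots[keyID] = root
	return nil
}

// DeleteKey destroys the root key; anything wrapped under it is unrecoverable.
func (k *DemoKMS) DeleteKey(keyID string) { delete(k.roots, keyID) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesGCMSeal encrypts plaintext with a fresh nonce prepended; aad is
// authenticated but not encrypted. aesGCMOpen reverses it and fails on tampering.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// DataKey is the GenerateDataKey result: the plaintext DEK for immediate local
// use, and the same DEK wrapped under the CMK, which is the copy that is stored.
type DataKey struct{ Plaintext, Encrypted []byte }

// GenerateDataKey mints a DEK and wraps it under the CMK named by keyID. The
// KeyId is bound as AAD so a wrapped DEK cannot be unwrapped by another CMK.
func (k *DemoKMS) GenerateDataKey(keyID string) (DataKey, error) {
	root, ok := k.roots[keyID]
	if !ok {
		return DataKey{}, fmt.Errorf("kms: unknown KeyId %q", keyID)
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return DataKey{}, err
	}
	wrapped, err := aesGCMSeal(root, dek, []byte(keyID))
	return DataKey{Plaintext: dek, Encrypted: wrapped}, err
}

// Decrypt unwraps a DEK; it fails once the CMK has been deleted.
func (k *DemoKMS) Decrypt(keyID string, wrapped []byte) ([]byte, error) {
	root, ok := k.roots[keyID]
	if !ok {
		return nil, fmt.Errorf("kms: unknown or deleted KeyId %q", keyID)
	}
	return aesGCMOpen(root, wrapped, []byte(keyID))
}

// Envelope is what is stored beside the data: ciphertext, the wrapped DEK and
// the KeyId of the CMK needed to unwrap it. No plaintext key is ever stored.
type Envelope struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// EnvelopeEncrypt does the bulk encryption locally with the DEK, then zeroes
// the plaintext DEK so only the wrapped copy survives.
func EnvelopeEncrypt(kms *DemoKMS, keyID string, plaintext []byte) (Envelope, error) {
	dk, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := aesGCMSeal(dk.Plaintext, plaintext, nil)
	for i := range dk.Plaintext {
		dk.Plaintext[i] = 0
	}
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KeyID: keyID, WrappedDEK: dk.Encrypted, Ciphertext: ct}, nil
}

// EnvelopeDecrypt asks the KMS to unwrap the DEK, then decrypts locally.
func EnvelopeDecrypt(kms *DemoKMS, env Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.KeyID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aesGCMOpen(dek, env.Ciphertext, nil)
}
```

Two properties worth noticing: the KMS only ever handles the 32-byte DEK, never the bulk data, which is what makes the pattern scale to massive datasets; and decryption of everything under a CMK stops the moment that CMK is deleted, because the stored DEKs exist only in wrapped form.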

Tencent Cloud's Network Security
Security Design for Network

Tencent Cloud has formulated and implemented multi-level network security governance and strategies to improve the robustness of the underlying network of its cloud platform, including:

  • Network Isolation: Tencent Cloud has established a mature network security architecture. Firewalls are deployed at network boundaries to protect the internal network from unauthorized access. The internal network follows strict isolation policies, separating different network areas such as office networks, isolation zones, and operational networks, and clearly defining access controls and boundary protection between these areas. Access to the production environment requires login via a jump server, and unauthorized Tencent Cloud employees are prohibited from logging into the jump server.

  • Virtual Private Cloud (VPC): Tencent Cloud also provides customers with a Virtual Private Cloud (VPC). Customers can achieve complete logical network isolation by configuring network environments, routing tables, and security policies. Tencent Cloud uses virtualization technology to help you build a completely isolated private network environment, with 100% logical isolation between different private networks, meeting your business's security isolation needs.

  • Tencent Cloud's private network supports multi-dimensional network security management. You can use network ACLs and security groups to implement resource access control at the port and instance levels; it also supports least privilege accounts through CAM, helping you comprehensively improve network security.

  • Network Configuration Security: Tencent Cloud has established network security baseline standards for the security configuration of network devices. These standards include enabling security settings on network devices, only opening necessary network service functions and protocols, prohibiting any form of wireless network access to the production network, and ensuring that the security policies of virtual network configurations are consistent with those of the physical network. Tencent Cloud uses configuration scanning tools to automatically scan the configuration items of network devices. If any anomalies are found, an alarm will be triggered immediately and a work order will be automatically created for tracking and processing.

  • Network Communication Security: Tencent Cloud requires that all web services exposed to the external network be configured with HTTPS transmission and use a secure transmission protocol to improve the data security of external network transmissions. When customers, their third-party partners, downstream subcontractors, and Tencent Cloud communicate, customers need to take encryption measures or use encrypted channels based on their own security needs and actual management capabilities to ensure the confidentiality and integrity of the transmission process.
Continuous Network Intrusion Protection

Tencent Cloud provides a mature network security architecture, employing multiple protection mechanisms including firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS protection, network logical isolation, and web application security to promptly detect, filter, and block malicious network traffic, protecting Tencent Cloud's network security.

Through multi-point monitoring and multi-layered defense mechanisms, Tencent Cloud analyzes traffic in a timely manner, detects network attacks or threats in real time and issues alerts, assisting Tencent Cloud services in resisting network attacks from the internet (such as DDoS attacks) and providing a secure, stable, and healthy network operating environment for its businesses.

Tencent Cloud's Supplier Management
Supplier Onboarding

Tencent Cloud has established a rigorous supplier evaluation and onboarding process.

  • Supplier Due Diligence and Onboarding Review: When adding a new supplier, Tencent Cloud's relevant procurement and demand departments conduct a comprehensive evaluation of potential suppliers' product delivery qualifications and capabilities, technical level, quality assurance capabilities, industry performance, and risk management and governance processes. They also analyze the availability of potential suppliers and their suitability for the requirement, ultimately selecting a suitable supplier.

  • Contract Security Requirements: Based on the review results, Tencent Cloud will sign relevant support contracts with the selected suppliers. These contracts include the scope of IT infrastructure or IT services provided by the supplier, the technical requirements and indicators to be met, quality standards and acceptance criteria, delivery content, technical support and after-sales service agreements, and the rights and obligations of both parties. The contracts between Tencent Cloud and suppliers will also clearly define responsibilities and obligations regarding security, privacy protection, confidentiality, and compliance.
Continuous Supplier Monitoring

Tencent Cloud has established supplier management processes and requirements to ensure that all service providers are fully evaluated and that their services meet security, quality, and compliance requirements through clear service agreements.

  • Third-Party Personnel Management: Tencent Cloud supervises and manages the activities of third-party personnel to ensure that their activities comply with relevant company rules and regulations, such as information security management, business continuity management, and data security and confidentiality requirements. Access permissions for third-party personnel are granted as needed, based on their roles and job responsibilities, after they sign confidentiality agreements, undergo security awareness training, and pass testing.

  • Continuous Supplier Monitoring: Tencent Cloud also continuously monitors the service levels of suppliers to ensure the safe and stable operation of their activities. Tencent Cloud will periodically evaluate supplier performance according to the security and operational standards stipulated in the contract and assess and accept the delivery before the end of the cooperation. For any issues discovered during the cooperation process, Tencent Cloud will require the supplier to take appropriate remedial measures to ensure that the supplier's delivery meets the established security and quality requirements.
Physical Security of Tencent Cloud Data Centers
High Availability Design

To ensure the continuous and stable operation of customer systems and data availability, Tencent Cloud, from the perspective of a cloud service provider, safeguards the business continuity of its cloud platform and services in three aspects: high availability of infrastructure, disaster recovery of network and computing units, and daily business continuity management.

  • High Availability of Infrastructure: Tencent Cloud operates over 50 availability zones across 26 geographic regions globally, with more than 10 underlying internet service providers. Customers can flexibly deploy their services in different regions according to their business development needs to ensure disaster recovery requirements. Furthermore, the infrastructure construction and environmental design of Tencent Cloud data centers, including power supply systems, air conditioning systems, fire detection and protection systems, and power systems, all have disaster recovery redundancy to ensure the high availability of the customer's underlying infrastructure.

  • Disaster Recovery of Network and Computing Units: Tencent Cloud's network adopts an N*N redundancy construction method, combined with path priority at the routing level and traffic engineering scheduling based on route reachability, to ensure that network service is not interrupted by a single point of failure.

  • Routine Business Continuity Management: Tencent Cloud places great emphasis on the business continuity management of its cloud platform. It ensures business operations meet availability requirements by establishing and implementing internal processes, and supports customers in integrating their business continuity plans. Tencent Cloud has established and implemented a business continuity management system and has obtained third-party certification for the ISO 22301 business continuity management system.

Physical Perimeter Security
  • Security Zone Division: Tencent Cloud divides security zones into critical security zones and general security zones. Critical security zones have security perimeters and include video surveillance devices. Strict access control policies should be implemented in critical security zones (including data centers, critical information processing facilities, security monitoring centers, network connection rooms, and technical equipment) to prevent unauthorized access to cloud infrastructure.

  • Employee Access Control: Tencent Cloud data centers have established a complete data center access control matrix based on personnel roles and access permissions. Access control systems are installed in each area of the data center, and only authorized personnel have access to the corresponding areas. Access permissions for non-permanent authorized personnel are only valid for the day, and such personnel must be accompanied by on-site personnel or data center operations and maintenance personnel throughout the visit. Data center monitoring covers all important areas and entrances/exits, and important areas are equipped with 24/7 blind-spot-free video surveillance and warning systems to prohibit unauthorized access.

  • External Visitor Access Control: External visitors must submit a written application specifying the purpose, time, and area of their visit. After approval by the data center manager, they must be accompanied by designated personnel throughout the visit. External personnel must undergo identity verification before entering the data center, are prohibited from bringing prohibited items, and are only permitted to operate within authorized areas; access must be revoked promptly after the visit.

  • Security Monitoring: Tencent Cloud has established and strictly enforces security management systems, and implements regional security protection through video surveillance systems, access control systems, and manual inspections, while properly protecting access and monitoring log information for regular review.
Asset and Device Management
  • Asset Management: In terms of information asset management, Tencent Cloud has established information asset management standards and full lifecycle management processes to classify and protect assets such as electronic data, hardware and its virtual devices, infrastructure, application systems, and software. Tencent Cloud manages hardware devices and software components through an asset management system, including asset registration and binding, asset inventory and information updates, asset decommissioning and replacement, etc.

  • Storage Media Security: When media used to provide Tencent Cloud services fails and needs to be replaced, or reaches the end of its service life and needs to be decommissioned, Tencent Cloud will promptly and thoroughly destroy it according to strict procedures.
Environmental Controls
  • Site Selection: Tencent Cloud selects, constructs, or leases sites in accordance with relevant international standards and local security requirements. When choosing the physical location for building data centers or selecting data center providers, environmental threats are fully considered, ensuring locations are far from areas with a high probability of environmental risks. Data center server rooms and office spaces should be located in buildings with earthquake, wind, and rain resistance capabilities.

  • Environmental Control: Tencent Cloud has established a comprehensive data center physical environment security management system based on relevant international standards and regulatory requirements for data centers. All Tencent Cloud data centers globally are equipped with complete smoke alarm and fire protection systems. The power and air conditioning systems in each data center adopt highly stable, fully redundant systems, ensuring that any single point of failure will not affect the continuity of power and cooling supply. Anti-static floors are installed throughout the center, and server racks, cable trays, etc., are grounded to protect equipment from damage caused by static electricity.
Continuous Assessment and Improvement
  • Continuous Inspection and Monitoring: The on-site personnel at the data center strictly follow the inspection checklist and inspection plan to inspect each data center and its equipment every day. Once a security violation is discovered, the emergency procedures for data center management are activated immediately.

  • Third-Party Compliance Audit: In addition to the physical protection measures mentioned above, Tencent Cloud hires a third-party auditing firm every year to conduct a rigorous audit of its data centers, evaluating compliance across dimensions such as data center environment, infrastructure protection, and access control. Any problems found are promptly followed up and rectified, and continuous improvement is used to ensure the physical and environmental security of Tencent Cloud data centers.
Tencent Cloud's Incident Response
Emergency Response Mechanism
  • Event Classification and Grading: Information security events include multiple categories such as service interruption, personal information protection, data loss, intrusion and security risks, and data breach. The classification of an event is based on a comprehensive assessment of multiple dimensions, including the duration and scope of its impact.
Incident Response Process

Tencent Cloud has internally established information security incident management standards, and set up information security reporting, response, and handling mechanisms and related processes.

  • Incident Handling Process: Incidents are handled in the following stages.

1. Incident Identification and Risk Assessment: After a security alarm is triggered, the cloud security team first assesses the incident risk and classifies it. Relevant teams then activate emergency plans according to the classification to control the escalation of the situation.

2. Incident Emergency Response: The emergency response team will respond to and handle the incident according to the process. Through log review, the attack path, alarm cause, and scope of impact will be identified. Measures will be taken to eliminate the fault, restore the system/service, and, if necessary, activate the business continuity management plan.

3. Incident Review and Optimization: After the impact of the fault is eliminated, relevant departments will review the incident and conduct root cause analysis, formulate corrective measures, and optimize existing security strategies.

4. Incident Reporting: Tencent Cloud reports the incident response and handling process to relevant parties in accordance with laws, regulations, and relevant requirements.

  • Customer Support Services: Tencent Cloud provides 24/7 technical support to assist customers in their incident response procedures and meet compliance requirements. Specifically, it assists customers in identifying the root cause of problems, tracking incidents, and providing support and assistance for issues related to cloud product functions, infrastructure, underlying networks, and hosts through 24/7 work orders, hotlines, intelligent customer service, and self-service channels.
Tencent Cloud's Vulnerability Management
Comprehensive Vulnerability Assessment

Tencent Cloud has established a regular vulnerability scanning and penetration testing mechanism to comprehensively address internal and external vulnerabilities and risks.

  • Internal Vulnerability Management Mechanism: Tencent Cloud's vulnerability scanning system regularly runs scanning tasks against assets in the cloud environment, and discovered vulnerabilities are analyzed, classified, and remediated. The Tencent Cloud security team regularly conducts large-scale full-chain penetration tests and, before new product launches or in cases of major change, targeted penetration tests. Test results are sent to the responsible departments through security work orders so that they can promptly patch the vulnerabilities or implement compensating controls, ensuring that exploitable vulnerabilities discovered during testing are properly addressed. Tencent Cloud also regularly conducts red team/blue team exercises to simulate and defend against cyberattacks.

  • Collaborative Vulnerability Reward Program: For external vulnerabilities, Tencent Cloud has built a collaborative vulnerability reward program centered on TSRC (Tencent Security Emergency Response Center). This program covers cloud products and core business systems through an external white-hat crowdsourcing mechanism, inviting industry security experts to help Tencent Cloud identify system security vulnerabilities and risks. Combined with AI-driven threat intelligence analysis and multi-dimensional verification processes, it systematically identifies external vulnerabilities.
Risk Prioritization and Remediation

Tencent Cloud's security vulnerability management platform automatically generates security tickets for discovered security vulnerabilities or risks. The relevant product departments must promptly conduct vulnerability remediation assessments and quickly mitigate losses based on the type and risk level of the security ticket, and determine remediation measures and plans based on root cause analysis. Security tickets contain detailed vulnerability descriptions, vulnerability risk levels, processing time limits, and vulnerability remediation guidelines. Vulnerabilities of different risk levels must be processed strictly according to their respective time requirements.

If a cloud platform vulnerability discovered during the assessment may impact customers, Tencent Cloud will promptly synchronize information such as vulnerability overview, scope, and severity of impact to customers through official website announcements, internal messages, etc., and provide relevant remediation suggestions and specific operational guidelines.

Continuous Monitoring and Improvement
  • Proactive Threat Intelligence: Tencent Cloud's security team monitors for vulnerabilities, categorizes those it finds, and publishes them daily to the internal site "Tencent Security Threat Intelligence Center." When external or industry vulnerabilities are detected, the intelligence is routed by category to the teams responsible for the affected business.

  • Penetration Testing and Security Drills: In addition to the regular full-chain penetration tests and the targeted tests before product launches and major changes described above, Tencent Cloud regularly conducts red team/blue team exercises that simulate diverse attack scenarios to test its dynamic defense capabilities.

  • Security Training and Awareness: Tencent Cloud conducts annual security awareness training for all employees and requires them to pass relevant assessments to ensure that all employees can effectively identify, report, and respond to security threats.
Threat Intelligence Information Sharing and Collaboration
  • Threat Intelligence Sharing: To support customers in threat detection and analysis, Tencent provides its Threat Intelligence Center (TIX). The Threat Intelligence Center has built a complete network of intelligence touchpoints, collecting and analyzing threat intelligence from various sources such as vulnerability communities, security organizations, security tool vendors, social media, and security blogs. It also leverages cloud-based algorithms to remove false positives, ensuring the accuracy of the intelligence.

  • Proactive Defense System: Building on the Threat Intelligence Center, Tencent Cloud is developing a proactive defense capability system spanning intelligence, attack, defense, management, and planning. By combining threat intelligence, artificial intelligence, and big data technologies, it improves the speed and efficiency of incident response, and it operates a 24/7 security operations center focused on threat detection, investigation, and response, aiming for a security posture that is knowable, visible, and controllable.

  • Transparent Reporting and Customer Communication: As described under Risk Prioritization and Remediation, cloud platform vulnerabilities that may affect customers are communicated promptly through official website announcements and in-console messages, together with the vulnerability overview, impact scope, severity, remediation suggestions, and specific operational guidance.
Tencent Cloud's Shared Responsibility Model and Security Compliance Certifications
Shared Responsibility Model for Cloud Security

Tencent Cloud is committed to working with customers to build a better and more comprehensive security system for cloud-based businesses and data, and has established a cloud security responsibility-sharing model based on different cloud service categories.

  • Infrastructure as a Service (IaaS):

Tencent Cloud's responsibility: Responsible for the security of the physical facilities and infrastructure underlying the entire cloud computing environment, and for ensuring the security and compliance of the cloud platform and the cloud products provided.

Customer's responsibility: Responsible for ensuring the security of self-built cloud applications and business data, including the correct development and use of cloud products (including security products), proper protection and authorization of cloud accounts, continuous monitoring and operation, and protecting business and data security.

  • Platform as a Service (PaaS):

Tencent Cloud's responsibility: Responsible for the security of the physical facilities and infrastructure underlying the entire cloud computing environment, and for ensuring the security and compliance of the cloud platform and the cloud products provided.

Customer's responsibility: Responsible for ensuring the security of self-built cloud applications and business data, including the correct development and use of cloud products (including security products), proper protection and authorization of cloud accounts, and protecting business and data security.

  • Software as a Service (SaaS):

Tencent Cloud's responsibility: Responsible for the security of the physical facilities and infrastructure underlying the entire cloud computing environment, and for ensuring the security and compliance of the cloud platform and the cloud products provided.

Customer's responsibility: Responsible for ensuring the security of self-built cloud applications and business data, including the correct development and use of cloud products (including security products), proper protection and authorization of cloud accounts, and safeguarding business and data security.

Verifying Security Controls through Compliance Certifications

Compliance is the foundation of Tencent Cloud's development. Tencent Cloud identifies and adopts advanced international and industry security standards, adheres to the compliance requirements of different countries/regions and industries, continuously improves its internal management system, enhances its security control level, and strives to create cloud services that customers can trust. At the same time, Tencent Cloud actively participates in the formulation and promotion of industry security standards, adheres to the principle of compliance as a service, and builds and operates a secure and reliable cloud ecosystem.

To date, Tencent Cloud has obtained multiple security and privacy compliance certifications or qualifications through independent third-party audits or assessments, including ISO 27001 (information security management system) certification, CSA STAR cloud security certification, SOC 1/SOC 2/SOC 3 audit reports, and other regional and industry-specific security certifications or audit reports.

For more information on Tencent Cloud's security compliance, please see the Tencent Cloud Compliance page. For any related compliance certificates or reports, please apply for and download them through the Tencent Cloud Compliance Documentation Center.

Tencent Cloud's Risk Management
Risk Management Processes and Methodologies

Tencent Cloud has established a structured, systematic, and mature risk management system that combines the international standard ISO/IEC 27005 (Information Security Risk Management) with its own business practices.

Starting from its information assets, Tencent Cloud comprehensively identifies and analyzes potential risk scenarios and uses a quantitative risk assessment model to classify and manage risks. Tencent Cloud has set clear risk acceptance criteria, requiring action on any risk rated medium or higher, so that risks are reduced to an acceptable range and a solid line of defense is maintained.

This dynamic monitoring and continuous, cyclical risk management mechanism allows Tencent Cloud to identify and control security risks proactively and early, keep them at an acceptable level, and guarantee the secure and stable operation of its cloud platform and services.

Risk Identification, Assessment, and Governance Model

Tencent Cloud has established an information security risk management procedure to identify, track, and manage risks throughout the entire process.

  • Risk Identification: Tencent Cloud identifies risk scenarios through multiple channels, including its own threat intelligence center, internal monitoring systems, industry security reports, and internal and external audits.

  • Risk Assessment: A comprehensive assessment is conducted based on asset value, the likelihood of the risk scenario, and the impact of the risk on platform operations, customer business, and security compliance.

  • Risk Handling: Based on the results of risk analysis, identified risks are prioritized, and targeted response strategies and mitigation measures are provided.

  • Risk Governance: Risk management is a dynamic process. Tencent Cloud uses mechanisms such as regular assessments, event-triggered assessments, and continuous monitoring to promptly report and handle risks and dynamically adjust risk management plans.
Tencent Cloud's Log Management
Centralized Log Collection and Analysis

To ensure that operations within the production environment can be recorded and traced, Tencent Cloud has implemented a log management policy requiring all system components, including servers, network devices, databases, and applications, to enable logging. Tencent Cloud's production environment has fully deployed bastion hosts, which centrally manage administrator account permissions for Tencent Cloud backend system components. Internal operations personnel must obtain authorization to access the bastion host, and all backend operations are recorded in detail and centrally stored by the log platform.

Tencent Cloud's security operations platform uses predefined auditing and monitoring rules to automatically and intelligently analyze collected log data, promptly detecting system and activity anomalies, preventing security risks, achieving comprehensive visualization and real-time insight into risk data, and improving the security response speed and efficiency of the cloud platform.

Safeguarding the Security of Log Data

Tencent Cloud has established internal log collection and management standards and mechanisms covering the recording, extraction, analysis, and auditing of login logs, operation logs, event logs, and similar records. When abnormal behavior is detected, an alert ticket is generated automatically so that follow-up action is tracked.

  • Access Control: Tencent Cloud's log management platform implements strict access control, restricting access to logs to authorized personnel approved according to the access type, ensuring that log data in the repository is protected from unauthorized access, modification, and deletion.

  • Secure Operations and Maintenance: Tencent Cloud's production environment has fully deployed bastion hosts. All operations and maintenance in the production environment must be performed through the bastion host. Login logs and operation logs are uniformly collected and stored on Tencent Cloud's log management platform, and reviewed by Tencent Cloud's operations and maintenance security tools and internal audit team to prevent operational risks.

  • Secure Storage: Tencent Cloud ensures that log data is stored in a protected and controlled environment, implementing strict security measures to prevent unauthorized access, tampering, or loss.

  • Log Retention: Tencent Cloud determines the log retention period based on regulatory requirements, legal obligations, and business needs.

  • Log Backup: Tencent Cloud will perform appropriate backup configurations based on business needs to ensure that log data is backed up consistently and securely.
Tencent Cloud's Access Management
General Access Management

Customer data is classified at the highest sensitivity level within Tencent Cloud. Tencent Cloud employees never proactively access customer data unless it is required for service provision or troubleshooting and the customer has given explicit authorization. To mitigate the risk of unauthorized access to information assets, Tencent Cloud has implemented strict access management policies, including:

  • Default Least Privilege and Need to Know: Employees are assigned only the minimum permissions their job role requires when they join, and permissions are granted according to role and responsibilities, so that employees can access only the resources necessary for their duties.

  • Segregation of Duties: Constraints are imposed during the user role assignment phase, prohibiting users from holding mutually exclusive roles or permissions simultaneously, and mandating that critical operations be performed by different personnel. For example, the same user cannot simultaneously hold both create and approve permissions, forming a mutual constraint mechanism.

  • Multi-Factor Authentication: Tencent Cloud uses a zero-trust security management system to authenticate employees. Users must complete two-factor authentication before accessing internal resources.

  • Automated Account Management: A centralized access control system manages access requests, approvals, and automatically configures or deletes access permissions. This system is synchronized with the human resources system, adjusting access permissions when employees leave or change positions.

  • Logical Isolation: For multi-tenant isolation, Tencent Cloud provides security mechanisms such as virtualization control layer resource access control policies, isolation policies between private networks within the cloud platform, web console permission allocation and authentication, and interface session IDs and access keys. This ensures that each user can only access the cloud computing resources they have purchased, effectively achieving access isolation between multiple tenants.

  • Access Auditing and Monitoring: Rules in the access monitoring system are regularly reviewed and updated to promptly identify potential account and access permission abuse risks.

  • Security Training and Awareness: Tencent Cloud regularly provides employees with guidance on office security through security awareness materials and training courses. This includes guidelines for the secure use of personal devices, phishing email/social engineering prevention, data protection, etc., ensuring employees master dynamic protection skills under a zero-trust architecture.
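The segregation-of-duties constraint described in the list above (one user may not hold mutually exclusive permissions such as create and approve, and critical operations must pass through two different people) is straightforward to enforce in code. The following Go program is an added example, not Tencent Cloud's code: the role names, permission names, exclusive pairs, and user assignments are all hypothetical, constructed for the illustration. It resolves roles to effective permissions, rejects assignments that combine both halves of an exclusive pair no matter which roles deliver them, and applies the two-person rule again at approval time.

```go
package main

import "fmt"

// Roles map role names to the permissions they grant. Names are hypothetical,
// chosen for this example.
var Roles = map[string][]string{
	"change-requester": {"change:create"},
	"change-approver":  {"change:approve"},
	"db-operator":      {"db:read", "db:write"},
	"db-auditor":       {"db:read", "audit:read"},
}

// Exclusive lists permission pairs that one identity may never hold together.
var Exclusive = [][2]string{
	{"change:create", "change:approve"},
	{"db:write", "audit:read"},
}

// Assignments is a constructed user-to-roles table containing two violations.
var Assignments = map[string][]string{
	"alice": {"change-requester", "change-approver"},
	"bob":   {"db-operator", "db-auditor"},
	"carol": {"change-approver"},
	"dave":  {"change-requester"},
}

// Conflict names the clashing permissions and the roles through which each arrives.
type Conflict struct {
	User, PermA, RoleA, PermB, RoleB string
}

// effective resolves roles to a permission -> granting-role map.
func effective(roles []string) (map[string]string, error) {
	perms := map[string]string{}
	for _, r := range roles {
		ps, ok := Roles[r]
		if !ok {
			return nil, fmt.Errorf("unknown role %q", r)
		}
		for _, p := range ps {
			if _, seen := perms[p]; !seen {
				perms[p] = r
			}
		}
	}
	return perms, nil
}

// CheckAssignment is the constraint applied when roles are granted: it reports
// every exclusive pair the user would hold, whichever roles deliver the halves.
func CheckAssignment(user string, roles []string) ([]Conflict, error) {
	perms, err := effective(roles)
	if err != nil {
		return nil, err
	}
	var out []Conflict
	for _, pair := range Exclusive {
		ra, okA := perms[pair[0]]
		rb, okB := perms[pair[1]]
		if okA && okB {
			out = append(out, Conflict{user, pair[0], ra, pair[1], rb})
		}
	}
	return out, nil
}

// ChangeTicket is a critical operation that must pass through two people.
type ChangeTicket struct {
	ID, Creator, Approver string
}

// Approve is the runtime half of the control: the approver needs the
// permission and must not be the creator, even if the static check was bypassed.
func Approve(t *ChangeTicket, approver string, userRoles map[string][]string) error {
	perms, err := effective(userRoles[approver])
	if err != nil {
		return err
	}
	if _, ok := perms["change:approve"]; !ok {
		return fmt.Errorf("%s lacks change:approve", approver)
	}
	if approver == t.Creator {
		return fmt.Errorf("%s created %s and cannot also approve it", approver, t.ID)
	}
	t.Approver = approver
	return nil
}

func main() {
	for user, roles := range Assignments {
		conflicts, _ := CheckAssignment(user, roles)
		for _, c := range conflicts {
			fmt.Printf("%s: %s (via %s) conflicts with %s (via %s)\n", c.User, c.PermA, c.RoleA, c.PermB, c.RoleB)
		}
	}
}
```

The static check belongs in the access-request approval path (the centralized access control system mentioned in the list); the runtime check belongs in the application itself, because role data and the moment of approval can drift apart, and a rejected assignment is only useful if the operation also refuses to proceed.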
Access Management for Production Systems

Tencent Cloud has clearly defined management requirements and related authorization mechanisms for special access permissions. Bastion hosts have been fully deployed in Tencent Cloud's production environment, providing centralized control over administrator account permissions for Tencent Cloud backend system components. Internal operations and maintenance personnel must obtain authorization to access the bastion host; access is limited to specific Tencent Cloud internal operations and maintenance personnel, and two-factor authentication is required to log in. Operational records are centrally stored on a log platform, and the logs are regularly audited by Tencent Cloud's internal audit team.

Tencent Cloud has established detailed operational security "red lines" and, leveraging years of experience in abnormal behavior monitoring, has built a comprehensive rule base and developed reliable automated operational security audit tools to identify abnormal behavior and automatically trigger real-time alerts.
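The rule-based auditing described above, as an added example (not Tencent Cloud's tooling): a small Go program that parses constructed bastion-host operation records and applies a handful of hypothetical red-line rules, producing the alerts that would become alarm tickets. The key=value log format, the users, hosts, commands, and the authorization table are all made up for this illustration; real red lines would be drawn from the operator's own change-management policy.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// OpRecord is one operation recorded by the bastion host. The key=value line
// layout is an assumption made for this example, not Tencent Cloud's format.
type OpRecord struct {
	Time, User, Host, Ticket, Cmd string
	MFA                           bool
}

// Alert is what the audit tool turns into an automatically created alarm ticket.
type Alert struct {
	Rule string
	Rec  OpRecord
}

var (
	fieldRe = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)
	// Hypothetical "red line" commands: recursive deletion of an absolute path,
	// filesystem creation, raw disk writes, dropping a database.
	destructiveRe = regexp.MustCompile(`(?i)(^|[\s;&|])(rm\s+-\S*r\S*\s+/|mkfs\S*\s|dd\s+if=|drop\s+database)`)
	// Commands that touch customer data and therefore need an approved ticket.
	customerDataRe = regexp.MustCompile(`(?i)/data/customer|mysqldump|mongodump`)
)

// SampleLog is constructed for this example: one clean line, four violations.
var SampleLog = []string{
	`2024-05-02T03:14:07Z user=ops_li src=10.20.1.5 host=prod-web-01 mfa=true ticket=CHG-1182 cmd="systemctl restart nginx"`,
	`2024-05-02T03:16:40Z user=ops_li src=10.20.1.5 host=prod-db-03 mfa=true ticket=CHG-1182 cmd="rm -rf /data/mysql/binlog"`,
	`2024-05-02T03:20:02Z user=ops_wang src=10.20.1.9 host=prod-db-03 mfa=false ticket=CHG-1190 cmd="mysqldump customers > /tmp/c.sql"`,
	`2024-05-02T03:22:15Z user=ops_li src=10.20.1.5 host=prod-db-03 mfa=true cmd="scp -r /data/customer/exports 10.20.1.5:/home/li/"`,
	`2024-05-02T03:25:00Z user=intern_zhao src=10.20.3.7 host=prod-web-01 mfa=true ticket=CHG-1191 cmd="tail -n 100 /var/log/nginx/access.log"`,
}

// Authorized maps each operator to the host-name prefixes they may reach (constructed).
var Authorized = map[string][]string{
	"ops_li":      {"prod-web-", "prod-db-"},
	"ops_wang":    {"prod-db-"},
	"intern_zhao": {"staging-"},
}

func parseRecord(line string) (OpRecord, error) {
	ts, rest, ok := strings.Cut(line, " ")
	if !ok {
		return OpRecord{}, fmt.Errorf("malformed record: %q", line)
	}
	rec := OpRecord{Time: ts}
	for _, m := range fieldRe.FindAllStringSubmatch(rest, -1) {
		val := strings.Trim(m[2], `"`)
		switch m[1] {
		case "user":
			rec.User = val
		case "host":
			rec.Host = val
		case "ticket":
			rec.Ticket = val
		case "mfa":
			rec.MFA = val == "true"
		case "cmd":
			rec.Cmd = val
		}
	}
	if rec.User == "" || rec.Host == "" || rec.Cmd == "" {
		return rec, fmt.Errorf("record missing user/host/cmd: %q", line)
	}
	return rec, nil
}

func hostAuthorized(user, host string, authorized map[string][]string) bool {
	for _, prefix := range authorized[user] {
		if strings.HasPrefix(host, prefix) {
			return true
		}
	}
	return false
}

// auditRecord applies every rule to one record; a record can trip several.
func auditRecord(rec OpRecord, authorized map[string][]string) []Alert {
	var alerts []Alert
	add := func(rule string) { alerts = append(alerts, Alert{Rule: rule, Rec: rec}) }
	if !rec.MFA {
		add("session-without-mfa")
	}
	if destructiveRe.MatchString(rec.Cmd) {
		add("destructive-command")
	}
	if customerDataRe.MatchString(rec.Cmd) && rec.Ticket == "" {
		add("customer-data-access-without-ticket")
	}
	if !hostAuthorized(rec.User, rec.Host, authorized) {
		add("host-outside-authorization")
	}
	return alerts
}

// Audit runs the rules over a log. A line the tool cannot parse is itself a
// finding: an unreadable record is how tampering or a broken collector shows up.
func Audit(lines []string, authorized map[string][]string) []Alert {
	var all []Alert
	for _, line := range lines {
		rec, err := parseRecord(line)
		if err != nil {
			all = append(all, Alert{Rule: "unparseable-record", Rec: OpRecord{Cmd: line}})
			continue
		}
		all = append(all, auditRecord(rec, authorized)...)
	}
	return all
}
```

Note that the destructive-command rule fires even when a ticket is present: a red line is a prohibition, not something a change ticket can authorize, whereas the customer-data rule is satisfied by an approved ticket. Keeping that distinction explicit in the rule set is what makes the resulting alarm tickets actionable.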

Tencent Cloud's Data Encryption
Data Encryption in Transit

Tencent Cloud provides multiple data transmission protection mechanisms to ensure the confidentiality, integrity, and authenticity of sensitive information from sender to receiver, including:

  • Encrypted data transmission in the Tencent Cloud management console: All communication with the Tencent Cloud console is encrypted using HTTPS (TLS), preventing tampering with or theft of data in transit.

  • Tencent Cloud API security capabilities: The cloud APIs provided by Tencent Cloud products likewise use HTTPS encryption, request signature verification, and status monitoring, providing transport-level security for customer business traffic.

  • SSL/TLS encryption for database connections: SSL/TLS authenticates the cloud database server to the client (and, when client certificates are used, the client to the server) and encrypts the connection between them. Enabling it involves obtaining the CA certificate for the database instance and installing it on the host that runs the database client, typically the application server. When the client connects, the TLS handshake establishes an encrypted channel to the database server, preventing interception, tampering, or eavesdropping in transit. For the protection to hold, the client must be configured to verify the server certificate against that CA and to check the server hostname; a client that merely turns on encryption without verification is still exposed to a man-in-the-middle presenting its own certificate.

  • Secure end-to-end encryption: Tencent Cloud's network products support encryption along the whole transmission path. Tencent Cloud VPN supports both IPsec and SSL protocols for virtual network connections, using IKE (Internet Key Exchange) to negotiate keys and IPsec to encrypt transmitted data, establishing a secure and reliable tunnel over the internet.
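To make the certificate-verification point concrete, the following Go program is an added example, not Tencent Cloud's or any database driver's code. It constructs a stand-in for a cloud database CA, issues a server certificate from it, builds the client-side tls.Config a database client should be given, and runs the verification the TLS handshake performs in three cases: the right CA and hostname, a certificate from a CA the client does not trust, and a trusted CA with a hostname mismatch. The CA names and hostnames are constructed; the verification logic is what generalizes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with the parent's key; with parent == nil it self-signs,
// which is how the CA root is made.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template builds either a CA or a server certificate valid for one day.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn} // clients match the SAN, not the CN
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// ClientTLSConfig is the client-side setup the text describes: the CA
// certificate obtained from the cloud database is the only trust root and the
// instance hostname is pinned. InsecureSkipVerify stays false; setting it
// would still encrypt the link but let any server impersonate the database.
func ClientTLSConfig(dbCA *x509.Certificate, serverName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(dbCA)
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// VerifyServer is the check the handshake applies to the certificate the
// database presents: chains to a trusted root, valid now, name matches.
func VerifyServer(cfg *tls.Config, serverCert *x509.Certificate) error {
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots:     cfg.RootCAs,
		DNSName:   cfg.ServerName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome holds the three cases a practitioner should see differ.
type Outcome struct {
	TrustedOK    bool  // right CA, right hostname
	WrongCAErr   error // certificate from a CA the client does not trust
	WrongHostErr error // trusted CA, but the certificate is for another host
}

// Scenario builds a constructed database CA, a server certificate issued by
// it, and an unrelated CA standing in for an attacker's, then runs the checks.
func Scenario(host string) (Outcome, error) {
	dbCA, dbKey, err := issue(template("Constructed DB CA", 1, true), nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	srv, _, err := issue(template(host, 2, false), dbCA, dbKey)
	if err != nil {
		return Outcome{}, err
	}
	otherCA, _, err := issue(template("Unrelated CA", 3, true), nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		TrustedOK:    VerifyServer(ClientTLSConfig(dbCA, host), srv) == nil,
		WrongCAErr:   VerifyServer(ClientTLSConfig(otherCA, host), srv),
		WrongHostErr: VerifyServer(ClientTLSConfig(dbCA, "other-db.constructed.example"), srv),
	}, nil
}
```

Handing ClientTLSConfig's result to a real driver is the whole integration; the two failing cases are exactly what a client with InsecureSkipVerify set, or with the system trust store instead of the database CA, would silently accept.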
Data Encryption at Rest

To ensure the confidentiality of customer data stored in the cloud, Tencent Cloud provides secure encryption solutions:

  • Envelope Encryption Mechanism: The exact encryption design varies slightly with the business model and customer needs of each cloud product. Typically, cloud products use envelope encryption, calling the Key Management System (KMS) interface to protect keys. Envelope encryption is a high-performance scheme for handling massive amounts of data: the data itself is encrypted and decrypted locally with a Data Encryption Key (DEK), and the DEK is in turn protected by a Customer Master Key (CMK, also called the root key) that never leaves KMS. The DEK is obtained from the GenerateDataKey interface, which must be given the KeyId of the CMK and returns the DEK both in plaintext, for immediate local use, and encrypted under that CMK, for storage alongside the ciphertext. Only the encrypted DEK should be persisted; the plaintext DEK is discarded after use and recovered later by asking KMS to decrypt the stored copy.

  • Key Management System: The Key Management System (KMS) is a security management service that helps users easily create and manage keys, meeting the key management needs of multiple applications and businesses, and assisting users in fulfilling compliance requirements.

KMS seamlessly integrates with Tencent Cloud products such as Object Storage (COS), Cloud Disk (CBS), and Database (TencentDB/CDB). Users only need to select the key managed by KMS, without needing to worry about the encryption details, to achieve transparent cloud data encryption and decryption.

The Key Management System (KMS) uses Hardware Security Modules (HSMs) certified by the State Cryptography Administration or to FIPS 140-2 to generate and protect keys, meeting compliance review standards and supporting full lifecycle management of encryption keys, including generation, storage, rotation, archiving, and destruction.

To reduce the risk of key compromise or misuse, KMS supports key rotation and provides secure, reliable deletion of expired, invalid, or leaked keys. Deleted keys cannot be recovered, and data encrypted under them can no longer be decrypted, so deletion should be carried out only after confirming that no stored data still depends on the key.
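The envelope encryption flow above, as an added example in Go (not Tencent Cloud KMS code): the KMS type here is a local stand-in that keeps root keys in memory, and its CreateKey, GenerateDataKey, Decrypt, and DeleteKey methods are hypothetical names modelled on the text rather than the real API. The data key is wrapped and the data encrypted with AES-256-GCM, the stored envelope never contains a plaintext key, and deleting the root key makes every envelope under it permanently undecryptable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS stands in for the key service: it holds CMKs by KeyId and never hands
// them out. A hypothetical local model, not Tencent Cloud's KMS API.
type KMS map[string][]byte

var errNoCMK = errors.New("kms: CMK not found (never created, or deleted)")

func (k KMS) CreateKey(keyID string) { k[keyID] = randomBytes(32) }

// GenerateDataKey returns a fresh DEK in plaintext, for immediate local use,
// and the same DEK wrapped under the named CMK, for storage beside the data.
func (k KMS) GenerateDataKey(keyID string) (plaintextDEK, wrappedDEK []byte, err error) {
	root, ok := k[keyID]
	if !ok {
		return nil, nil, errNoCMK
	}
	dek := randomBytes(32)
	// KeyId is the AAD, so a wrapped DEK cannot be replayed under another CMK.
	return dek, seal(root, dek, []byte(keyID)), nil
}

// Decrypt unwraps a stored DEK. Once the CMK is deleted this is impossible.
func (k KMS) Decrypt(keyID string, wrapped []byte) ([]byte, error) {
	root, ok := k[keyID]
	if !ok {
		return nil, errNoCMK
	}
	return open(root, wrapped, []byte(keyID))
}

// DeleteKey models irreversible destruction of the root key material.
func (k KMS) DeleteKey(keyID string) { delete(k, keyID) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is unrecoverable
	}
	return b
}

// aead builds AES-256-GCM; every key here is 32 bytes, so failure is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce || ciphertext || tag with a random 96-bit nonce per call.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Envelope is the stored object: data under the DEK, the DEK under the CMK,
// and which CMK to ask KMS about. It never contains a plaintext key.
type Envelope struct {
	KeyID      string
	WrappedDEK []byte
	Data       []byte
}

func EnvelopeEncrypt(k KMS, keyID string, plaintext []byte) (Envelope, error) {
	dek, wrapped, err := k.GenerateDataKey(keyID)
	if err != nil {
		return Envelope{}, err
	}
	data := seal(dek, plaintext, nil)
	for i := range dek { // the plaintext DEK is used once, then wiped
		dek[i] = 0
	}
	return Envelope{KeyID: keyID, WrappedDEK: wrapped, Data: data}, nil
}

func EnvelopeDecrypt(k KMS, env Envelope) ([]byte, error) {
	dek, err := k.Decrypt(env.KeyID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Data, nil)
}
```

Two details are worth noting. The CMK's KeyId is used as associated data when wrapping the DEK, so a wrapped key stored next to one CMK identifier cannot be quietly presented under another; and the plaintext DEK is zeroed as soon as the data is sealed, matching the rule that only the encrypted DEK is persisted. Rotation fits the same structure: a new CMK version wraps new DEKs, while old envelopes keep naming the version that wrapped them.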

Tencent Cloud's Network Security
Security Design for Network

Tencent Cloud has formulated and implemented multi-level network security governance and strategies to improve the robustness of the underlying network of its cloud platform, including:

  • Network Isolation: Tencent Cloud has established a mature network security architecture. Firewalls are erected at network boundaries to protect the internal network from unauthorized access. The internal network follows strict isolation policies, separating different network areas such as office networks, isolation zones, and operational networks, and clearly defining access controls and boundary protection between these areas. Access to the production environment requires login via a jump server, and unauthorized Tencent Cloud employees are prohibited from logging into the jump server.

  • Virtual Private Cloud (VPC): Tencent Cloud also provides customers with a Virtual Private Cloud (VPC). Customers can achieve complete logical network isolation by configuring network environments, routing tables, and security policies. Tencent Cloud uses virtualization technology to help you build a completely isolated private network environment, with 100% logical isolation between different private networks, meeting your business's security isolation needs.

  • Network Access Control: Tencent Cloud's private network supports multi-dimensional network security management. You can use network ACLs at the subnet level and security groups at the instance level to control access by port and protocol, and CAM (Cloud Access Management) to grant accounts least-privilege permissions, comprehensively improving network security.

  • Network Configuration Security: Tencent Cloud has established network security baseline standards for the security configuration of network devices. These standards include enabling security settings on network devices, only opening necessary network service functions and protocols, prohibiting any form of wireless network access to the production network, and ensuring that the security policies of virtual network configurations are consistent with those of the physical network. Tencent Cloud uses configuration scanning tools to automatically scan the configuration items of network devices. If any anomalies are found, an alarm will be triggered immediately and a work order will be automatically created for tracking and processing.

  • Network Communication Security: Tencent Cloud requires that all web services exposed to the external network be configured with HTTPS transmission and use a secure transmission protocol to improve the data security of external network transmissions. When customers, their third-party partners, downstream subcontractors, and Tencent Cloud communicate, customers need to take encryption measures or use encrypted channels based on their own security needs and actual management capabilities to ensure the confidentiality and integrity of the transmission process.
Continuous Network Intrusion Protection

Tencent Cloud provides a mature network security architecture, employing multiple protection mechanisms including firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS protection, network logical isolation, and web application security to promptly detect, filter, and block malicious network traffic, protecting Tencent Cloud's network security.

Through multi-point monitoring and multi-layered defense mechanisms, Tencent Cloud analyzes traffic in a timely manner, detects network attacks or threats in real time and issues alerts, assisting Tencent Cloud services in resisting network attacks from the internet (such as DDoS attacks) and providing a secure, stable, and healthy network operating environment for its businesses.

Tencent Cloud's Supplier Management
Supplier Onboarding

Tencent Cloud has established a rigorous supplier evaluation and onboarding process.

  • Supplier Due Diligence and Onboarding Review: When adding a new supplier, Tencent Cloud's relevant procurement and demand departments will conduct a comprehensive evaluation of potential suppliers' product delivery qualifications and capabilities, technical level, quality assurance capabilities, industry performance, and risk management and governance processes. They will also analyze the availability of potential suppliers and their suitability for the needs, ultimately selecting a suitable supplier.

  • Contract Security Requirements: Based on the review results, Tencent Cloud will sign relevant support contracts with the selected suppliers. These contracts include the scope of IT infrastructure or IT services provided by the supplier, the technical requirements and indicators to be met, quality standards and acceptance criteria, delivery content, technical support and after-sales service agreements, and the rights and obligations of both parties. The contracts between Tencent Cloud and suppliers will also clearly define responsibilities and obligations regarding security, privacy protection, confidentiality, and compliance.
Continuous Supplier Monitoring

Tencent Cloud has established supplier management processes and requirements to ensure that all service providers are fully evaluated and that their services meet security, quality, and compliance requirements through clear service agreements.

  • Third-Party Personnel Management: Tencent Cloud supervises and manages the activities of third-party personnel to ensure that their activities comply with relevant company rules and regulations, such as information security management, business continuity management, and data security and confidentiality requirements. Access permissions for third-party personnel are granted as needed, based on their roles and job responsibilities, after they sign confidentiality agreements, undergo security awareness training, and pass testing.

  • Continuous Supplier Monitoring: Tencent Cloud also continuously monitors the service levels of suppliers to ensure the safe and stable operation of their activities. Tencent Cloud will periodically evaluate supplier performance according to the security and operational standards stipulated in the contract and assess and accept the delivery before the end of the cooperation. For any issues discovered during the cooperation process, Tencent Cloud will require the supplier to take appropriate remedial measures to ensure that the supplier's delivery meets the established security and quality requirements.
Physical Security of Tencent Cloud Data Centers
High Availability Design

To ensure the continuous and stable operation of customer systems and data availability, Tencent Cloud, from the perspective of a cloud service provider, safeguards the business continuity of its cloud platform and services in three aspects: high availability of infrastructure, disaster recovery of network and computing units, and daily business continuity management.

  • High Availability of Infrastructure: Tencent Cloud operates over 50 availability zones across 26 geographic regions globally, connected through more than 10 underlying internet service providers. Customers can deploy services in different regions according to their business needs to meet disaster recovery requirements. In addition, the infrastructure and environmental design of Tencent Cloud data centers, including power supply, air conditioning, and fire detection and suppression systems, is built with redundancy to ensure the high availability of the customer's underlying infrastructure.

  • Disaster Recovery of Network and Computing Units: Tencent Cloud's network adopts an N*N redundancy construction method, combined with path priority at the routing level and traffic engineering scheduling based on route reachability, to ensure that network service is not interrupted by a single point of failure.

  • Routine Business Continuity Management

Tencent Cloud places great emphasis on the business continuity management of its cloud platform. It ensures business operations meet availability requirements by establishing and implementing internal processes, and supports customers in integrating their own business continuity plans. Tencent Cloud has established and implemented a business continuity management system and has obtained third-party certification to ISO 22301 for it.

Physical Perimeter Security
  • Security Zone Division: Tencent Cloud divides security zones into critical security zones and general security zones. Critical security zones have security perimeters and video surveillance. Strict access control policies are implemented in critical security zones (including data centers, critical information processing facilities, security monitoring centers, network connection rooms, and technical equipment areas) to prevent unauthorized access to cloud infrastructure.

  • Employee Access Control: Tencent Cloud data centers maintain a complete access control matrix based on personnel roles and access permissions. Access control systems are installed in each area of the data center, and only authorized personnel can enter the corresponding areas. Access permissions for non-permanent authorized personnel are valid only for the day and require escort by on-site personnel or data center operations and maintenance staff throughout the visit. Data center monitoring covers all important areas and entrances/exits, and important areas are equipped with 24/7 blind-spot-free video surveillance and alarm systems to deter unauthorized access.

  • External Visitor Access Control: External visitors must submit a written application specifying the purpose, time, and area of their visit. After approval by the data center manager, they must be accompanied by designated personnel throughout the visit. External personnel must undergo identity verification before entering the data center, may not bring in restricted items, and are only permitted to operate within authorized areas; access must be revoked promptly after the visit.

  • Security Monitoring: Tencent Cloud has established and strictly enforces security management systems, and implements regional security protection through video surveillance systems, access control systems, and manual inspections, while properly protecting access and monitoring log information for regular review.
Asset and Device Management
  • Asset Management: In terms of information asset management, Tencent Cloud has established information asset management standards and full lifecycle management processes to classify and protect assets such as electronic data, hardware and its virtual devices, infrastructure, application systems, and software. Tencent Cloud manages hardware devices and software components through an asset management system, including asset registration and binding, asset inventory and information updates, asset decommissioning and replacement, etc.

  • Storage Media Security: When media used to provide Tencent Cloud services fails and needs to be replaced, or reaches the end of its service life and needs to be decommissioned, Tencent Cloud will promptly and thoroughly destroy it according to strict procedures.
Environmental Controls
  • Site Selection: Tencent Cloud selects, constructs, or leases sites in accordance with relevant international standards and local security requirements. When choosing the physical location for building data centers or selecting data center providers, environmental threats are fully considered, ensuring locations are far from areas with a high probability of environmental risks. Data center server rooms and office spaces should be located in buildings with earthquake, wind, and rain resistance capabilities.

  • Environmental Control: Tencent Cloud has established a comprehensive data center physical environment security management system based on relevant international standards and regulatory requirements for data centers. All Tencent Cloud data centers globally are equipped with complete smoke alarm and fire protection systems. The power and air conditioning systems in each data center adopt highly stable, fully redundant systems, ensuring that any single point of failure will not affect the continuity of power and cooling supply. Anti-static floors are installed throughout the center, and server racks, cable trays, etc., are grounded to protect equipment from damage caused by static electricity.
Continuous Assessment and Improvement
  • Continuous Inspection and Monitoring: The on-site personnel at the data center strictly follow the inspection checklist and inspection plan to inspect each data center and equipment every day. Once a security violation is discovered, the emergency procedures for data center management will be activated immediately.

  • Third-Party Compliance Audit: In addition to the physical protection measures mentioned above, Tencent Cloud will hire a third-party auditing firm every year to conduct a rigorous audit of its data centers, evaluating compliance with dimensions such as data center environment, infrastructure protection, and access control. Any problems found will be promptly followed up and rectified, and continuous improvement will be used to ensure the physical and environmental security of Tencent Cloud data centers.
Tencent Cloud's Incident Response
Emergency Response Mechanism
  • Event Classification and Grading: Information security events include multiple categories such as service interruption, personal information protection, data loss, intrusion and security risks, and data breach. The grade (severity level) of an event is based on a comprehensive assessment of multiple dimensions, including the duration and scope of its impact.
Incident Response Process

Tencent Cloud has internally established information security incident management standards, and set up information security reporting, response, and handling mechanisms and related processes.

  • Incident Handling Process: Incidents are handled in the following stages.

1. Incident Identification and Risk Assessment: After a security alarm is triggered, the cloud security team first assesses the incident risk and classifies it. Relevant teams then activate emergency plans according to the classification to control the escalation of the situation.

2. Incident Emergency Response: The emergency response team will respond to and handle the incident according to the process. Through log review, the attack path, alarm cause, and scope of impact will be identified. Measures will be taken to eliminate the fault, restore the system/service, and, if necessary, activate the business continuity management plan.

3. Incident Review and Optimization: After the impact of the fault is eliminated, relevant departments will review the incident and conduct root cause analysis, formulate corrective measures, and optimize existing security strategies.

4. Incident Reporting: Tencent Cloud reports the incident response and handling process to relevant parties in accordance with laws, regulations, and relevant requirements.

  • Customer Support Services: Tencent Cloud provides 24/7 technical support to assist customers in their incident response procedures and meet compliance requirements. Specifically, it assists customers in identifying the root cause of problems, tracking incidents, and providing support and assistance for issues related to cloud product functions, infrastructure, underlying networks, and hosts through 24/7 work orders, hotlines, intelligent customer service, and self-service channels.
Tencent Cloud's Vulnerability Management
Comprehensive Vulnerability Assessment

Tencent Cloud has established a regular vulnerability scanning and penetration testing mechanism to comprehensively address internal and external vulnerabilities and risks.

  • Internal Vulnerability Management Mechanism: Tencent Cloud regularly generates scanning tasks through its vulnerability scanning system to scan assets in the cloud environment for vulnerabilities, and analyzes, classifies, and remediates discovered vulnerabilities. The Tencent Cloud security team regularly conducts large-scale full-chain penetration tests and flexibly conducts targeted penetration tests before new product launches or in cases of major changes. Penetration test results are notified to relevant departments through security work orders, allowing them to promptly patch vulnerabilities or implement other compensatory control measures to ensure that exploitable vulnerabilities discovered during penetration testing are properly addressed. In addition, Tencent Cloud regularly conducts red team/blue team exercises to simulate and defend against cyberattacks.

  • Collaborative Vulnerability Reward Program: For external vulnerabilities, Tencent Cloud has built a collaborative vulnerability reward program centered on TSRC (Tencent Security Emergency Response Center). This program covers cloud products and core business systems through an external white-hat crowdsourcing mechanism, inviting industry security experts to help Tencent Cloud identify system security vulnerabilities and risks. Combined with AI-driven threat intelligence analysis and multi-dimensional verification processes, it systematically identifies external vulnerabilities.
Risk Prioritization and Remediation

Tencent Cloud's security vulnerability management platform automatically generates security tickets for discovered security vulnerabilities or risks. The relevant product departments must promptly conduct vulnerability remediation assessments and quickly mitigate losses based on the type and risk level of the security ticket, and determine remediation measures and plans based on root cause analysis. Security tickets contain detailed vulnerability descriptions, vulnerability risk levels, processing time limits, and vulnerability remediation guidelines. Vulnerabilities of different risk levels must be processed strictly according to their respective time requirements.

If a cloud platform vulnerability discovered during the assessment may impact customers, Tencent Cloud will promptly synchronize information such as vulnerability overview, scope, and severity of impact to customers through official website announcements, internal messages, etc., and provide relevant remediation suggestions and specific operational guidelines.

Continuous Monitoring and Improvement
  • Proactive Threat Intelligence: Tencent Cloud's security team monitors for vulnerabilities and categorizes discovered vulnerabilities, pushing them daily to the internal website, "Tencent Security Threat Intelligence Center." When external/industry vulnerabilities are detected, the vulnerability intelligence is sent to colleagues responsible for the relevant business according to its category.

  • Penetration Testing and Security Drills: Tencent Cloud regularly conducts large-scale, end-to-end penetration tests. The Tencent Cloud security team also combines business security assessments to flexibly conduct targeted penetration tests before new product launches or during major changes. Test results are notified to relevant departments via security work orders, allowing them to promptly patch vulnerabilities or implement other compensatory control measures to ensure that exploitable vulnerabilities discovered during penetration testing are fixed. For practical drills, Tencent Cloud regularly conducts red team/blue team exercises to simulate diverse attack scenarios and test Tencent Cloud's dynamic defense capabilities.

  • Security Training and Awareness: Tencent Cloud conducts annual security awareness training for all employees and requires them to pass relevant assessments to ensure that all employees can effectively identify, report, and respond to security threats.
Threat Intelligence Information Sharing and Collaboration
  • Threat Intelligence Sharing: To support customers in threat detection and analysis, Tencent provides its Threat Intelligence Center (TIX). The Threat Intelligence Center has built a complete network of intelligence touchpoints, collecting and analyzing threat intelligence from various sources such as vulnerability communities, security organizations, security tool vendors, social media, and security blogs. It also leverages cloud-based algorithms to remove false positives, ensuring the accuracy of the intelligence.

  • Proactive Defense System: Building on the capabilities of the Threat Intelligence Center, Tencent Cloud is committed to building a proactive defense security capability system encompassing "intelligence-attack-defense-management-planning." By integrating threat intelligence, artificial intelligence, big data, and other technologies, it improves the response capabilities and efficiency of security incident handling and has established a 24/7 security operations center focusing on threat detection, investigation, and response, achieving a knowable, visible, and controllable security posture.

  • Transparent Reporting and Customer Communication: If cloud platform vulnerabilities discovered during the assessment may impact customers, Tencent Cloud will promptly synchronize information such as vulnerability overviews, impact scope, and severity to customers through official website announcements, in-app messages, etc., and provide relevant remediation suggestions and specific operational guidelines.