信息安全政策

This Information Security Policy defines the security principles and controls implemented by AliExpress Analytics to protect data processed through our internal e-commerce management system. The system is used exclusively for managing and analysing company-owned seller accounts via Customer API access.

本信息安全政策旨在说明 AliExpress Analytics 为保护通过内部电商管理系统处理的数据所采取的安全原则与控制措施。本系统仅通过 Customer API 管理与分析公司自有卖家账户数据。

This policy applies to:

• Company-owned seller account data
• API access tokens
• Internal operational data
• Cloud-hosted infrastructure

The system does not onboard external sellers and does not provide services to third parties.

本政策适用于：

• 公司自有卖家账户数据
• API 授权令牌
• 内部运营数据
• 云托管基础设施

本系统不接入外部卖家，不向第三方提供服务。

Security oversight is managed by company leadership and technical administrators. Security responsibilities include:

• Access control management
• Token protection
• Infrastructure configuration review
• Log monitoring
• Incident response coordination

安全管理由公司管理层与技术负责人共同负责，包括：

• 访问控制管理
• Token 安全管理
• 基础设施配置审核
• 日志监控
• 安全事件响应

The system is deployed on secure cloud infrastructure:

• Frontend hosting: Vercel
• Database & backend: Supabase (US-East region)
• Data stored in United States

Infrastructure protections include:

• Managed cloud security controls
• Network-level firewall protections
• Secure configuration management
• Regular dependency updates

系统部署于安全云基础设施：

• 前端托管：Vercel
• 数据库与后端：Supabase（美国东部）
• 数据存储于美国境内

安全措施包括：

• 云服务商安全控制
• 网络层防火墙
• 安全配置管理
• 定期依赖更新

Access to production systems is restricted to authorised personnel only. Controls include:

• Role-based access control (RBAC)
• Strong password policies
• Multi-factor authentication (where supported)
• Principle of least privilege

生产环境访问仅限授权人员。控制措施包括：

• 基于角色的访问控制（RBAC）
• 强密码策略
• 多因素认证（支持情况下）
• 最小权限原则

We implement technical safeguards including:

• TLS/HTTPS encryption for data in transit
• Encrypted storage at database and backup level
• Secure OAuth token storage (not exposed client-side)
• Server-side API access only
• No storage of unnecessary personal data

我们实施以下技术保护措施：

• 传输过程采用 TLS/HTTPS 加密
• 数据库与备份加密存储
• OAuth Token 安全存储（不在前端暴露）
• API 仅限服务器端调用
• 不存储非必要个人数据

System activity is logged and monitored to detect anomalies and unauthorised access attempts. Access logs are reviewed periodically.

系统活动进行日志记录与异常监控。访问日志定期审查，以发现异常或未授权行为。

• Operational data retained while seller account is active
• Data deleted within 30 days after account closure
• API tokens revoked and deleted immediately upon authorisation withdrawal

• 运营数据在账户存续期间保留
• 账户关闭后 30 天内删除相关数据
• 授权撤销后立即删除 API Token

In the event of a confirmed security incident:

• Immediate internal investigation
• Containment and mitigation actions
• Documentation of impact
• Notification to relevant platform within 72 hours

如发生确认的安全事件：

• 立即启动内部调查
• 采取控制与缓解措施
• 记录影响范围
• 在 72 小时内通知相关平台

Security controls are reviewed periodically and updated as necessary to address evolving risks and technical developments.

安全控制措施定期评估与更新，以应对不断变化的风险与技术环境。

The system is used solely for internal business operations. No platform data is sold, shared, or commercialised.

本系统仅用于内部业务运营，不出售、不共享、不商业化任何平台数据。