Security & Compliance Center

We are committed to providing reliable, secure, and compliant cloud computing products and services.

Privacy Protection

Alibaba Cloud's privacy policy is fully transparent. We are committed to protecting personal information and guarantee that it is used only for the purposes our customers have agreed to.

General Data Protection Regulation (GDPR)

Alibaba Cloud is GDPR ready by the effective date of May 25, 2018.

ISO 27018

Code of Practice for Protecting Personal Data in the Cloud

ISO 27701

Extension to ISO/IEC 27001/27002 for Privacy Information Management

ISO 29151

Code of Practice for Personally Identifiable Information Protection

BS 10012

Personal Information Management System

EU Cloud COC

Founding Member of EU Cloud Code of Conduct

PDPA

Personal Data Protection Act in Singapore

DPTM

Data Protection Trustmark in Singapore

PDPO

The Personal Data (Privacy) Ordinance in Hong Kong

Security Solutions & Best Practices

Shared Security Responsibilities Model

Alibaba Cloud and its customers are jointly responsible for the security of customer applications built on Alibaba Cloud. Under this shared model, Alibaba Cloud provides a secure infrastructure that reduces the security burden on customer enterprises. Customers in turn configure and use cloud products in a secure manner; because much of the underlying security work is handled by the platform, they can focus more on their core business needs.

Learn more in the Alibaba Cloud Security Whitepaper - The International Version.
Alibaba Cloud has newly published the 2020 Alibaba Cloud Security Whitepaper - The China Gateway Version, which introduces the public cloud security system of Alibaba Cloud, specifically Alibaba Cloud's security capabilities and offerings in Mainland China.

Learn more in the Alibaba Cloud Security Whitepaper - The China Gateway Version.

Whitepaper

Alibaba Cloud Security Whitepaper - International Edition V2.0 (2020)

This whitepaper introduces the public cloud security system of Alibaba Cloud, specifically Alibaba Cloud's security capabilities and offerings for regions outside of Mainland China.

Whitepaper

Alibaba Cloud Security Whitepaper - The China Gateway Version (2020)

The China Gateway Version introduces the public cloud security system of Alibaba Cloud, specifically Alibaba Cloud's security capabilities and offerings in Mainland China.

Solutions

Alibaba Cloud Security Solutions and Benefits

Alibaba Cloud helps you thwart attacks large and small and defend against online and offline threats.

Whitepaper

The CyberSphere I: an Alibaba Cloud Security Report

This report tells how cloud security offers the best way to protect your business from cyber threats.

Whitepaper

Securing the Data Center in a Cloud First World

This whitepaper looks at steps to protect your data center infrastructure.

Whitepaper

2018 Cryptocurrency Mining Hijacker Report

Cryptocurrency values may have depreciated, but mining is still popular.

Whitepaper

The CyberSphere II: an Alibaba Cloud Security Report

The report provides the latest trends in Chinese cyberattacks discovered by our security team.

Whitepaper

Manage and Protect Your Critical Data in the Cloud

This whitepaper describes the benefits of using the Sensitive Data Discovery and Protection (SDDP) system to manage and protect critical data.

Still have questions? To request reports or information related to compliance and privacy, please contact the Security & Compliance Center.

FAQs

Shared Security Responsibility

1. What is Alibaba Cloud's responsibility for the security of the cloud environment?

Alibaba Cloud must ensure a securely managed and operated infrastructure. This includes, but is not limited to, the data centers deployed across regions and zones, the Alibaba backbone networks, the physical computing, storage, and network devices, the underlying distributed cloud OS, named Apsara, and all the cloud services and products running on top of the Apsara OS. Alibaba Cloud is also responsible for identity and access control management and for the monitoring and operation systems on the platform side, so as to provide customers with a highly available and highly secure cloud service platform. Consider Alibaba Cloud's computing service, Elastic Compute Service (ECS), as an example: the underlying physical, hardware, and virtualization security capabilities of ECS are provided directly by Alibaba Cloud. Once customers use services on Alibaba Cloud, they gain access to the security capabilities and guarantees of the cloud platform. For information about Alibaba Cloud's platform and product security, refer to the Alibaba Cloud Security Whitepaper.

2. What is the customer's responsibility for security in the cloud?

Customers shall manage the security configurations of the products they use on the cloud, and are responsible for ensuring the basic security and data security of their businesses on the cloud so as to meet their own data security requirements. They are responsible for configuring and using the various cloud products in a secure manner and for building their own cloud applications and businesses in a secure and controllable way on top of the security capabilities of these products. They are also responsible for fully utilizing the security features of Alibaba Cloud products and security services, as well as third-party security products from the security ecosystem, to protect their business systems. For example, customers can use Alibaba Cloud's encryption capabilities or services to encrypt sensitive data, use KMS (Key Management Service) to manage the encryption keys, enable multi-factor authentication to protect Alibaba Cloud account credentials, or use ActionTrail to record management console operations and OpenAPI call logs.


It should be noted that if the customer uses basic services on Alibaba Cloud, such as Elastic Compute Service (ECS), the relevant service instance is completely controlled by the customer, and the customer must manage the instance: perform security configuration, apply patches, and configure security group firewalls for network access control. If the customer instead uses non-basic services, such as a platform or cloud-native service, the customer's security responsibility moves up the stack accordingly: the customer no longer needs to maintain the instance, patch the operating system, or harden its configuration. Customers only need to manage accounts and authorizations for these services and use the security functions the services provide. For example, the MaxCompute service offers customers access control capabilities in several dimensions; customers only need to configure such security functions appropriately according to their business needs.

Data Ownership

1. Who owns member content (customer data)? What rights does the cloud provider have over a customer's member content?

Member content (customer data) refers to the content that customers submit to or upload into the Alibaba Cloud Services under a customer's account, including the content run on the Alibaba Cloud Services.


Customers retain control, maintenance and ownership of member content. Customers determine where their content will be located, and control the format, structure and security of their content, including whether it is masked, anonymized or encrypted. They also decide which Alibaba Cloud services will process, store, and host their member content, and manage other access controls, such as identity and access management, permissions and security credentials. Customers control the entire lifecycle of their content on Alibaba Cloud and manage it according to their own specific needs, including content classification, access control, retention and deletion.


Alibaba Cloud does not access or use member content without the customer's consent. Alibaba Cloud never uses customer member content, or derives information from it, for marketing, advertising or any other purpose not authorized by the customer.

2. What are the customers' controls over their member content (customer data)?

As a customer, you control your member content.

- You control the lifecycle of your member content on Alibaba Cloud, including the creation, usage, storage period and destruction of data.

- You determine where your member content will be stored, including the type of storage and geographic region of that storage.

- You choose the secured state of your member content. We offer customers strong encryption for your member content in transit and at rest, and we provide you with the option to manage your own encryption keys.

- You manage access to your member content, and access to Alibaba Cloud services and resources through users, groups, permissions, and credentials that you control.

Access to Member Content

1. Will Alibaba Cloud access customer data?

Member content (customer data) refers to the content that customers submit to or upload into the Alibaba Cloud Services under a customer's account, specifically the content run on Alibaba Cloud Services. Alibaba Cloud does not access or use member content without a customer's consent. For example, when customers use Elastic Compute Service (ECS) or Alibaba Cloud Relational Database Service (RDS), the related service instances are completely controlled by the customer, and the customer's data is completely managed by the customer. Alibaba Cloud will not access any of the customer's data.


Alibaba Cloud can access customer data only after obtaining the customer's permission, and only in order to provide the customer with Alibaba Cloud products and services; it accesses and uses this data only to the extent permitted by the customer. All such access and usage is logged and audited. For example, when a customer uses the Intelligent Speech Interaction (ISI) product, ISI can access the audio data provided by the customer only after being authorized by the customer, in order to provide services such as voice recognition, speech synthesis, and natural language understanding.

2. How does a multi-tenant cloud protect customer data (member content) against unauthorized third-party access?

Member content (customer data) refers to the content that customers submit to or upload into Alibaba Cloud Services under a customer's account, specifically the content run on the Alibaba Cloud Services.


Firstly, Alibaba Cloud will not access or use customer data unless expressly authorized by the customer. Customers manage access to their member content as well as to Alibaba Cloud services and resources.


Secondly, Alibaba Cloud provides an advanced set of access, encryption, and logging features to help you effectively prevent unauthorized access. For example, users can log in to the cloud service console with their cloud account (the main account) or with a RAM user password under that account, and perform operations on their cloud resources. They can also use Alibaba Cloud AccessKey (AK) credentials to call cloud service APIs and access resources on Alibaba Cloud programmatically. A customer can manage short-term access credentials through the Security Token Service (STS), or enable multi-factor authentication (MFA) to add protection beyond the username and password. Once identity authentication is complete, customers can use Alibaba Cloud's RAM (Resource Access Management) service for user identity management and resource access control.


Last, all data stored by customers on Alibaba Cloud is protected by strong tenant isolation and control capabilities. Alibaba Cloud provides advanced data access controls to ensure strong multi-tenant isolation. For example, users can use security sandbox containers to strongly isolate memory, network, and IO, thereby better isolating tenants that share a single host, and use a Virtual Private Cloud (VPC) to isolate the data link layer and build a secure network environment. They can also use security groups (instance-level virtual firewalls) to divide the security domains of individual ECS instances, or use Cloud Firewall to analyze north-south and east-west network traffic. Cloud Firewall also supports visualization of network-wide traffic, such as Internet access and security group traffic, and the analysis and blocking of active outbound connections. Refer to the Alibaba Cloud Security Whitepaper for more information about the security of specific data services.

Data Residency and Transfer

1. Where will the customer data reside?

Alibaba Cloud data centers (Regions and Zones) are built in clusters in various global regions. Customers can choose the Alibaba Cloud Region(s) or Zone(s) where their content will be located. (For a complete list of regions and zones, see https://www.alibabacloud.com/global-locations?spm=a2796.7919406.1389040.1.72d82d23x57l4m.) Customers maintain effective control over their content regardless of which Region(s) or Zone(s) they use. Customers should consider whether they need to disclose to individuals (data subjects) the locations in which they store or process personal data, and obtain any required consents relating to such locations from the relevant individuals. As between the customer and Alibaba Cloud, it is the customer who has the relationship with the individuals whose personal data the customer stores on Alibaba Cloud, and the customer is therefore able to communicate directly with them about such matters.

2. Will Alibaba Cloud move my data (member content) without my permission, including across country borders?

Alibaba Cloud stores and processes each customer's content only in the Alibaba Cloud Region(s) chosen by the customer. Beyond that processing, Alibaba Cloud will not move customer content without the customer's consent. If a customer chooses to store content in more than one Region, or to copy or move content between Regions, that is solely the customer's choice, and the customer will need to consider the legal requirements that apply to such operations wherever the content is moved and processed.


If a customer needs to use Alibaba Cloud Services provided in other regions, Alibaba Cloud will take such measures as are necessary to ensure the cross-border transfer complies with applicable Data Protection Legislation. For example, Alibaba Cloud provides a GDPR Addendum that includes the Standard Contractual Clauses approved by European Commission Decision 2010/87/EU (or any subsequent decisions) or referred to in Article 46 GDPR, for Alibaba Cloud customers transferring content containing personal data (as defined in the GDPR) from the EU to a country outside the European Economic Area.

Data Isolation and Separation

1. Does Alibaba Cloud, as a provider, adequately isolate customer data (member content)?

All data stored by customers on Alibaba Cloud is protected by strong tenant isolation and control capabilities. Alibaba Cloud provides advanced data access controls. For example, users can use security sandbox containers to strongly isolate memory, network, and IO, thereby better isolating tenants that share a single host, and use a Virtual Private Cloud (VPC) to isolate the data link layer and build a secure network environment. They can use security groups (instance-level virtual firewalls) to divide the security domains of individual ECS instances, or use Cloud Firewall to analyze north-south and east-west network traffic. Cloud Firewall also supports visualization of network-wide traffic, such as Internet access and security group traffic, and the analysis and blocking of active outbound connections. Refer to the Alibaba Cloud Security Whitepaper for more information about the security of specific data services.

2. What are the shortcomings of physical separation requirements, and why is logical separation more effective than physical separation?

Requirements for physically separated cloud offerings are primarily driven by concerns about third-party or other unauthorized access to applications, content or data. However, for systems that are accessible over a network or the Internet, physical separation does not provide added security or control over access. Simply put, all access control for connected systems is implemented through logical access controls, permission management, network traffic routing and encryption. Alibaba Cloud addresses physical separation concerns through the logical security capabilities it provides to all customers and the security controls it has in place to protect customer data. Physical separation also has disadvantages: a higher cost structure and lower utilization resulting from less efficient use of space, as well as limited redundancy options and features compared with the geo-diversity of commercial data center regions.


Customers can leverage several different security approaches to achieve security outcomes equivalent to physical separation. For example, they can use a Virtual Private Cloud (VPC) to create the equivalent of completely separate network domains for each tenant, or use encryption solutions to encrypt data at rest and in transit. Refer to the Alibaba Cloud Security Whitepaper for more information about the security of specific data services.

EU General Data Protection Regulation (EU GDPR)

1. When does Alibaba Cloud act as a Data Controller?

When Alibaba Cloud collects personal data and determines the purposes and means of processing it, Alibaba Cloud acts as a data controller. For example, Alibaba Cloud collects business contact information, such as a name, phone number, email address, or billing address, to create and store account information, such as a login account and account ID; it does so as a data controller for the purposes of account registration, administration, service access, and customer contact and support.

2. When does Alibaba Cloud act as a Data Processor?

When customers use Alibaba Cloud products or services to process personal data contained in their content, Alibaba Cloud acts as a data processor. Customers can use the controls available in Alibaba Cloud services, including security configuration controls, to process personal data. In these circumstances the customer may act as a data controller or a data processor, and Alibaba Cloud acts as a data processor or sub-processor. The GDPR Addendum to the Alibaba Cloud International Website Membership Agreement incorporates Alibaba Cloud's commitments as a data processor. If you have more questions about GDPR, refer to this page: https://www.alibabacloud.com/trust-center/gdpr

3. What personal information does Alibaba Cloud collect when customers use Alibaba Cloud products and services? When is this information collected, and for what purpose?

When a customer registers for an Alibaba Cloud account, they provide business contact information. This may include personal information, such as a name, phone number, email address, and billing address, which is used to create and store account information, such as a login account and account ID, for account registration, administration, service access, customer contact and technical support. For more information, see the Alibaba Cloud International Website Privacy Policy.


When a customer uses Alibaba Cloud products or services to process their customer data (member content), that data may contain an individual's personal information. Alibaba Cloud can access customer data only after obtaining the customer's permission, and only in order to provide the customer with Alibaba Cloud products and services; it accesses and uses this data only to the extent permitted by the customer.