HAVI GROUP

1. Purpose

The purpose of this Information Security Policy is to protect the confidentiality, integrity, and availability of information assets that support our platform which helps TikTok users manage their product orders. This policy establishes our commitment to safeguard customer data, operational systems, and business continuity.

2. Scope

This policy applies to all employees, contractors, partners, and third parties who access or manage systems, data, or services related to TikTok order management. It includes all hardware, software, network resources, and cloud services used in the business.

3. Information Security Objectives

• Protect user and order data from unauthorized access or disclosure.
• Ensure the integrity and accuracy of order information and processing systems.
• Guarantee availability of the platform to authorized users.
• Comply with applicable laws and data protection regulations (e.g., GDPR, CCPA).

4. Roles and Responsibilities

• CEO / Owner – Accountable for the effectiveness of information security.
• IT / Security Team – Responsible for enforcing security policies, maintaining infrastructure, and monitoring threats.
• All Staff – Required to follow all policies, attend training, and report incidents.

5. Acceptable Use Policy

All users must:

• Use company systems and data only for authorized business purposes.
• Not share login credentials or access unauthorized data.
• Avoid installing unapproved apps or browser extensions on company-managed systems.

6. Access Control

• Access to systems and data is granted based on the principle of least privilege.
• Multi-factor authentication (MFA) must be enabled for all administrator accounts.
• TikTok user data (such as order history, product preferences) is restricted to authorized personnel only.

7. Data Classification and Protection

Data is classified as:

• Confidential: User personal data, TikTok access tokens, payment info
• Internal Use: Internal business emails, system logs
• Public: Marketing content, help center articles

Appropriate encryption and secure storage practices must be used for confidential data.

8. Incident Response

All security incidents must be reported immediately to the designated security contact. Incidents include:

• Unauthorized access
• System outages due to cyberattacks
• TikTok API abuse or data leaks

An incident response plan will be followed for containment, investigation, and recovery.

9. Business Continuity

The platform must be regularly backed up, with tested recovery procedures. Downtime in TikTok integration or order management tools must be addressed within agreed service levels.

10. Physical Security

Company devices should be kept secure. When accessing business tools remotely:

• Use a secure Wi-Fi connection.
• Avoid using public/shared computers.

11. Vendor Management

All third-party vendors (e.g., TikTok API, cloud storage, payment processors) must comply with our security and privacy requirements. Security reviews should be conducted before onboarding new vendors.

12. Security Awareness Training

All staff must complete annual information security training, including:

• Phishing awareness
• Password hygiene
• Social engineering risks related to social media platforms

13. Policy Review

This policy is reviewed annually or when significant changes occur in business processes or technology.

14. Enforcement

Violations of this policy may result in disciplinary action, up to and including termination or legal action.

15. Contact

For questions or to report a security concern, contact:
Security Contact: Bich An
Email: nguyenthibichan04@gmail.com