Docs
U.S. Data Access Compliance Requirements
This guide provides an overview of third party due diligence requirements for TikTok's developer platform (including Mini Dramas and Mini Games) onboarding, including the circumstances through which the third parties can receive access to different types of TikTok U.S. User data.
Note that in this context, third parties covers a broad range of service providers and may include vendors, developers, content providers, and more.
Overview of Requirements
Due to its national security compliance requirements, TikTok USDS Joint Venture ("TikTok USDS JV") cannot share specific U.S. User data ("Sensitive Data") with third parties with Countries of Concern affiliations.
How to determine if a third party meets the Country of Concern restrictions?
TikTok USDS JV defines "Country of Concern" as any country designated as a Country of Concern by the Attorney General of the United States pursuant to 28 CFR Part 202 Subpart F -- Determination of Countries of Concern. The table below provides the current list of designated countries, but this is subject to change.
Countries of Concern | ||
China* | Iran | Russia |
Cuba | North Korea | Venezuela |
*China refers to the People's Republic of China, Macau, and Hong Kong. The Republic of China (Taiwan) is not a Country of Concern.
The third party Countries of Concern restrictions apply to:
- Ownership or Registration:
- Entities headquartered or registered in Countries of Concern
- Entities with 20% or more aggregated ownership from individuals or entities from Countries of Concern (including indirect ownership through intermediaries such as trusts or pass-through ownership structures)
- Data Access/Process/Storage Locations: Sensitive Data is not permitted to be accessed, processed, modified, transmitted to, and/or stored in a Country of Concern. Restrictions apply to:
- Primary or alternate workforce physically located in a Country of Concern
- Service providers or subprocessors located in Countries of Concern. Subprocessor examples include (but are not limited to): cloud storage providers, AI service providers, consultants or external workforce providers, business outsourcing providers, etc)
What data is not permitted for third parties from Countries of Concern to receive?
Third parties from Countries of Concern may not receive Sensitive Data from any source, including the JV or an authorized third party.
Sensitive Data is defined as any data collected from a U.S. User through a TikTok USDS JV Application, other than "Excepted Data" or "Public Data". It is broader than the traditional definition of personally identifiable information or personal data (collectively "Personal Data").
The following list of examples is for illustrative purposes only. For specific use cases or questions, please work with the relevant point of contact from TikTok's developer platform team, who will coordinate with the appropriate TikTok USDS JV team.
Sensitive Data Any data collected from a U.S. User through a JV Application, other than "Excepted Data" or "Public Data". It is broader than the traditional definition of Personally Identifiable Information ("PII") | Excepted Data |
User Data, including:
| Engineering and Business Metrics (Aggregated Data about 1,000+ U.S. Users). Examples include:
|
User Content, including non-public user generated content | Public Data that is generally accessible to other users on the platform |
Behavioral Data generated during the time in which a U.S. User is engaging with USDS JV applications. Data within this category includes:
| E-Commerce Data is select U.S. User buyer information necessary for the purchase and sale of goods and services, including:
|
Device & Network Data, including:
| -- |
What is the due diligence and onboarding process for new third parties?
- New third parties are required to complete a due diligence questionnaire (included in the Appendix of this document)
- The questionnaire helps the JV assess the level of risk of the engagement. Risk is based on a variety of factors.
- For example, third parties are required to describe whether their proposed engagement includes access, processing, storage, or collection of Sensitive Data. This information helps the JV assess if there are Countries of Concern restrictions
- If Sensitive Data is in scope, country affiliations must be identified for the third party, including headquarters, support staff locations, server and data processing locations, and ownership
- Third parties are also required to complete periodic re-assessments, depending on the level of risk identified during onboarding
- The relevant business POC (either from the global TikTok team or TikTok USDS JV) will help coordinate this step
If a third party has been approved to onboard and is not affiliated with Countries of Concern, what additional data can they receive?
- If a third party does not meet the Country of Concern restrictions mentioned above, then the third party may receive Sensitive Data (examples include, but are not limited to: device info, IP address; user PII (name, phone, email, etc); individual user behavior (clicks, page views, etc); individual user ad interactions (ad open, ad close, etc))
- Third parties approved to access Sensitive Data will be required to sign a TikTok USDS JV Data Security Agreement ensuring among other terms: a) that all Sensitive Data is stored and remains exclusively on servers located outside any Country of Concern; and b) the third party, including any of its personnel, do not transfer or otherwise provide access to Sensitive Data to any other TikTok or ByteDance entities or any other Covered Person (including, for clarity, subprocessors that are Covered Persons), unless approved in writing by TikTok USDS JV
How will Sensitive Data be shared with approved third parties?
- An API will be set up using a TikTok USDS JV secure gateway. This process will be provided once a third party is approved and contracted for data sharing
Are there any approved third parties suggested to work with developers in Countries of Concern ?
- Skystone is a suggested and approved agency provider responsible for hosting the games that require access to Sensitive Data. Skystone can operate the games in the US on behalf of developers from Countries of Concern.
- Engaging other agencies will be subject to enhanced due diligence review and approval will be at the sole discretion of the TTUS JV teams. Approval is not guaranteed and review time may be extended.
Appendix
The U.S. launch approval request is reviewed by the USDS TPRM team to assess U.S. data security and compliance for mini apps intending to be launched in the U.S. It covers data storage and processing locations, hardware and core infrastructure, 4th-party vendors, and a final attestation regarding Countries of Concern.
U.S. launch approval request
Listed below is an example of questions you may be asked:
Question No. | Question |
1 | Please provide the company's principal place of business (HQ). Note: Please provide the location in State/City/Province, Country format (e.g., Delaware, USA; London, UK).
|
2 | Please provide the company's place of legal organization. Note: Please provide the location in State/City/Province, Country format (e.g., Delaware, USA; London, UK).
|
3 | Do any individuals or entities holding a 20% or greater ownership stake, or any key executives (e.g., CEO, C-Suite, Board of Directors), currently reside in or hold an affiliation with any of the following countries? (Select All that Apply)
|
4 | Do any internal engineering teams or 4th-parties (e.g., subcontractors, subprocessors, or Affiliates) developing, compiling, or contributing executable code for this service/solution operate from, reside in, or maintain headquarters in any of the following countries? (Select All that Apply)
|
5 | Final Attestation: As a core requirement for partnering with TikTok USDS JV, vendors must adhere to strict geographic restrictions regarding Countries of Concern (Reference 28 CFR Part 202, Subpart F). Please select the statements below that you can formally confirm: (Select all that apply)
|