Response to the Administrative Subpoena from the Department of Commerce dated May 23, 2024
对 2024 年 5 月 23 日美国商务部发出的行政传票的回复
1) Records sufficient to show the corporate structure of Yealink, including:
1) 证明 Yealink 公司结构的记录,包括:
a. Records sufficient to show Yealink (USA) Network Technology Co., Ltd.’s relationship to all direct or indirect corporate parents, subsidiaries, and affiliates.
a. 证明 Yealink(美国)网络技术有限公司与其所有直接或间接的母公司、子公司和关联公司的关系的记录。
b. Records sufficient to show the ownership of Yealink (USA) Network Technology Co., Ltd.’s direct or indirect parent(s), and any parent(s) thereof in the entire chain of ownership.
b. 证明 Yealink(美国)网络技术有限公司的直接或间接母公司及其在整个所有权链中的任何母公司的所有权的记录。
Response:
回复:
a. Yealink (USA) Network Technology Co., Ltd. is wholly owned by Xiamen Yealink Network Technology Co., Ltd. and has no subsidiaries. Affiliates of Yealink (USA) Network Technology Ltd. are: Yealink (Eruope) Network Technology B.V., Aixcom Technology Pte. Ltd., Xiamen Yealink Communication Technology Co., Ltd., Xiamen Yealink Software Co., Ltd., and Xiamen Yisheng Hearing Technologies Ltd.
a. Yealink(美国)网络技术有限公司由厦门亿联网络技术有限公司全资拥有,没有子公司。Yealink(美国)网络技术有限公司的关联公司包括:Yealink(欧洲)网络技术有限公司 B.V.、Aixcom 技术私人有限公司、厦门亿联通信技术有限公司、厦门亿联软件技术有限公司和厦门亿生听力技术有限公司。
b. Please refer to our response to Question 2).
b. 请参阅我们对问题 2 的回答)。
2) Records sufficient to identify each individual or entity holding or controlling (either directly or indirectly through another entity) an equity stake of 5% or more (whether voting or non-voting) in Yealink (USA) Network Technology Co., Ltd. Or any corporate parents of Yealink (USA) Network Technology Co., Ltd. This response should include information regarding the ultimate beneficial owners of Yealink (USA) Network Technology Co., Ltd. And any other entities or individuals owning more than a 5% equity stake in the chain of ownership and highlight any foreign government entities.
2)记录足以识别每个持有或控制(直接或通过另一实体间接持有)Yealink(美国)网络技术有限公司 5%或以上股权(无论投票权或非投票权)的个人或实体。此回复应包括关于 Yealink(美国)网络技术有限公司最终受益所有人的信息,以及任何在所有权链中拥有超过 5%股权的其他实体或个人,并突出任何外国政府实体。
Response:
回复:
Information on the individuals or entities in the chain of ownership of Yealink (USA) Network Technology Ltd. that own more than 5% of the equity stake is as follows:
关于厦门亿联网络技术有限公司(Yealink (USA) Network Technology Ltd.)股权链中拥有超过 5%股权的个人或实体信息如下:
Chen Zhisong holds 17.41% of the equity stakes of Xiamen Yealink Network Technology Co., Ltd.
陈志松持有厦门亿联网络技术有限公司 17.41%的股权。
Wu Zhongyi holds 16.65% of the equity stakes of Xiamen Yealink Network Technology Co., Ltd.
吴中一持有厦门亿联网络技术有限公司 16.65%的股权。
Lu Rongfu holds 10.47% of the equity stakes of Xiamen Yealink Network Technology Co., Ltd.
鲁荣富持有厦门亿联网络技术有限公司 10.47%的股权。
Zhou Jiwei holds 7.87% of the equity stakes of Xiamen Yealink Network Technology Co., Ltd.
周继伟持有厦门亿联网络技术有限公司 7.87%的股权。
Xiamen Yiwanglian Information Technology Service Co., Ltd. holds 5.14% of the equity stakes of Xiamen Yealink Network Technology Co., Ltd.
厦门亿旺联信息技术服务有限公司持有厦门亿联网络技术有限公司 5.14%的股权。
There are no foreign government entities holdings in Yealink (USA) Network Technology Co., Ltd.
亿联(美国)网络技术有限公司没有外国政府实体持股。
3) Records sufficient to show which individual or entities identified directly control(s) the intellectual property rights or maintain other such rights, such as licensing agreements, related to ICTA offered by Yealink in the United States or to U.S persons.
3) 足够的记录以显示哪些个人或实体直接控制知识产权或维持其他此类权利,例如与 Yealink 在美国提供的 ICTA 或美国个人相关的许可协议。
Response:
回复:
Yealink realizes independent research and development of technology, only a small number of intellectual property rights, i.e., patents, which need to obtain external license, now Yealink submits the following table on the status of the aforementioned patents licensing documents. It should be noted that none of the agreements signed between Yealink and the patent licensees involve data sharing or data exchange.
Yealink 意识到独立进行技术研发,只有少数知识产权,即专利,需要获得外部许可,现在 Yealink 提交了以下表格,说明了上述专利许可文件的状态。需要注意的是,Yealink 与专利许可方签订的任何协议都不涉及数据共享或数据交换。
No. | Licensed subjects | Country of Origin | Whether standard or not | Applicable product types | Product Model |
1 | Rtx | Denmark | No | DECT IP Multi-Cell System | W80B |
2 | Estech | US | No | Handset | Handset |
3 | Avayla | US | No | Videoconferencing Terminal | VC800 |
4 | Opus | Ireland; US; Germany; England | Yes | Handset, DECT IP base station | SIP-T30\T31G\T31P\T31W\T33G\T34W\T43U\T44W\T46U\T53\T54W\T57W\T58W; W70B |
5 | Hevc | US | Yes | Videoconferencing Terminal | VC200\VC500\VC800\VC880\M400\M600\M800\VC210-VCS (Excluding overseas VC210-TEAMS) |
6 | Mpeg | US | Yes | Videoconferencing Terminal | VC200\VC500\VC800\VC880\M400\M600\M800\VC210-VCS (Excluding overseas VC210-TEAMS) |
7 | HDMI | US | unconfirmed | Products with HDMI interfaces, most of which are video conferencing terminals, VP59 is for the handset | DeskVision A24\ETV65. ETV86 (ATC) \MCore Pro (Self-test) \MCore Self-test\MCore-Ops (self-test) \MeetingBar A10(ATC) \MeetingBar A10-C (self-test) \MeetingBoard 65. MeetingBoard 86\MeetingEye 400 (Self-test) \MeetingEye 500 Pro\MeetingEye 500 (ATC) \MeetingEye 600 Self-test\MeetingEye 800-self-test\MShare E2 self-test sink\pVT950 self -test\pVT980 self-testRoomCast (PJ501) Self-test\T49G Self-test\UVC90, DM100, Mshare, Mshare-raw S\VC110 Self-test\VC200 Self-test\VC210 Self-test\VC400 ATC\VC500 Self-test\VC800 Self-test\VC880\Sink+Source\CC22 Self-test\Vp59 self -test |
4) Records sufficient to show all Yealink’s facilities, including headquarters, research, development, manufacturing, test, distribution, or maintain other such rights, such as licensing agreements, related to ICTS offered by Yealink in the United States or to U.S persons.
4)记录足以显示所有 Yealink 设施,包括总部、研究、开发、制造、测试、分销或维护其他此类权利,例如许可协议,与 Yealink 在美国提供的 ICTS 或针对美国人的 ICTS 相关的记录。
a. The address of each Customer Experience Center in the United States.
a. 美国每个客户体验中心的地址。
b. Records sufficient to show the full name of each Yealink Personnel member who is not a U.S. citizen working in the Customer Experience Center, including country(ies) of citizenship of the personnel.
b. 证明每个非美国公民的 Yealink 员工在客户体验中心的完整姓名的记录,包括员工的国籍。
Response:
回复:
a. All of Yealink's facilities, including headquarters, research, development, production, testing, and distribution, are located in the PRC, with only one Customer Experience Center in the United States, which located at [Suite 160, 5445 Legacy Drive, Plano, TX 75024], which is set on a leased site by Yealink. The role of the Center is to meet the needs of U.S. customers to experience products offline, employees and customers present do not access or manage any data from it. Yealink's sales in U.S. are generally achieved by its distributors and resellers in United States. Yealink takes the initiative to look for partners and then jointly for customers, rather than waiting for customers to come to the Center to seek cooperation, so the Customer Experience Center does not have a sales function, and only in a few cases when American customers take the initiative to put forward the demand for offline experience of Yealink's products, the Customer Experience Center will provide customers with offline experience of relevant products.
a. 鸿翼所有设施,包括总部、研发、生产、测试和分销,均位于中国,仅在美国设有 1 个客户体验中心,位于[德克萨斯州普莱诺市 5445 遗产大道 160 号,TX 75024],该中心由鸿翼租赁场地设立。中心的作用是满足美国客户线下体验产品的需求,员工和客户不访问或管理其任何数据。鸿翼在美国的销售通常由其分销商和经销商完成。鸿翼主动寻找合作伙伴,然后共同寻找客户,而不是等待客户到中心寻求合作,因此客户体验中心没有销售功能,仅在少数情况下,当美国客户主动提出对鸿翼产品线下体验的需求时,客户体验中心才会为客户提供相关产品的线下体验。
b. The staff of Yealink's Customer Experience Center in the U.S. consists mainly of Chinese employees, who are dispatched from Yealink's headquarter in the PRC and travel to the U.S. on business trips on a rotational basis for short periods of time, with only one employee, Shawn (Lv Xing, who holds a green card in the U.S.), permanently stationed in the center. The functions of the staff in the Customer Experience Center are explained as follows: For the reasons mentioned above (Yealink will actively look for partners and then jointly for customers, rather than waiting for customers to come to the Center to seek cooperation), there are no resident staff in the Customer Experience Center in the strict sense, and the staff in the Center are in fact the marketing and sales staff of Yealink.
b. 美国 Yealink 客户体验中心的员工主要由中国员工组成,这些员工从中国 PRC 总部派遣,定期以短期商务旅行的形式前往美国,中心仅有一名员工 Shawn(Lv Xing,持有美国绿卡)长期驻扎。客户体验中心员工的职能如下所述:由于上述原因(Yealink 将积极寻找合作伙伴,然后与客户共同寻找,而不是等待客户来到中心寻求合作),在客户体验中心严格意义上没有常驻员工,中心员工实际上是 Yealink 的市场和销售团队。
Now Yealink provides the following table on the information of Chinese employees who went to the U.S. for business trips in the first half of 2024, which can be used for illustration purposes.
现在,Yealink 提供了以下表格,列出了 2024 年上半年前往美国进行商务旅行的中国员工信息,供参考。
Name | Positions | Citizenship | Time at CEC | Overall Travel Time |
Amber(ZHU YING) | Product Manager | China | 2.26-3.1 | 2.18-3.15 |
Regend(SOH CHEE TIONG) | Product Manager | China | 3.4-3.8 6.5-6.7 | 2.19-3.15 |
Jarvis(ZOU PENGWEI) | Product Manager | China | 3.11-3.15 | 3.4-3.29 |
Travis(ZHANG YONGZHEN) | Product Manager | China | 3.25-3.29 | 3.2-3.31 |
5.20-5.24 5.28-5.29 | 5.4-6.16 | |||
Jason(LI JIAHAO) | Product Manager | China | 4.9-4.12 | 4.8-4.28 |
Frank(XU ZHIHUA) | Sales Engineer | China | 4.29-5.3 | 4.14-5.12 |
Charry(HUANG CHUANYI) | Sales Engineer | China | 5.6-5.10 | 4.13-5.12 |
5) Records sufficient to show whether Yealink or any Yealink Personnel are subject to any laws or regulations of a Foreign Adversary regarding the sharing of information, data, or communications, or that require cybersecurity testing and/or security reviews. Provide information about the scope of the Foreign Adversary’s jurisdiction, the titles or job responsibilities of any Yealink Personnel subject to a Foreign-Adversary’s jurisdiction and any requests from the government or members of the government of the Foreign Adversary for information in Yealink’s possession or control.
5) 证明 Yealink 或任何 Yealink 员工是否受到外国对手关于信息、数据或通信共享的法律或法规的约束,或需要进行网络安全测试和/或安全审查的记录。提供关于外国对手管辖范围的信息,受外国对手管辖的任何 Yealink 员工的职位或工作职责,以及外国对手政府或政府成员对 Yealink 所拥有或控制的任何信息的请求。
Response:
回复:
The Yealink devices offered to U.S. customers are different from the ones offered in a Foreign Adversary such as the PRC.
提供给美国客户的 Yealink 设备与提供给外国对手(如中国)的不同。
YEALINK (USA) NETWORK TECHNOLOGY CO., LTD. is not subject to the requirements of cybersecurity testing and/or security reviews of laws or regulations of PRC or any other Foreign Adversary as YEALINK (USA) NETWORK TECHNOLOGY CO., LTD. is a company incorporated in the United States, and therefore is subject to the laws and regulations of the United States. We are not aware of any extraterritorial jurisdiction of the PRC laws and regulations over YEALINK (USA) NETWORK TECHNOLOGY CO., LTD. according to its business and operation in the United States, and therefore YEALINK (USA) NETWORK TECHNOLOGY CO., LTD. and its employees and contractors are not subject to any laws or regulations of a Foreign Adversary regarding the sharing of information, data, or communications, or that require cybersecurity testing and/or security reviews. As to the vendors of YEALINK (USA) NETWORK TECHNOLOGY CO., LTD., we are not entitled to know the detailed information, including their applicable and specific jurisdiction. We have listed down the information of our top 30 suppliers and other suppliers in relation to chips and other key telecommunication spare parts with encryption functions (such as WiFi modes) for your information and review in our response to 16). Should you require any further information regarding our vendors, we will endeavor to reach out to our vendors for details.
Yealink(美国)网络技术有限公司不受中国或任何其他外国敌对方的网络安全测试和/或安全审查法律或法规要求的约束,因为 Yealink(美国)网络技术有限公司是一家在美国注册的公司,因此受美国法律和法规的约束。我们不清楚根据其在美国的业务和运营,中国法律和法规对 Yealink(美国)网络技术有限公司具有域外管辖权,因此 Yealink(美国)网络技术有限公司及其员工和承包商不受任何外国敌对方关于信息、数据或通信共享的法律或法规的约束,或要求进行网络安全测试和/或安全审查。至于 Yealink(美国)网络技术有限公司的供应商,我们没有权利了解他们的详细信息和适用的具体管辖权。 我们已列出我们前 30 家供应商以及其他供应商关于芯片和其他具有加密功能(如 WiFi 模式)的关键电信备件的信息,供您在 16)的回复中进行了解和审查。如果您需要关于我们供应商的更多信息,我们将努力联系我们的供应商获取详情。
Our response for Yealink’s other affiliates and their employees, contractors, vendors, or affiliated personnel in Europe and Indonesia is similar.
我们对 Yealink 的其他分支机构及其员工、承包商、供应商或附属人员的回复在欧洲和印度尼西亚是类似的。
Yealink Network Technology Co., Ltd. and the products it sells in PRC are indeed subject to certain cybersecurity testing and/or security review requirements according to the applicable laws and regulations of PRC. For example, the products sold by Yealink Network Technology Co., Ltd., as a computer information system defined under the Regulations of the People's Republic of PRC on Protecting the Safety of Computer Information Systems (2011 Revision), is subject to the security grading protection scheme and therefore needs to get certified in accordance with the criteria for security grading and specific measures for security grading protection formulated by the Ministry of Public Security and other relevant departments. Moreover, if Yealink Network Technology Co., Ltd. is involved in the cross-border transfer of personal information or important data from PRC to overseas recipients, it may be subject to the requirements of security assessment, standard contract execution, or personal information protection certification under certain circumstances. Our response for the other affiliates of Yealink Network Technology Co., Ltd. in PRC are the same. To the extent that we understand, the employees and contractors of Yealink Network Technology Co., Ltd. are not subject to any laws or regulations of a Foreign Adversary regarding the compulsory sharing of information, data, or communications, nor are they required to pass cybersecurity testing and/or security reviews, and that Yealink’s business in U.S. shall not be regulated in accordance with the laws and regulations of the PRC, especially the laws and regulation in relation to state security of the PRC.
亿联网络技术有限公司及其在中华人民共和国境内销售的产品确实根据中华人民共和国的相关法律法规,需要接受某些网络安全测试和/或安全审查要求。例如,亿联网络技术有限公司销售的产品,根据《中华人民共和国计算机信息网络安全保护条例》(2011 年修订)所定义的计算机信息系统,需要接受安全等级保护方案,因此需要根据公安部和其他相关部门制定的安全等级和具体的安全等级保护措施进行认证。此外,如果亿联网络技术有限公司涉及从中华人民共和国向海外接收者跨境转移个人信息或重要数据,在某些情况下可能需要接受安全评估、标准合同执行或个人信息保护认证的要求。我们对亿联网络技术有限公司在中华人民共和国的其他分支机构的回应是相同的。 根据我们的理解,Yealink 网络技术有限公司的员工和承包商不受任何外国敌对者的法律或法规约束,不得强制共享信息、数据或通信,也不需要通过网络安全测试和/或安全审查,并且 Yealink 在美国的业务不应受中国法律和法规的监管,特别是中国国家安全方面的法律和法规。
6) Records sufficient to show the number of Yealink Personnel, if any, who are located in, or nationals of, a Foreign Adversary and who have:
6)足够的记录以显示任何位于外国敌对者境内或为外国敌对者国籍的 Yealink 人员的数量,如果有的话,他们:
a. Permissions that include administrative access to Yealink ICTS offered to U.S. customers, access to U.S. customers’ personally identifiable information and financial information, or access to cyber, physical, or electronic security information or systems.
a. 拥有包括对 Yealink ICTS 提供给美国客户的行政访问权限、访问美国客户的个人信息和财务信息,或访问网络、物理或电子安全信息或系统的权限。
b. Duties that include designing, developing, manufacturing, or supplying ICTS offered by Yealink in the United States or to U.S. persons.
b. 负责设计、开发、制造或提供 Yealink 在美国或向美国人士提供的 ICTS。
Response:
回复:
The administrative access of Yealink devices is controlled by the administrator of the customer and not a Yealink Personnel, and therefore we have no information about whether the customer’s administrator is located in, or nationals of, a Foreign Adversary.
Yealink 设备的行政管理权由客户管理员控制,而非 Yealink 员工,因此我们无法提供有关客户管理员是否位于或为外国敌对方的国民的信息。
A Yealink device does not collect any personal identifiable information and financial information of U.S. customers, except that the administrator or user of the Yealink device may input their email address for logging in the Yealink device, where the personal identifiable information that can be accessed by Yealink is quite limited and generally a Yealink Personnel will not have the permission to access to such information, either from the U.S. or a Foreign Adversary. 【待确认获取账户信息的人员情况,如中国有相关人员可以查到账户信息,这些人员的具体数量】
Yealink 设备不会收集美国客户的任何可识别个人信息和财务信息,除非管理员或 Yealink 设备用户在登录 Yealink 设备时输入他们的电子邮件地址,此时 Yealink 可以访问的个人信息非常有限,并且通常 Yealink 员工没有权限访问此类信息,无论是来自美国还是外国敌对方。【待确认获取账户信息的人员情况,如中国有相关人员可以查到账户信息,这些人员的具体数量】
A Yealink Personnel does not have access to cyber, physical, or electronic security information or systems in general, except when a customer chooses to use Yealink’s Yealink Management Cloud Service (YMCS). Please find our detailed description of the YMCS in our response to 7).
Yealink 员工通常无法访问网络、物理或电子安全信息或系统,除非客户选择使用 Yealink 的 Yealink 管理云服务(YMCS)。请参阅我们关于 7)的回复中关于 YMCS 的详细描述。
All ICTS offered by Yealink in the United States or to U.S. persons is designed, developed, manufactured, or supplied by Yealink Personnel located in the PRC. 【待补充中国员工数量】
所有在美国或提供给美国人的 Yealink ICTS 均由位于中国的 Yealink 员工设计、开发、制造或提供。【待补充中国员工数量】
7) Records sufficient to show how Yealink stores, manages, processes, gathers, secures, accesses, and analyzes data generated or owned by, or associated with, U.S. customers, including:
7) 有关 Yealink 如何存储、管理、处理、收集、保护、访问和分析由美国客户生成或拥有,或与之相关的数据的记录,包括:
Response
回复:
A typical Yealink device composes of three core components. The first and basic component is the hardware that is designed, developed, and manufactured by Yealink. The second and medium component is the Operating System (the “OS”) that is a built-in system coordinates the various hardware component of a Yealink device to interact with the customer, and Yealink devices’ OS is self-developed by Yealink using Linux or Android. The third and upper component is applications, which supports the various and specific functions and services offered by a Yealink device.
一个典型的 Yealink 设备由三个核心组件组成。第一个和基本组件是硬件,由 Yealink 设计、开发和制造。第二个和中等组件是操作系统(简称“OS”),这是一个内置系统,协调 Yealink 设备的各种硬件组件与客户交互,Yealink 设备的操作系统由 Yealink 使用 Linux 或 Android 自行开发。第三个和高级组件是应用程序,它支持 Yealink 设备提供的各种特定功能和服务。
Yealink devices offered to U.S. customers is resold by Yealink’s distributors and resellers in U.S. and before such Yealink devices are offered to and used by a U.S. customer, a distributor or reseller will connect the device to a specific telecommunication operator such as Verizon via the Redirection and Provisioning Service (RPS) which can help the customer redirecting the MAC of the Yealink device to the service operator’s designated IP address to establish the network and communication channel. The only information such RPS processes is matching the MAC number and the IP address of the service operator (such as Verizon). As to how such information is processed and protected by Yealink, please refer to the YMCS Privacy Policy, which is also applicable to RPS.
美国客户使用的 Yealink 设备由 Yealink 的美国分销商和经销商进行转售。在 Yealink 设备提供给美国客户使用之前,分销商或经销商将通过重定向和配置服务(RPS)将该设备连接到特定的电信运营商,例如 Verizon。RPS 可以帮助客户将 Yealink 设备的 MAC 地址重定向到服务运营商指定的 IP 地址,以建立网络和通信通道。此类 RPS 处理的信息仅限于匹配服务运营商(如 Verizon)的 MAC 号码和 IP 地址。关于 Yealink 如何处理和保护此类信息,请参阅 YMCS 隐私政策,该政策也适用于 RPS。
As to the processing of data generated or owned by, or associated with, U.S. customers, the hardware of a Yealink device is a pure physical device and does not have the capability of storing or processing any data. Data is actually stored, processed, and transferred on the application level.
关于处理由美国客户生成或拥有的数据,或与之关联的数据,Yealink 设备的硬件是一个纯物理设备,没有存储或处理任何数据的能力。数据实际上是在应用层面进行存储、处理和传输的。
On the above basis, Yealink offers two major categories of devices to U.S. enterprise customers. The first category is named as the SIP device, where a session initialization protocol (the “SIP”) is incorporated on the OS for interactive communication (voice calls, video calls, etc.) on the Internet. The OS of a SIP device is self-developed by Yealink using Linux. The communication on an SIP device is secured by Secure Sockets Layer (SSL) or Transport Layer Security (TLS), a security protocol that provides security and data integrity for network communication, which is widely used for web pages, email, Internet fax, instant messaging and voice over IP telephony (VoIP). SSL encrypts all requests and responses, and all links with YMCS (which will be introduced in detail below) are encrypted by TLS 1.2, so as to ensure the security of data transmission. A CA certificate issued by a competent certificate authority will be included in each individual Yealink device for authentication and encrypted transmission, and the information decrypted using a CA certificate will only be processed locally on the Yealink device and will not be transferred to Yealink in any possible ways.
基于上述,Yealink 为美国企业客户提供两大类设备。第一类被称为 SIP 设备,其中在操作系统上集成了会话初始化协议(即“SIP”),用于在互联网上进行交互通信(语音通话、视频通话等)。SIP 设备的操作系统由 Yealink 使用 Linux 自行开发。SIP 设备上的通信通过安全套接字层(SSL)或传输层安全性(TLS)进行加密,这是一种提供网络安全和数据完整性的安全协议,广泛应用于网页、电子邮件、互联网传真、即时消息和 IP 电话(VoIP)。SSL 加密所有请求和响应,所有与 YMCS(以下将详细介绍)的链接都通过 TLS 1.2 加密,以确保数据传输的安全性。每个 Yealink 设备将包含由合格证书颁发机构签发的 CA 证书,用于身份验证和加密传输,使用 CA 证书解密的信息将仅在 Yealink 设备上本地处理,不会以任何可能的方式传输到 Yealink。
The second category is the Microsoft/Zoom Device (the “Microsoft/Zoom Device”), where a designated meeting application such as Microsoft Teams or Zoom is integrated on the OS and application level. Such bundled meeting application is treated as an add-on to the Yealink device. The OS of a Microsoft/Zoom Device is developed on the Android system which is bundled with the specific meeting application. The bundled meeting application cannot be altered unless the CA certificate is revised or updated according to the consensus of Yealink and the meeting application suppliers, and customer using such Microsoft/Zoom Device can use either the bundled meeting application or the SIP channel for communication. When a U.S. customer uses the SIP channel for communication, data is processed and protected as mentioned above. When a U.S. customer uses the bundled meeting application for communication, data is encrypted in accordance with the method set by the suppliers of the corresponding meeting applications and Yealink have no access to or control over the data of U.S. customers.
第二类是微软/Zoom 设备(以下简称“微软/Zoom 设备”),其中指定的会议应用如微软团队或 Zoom 已集成在操作系统和应用层面。此类捆绑式会议应用被视为 Yealink 设备的附加组件。微软/Zoom 设备的操作系统是在 Android 系统上开发的,该系统捆绑了特定的会议应用。捆绑式会议应用除非根据 Yealink 和会议应用供应商的共识修改或更新 CA 证书,否则不能更改。使用此类微软/Zoom 设备的客户可以使用捆绑式会议应用或 SIP 通道进行通信。当美国客户使用 SIP 通道进行通信时,数据处理和保护方式如上所述。当美国客户使用捆绑式会议应用进行通信时,数据将按照相应会议应用供应商设定的方法进行加密,Yealink 无法访问或控制美国客户的数据。
We will further elaborate the data flow on the application level. For starters, please find below a diagram of the data flows of a typical Yealink device offered to U.S. customers.
我们将进一步阐述应用层面的数据流。首先,请查看以下图表,展示了美国客户使用的典型 Yealink 设备的数据流。
Firstly, A Yealink device includes a default equipment upgrade service that will automatically detect and download available firmware of peripherals from the Yealink cloud-based platform. Such auto update feature is disabled by default. Data regarding equipment upgrade will be processed by two firmware servers, one is the dm.yealink.com server located on AWS in Virginia, and the other is the update.yealink.com server located on Azure in Paris. The firmware server used by Yealink devices switched from AWS server to Azure server for the purpose of GDPR compliance and all future Yealink terminals will use the Azure server.
首先,Yealink 设备包含默认的设备升级服务,该服务将自动从基于 Yealink 云平台的平台检测并下载外围设备的可用固件。此自动更新功能默认禁用。有关设备升级的数据将由两个固件服务器处理,一个是位于弗吉尼亚州 AWS 上的 dm.yealink.com 服务器,另一个是位于巴黎 Azure 上的 update.yealink.com 服务器。Yealink 设备使用的固件服务器已从 AWS 服务器切换到 Azure 服务器,以符合 GDPR 法规,所有未来的 Yealink 终端都将使用 Azure 服务器。
Secondly, a Yealink device provides YMCS, a cloud service application self-developed by Yealink for its customers’ centralized management of their Yealink devices within the enterprise and enables customers administrator to manage meeting devices of Yealink, such as SIP phones, meeting room devices, etc. allowing for deployment, configuration and ongoing maintenance. The YMCS is activated upon the proactive authorization and instruction of the customer’s administrator. When the YMCS is activated and used, certain account information, system management information, and resources management information, etc. will be processed for the centralized management of Yealink devices. Please find below a detailed table listing the specific types of data that will be collected and processed under the YMCS scenario (the “YMCS Data”). As to how YMCS Data is processed and protected by Yealink, please refer to the YMCS Privacy Policy. Please note that all the data listed below is on enterprise level and contains limited personal identifiable information that are related to the account information and user credentials of the contact of the customer only. When processing customer data for YMCS, Yealink is acting as the data processor, and YMCS customers are data controllers.
其次,Yealink 设备提供 YMCS,这是 Yealink 为其客户自行开发的云服务应用程序,用于在企业内部集中管理其 Yealink 设备,并使客户管理员能够管理 Yealink 的会议设备,如 SIP 电话、会议室设备等,允许部署、配置和持续维护。YMCS 在客户管理员主动授权和指令下激活。当 YMCS 激活并使用时,将处理某些账户信息、系统管理信息和资源管理信息等,以实现 Yealink 设备的集中管理。以下是一个详细表格,列出了在 YMCS 场景下将收集和处理的具体数据类型(“YMCS 数据”)。关于 YMCS 数据如何由 Yealink 处理和保护,请参阅 YMCS 隐私政策。请注意,以下列出的所有数据均为企业级数据,包含与客户联系人账户信息和用户凭证相关的有限可识别个人信息。 当处理 YMCS 的客户数据时,Yealink 作为数据处理者,而 YMCS 客户则是数据控制者。
Collected Information of YMCS | ||
Account Information | Users provide: Data Center*, Company Name*, Authority*, Company Mailbox*, Country or Region*, Time Zone*, Company Contact Person, Company Contact Phone Number, Whether Login Protection is Open The system automatically generates an initial password, which should be changed when the customer first logs in. | |
Device Management Dashboard | Device Type Options | |
Device Management Information | Telephone Device | Users provided: Device Name, Site, Group, Model, MAC, Machine ID, Binding Account, RPS Account, Binding or Not |
Yealink collects: Public IP, Intranet IP, Running Firmware, Device Status, Active Status, Account Status, Creation Time, Reporting Time, VPN, VPN Active | ||
RPS Management | Users provide: RPS device (MAC, Server Name, Unique URL, Username, Password) RPS server (Server Name, Server URL, Authentication Username, Authentication Password, Trusted Certificate, Server Certificate, Customized Certificate) | |
USB Device | Description of Yealink’s storage for persistent data: RPS device (MAC, Server Name, Unique URL, Username, Password) RPS Device (IP, Binding time, Last Connection Time) RPS Server (Server Name, Server URL, Authentication Username, Authentication Password, Trusted Certificate, Server Certificate, Customized Certificate) Description of Non-persistent data: User Agent (including model and version), which is transmitted by the device but not stored by Yealink; | |
Users provide: Site, Device Notes | ||
YUC Software | Yealink collects: Device ID, Model, Device Name, Host IP, Connection Version, Running Firmware, Device Status, Running Time, Sites | |
Users provide: Local Name, MAC, Site | ||
Conference Room Device | Yealink collects: Host PC Name, Software Version, Software Status, Sites | |
Users provide: Name of Conference Room, Site, Model, MAC, Machine ID, Group, Description | ||
Single Device Configuration Management | Yealink collects: Public IP, Intranet IP, Connection Version, Device Status, Associated Devices, Account Status, Reporting Time. | |
Configuration in existing device information | ||
Task Management | Sub-site Configuration | Configuration Name, Site, Setup Parameters (Account, Directory, Key, Features, Network, Security, Settings, System), Associated Device Type, Supported Models, Description |
Group Configuration | Configuration Name, Device Type (Phone Device, USB Device, Conference Room Device), Supported Models, Associated Groups, Setup Parameters (Accounts, Directory, Keys, Characteristics, Network, Security, Settings), Description | |
Global Parameter Configuration | Auto Update URL, Device Pre-Research, NTP Server IP Address, Auto Update Server Username Auto Update Server Password, AutoP Repeat Cycle, Time Interval, DHCP Activation, DHCP Option Value, Zero Touch | |
Timed Task | (Send message, update firmware version, reboot device, update configuration file, etc.) Task Name, Repeat, Execute Time, Set Time Zone | |
Alarm Diagnosis | Task Execution List | Summary list of timed tasks |
Alarm List | Alarm information reported by the device (Alarm Event, Cause, Details, Module, MAC, etc.) | |
Data Statistics | Equipment Diagnostics | Diagnostic Tools: One-click Export, Capture Packets, Monitor the Network, Export System Logs, Export Configuration Files, Screenshots, Data and files generated in configuration backups |
Equipment Statistics | Statistical Summary of Associated Phone Devices, Conference Room Devices, and USB Devices | |
Resource Management | Alarm Statistics | Data analysis (based on available data) |
Call Quality Statistics | Users provide: MAC Address, Device Model | |
SIP Account Management | Yealink Collects: Firmware Version, Call Duration, Call Quality, Local URL, Opposite Caller URL, Start Time of the Call, Call Duration, User Information, Station, Audio Device (MAC Address, Model, Firmware Version, IP address), Audio Information (Inbound + Outbound: Average Jitter, Total Packets Loss, Average Packet Loss Rate, Maximum Packet Loss Rate, Average Latency, Maximum Latency, Maximum Jitter, Average Answer Mos) | |
Owning Site, Registration Name, Username, Password, Label, Display Name, Server 1 Address + Port, Server 2 Address + Port, Enable Outbound Proxy Server, Description | ||
Space Management | H.323 Account Management | Site, Username, Extension Number, Gatekeeper Type (Disabled, Manual, Automatic), Gatekeeper Server 1 Address + Port, Gatekeeper Server 2 Address + Port, Description |
SFB Account Management | Site, Account Information (Registered Name, Password, Login Address), PIN Information (Extension Number, PIN), Other Descriptions | |
Firmware Management | Users provide: Firmware Name, Firmware File, Version Number, Site, Select Type (Phone Device, USB Device, Conference Room Device), Applicable (Master Device, Accessory), Supported Models, Description | |
Configuration Templates | Yealink collects: Add Time, File Size | |
Configuration Name, Device Type (Phone Device, USB Device, Conference Room Device), Supported Models, Description | ||
Other Resource | Users provide: Resource Type (Phone Device, USB device, Conference Room System), Resource Type (Daylight Saving Time Template, BToE, Language Packs, Input Method, Call Hold Cloaking, Device License, etc.), Resource Name, Site, Select File, Description | |
Dashboard | Statistical summary of associated conference rooms and conference room equipment | |
Conference Room Management | Users provide: Name of Conference Room, Capacity, Location, Description, License Assignment, MAC, Machine ID, Device Model, Device Name, Conference Room to which it belongs | |
Yealink collects: Conference Room Status, Device Type and Quantity in Conference Room | ||
System Management | Site Management | Site Name, Parent Site, Site Description, Site IP |
Alarm Notification | Policy name, Push Method (Station Warning, E-mail Warning), Alert Period, Alert Receiver, Alert Content (SERIOUS, MAJOR or GENERAL, Notification of Abnormalities), Device Range | |
Alarm rules | Trigger Time, Detection Threshold | |
Space Tree Management | Spatial Hierarchy Setup (Country/Region, State/Province, City, Park Area, Building, Floor, Conference Room) | |
RPS Settings | Binding Status, Whether to select automatic synchronization, Whether to synchronize the creation of the server site | |
IP Whitelisting | Users provide: IP Address, Description | |
Yealink Collection: Operator, Modification Time | ||
Interception Records | Type, IP, MAC, IP Status, Time | |
Single Sign On | On State, Authentication Platform, Client ID, Tenant ID | |
Sub-account Management | Register Email, Contact, Contact Phone, Role Name, Enable Status, Description | |
Role Management | Add Groups & Roles, Sub Accounts, Description | |
Log Management | Login and Operation Log | |
Preference | Default Login Display Site |
Apart from the YMCS, Yealink also offers local deployment services named the Yealink Device Management Platform (YDMP) for customers’ centralized management of their Yealink devices on a private cloud platform. YDMP is an installation package that users can download for private deployment and is locally deployed on the private storage environment of Yealink’s customers for their self-management and control of the Yealink devices. Yealink adds SHA1 (stands for Secure Hash Algorithm) and MD5 (stands for Message Digest) algorithms in the YDMP package ready for releasing to use the verification codes to verify the authenticity and integrity of the installation package. After receiving the code package, the customers install and deploy it by themselves. Yealink has no access to or information about the data processed by a Yealink device that deploys YDMP.
除了 YMCS,Yealink 还为顾客提供名为 Yealink 设备管理平台(YDMP)的本地部署服务,以便顾客在私有云平台上集中管理他们的 Yealink 设备。YDMP 是一个用户可以下载的安装包,用于私有部署,并在 Yealink 顾客的私有存储环境中本地部署,以便他们自行管理和控制 Yealink 设备。Yealink 在 YDMP 包中添加了 SHA1(代表安全散列算法)和 MD5(代表消息摘要)算法,以便在发布时使用验证码来验证安装包的真实性和完整性。收到代码包后,顾客自行安装和部署。Yealink 无法访问或获取部署 YDMP 的 Yealink 设备处理的数据信息。
Fourthly, data is gathered and processed by meeting channels and applications such as the SIP, Microsoft Teams, and Zoom. For details of such data processing, please find our explanation in the above paragraph 5 of our response to this 7).
第四,数据通过 SIP、Microsoft Teams 和 Zoom 等会议渠道和应用进行收集和处理。关于此类数据处理的具体细节,请参阅我们对此 7)的回应中上述第 5 段的内容。
Lastly, for the purpose time calibration, a Yealink device also connects to the Network Time Protocol (NTP) server to synchronize time over network. The data processed by the NTP server only includes the local time of the Yealink device and the Coordinated Universal Time (UTC) from the internet.
最后,为了进行时间校准,Yealink 设备也会连接到网络时间协议(NTP)服务器,以通过网络同步时间。NTP 服务器处理的数据仅包括 Yealink 设备的本地时间和从互联网获取的协调世界时(UTC)。
【待收到定稿后的数据流转图后补最后Google那两个小模块的描述,一两句话即可】
a. Records sufficient to show the types of data generated or owned by, or associated with, U.S. customers that is stored, managed, processed, gathered, or protected by Yealink.
a. 足够的记录,以显示存储、管理、处理、收集或由 Yealink 拥有或与之关联的美国客户生成的数据类型。
Response: Please find details in the above-mentioned table in 7). Please also find the reports named D.1.5.2 Yealink--FY23 SOC2 Type2报告_20240119 and D.1.5.5 Penetration Test Attestation for more information about the protection capability of Yealink.
回应:请参阅上述第 7)中提到的表格中的详细信息。请参阅名为 D.1.5.2 Yealink--FY23 SOC2 Type2 报告_20240119 和 D.1.5.5 渗透测试证明的报告,以获取更多关于 Yealink 保护能力的信息。
b. Records sufficient to show any analytics Yealink has conducted on data generated or owned by, or associated with, U.S. customers that is stored, managed, processed, gathered, or protected by Yealink.
b. 证明 Yealink 对存储、管理、处理、收集或保护由美国客户生成、拥有或与之关联的数据所进行的任何分析活动的记录。
Response: Please find detailed explanation above. To sum up, Yealink’s processing of data does not include analytic conduct.
回复:请参见上述详细说明。总之,Yealink 对数据的处理不包括分析行为。
c. Records sufficient to show any analytics Yealink has conducted or reviewed on metadata or derived data related to data generated or owned by, or associated with, U.S. customers.
c. 证明 Yealink 对与美国客户生成、拥有或与之关联的数据相关的元数据或衍生数据所进行的任何分析或审查活动的记录。
Response: Yealink performs no analytics on data in its possession, not to mention any analytic on metadata or derived data as Yealink collects no such data.
回复:Yealink 对其拥有的数据进行无分析处理,更不用说对元数据或衍生数据进行任何分析,因为 Yealink 不收集此类数据。
d. Records sufficient to identify each individual or entity that is located in, a national of, or organized under the laws of a Foreign Adversary that has access to any data generated or owned by, or associated with, U.S. customers that is stored, managed, gathered, processed, or protected by Yealink, including name, IP address, and location of each individual and entity on this list, and detailed descriptions of the level of access.
d. 足够识别每个位于、为外国对手国民或根据外国对手法律组织的企业或个人的记录,包括任何可访问由 Yealink 存储、管理、收集、处理或保护的数据的企业或个人的名称、IP 地址和位置,以及每个企业或个人在此列表中的详细描述和访问级别的详细说明。
Response: Even though most of Yealink Personnel are located in, or nationals of PRC, Yealink generally will not access any data generated or owned by, or associated with, U.S. customers from PRC or any other Foreign Adversary, except that when customer actively registers for the YMCS or raises a diagnosis request for Yealink to identify specific function errors. Under the registration and log in process of YMCS, only the name of the customer’s administrator and the account name will be gathered and processed by Yealink for authentication. Under the YMCS diagnose support scenario, the diagnose data may be transferred to and accessed by individual that runs a diagnose from PRC. Data accessed by Yealink when performing diagnose are limited to device data, tech support data (including screenshots, network packets, logs, configuration files), which are provided to Yealink by a customer in connection with the customer’s use of Yealink products or services. The YMCS default setting for Remote diagnose support assistance is off. Only customer account administrator can modify the setting. Please also note that information accessible by Yealink under this scenario is limited to the data on YMCS only, data in relation to other applications and the OS cannot be accessed by Yealink. If data other than the types listed above is intended to be provided to Yealink, customer will have to take a photo or video by themselves and send it to Yealink via email. Please find below a description of the data flow of the function of Yealink diagnose support assistance. The YMCS Diagnose Support Assistance Privacy Statement describes in detail Yealink’s processing of such data.
回复:尽管大部分 Yealink 员工位于中国或为中国公民,但 Yealink 通常不会访问来自中国或任何其他外国敌对方的美国客户生成或拥有的数据,除非客户主动注册 YMCS 或向 Yealink 提出诊断请求以识别特定功能错误。在 YMCS 的注册和登录过程中,只有客户管理员的姓名和账户名称将被 Yealink 收集和处理以进行身份验证。在 YMCS 诊断支持场景下,诊断数据可能会被从中国运行诊断的个人传输和访问。Yealink 在执行诊断时访问的数据仅限于设备数据、技术支持数据(包括截图、网络数据包、日志、配置文件),这些数据是由客户在关联使用 Yealink 产品或服务时提供给 Yealink 的。YMCS 远程诊断支持辅助的默认设置是关闭的。只有客户账户管理员可以修改此设置。 请注意,在此情况下,Yealink 可访问的信息仅限于 YMCS 上的数据,Yealink 无法访问与其它应用和操作系统相关的数据。如果打算向 Yealink 提供上述类型以外的数据,客户需自行拍照或录像,并通过电子邮件发送给 Yealink。以下是对 Yealink 诊断支持辅助功能数据流描述。YMCS 诊断支持辅助隐私声明详细说明了 Yealink 对这些数据的处理。
8) Records sufficient to show policies or procedures for data retention and/or data disposition following the termination of services to U.S customers provided or facilitated by Yealink.
8)记录足以证明 Yealink 提供或促进的美国客户服务终止后数据保留和/或数据处理的政策或程序。
Response:
回复:
Only the YMCS platform is involved in the storage of YMCS Data [the definition and the data collecting scope shall be referred to our response to 7)], Other devices and platforms of Yealink do not have the ability to store user data. This platform will take the initiative to completely delete and clean up user data after the termination or expiry of services, and the aforementioned requirements are strictly bound by the following policies.
仅 YMCS 平台参与 YMCS 数据的存储[定义和数据收集范围请参阅我们对第 7 条的回复)],Yealink 的其他设备和平台没有存储用户数据的能力。该平台将在服务终止或到期后主动完全删除和清理用户数据,上述要求严格受以下政策的约束。
Policy | Terms |
Terms of Service of Yealink Management Cloud Service | 2.4.3 Deletion after termination Following termination or expiry of Products, Customer data shall be deleted within 3 months. except as required to be retained by applicable law or returned to Customer in a timely manner according to Customer's choice. |
Privacy Policy | 7.Account cancellation 7.1 When You wish to terminate the access or use of the Service, You can follow there quired procedures and delete Your account, The account You apply for termination must be Your own account registered in accordance with this Agreement. 7.2 Before applying for cancellation, you should ensure that the account does not have unsettled rights and obligations or other circumstances that may cause disputes due to cancellation of the account, or are investigated by any state agencies, or are in litigation or arbitration proceedings, otherwise, We may stop Your cancellation without any responsibility, and report illegal activities or provide relevant information to the regulatory or judicial authorities when necessary. 7.3 The cancellation of an account is irreversible. After the account is canceled, you will no longer be able to use or access any of the Service with this account. All information and data bound to the account can also be erased/deleted. You should backup the relevant information and data of the account yourself, we will not be responsible for any loss of information and data resulting. |
9) Records sufficient to show the revenue from the sale of ICTS within the United States from 2019 to the present date, including:
9) 证明 2019 年至今天为止在美国销售 ICTS 的收入的记录,包括:
a. Records sufficient to show all individuals or entities that distribute or resell Yealink ICTS in the United States.
a. 证明在美国分销或转售 Yealink ICTS 的所有个人或实体的记录。
b. Records sufficient to show the specific products and related services that Yealink provides or intends to provide or make available to customers in the United States.
b. 证明 Yealink 提供或打算提供或向美国客户提供的具体产品和相关服务的记录。
c. Records sufficient to show the number of U.S. Customer using the Yealink Management Cloud Service (YMCS) since January 19, 2021, including the number of U.S. Customers’ data that are currently managed by Amazon Web Services (AWS).
c. 证明自 2021 年 1 月 19 日以来使用 Yealink 管理云服务(YMCS)的美国客户数量,包括目前由亚马逊网络服务(AWS)管理的美国客户数据数量。
d. Records sufficient to show the number of U.S. Customers using the Yealink Management Cloud Service (YIvICS) since January 19, 2021, including the number of U.S. Customers’ data that are currently managed by Amazon Web Services (AWS).
d. 证明自 2021 年 1 月 19 日起使用 Yealink 管理云服务(YIvICS)的美国客户数量,包括目前由亚马逊网络服务(AWS)管理的美国客户数据数量。
Response:
回复:
a. The names of the top 10 resellers (including distributers and resellers) and the transaction data for 2019-2024 in the United States are detailed in the table below. Please note that (1) as most of Yealink’s sales in U.S. are completed by Yealink Network Technology Co., Ltd. but not YEALINK (USA) NETWORK TECHNOLOGY CO., LTD., data provided herein is mostly related to Yealink Network Technology Co., Ltd. instead of YEALINK (USA) NETWORK TECHNOLOGY CO., LTD.; (2) because of the limited timeframe, data provided herein has not been strictly verified and there may be data errors and omissions.
a. 以下是 2019-2024 年在美国的前 10 大分销商(包括分销商和零售商)的名称以及交易数据表格。请注意:(1)由于大部分 Yealink 在美国的销售是由 Yealink 网络技术有限公司完成,而不是 YEALINK(USA)网络技术有限公司,因此此处提供的数据主要与 Yealink 网络技术有限公司相关,而不是 YEALINK(USA)网络技术有限公司;(2)由于时间范围有限,此处提供的数据尚未经过严格核实,可能存在数据错误和遗漏。
b. Yealink does not sell provides products directly to customers in the United States.
b. Yealink 不直接向美国客户销售产品。
c. The number of VoIP phones sold to customers in United States is shown in the table below.
c. 以下表格显示了销售给美国客户的 VoIP 电话数量。
d. The new version of the YMCS platform is set up on Azure and currently serves 3,993 customers in the United States; the old version of the YMCS platform is set up on AWS and currently serves 330 customers in the United States.
d. 新版本的 YMCS 平台已部署在 Azure 上,目前为美国 3,993 名客户提供服务;旧版本的 YMCS 平台部署在 AWS 上,目前为美国 330 名客户提供服务。
10) Records sufficient to show the source code for any of Yealink’s products used by U.S. Customers that were written, developed, or coded in the People’s Republic of PRC (PRC) during the Request Period, including:
10) 足够的记录以显示在请求期间在中国(PRC)编写、开发或编写的任何 Yealink 产品用于美国客户的源代码,包括:
a. Records sufficient to show the source code for any of Yealink’s products used by U.S. Customers that are licensed to third parties for inclusion in the third parties’ products or code bases.
a. 足够的记录以显示任何用于美国客户的 Yealink 产品源代码,这些产品已许可给第三方以包含在第三方的产品或代码库中。
Response: The source code of Yealink’s products in the U.S. is written, developed, or coded in PRC. However, Yealink has not licensed the source code to any third party for their inclusion in the third parties’ products or code bases.
回复:美国销售的 Yealink 产品源代码是在中国编写、开发或编写的。然而,Yealink 并未将源代码许可给任何第三方,以包含在第三方的产品或代码库中。
11) Records sufficient to show Yealink’s service contracts or future contracts to provide VoIP phones and associated VoIP device management services to U.S. customers either directly or through agreements with resellers and partners.
11)记录足以证明 Yealink 与美国客户签订的服务合同或未来合同,直接或通过与分销商和合作伙伴的协议提供 VoIP 电话和相关 VoIP 设备管理服务。
Response:
回复:
The following table summarizes the contract status (the date the contract signed or renewed) of the top 10 resellers (including distributers and resellers) in the United States. It should be noted that Yealink is still in business cooperation with these resellers, even though some of which have not renewed their contracts, but they still maintain the purchasing business relationship with Yealink.
以下表格总结了美国前 10 大分销商(包括分销商和零售商)的合同状态(合同签订或续签的日期)。需要注意的是,尽管其中一些分销商未续签合同,但 Yealink 仍然与这些分销商保持业务合作关系,他们仍然与 Yealink 保持采购业务关系。
12) Records sufficient to show how data is transferred from Yealink devices in the United States to infrastructure abroad, including in the PRC. With this response, please include what data is transferred and what intermediate products or devices—such as the Yealink Device Management Platform (YDMP)—are involved and how. Please provide a diagram of these data flows.
12) 证明数据如何从美国 Yealink 设备传输到海外基础设施的记录,包括在中国大陆的。请随此回复提供传输的数据以及涉及的中间产品或设备(如 Yealink 设备管理平台[YDMP])及其传输方式。请提供这些数据流的图表。
Response:
回复:
Data in Yealink devices in the U.S. is stored in the U.S. in principle and will only be assessed by or transferred to a Yealink Personnel abroad, including the PRC. Please find details in our response to 7) d.
美国 Yealink 设备中的数据原则上存储在美国,并且仅由海外 Yealink 人员(包括中国大陆)评估或传输。请参阅我们对第 7) d.问题的回复以获取详细信息。
Please also note that if a U.S. customer chooses to employ the YDMP, data will only be stored and processed in such U.S. customer’s local server under the customer’s control and Yealink does not have access to or any information regarding the data on the Yealink devices. Therefore, Yealink have no clue about how data is transferred from Yealink devices in the United States to infrastructure abroad, including in the PRC for the YDMP circumstances.
请注意,如果美国客户选择使用 YDMP,数据将仅存储和处理在该客户控制下的本地服务器上,Yealink 无法访问或获取 Yealink 设备上的任何数据信息。因此,Yealink 对于 YDMP 情况下数据如何从美国 Yealink 设备传输到海外基础设施,包括中国大陆,没有任何了解。
13) Records sufficient to show how Yealink protects U.S. Customer data, including:
13) 证明 Yealink 如何保护美国客户数据的记录,包括:
a. Records sufficient to show whether Yealink has the technical capability to store or process any U.S. customer data in the PRC, including U.S. customer information and data collected by their products, and if so, whether any of this data would be subject to PRC laws that could compel Yealink to provide such data to the PRC government.
a. 证明 Yealink 是否有技术能力在中华人民共和国存储或处理任何美国客户数据,包括美国客户信息和由其产品收集的数据,以及如果有的话,这些数据是否受中华人民共和国法律约束,可能迫使 Yealink 向中华人民共和国政府提供此类数据。
Response: Yealink will not have the technical capability to store or process U.S. customer data in the PRC if a U.S. customer chooses to use YMCS. Even in the situation that a U.S. customer actively authorizes Yealink to do diagnose in the PRC, Yealink does not store process U.S. customer data in the PRC once the diagnose is completed. Please find details in our response to 7) d.
回复:如果美国客户选择使用 YMCS,Yealink 将不具备在中华人民共和国存储或处理美国客户数据的技术能力。即使在情况下,美国客户主动授权 Yealink 在中华人民共和国进行诊断,一旦诊断完成,Yealink 也不会在中华人民共和国存储或处理美国客户数据。请参阅我们对第 7) d.的回复中的详细信息。
To the greatest extent we understand, under no circumstances will Yealink be compelled to disclose such diagnosis data to the PRC government according to the current effective laws and regulation of China as such data is generated in U.S. and is not integrated with any data from the PRC.
根据我们最大的理解,在任何情况下,根据中国现行有效的法律法规,Yealink 都不会被迫向中华人民共和国政府披露此类诊断数据,因为这些数据是在美国生成的,并且没有与任何来自中华人民共和国的数据集成。
b. Records sufficient to show whether Yealink stores and processes any U.S. customer data in the PRC, including U.S. customer information and data collected by their products, or whether Yealink has stored or processed any U.S. customer data in the PRC in the past and if so, whether any of this data is subject to PRC laws that could compel Yealink to provide such data to the PRC government. Records including what customer data the PRC can access and collect.
b. 有关 Yealink 是否在中国大陆存储和处理任何美国客户数据,包括美国客户信息和由其产品收集的数据,或者 Yealink 是否曾在中国大陆存储或处理过任何美国客户数据,以及如果是的话,这些数据是否受中国大陆法律约束,可能迫使 Yealink 向中国大陆政府提供此类数据。记录包括中国大陆可以访问和收集的客户数据。
Response: Please refer to our response to 13) a.
回复:请参阅我们对第 13) a.的回复。
c. Records sufficient to show whether Yealink has the technical capability to monitor, record and/or store recordings of calls made in the United States and if so, whether these recordings would be subject to PRC laws that could compel Yealink to provide such recordings to the PRC government.
c. 有关 Yealink 是否具备监控、记录和/或存储在美国境内进行的通话录音的技术能力,以及如果是的话,这些录音是否受中国大陆法律约束,可能迫使 Yealink 向中国大陆政府提供此类录音。
Response: Yealink devices had recording features before May 2022 and the recording stored on a Yealink device can be accessed by Yealink upon customer authorization. However, the recording feature must be activated by the customer proactively and some of the Yealink devices by then needed to insert USB to store recordings. Also, the recording record could only be uploaded to YMCS upon the manual setting by the administrator of the customer and this is for the administrators’ purpose to analyze the quality of the transmission in accordance with the assessment of the IP connection status. The recording feature has been removed since May 2022 and the calls made in the United States cannot be recorded by Yealink devices, except that when some customers in the U.S. choose YDMP to deploy their service, because the update of features on a locally deployed device must be triggered actively and manually by the customer. Even so, in the case of YDMP, Yealink has no access to the Yealink device as the device is locally deployed for customer’s internal use and control.
回复:Yealink 设备在 2022 年 5 月之前具有录音功能,存储在 Yealink 设备上的录音在客户授权后可以被 Yealink 访问。然而,录音功能必须由客户主动激活,当时一些 Yealink 设备需要插入 USB 存储录音。此外,录音记录只能在客户管理员手动设置后上传到 YMCS,这是为了管理员根据 IP 连接状态的评估分析传输质量。自 2022 年 5 月起已移除录音功能,美国地区使用 Yealink 设备拨打的电话无法被记录,除非美国的一些客户选择 YDMP 部署服务,因为本地部署设备的功能更新必须由客户主动手动触发。即便如此,在 YDMP 的情况下,Yealink 无法访问 Yealink 设备,因为该设备是本地部署供客户内部使用和控制的。
d. Records sufficient to show whether Yealink monitors, records and/or stores recordings of calls made in the United States, or whether Yealink has monitored, recorded and/or stored recordings of calls made in the United States; where such recordings are stored; and whether these recordings are subject to PRC laws that could compel Yealink to provide such recordings to the PRC government.
d. 证明 Yealink 是否监控、记录和/或存储在美国境内拨打的电话录音,或者 Yealink 是否监控、记录和/或存储了在美国境内拨打的电话录音;此类录音存储的位置;以及这些录音是否受中国法律约束,可能迫使 Yealink 向中国政府提供此类录音。
Response: Please find our response above to 13) c. As Yealink has disabled the feature of recording since May 2022, Yealink does not monitor, record and/or store recordings of calls made in the United States. Recordings collected before May 2022 was stored on AWS in Virginia, U.S. and Frankfurt, Germany.
回复:请参阅上述对 13) c.的回复。由于 Yealink 自 2022 年 5 月起已禁用录音功能,Yealink 不监控、记录和/或存储在美国境内拨打的电话录音。2022 年 5 月之前的录音存储在美国弗吉尼亚州的 AWS 和德国法兰克福。
e. Records sufficient to show under what circumstances calls are monitored or recorded. Please provide a factual example.
e. 证明在何种情况下会监控或记录通话。请提供一个事实性例子。
Response: Please find our response above to 13) c. Calls will not be monitored or recorded by Yealink devices. Only the quality of transmission will be recorded in accordance with Yealink’s assessment of the IP connection status.
回复:请参阅上述对 13) c.的回复。Yealink 设备不会监控或记录通话。仅根据 Yealink 对 IP 连接状态的评估,会记录传输质量。
f. Records sufficient to show whether Yealink allows personnel in the PRC to have access to any of the products provided to customers in the United States or any networks or systems in which these products are deployed, including the data on cloud services in the U.S.
f. 有关 Yealink 是否允许中国人员访问向美国客户提供的任何产品、或这些产品部署的任何网络或系统,包括美国云服务中的数据的记录。
Response: Please refer to our response to 7) d. for detailed description on the scenario when a U.S. customer chooses to use YMCS.
回复:请参阅我们对第 7) d. 的回复,以获取美国客户选择使用 YMCS 时场景的详细描述。
g. Records sufficient to show whether there is an audit trail or other system in place to track changes to data, including how unauthorized modifications are detected and addressed.
g. 有关是否存在审计跟踪或其他系统来跟踪数据变更的记录,包括如何检测和解决未授权修改的记录。
Response: Yealink has been maintaining current Service Organization Control 2 (SOC2) reports, demonstrating its commitment to security, availability, processing integrity, confidentiality, and privacy. Yealink’s SOC2 reports are audited and renewed annually to ensure ongoing compliance with high standards of data protection. Please refer to the opinions provided in the SOC2 report on Controls at Service Organization Relevant to Security, Availability, Confidentiality and Privacy for 2023 by an independent auditor.
回复:Yealink 一直在维护当前的服务组织控制 2(SOC2)报告,展示了其对安全、可用性、处理完整性、保密性和隐私的承诺。Yealink 的 SOC2 报告每年都会接受审计和更新,以确保持续符合高标准的数据保护。请参阅独立审计师提供的 2023 年关于服务组织相关于安全、可用性、保密性和隐私控制的 SOC2 报告中的意见。
14) Records sufficient to show whether Yealink has received any requests from the PRC government to provide U.S. customer information, data, or communications.
14) 足以证明亿联是否收到中国政府要求提供美国客户信息、数据或通信的任何请求的记录。
a. Records sufficient to show whether Yealink notifies users about call monitoring or recording if the company is requested by any government entities to do so.
一个。足以显示亿联是否应任何政府实体的要求通知用户有关通话监控或录音的记录。
b. Records sufficient to show whether Yealink notifies users when the PRC requests any type of customer information.
b.足以显示 Yealink 是否在 PRC 请求任何类型的客户信息时通知用户的记录。
15) Records sufficient to show whether Yealink receives any funding from the PRC government, any subdivision of the PRC government, or the Chinese Communist Party (CCP), and if so, a full description of such funding, all proposals for such funding presented to any PRC government entity, and any rights guaranteed by the provision of such funding.
15) 足以证明亿联是否从中国政府、中华人民共和国政府的任何分支机构或中国共产党 (CCP) 获得任何资金的记录,如果是,则提供此类资金的完整描述、向任何中华人民共和国政府实体提交的此类资金提案,以及提供此类资金所保证的任何权利。
Response:
回复:
The official grants that Yealink has received are all open and equal programs from the Chinese government for market players, and the purpose of the grants is mainly based on Yealink's own contribution to the manufacturing industry's income generation, green development, and so on.
官方确认,Yealink 收到的所有补助都是针对市场参与者的中国政府的公开平等项目,补助的目的主要基于 Yealink 对制造业收入创造、绿色发展等方面的自身贡献。
a. Regarding to whether any members of Yealink leadership are members of CPC, the situation is summarized as follows:
a. 关于 Yealink 领导层成员是否为中国共产党党员的情况,总结如下:
Name | Proportion of Equity Stake | Responsibility | CPC Member or Not |
Chen Zhisong | 17.41% | Strategy and Overall Management | Not |
Wu Zhongyi | 16.65% | Not employed | Not |
Lu Rongfu | 10.47% | Investments | Not |
Zhou Jiwei | 7.87% | Manufacturing | Not |
Zhang Lianchang | 4.65% | R&D, Product and Marketing | Not |
Chen Jianrong | 4.24% | Not employed | Not |
16) Records sufficient to show a full identification and description of Yealink’s suppliers involved in the production of Yealink’s VoIP phone and associated VoIP device management services offered in the U.S. and what access, if any, these suppliers have to U.S. customer data.
16) 提供足够记录以显示 Yealink VoIP 电话及其在美国提供的关联 VoIP 设备管理服务的供应商的全面识别和描述,以及这些供应商是否以及如何访问美国客户数据。
Response: Due to the limits of time. We may not be able to list out all the suppliers and we have listed down the information of our top 30 suppliers and other suppliers in relation to chips and other key telecommunication spare parts with encryption functions (such as WiFi modes) for your information involved in the production of Yealink’s VoIP phone and associated VoIP device management services offered in the U.S. are as follows:
回复:由于时间限制,我们可能无法列出所有供应商,但我们已列出我们前 30 家供应商以及与芯片和其他具有加密功能(如 WiFi 模式)的关键电信备件相关的其他供应商的信息,供您了解涉及 Yealink VoIP 电话及其在美国提供的关联 VoIP 设备管理服务的供应商信息如下:
17) Records sufficient to show the purpose of and procedures for configuring a public IP address in YDMP.
17) 提供足够记录以显示在 YDMP 中配置公网 IP 地址的目的和程序。
Response: As previously mentioned, YDMP is an installation package that users could download for private deployment. YDMP is installed in a server under the control of the customer and is accessed via an IP address owned by the customer. Whether such IP address is a Local Area Network (the “LAN”) or a public IP address is subject to the customer’s own choice. However, such conduct will be completely determined and performed by the customer and is out of the control or of Yealink.
回复:如前所述,YDMP 是一个用户可以下载用于私有部署的安装包。YDMP 安装在客户控制的服务器上,并通过客户拥有的 IP 地址访问。该 IP 地址是局域网(“LAN”)还是公网 IP 地址由客户自行选择。然而,此类行为将由客户完全决定和执行,并超出 Yealink 的控制范围。
【待确认是否需要同时附上表格里的截图】
18) Records sufficient to show the policies and procedures in place for managing Yealink’s Redirection and Provisioning Service (RPS).
18) 提供足够的记录,以展示管理 Yealink 重定向和配置服务(RPS)的政策和程序。
a. Records sufficient to show how the Yealink RPS Server Administrator obtains and maintains access and control over the connected devices when needed.
a. 提供足够的记录,以展示 Yealink RPS 服务器管理员在需要时如何获取和维护对连接设备的访问和控制。
Response: Please refer to our response to 7).
回复:请参阅我们对第 7 点的回复。
b. Records sufficient to show the services that RPS provides, including the type of services, port number, and persistent or nonpersistent data.
b. 足够的记录以显示 RPS 提供的服务,包括服务类型、端口号和持久或非持久数据。
Response: Please find details of the services provided by RPS devices in our response to 7). The port number of RPS is 443. The persistent data includes the description of RPS device, including MAC, server name, exclusive URL, username, and password, and the description of RPS server, including server name, server URL, authentication username, authentication password, trusted certificate, server certificate, and customized certificate. The nonpersistent data includes the information of the user agent carried upon device requests, including equipment model version.
回复:请参阅我们对第 7 点的回复,以获取 RPS 设备提供的服务详情。RPS 的端口号为 443。持久数据包括 RPS 设备的描述,包括 MAC 地址、服务器名称、专用 URL、用户名和密码,以及 RPS 服务器的描述,包括服务器名称、服务器 URL、认证用户名、认证密码、受信任证书、服务器证书和定制证书。非持久数据包括设备请求携带的用户代理信息,包括设备型号版本。
c. Records sufficient to show how a U.S. customer can choose to change the default setting for Yealink’s device management platform known as Yealink Management Cloud Service (YMCS) to be only on AWS cloud services in the United States. Records reflecting a clear explanation to show what cloud service will be used if the U.S. customer fails to change the setting, including the name and address of the cloud service provider.
c. 足够的记录以显示美国客户如何选择将 Yealink 的设备管理平台(称为 Yealink Management Cloud Service,简称 YMCS)的默认设置更改为仅使用美国 AWS 云服务。记录反映明确的解释,以说明如果美国客户未能更改设置,将使用哪种云服务,包括云服务提供商的名称和地址。
Response: Please refer to our response to 7) d. for a U.S. customer’s active selection on the location of the cloud services. According to the SOC2 report named D.1.5.2 Yealink--FY23 SOC2 Type2报告_20240119, there are three main cloud service providers being used by Yealink, Amazon Web Services (the “AWS”) (for Yealink YMCS-Legacy Edition global service), Microsoft Azure (the “Azure”) (for Yealink YMCS global services) and Alibaba Cloud (the “ALI”) (for Yealink YMCS-Legacy Edition and YMCS mainland China service) as its Subservice Organizations (the “Subservice Organizations”).
回复:请参阅我们对 7) d.的回复,以了解美国客户对云服务位置的主动选择。根据名为 D.1.5.2 Yealink--FY23 SOC2 Type2 报告_20240119 的 SOC2 报告,Yealink 正在使用三个主要的云服务提供商,即亚马逊云服务(“AWS”)(用于 Yealink YMCS-Legacy Edition 全球服务)、微软 Azure(“Azure”)(用于 Yealink YMCS 全球服务)和阿里云(“ALI”)(用于 Yealink YMCS-Legacy Edition 和 YMCS 中国大陆服务),作为其子服务组织(“子服务组织”)。
If the administrator of a U.S. customer chooses to use YMCS, Yealink devices will transfer non-personal information such as MAC and SN to the YMCS platform. Please find details of the specific categories of data in the tables in our response to 7). There categories of data will be stored on the YMCS cloud. Customers must select a geographic region (US, EU or AU) during YMCS account creation. The account region determines where Yealink stores data from managed devices (device data and Tech support data). When the customer’s administrator chooses the U.S. as the registration location, data processed will be stored in Azure’s U.S. data center in Virginia. If a U.S. customer chooses to register the Yealink devices elsewhere, data being accessed via and processed by the Yealink devices may be transferred to Azure in Paris. Customer information (the data relating to the customer’s employees who are in contact with Yealink to procure and administer the product on behalf of the customer) is stored in EU region.
如果美国客户的管理员选择使用 YMCS,Yealink 设备将把非个人信息(如 MAC 和 SN)传输到 YMCS 平台。请参阅我们针对 7)的回复中的表格,以获取具体数据类别的详细信息。这些数据类别将存储在 YMCS 云上。客户在创建 YMCS 账户时必须选择一个地理区域(美国、欧盟或澳大利亚)。账户区域决定了 Yealink 存储来自管理设备的数据(设备数据和技支持数据)的位置。当客户的管理员选择美国作为注册位置时,处理的数据将存储在弗吉尼亚州 Azure 的美国数据中心。如果美国客户选择在其他地方注册 Yealink 设备,通过 Yealink 设备访问和处理的数据可能会转移到巴黎的 Azure。客户信息(与客户联系以代表客户采购和管理产品的客户员工的有关数据)存储在欧盟区域。
【待确认是否需要补充表格中的截图】
d. Records sufficient to show how many U.S. customers are currently on the default setting for YMCS, and how many U.S. customers changed the default setting to be on AWS cloud services.
d. 充分的记录以显示目前有多少美国客户使用 YMCS 的默认设置,以及有多少美国客户将默认设置更改为 AWS 云服务。
Response: Totally 330 U.S. customers are currently on the default settings for YMCS, where customer data will be stored on the AWS server in Europe by default, and 3993 U.S. customers changed the default setting to store data on Azure server in U.S.
回复:目前共有 330 名美国客户使用 YMCS 的默认设置,客户数据将默认存储在欧洲的 AWS 服务器上,而 3993 名美国客户已将默认设置更改为将数据存储在美国的 Azure 服务器上。
19) Records sufficient to show whether Yealink validates digital signatures prior to installing software updates. Provide an example.
19) 充分的记录以显示 Yealink 在安装软件更新之前是否验证数字签名。请提供一个示例。
Response: Currently, Yealink does validate digital signatures prior to installing software updates. Such validation is performed after customer’s installation of the software updates and before the device is successfully restarted. The validation starts when the device is power on and the boot ROM is enabled. The boot ROM, also known as secure boot, is an important security feature designed to prevent malicious software from loading when the device starts up (boots). The boot ROM then validates and signs upon authentication of three partitions of the firmware, namely the bootloader, the kernel, and the rootfs, or the authentication of Flash key partition for validity load check to ensure the legitimacy and integrity of the system in the memory chip. If the authentication is passed, the Yealink device will be successfully restarted.
回复:目前,Yealink 在安装软件更新之前会验证数字签名。这种验证是在客户安装软件更新后、设备成功重启之前进行的。验证从设备开机并启用引导 ROM 时开始。引导 ROM,也称为安全引导,是一个重要的安全特性,旨在防止恶意软件在设备启动(引导)时加载。引导 ROM 随后对固件的三个分区进行验证和签名,即引导加载程序、内核和 rootfs,或对 Flash 密钥分区进行验证以确保系统在内存芯片中的合法性和完整性。如果验证通过,Yealink 设备将成功重启。
结论:话机支持了分区加密和安全引导进行分区验签,提升了固件安全性
请见下文illustration
插图of the digital signature validation process.
数字签名验证过程。【待更新图片为清晰原图】
20) Records sufficient to show whether Yealink utilizes or has ever utilized any of the IP addresses listed below. If yes, explain the specific reasoning, including where it applies to U.S. customers.
20) 证明 Yealink 是否使用或曾经使用过以下列出的任何 IP 地址。如果是,请解释具体理由,包括其是否适用于美国客户。
219.148.146.222 | 150.138.142.116 | 121.28.146.74 | 47.89.187.0 |
218.58.76.105 | 47.242.54.215 | 150.138.142.116 | 47.242.54.215 |
116.236.132.51 | 106.15.89.161 | 109.226.242.12 | 106.15.89.161 |
121.28.146.74 | 222.139.4.101 | 128.1.46.131 | 183.214.207.219 |
52.71.103.102 | 221.239.1.89 | 185.54.185.172 | 222.223.191.12 |
182.148.53.3 | 59.61.75.74 | 222.212.87.91 | 183.230.45.180 |
60.30.127.137 | 58.34.23.85 | 140.206.157.166 | 59.45.30.72 |
110.185.170.147 | 117.25.171.206 | 58.247.63.246 | 218.94.60.242 |
222.240.234.162 | 125.45.142.126 | 183.238.9.170 | 3.124.165.251 |
113.98.98.228 | 35.156.148.66 | 47.75.58.202 |
Response: There are seven IP addresses in the table that Yealink has utilized, which is shown in the following table:
回复:Yealink 在以下表格中显示了七个曾经使用过的 IP 地址:
IP Address | Service Provider | District | Description of Utilize |
128.1.46.131 | Ucloud | Russian | Created on May 17, 2018 to provide RPS access and API interface access services to Russian users during the year, it was deactivated before 2019 and has not been reactivated subsequently. |
47.75.58.202 | Alibaba Cloud | Hong Kong, China | Used to provide RPS access and API interface access services for Asia Pacific (non-continental) customers, not for the U.S. market. The IP address has been deleted on July 27, 2022. |
106.15.89.161 | Alibaba Cloud | Shanghai, China | Used to provide RPS access and API interface access services for customers in mainland China, not for the U.S. market. The IP address has been deleted on June 18, 2023. |
47.242.54.215 | Alibaba Cloud | Hong Kong, China | Used to provide RPS access and API interface access services for customers in mainland China, not for the U.S. market. |
52.71.103.102 | Amazon cloud | Virginia, USA | Used to provide RPS access and API interface access services for U.S. customers, no user data is stored. |
47.89.187.0 | Alibaba Cloud | Virginia, USA | Used to provide RPS access and API interface access service for U.S. customers. Due to the large number of users in the U.S. market, this IP was used as a backup for 52.71.103.102 based on the consideration of maintaining product stability. Yealink has subsequently deleted this IP on January 11, 2022, based on the consideration of sufficient technical capabilities and reduction of operating costs. |
3.124.165.251 | Amazon cloud | Frankfurt, Europe | Used to provide RPS access and API interface access services for European customers, not for the U.S. market. |