sf16-muse-va.ibytedtos.com · 2020. 4. 16.
Section II – Management’s Report of Its Assertions on the Effectiveness of Its Controls over the Lark Technologies Pte. Ltd.’s Lark Suite Services System Based on Trust Services Criteria for Security, Availability, Confidentiality and Privacy

December 31, 2019

We, as management of Lark Technologies Pte. Ltd. (“Lark Technologies” or “we” or the “Service Organization”), are responsible for:

• Identifying the Lark Technologies’ Lark Suite Services System (the “System”) and describing the boundaries of the System, which are presented in Section III;
• Identifying our principal service commitments and system requirements;
• Identifying the risks that would threaten the achievement of our principal service commitments and system requirements that are the objectives of our system, which are presented in Section III;
• Identifying, designing, implementing, operating, and monitoring effective controls over the System to mitigate risks that threaten the achievement of the principal service commitments and system requirements; and
• Selecting the trust services categories that are the basis of our assertion.

We assert that the controls over the System were effective throughout the period June 1, 2019 to November 30, 2019, to provide reasonable assurance that the principal service commitments and system requirements were achieved based on the criteria relevant to Security, Availability, Confidentiality and Privacy set forth in the AICPA’s TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Very truly yours,

Lark Technologies Pte. Ltd.

Section III – Description of Lark Technologies Pte. Ltd.’s Lark Suite Services System Relevant to Security, Availability, Confidentiality and Privacy Throughout the Period June 1, 2019 to November 30, 2019

Overview of the Organization

Founded in 2018, Lark Technologies Pte. Ltd. (“Lark Technologies” or “the Company”) provides cloud-based Software-as-a-Service (“SaaS”) as the core of its service. The Company is dedicated to developing and providing secure, stable and reliable cloud-based office suite solutions, with a mission to enable user entities to transform the way they work and to provide cloud-based office suite services.

Lark Technologies provides the new-generation office suite SaaS, Lark Suite, which is mobile-friendly, supports real-time collaboration and provides a single point of access. Lark Suite helps user entities improve work efficiency and reduce production and administrative costs, enabling them to shift to more efficient, better coordinated and more secure intelligent businesses. Meanwhile, the Company has leveraged information technology and application systems to support the implementation of control activities related to the development and operation of Lark Suite.

Scope of the Report and System Boundaries

The services of Lark Suite within the scope of the report are as follows:

Lark Instant Message (“IM”)

Lark IM (“Lark”) supports online communication, the transmission of text messages, documents and pictures, and voice and video communication via IM technology. Messages (including text, pictures, voice, video and documents) sent via Lark are stored in the client terminals of the sender and receiver as well as in the backend database of Lark.

Online Document

Online Document (“Docs”) supports multiple users editing an online document simultaneously. Supported document formats include Word and Excel. Multiple users can collaborate to edit the same document, and a document can be set as private or shared. By default, Docs cannot be shared outside the tenant unless the document is explicitly set to be shared outside the tenant. Users are able to insert various types of content into a document, including comments, other documents, tables and contact group cards.

Cloud Storage

Cloud Storage supports high-speed uploads and downloads and previews of files in multiple formats. All files are stored in the cloud computing environment in real time, rather than locally, to build an online corporate knowledge center. Cloud Storage also keeps a history of changes that can be traced back or restored at any time, and allows users to view, edit, share and access their files anywhere, on any device, to make the most of knowledge resources.

Calendar

Calendar is designed to help businesses and users coordinate and arrange personnel, conference rooms and other resources to achieve more intelligent schedule management. Calendar supports schedule creation, conference invitations, one-click conference group creation, schedule sharing, subscription to others’ schedules, public calendar creation, etc.

Audio/Video Conference

Audio/Video Conference supports efficient, high-definition and stable teleconferencing and remote work for up to 10 people free of charge via the Internet. If the number of attendees needs to be increased, the user entity can apply for the chargeable function.

Open Platform

Open Platform provides user entities with efficient application development and usage capabilities. It offers a simple and easy-to-use development environment to help user entities quickly develop stable and secure applications, which are available not only to themselves but also to a large number of other user entities as products in the Application Center on Open Platform. As a user, a user entity can integrate third-party applications purchased from the Application Center into its Lark Suite tenant. Third-party applications include applets, H5 applications, robots, etc.

The report covers only Lark IM, Docs, Cloud Storage, Calendar, Audio/Video Conference and Open Platform of Lark Suite, which is deployed in Amazon Web Services (“AWS” or the “subservice organization”), and excludes the internal controls implemented by AWS (such as elastic compute service, physical access and physical environmental security, etc.).

Principal Service Commitments and System Requirements

Lark Technologies designs its processes and procedures related to the service systems to meet its service commitments and system requirements for Lark Suite services. Those service commitments and system requirements are based on the service commitments that Lark Technologies makes to its user entities and on the operational and compliance requirements that Lark Technologies has established for the services.

Security, availability, confidentiality and privacy commitments to user entities are documented and communicated in agreements with user entities. These commitments are established by setting up standards and protocols and include, but are not limited to, the following:

• Applying management, operational and technological controls to protect business data and confidential information and to guarantee the sustainable operation of business and application systems;
• Deploying encryption technologies to protect business data and confidential information in transit; and
• Applying management, operational and technological controls to ensure compliance and security in the collection, usage, retention, disclosure and disposal of personal information.

Lark Technologies establishes operational requirements that support the achievement of security, availability, confidentiality and privacy commitments and other system requirements. Such requirements are communicated in the Company’s system policies and procedures and system design documentation. Information security policies define an organization-wide approach to how systems and data are protected. These include policies on how the internal control system is operated, how internal application systems and networks are managed, and how employees are hired and trained. In addition to these policies, standard operating procedures have been developed and documented on how to carry out the specific manual and automated processes required in the development and operation of the service systems.

Software and Infrastructure

Lark Technologies takes advantage of information technology systems and application systems to support the effective implementation of control activities related to Lark Suite. Lark Technologies has deployed a series of management information systems to support its operation and maintenance management, including human resource management, identity authentication, authority management, development and test management, key management, security vulnerability management, system operation management, etc.

Lark Technologies has established a series of formal policies and procedures to regulate software- and infrastructure-related specifications and management requirements, covering identity and access management, software security development and change management, data security and key management, security vulnerability and security incident management, system operation management, availability management, privacy protection, etc.

Lark Technologies uses subservice organizations to provide IT equipment colocation services. The Company has signed service agreements with the subservice organizations that define requirements for access management to server rooms, environmental security, etc. The Company reviews the monthly inspection reports of server rooms provided by the subservice organizations every month and carries out a security inspection of the data centers at least once a year. The inspection covers environmental management of infrastructure, access and authorization management, asset security management, etc. If any exception is identified, the Company communicates the inspection results to the subservice organizations in a timely manner.

Lark Technologies uses AWS to provide the Elastic Compute Service that hosts Lark Suite. The Description includes only the controls of Lark Technologies and excludes the controls of the subservice organization; it does not extend to the controls of AWS. Lark Technologies obtains the System and Organization Controls (“SOC”) reports from AWS in order to evaluate whether the internal control requirements of the AWS cloud computing services used by the Company have been met. If exceptions are noted, the Company communicates with AWS on follow-up measures.

People

Lark Technologies has established a comprehensive organizational structure and has clearly defined the responsibilities of employees in different positions and roles. In addition, Lark Technologies uses a Human Resource management system to maintain employee information on job responsibilities, departments and reporting lines.

Lark Technologies has established a structured onboarding process to help new employees understand their responsibilities regarding information security, the code of conduct and performance evaluation. Before a new employee is hired, the Human Resources Department conducts a background check, subject to the laws and regulations of the country and according to the importance of the employee’s position, to ensure that the recruitment meets the Company’s rules and regulations. In addition, new employees must sign the confidentiality agreement prior to joining the Company, which describes the employee’s obligations and responsibilities regarding information security.

Lark Technologies has established a series of information security training and learning mechanisms to meet the Company’s requirements. Newly hired employees are required to participate in training on corporate culture, rules and regulations, information security, and reward and punishment mechanisms. Meanwhile, the Company organizes training on an aperiodic basis to enhance employees’ professional knowledge, skills and information security awareness.

Procedures

Lark Technologies has designed and implemented a series of procedures in its routine operation and management in terms of security, availability, confidentiality and privacy, including but not limited to:

• Control Environment
• Information and Communication
• Risk Assessment
• Monitoring
• Product Security
• Identity and Access Management
• Change Management
• Data Security and Key Management
• Security Vulnerability and Security Incident Management
• Endpoint Security
• Capacity, Backup and Business Continuity Management
• Privacy Protection

Data and Confidentiality

Lark Technologies has established formal policies to regulate data security management procedures. In addition, Lark Technologies has established a series of controls to ensure the security and confidentiality of data during transmission, storage, access and disposal. Lark Suite uses pull and push mechanisms for two-way protection of message data to ensure that messages reach their recipients; uses a key mechanism to support the encrypted storage of data; and provides a communication channel based on a secure encryption protocol for data transmission. Lark Technologies agrees with the user entity in the privacy policy that when the service is terminated, the corresponding data will be disposed of according to the user entity’s requirements.

Availability

Lark Technologies analyzes and plans the capacity needs of Lark Suite every year and then forms capacity management plans based on the analysis results, to ensure that the Company has sufficient resources for business development. Meanwhile, Lark Technologies has designed and implemented technical control measures and management processes to regulate the expansion and reduction of capacity during daily operation, so as to ensure the availability of server resources.

Lark Technologies has established strategies for backup, backup retention and backup monitoring to ensure the availability of Lark Suite.

Lark Technologies has developed a business continuity management plan that provides guidelines for emergency response and recovery measures in scenarios that may lead to business disruption. The Company performs a business impact analysis and risk assessment on an annual basis to identify key business activities, identify potential business threats, evaluate the risk level and develop a risk response strategy.

Lark Technologies has defined the emergency plan and response process for different emergency scenarios and documented them in the emergency response plan. The Company organizes a disaster recovery drill at least once a year for pre-defined scenarios that may lead to business disruption.

Privacy

Lark Technologies has developed a Software Privacy Policy which defines personal information and describes the requirements for the collection, usage, retention, disclosure and disposal of personal information. In addition, Lark Technologies assesses the compliance of its privacy protection at least once a year to monitor compliance with the various data protection regulations.

The Company provides users the ability to access and confirm their personal information. The Company stipulates in the Software Privacy Policy the channels through which users can raise objections or complaints. If a user has any objection or complaint about the way the Company handles his or her information, the user can contact the Company via email. The Company will respond to the user’s request in a timely manner and send the follow-up results to the user.

In addition, the Company has formulated formal policies to regulate the classification, response and emergency handling procedures for data leakage incidents.