Safe and Stable Operations

Operational safety and stability represent one of our core value objectives. With comprehensive security strategies and technical measures, the Group spares no effort to ensure business continuity and data security.

Operation Safety and Business Continuity

VNET has always adhered to delivering high-quality and sustainable internet infrastructure services. It pays close attention to and effectively copes with the internal and external risks faced in business operations to ensure the security, stability, and continuity of business operations.

In terms of safety operations, we first prioritize site selection of data centers in regions that are distant from significant natural and geographical risks to minimize the impact of natural disasters on operations. Data center designs strictly adhere to Level A standards outlined in the Code for Design of Data Centers (GB 50174-2017) and meet the physical environment security requirements of Level 3 Cybersecurity Protection Standards. Rigorous physical access controls are enforced, including security personnel, smart turnstiles, and access authorization systems at data center and office entrances to strictly manage entry permissions according to access authorizations. Comprehensive surveillance systems cover all internal and perimeter areas of data centers, ensuring no security blind spots.

The Group has established and effectively operated a business continuity management system. We have formulated and continuously evaluated the Business Continuity Management Strategy, Business Impact Analysis, and Business Continuity Plan, updating them in a timely manner according to actual needs to ensure that the control measures of the strategies and procedures remain appropriate, sufficient, and effective. Comprehensive business impact analysis and risk assessments are conducted for data centers to ensure key businesses can operate continuously, or that they recover to acceptable service levels within predefined timelines during major security incidents, disasters, or disruptions. Each business unit develops Emergency Response Plans tailored to their operational activities and risk scenarios, conducts regular drills, and refines emergency procedures through post-event reviews to enhance business continuity management capabilities. Currently, multiple sites involved in the main business have been certified with the Business Continuity Management System (ISO 22301).

Cybersecurity and Privacy Protection

Leveraging its extensive security management expertise, VNET continuously strengthens operational capabilities for data centers and cloud service platforms through robust cybersecurity management systems, rigorous data protection protocols, advanced cybersecurity tools, and risk management procedures, providing solid safeguards for cybersecurity and privacy protection.

·Management Structure and System

VNET strictly adheres to cybersecurity and privacy laws of where we operate, and continuously strengthens the management system construction and implementation through policies such as Network and Information System Management Regulations, Information Security Management Requirements, and Information Security Risk Management Procedures. These policies clarify cybersecurity responsibilities across business units and standardize daily security practices. We have formulated a group-wide Privacy Statement, which clarifies the type and nature of the information that may be collected, how it will be used, the consent processes, and how it will be retained, stored, and protected, etc., ensuring comprehensive protection of customer privacy.

The Group has established a sound information security governance structure to oversee and execute information security (including data and privacy protection). The Audit Committee of the Board of Directors monitors the disclosure of cybersecurity matters in the periodic reports of the Group. The Group's information security program is overseen by our Chief Information Security Officer (CISO), with collaboration across businesses and functions and input from both management and the Board of Directors. The CISO is responsible for developing and executing the Group's information security strategy, with the primary goal of safeguarding the Group's information and technical assets. This includes monitoring, reporting, managing and remediating cyber threats.

The Group actively engages in certification efforts related to information security and privacy protection to consolidate and enhance its information security protection capabilities. At present, the Group has obtained the Information Technology Service Management System (ISO/IEC 20000) and the Information Security Management System (ISO/IEC 27001) certifications across all business types1. Furthermore, the online services operated by 21Vianet have obtained the Code of practice for protection of personally identifiable information in public clouds (ISO/IEC 27018) certification.

Guided by our security policies and objectives, the Group conducts regular internal audits focused on management compliance reviews, covering operational management, service delivery, information security, business continuity, etc. Annual third-party security audits by accredited external firms provide objective evaluations of data center operations, identifying and eliminating potential operational and data security risks to continuously improve the standardization and security of business management. For validating the security and availability of internet data center services, we engage independent third parties to conduct SOC 2 Type II audit. 21Vianet Blue Cloud has obtained 9 Trusted Cloud certifications from the China Academy of Information and Communications Technology and passed SOC 1 Type II, SOC 2 Type II, and SOC 3 audits by independent third parties.

·Guarantee Measures

• ◇Cybersecurity

• VNET primarily offers data center colocation services, which involve leasing IT equipment hosting space, internet access bandwidth, and network links to clients, along with providing data center O&M support. Customers retain full management authority over their servers, and we do not directly or indirectly access data or information stored within their servers. Therefore, our focus is on strengthening physical security measures for data centers to ensure a stable physical environment for clients' IT equipment, safeguarding both the physical integrity and operational reliability of their systems.




• In addressing cybersecurity and network perimeter defense, we strictly adhere to the Group's cybersecurity management and data protection policies to ensure timely and effective risk mitigation, thereby protecting the security of the Group's networks and data assets.




• ◇Privacy Protection

• We integrate data protection measures into the development of products and services.  We conduct privacy impact assessments and, by deploying a private cloud and implementing data encryption, access control, backup and disaster recovery and other measures, provide a highly secure and controllable data storage and processing environment for products and services development.




• We have set the Personal Information Collection Notice applicable to all visitors, which clarifies that the Group only collects the personal information necessary for visitor management and keeps the collected and used information strictly confidential. We promise not to disclose, tamper with, sell, or illegally provide it to others. The relevant information will be properly deleted and securely handled after the visitors leave. For confidential or sensitive data such as confidential information of customer projects and personal identifiable information, we enforce stringent access control management to strengthen the security of data access. To prevent data leakage, we enable hard disk encryption and install data loss prevention software on office computers. Third-party vendors operating on-site shall use company-provided laptops with internally managed accounts, adhering to the principle of least privilege for system access. We collaborate with certified data destruction institutions to ensure that end-of-life IT equipment undergoes rigorous degaussing, secure erasure, and physical destruction of storage media, thereby eliminating residual data exposure risks.

·Capability and Culture Building

We keep strengthening employees' awareness and capabilities in cybersecurity and privacy protection. Tailoring to the diverse data security risks associated with different positions, we offer targeted training that encompasses various aspects such as information security laws and regulations, systems, concepts, and technologies. All new employees are required to complete the specialized information security training and pass the examination. The Group further enhances employees' awareness in regard to identifying and avoiding phishing emails. We regularly issue phishing alert notifications and organize company-wide phishing simulation drills, aiming to elevate the organization's collective ability to identify and mitigate cybersecurity threats. As of the reporting period end, 100% of employees have received cybersecurity training.

An internal reporting mechanism has been established, allowing employees to report security incidents, vulnerabilities, or suspicious activities via internal messaging platforms, email, or phone calls to the cybersecurity and information system security working group. The working group reviews submissions, verifies sources, and takes appropriate actions.

VNET has set up a compliance and information security excellence award fund to recognize and reward teams and individuals demonstrating outstanding contributions in these aspects. Conversely, those who delay, falsify, conceal, or omit reporting security incidents, or engage in dereliction of duty, will face disciplinary actions in accordance with the Regulation on Assessment and Accountability of Cybersecurity and Information System Security. Criminal offenses will be prosecuted under relevant laws.

Responsible Supply Chain

VNET strictly complies with applicable laws, regulations, and industry standards. In accordance with the Regulations on Procurement Management, Rules on Supplier Management, and Rules on Procurement Personnel Behavior, we clearly define the division of responsibilities in the procurement process, strictly regulate the professional ethics of procurement personnel, and closely monitor the product delivery quality of partner suppliers to ensure the high-quality operation of the entire procurement management chain.

By the end of 2024, the total number of suppliers in the database was 3,133. Through the integration of the Supplier Relationship Management (SRM) system, the Group has achieved digital management of the entire supplier lifecycle, covering key aspects such as supplier sourcing, access review, contract fulfillment management, and collaborative communication. This has effectively enhanced the visibility and traceability of the procurement management process.

Furthermore, the Group has established a rigorous supplier management process:

• ◇During the supplier qualification phase, we objectively and fairly evaluate suppliers through a scientific assessment system, ensuring only qualified suppliers enter the pool. We also conduct on-site inspections to evaluate suppliers' production capabilities, equipment conditions, quality management processes, etc., so as to select high-quality suppliers.

• ◇For existing suppliers, we continuously conduct monitoring and evaluation and regularly carry out comprehensive assessments, covering service awareness, product quality, contract fulfillment capabilities, and other aspects, to ensure that suppliers consistently meet the Group's requirements.

• ◇For substandard suppliers, following an assessment and rectification process, we classify them as suppliers under rectification, unqualified suppliers, suspended-cooperation suppliers, and suppliers on the blacklist. This allows us to assist suppliers in resolving their problems more effectively.

We formulated and issued the Supplier Code of Conduct, which regulates and restricts suppliers from multiple dimensions such as business ethics, environmental protection, human rights, data security, and privacy protection. All suppliers are required to sign and abide by this code. While ensuring the fulfillment of procurement needs and contractual agreements, we have incorporated ESG risk considerations into the supplier management process, focusing on their performance in environmental protection and low-carbon, cybersecurity and privacy protection, labor rights and interests, occupational health and safety, and integrity and honesty. Additionally, we actively encourage suppliers to improve their sustainable development performance. This year, the Group conducted specialized training and exchanges with key suppliers on core topics such as privacy and data security, integrity and business ethics, and environmental protection, comprehensively enhancing suppliers' awareness and practical capabilities related to sustainable development. In 2024, zero non-compliant behaviors were found among suppliers in terms of business ethics, information security, employees’ rights and interests, or environmental protection.