
Information Security Whitepaper

This whitepaper is copyrighted by Ningbo Qingcheng Zaowu Technology Co., Ltd. No entity may reproduce, extract, or use the content of this whitepaper in any other way without written authorization; those already authorized in writing should use it within the authorized scope and indicate "Source: Ningbo Qingcheng Zaowu Technology Co., Ltd." Our company reserves the right to pursue relevant legal liabilities against entities violating the above statement.

Preface

Ningbo Qingcheng Zaowu Technology Co., Ltd. (hereinafter "Qingcheng Zaowu") provides a new-generation LaTeX tool service, the LoongTeX Research Platform (hereinafter "LoongTeX"). Characterized by a "user-friendly experience, asynchronous collaboration, unified entry," it helps researchers improve research efficiency, reduce production and management costs, and begin the transformation towards more efficient, collaborative, and secure intelligent research teams.

LoongTeX includes a LaTeX editor, notes, a whiteboard, AI, a formula editor, a table designer, etc., and its products are highly scalable and available. We adopt industry-leading management and technical means to ensure full lifecycle security protection for products and user data. LoongTeX's design, development, and operation fully consider compliance requirements and user personal information privacy requirements, ensuring products meet national laws, regulations, and principle requirements related to network security, personal privacy, and data protection.

1. Security Team and Functions

As a SaaS service provider, Qingcheng Zaowu has always treated the security protection of user business and data as its highest priority. The company has a comprehensive infrastructure security and user business/data security protection system, providing users with all-round protection from the physical level to the application and data levels.

Qingcheng Zaowu's product security team consists of dedicated teams for security management, compliance, business security, data security, emergency response, security tool development, etc. Work content includes product design security assessment, code security review, vulnerability scanning, penetration testing, threat intelligence, intrusion detection, emergency response, data security, security compliance, etc.

2. Compliance

Qingcheng Zaowu highly values product compliance, with dedicated security compliance specialists responsible, actively benchmarking against the highest standard compliance requirements domestically and internationally.

Qingcheng Zaowu actively follows domestic and international product compliance requirements, connects with regulatory agencies at all levels through security management and compliance teams to ensure provided products and services meet requirements. It also has a dedicated privacy team that reviews user privacy agreements, product privacy protection design, and the collection and use of user privacy data, ensuring user privacy data is properly used and processed, maintaining reasonable transparency to users.

3. Personnel Security

3.1 Human Resource Management Process

Qingcheng Zaowu has established a secure human resource management process:

  • New employee appointments must be approved by human resource specialists and the heads of the departments requiring the position, with new employee recruitment processes and results recorded in the human resource system.

  • Before hiring new employees, the human resource department conducts background checks based on position importance and within national laws and regulations, ensuring employee hiring complies with company rules and regulations.

  • New employees must sign labor contracts and confidentiality agreements, which standardize employees' responsibilities and obligations in information security.

  • The legal department reviews the legal terms of employee confidentiality agreements and third-party confidentiality agreements at least once annually and updates them when needed, with updates published through internal knowledge platforms to ensure all employees and relevant personnel can access the latest confidentiality agreements.

  • Employee resignations must be initiated by the employee or department head in the human resource system and reviewed by the human resource department and relevant functional departments before formal resignation, with all accounts deactivated before resignation and all hardware and software assets (such as computers, work documents, etc.) returned.

3.2 Security Training and Learning

Qingcheng Zaowu has established a comprehensive training and learning system. After joining, new employees must participate in training covering company culture, rules and regulations, information security, and reward/punishment mechanisms. The company also organizes training on employees' professional knowledge and skills and on information security awareness from time to time, and has established the following training mechanisms:

  • The company organizes customized information security training based on actual business needs to enhance employee information security awareness, at least three times annually.

  • The company holds information security activities from time to time to promote information security awareness, at least once annually.

  • The company communicates security awareness to employees through various methods from time to time, such as creating security awareness promotional materials and reaching employees through online and offline channels.

3.3 Terminal Security Control

LoongTeX has established comprehensive employee terminal security control policies and deploys them to all terminals by default, with employees unable to delete or modify security configurations personally. LoongTeX employee computer terminals all have antivirus software installed, and through backend security configurations, employees cannot close, uninstall, or modify antivirus software configurations themselves. Only authorized information technology department personnel have administrator accounts for antivirus software to perform security configurations. Antivirus software has real-time virus database updates enabled and regularly performs full-disk virus scans on employee office terminals. LoongTeX uses full-disk encryption on employee office device disks to protect data and file security. When employees resign, they must return office equipment, and the information technology department erases employee device information by wiping hard drives.

4. Web Client Security

4.1 Web Client Runtime Environment Security

Qingcheng Zaowu's web client strictly checks its runtime environment, including debugging detection, injection detection, etc. The purpose of this detection is to ensure the web client runs in a trusted browser environment, preventing the program from being cracked or exploited by malicious software.

4.2 Web Client Data Security

Qingcheng Zaowu's web client uses the operating system's built-in security mechanisms for permission isolation between web clients. Browser local information is encrypted for storage. All communication between browsers and servers uses HTTPS or WSS for encryption.

Qingcheng Zaowu has integrated a team-developed data security solution in the web client, providing system-level encryption capabilities for local privacy data in the web client and unique binding functionality between data and devices. Even if attackers steal users' encrypted data, they cannot decrypt and use it on their own devices. This greatly enhances users' data security boundaries and significantly reduces the likelihood of user data leakage.

4.3 Web Client Security Vulnerability Protection

Qingcheng Zaowu has a dedicated network security vulnerability mining team that conducts security assessments and vulnerability mining for web clients on Android, iOS, Windows, macOS, Linux, etc. The team also performs vulnerability detection on the third-party components (libraries, SDKs) in use, discovering as many application vulnerabilities as possible to ensure web client security. Additionally, LoongTeX regularly invites external professional third-party security companies to conduct penetration testing on LoongTeX and promptly follows up on fixes and resolutions.

4.4 Product Security Capabilities

  • Account Security: Protects accounts with two-factor authentication and protects applications with SSO authentication.

  • Data Security: Ensures enterprise information security through functions like information barriers, fine-grained file permission control, document permission default value management, mobile file encryption, custom watermarks, etc.

  • Email Security: Provides email security capabilities such as anti-phishing, anti-spam, black/white lists, data protection rules, etc.

LoongTeX product security capabilities are updated and iterated rapidly. The latest functions can be referenced on the official website introduction or by contacting customer service for consultation.

5. Network Security

5.1 Network Access Control

Qingcheng Zaowu uses Access Control Lists (ACL) for network isolation. Internally, different network areas are divided such as guest network, office network, development test network, production network, etc. All employees outside the company network boundary need to access company internal resources through VPN connections. The company internal audit department audits access logs, etc., discovers and traces violation operation records, and imposes corresponding penalties.

Qingcheng Zaowu has established strict employee access control policies to restrict internal resource access. Employees accessing internal resources need identity verification; after identity confirmation, employees have only minimum permissions by default. New permission acquisition requires approval and recording by relevant responsible personnel. Permissions have validity periods; after the validity period ends, the system automatically revokes permissions. Employee operations on online services must be conducted through bastion hosts, with all operation logs retained for at least 180 days and audited by the internal audit department.

5.2 Network Firewall

Qingcheng Zaowu uses network firewalls to intercept common network security vulnerability attacks against the LoongTeX suite system. Only authorized security compliance department engineers can uniformly configure network firewall protection rules. The company has established a combined automatic and manual method for updating network firewall configurations.

5.3 DDoS and Network Attack Defense

Qingcheng Zaowu services are delivered to customers through CDN and dynamic acceleration, and reach backend services through the company's load balancing. LoongTeX deploys industry-leading anti-DDoS services, capable of effectively defending against traffic-based attacks, connection-based attacks, etc.

5.4 Network Transmission Encryption

Qingcheng Zaowu products use HTTPS and WSS for encrypted transmission on both internal and external networks, securing the transmission process and ensuring information cannot be tampered with or stolen by man-in-the-middle attacks.

6. Server Security

Qingcheng Zaowu uses self-procured servers to provide services to customers and has implemented a series of security control measures to ensure server production security and effectively prevent network malicious attack behaviors.

6.1 Server Access Control

Qingcheng Zaowu regularly scans server assets, promptly closes unnecessary ports and services, ensures external permissions are minimized, and filters unsafe services to reduce security risks. Security personnel regularly conduct weak password detection and urge server operation and maintenance personnel to improve password complexity to prevent brute-force attacks. All server access must be performed through bastion hosts and audited. Access sources for business services are controlled through whitelists, ensuring services can only be accessed by trusted sources.

6.2 Vulnerability Scanning

Qingcheng Zaowu uses automated vulnerability scanning tools to regularly conduct server vulnerability detection. After confirmation by security personnel, notifications are immediately sent to relevant personnel for processing and repair. Additionally, operation and maintenance personnel regularly perform system patch updates to effectively ensure stable server operation.

6.3 Intrusion Detection

Qingcheng Zaowu has comprehensively deployed HIDS (Host Intrusion Detection System) on physical servers, which can monitor server file baseline changes in real-time, detect abnormal processes, capture active abnormal external connections, trojan backdoors, and other abnormal behaviors, and respond promptly. Additionally, all traffic from web clients passes through WAF (Web Application Firewall) for attack detection and verification, ensuring its security and legitimacy, with malicious requests being blocked in real-time. The security team closely tracks security situations and the latest attack methods, researches intrusion characteristics, and regularly upgrades defense strategies.

6.4 Anomaly Detection

Built on big data platforms and machine learning platforms, the security team conducts multi-dimensional security analysis on massive host logs generated by servers and data collected by self-developed HIDS, establishes anomaly detection models, promptly discovers abnormal behaviors such as risk operations, abnormal processes, malicious network connections on servers, and responds promptly. The security team closely tracks security situations and the latest attack methods, continuously iterates security algorithm models, can update abnormal behavior characteristics, and regularly upgrades defense strategies.

7. Application Security

7.1 Secure Development Process

Qingcheng Zaowu strives to control security risks from the source of security vulnerabilities. By creating security courses and providing training in both on-site and online classroom formats, all developers and product managers must receive security training to understand related security vulnerability causes and coding knowledge. The security team communicates with project managers at project initiation to ensure security requirements and security testing are reflected in project plans. Simultaneously, the security team evaluates and conducts vulnerability mining on third-party libraries and tools used by products to ensure no vulnerabilities are introduced through the supply chain. The security team conducts security reviews of design and coding together with product teams. Before product launch, penetration testing and deployment security assessments are conducted to ensure service security.

7.2 User Account Security

User access to the LoongTeX system can be authenticated through password plus dynamic verification code methods. For logins initiated from unrecognized devices, risk control strategies increase their login verification difficulty. Simultaneously, the account system has defense capabilities against abnormal and brute-force login attempts.

LoongTeX integrates self-developed risk control and anti-cheating systems. It has protection functions such as anti-malicious registration, anti-credential stuffing, anti-brute-force login cracking, etc. Users adopt password + dynamic password multi-factor authentication login, which can effectively avoid account leakage caused by password loss.

7.3 Vulnerability and Security Incident Management

Qingcheng Zaowu monitors internal and external security vulnerabilities and threat intelligence information through various means. The security team uses automated security scanning tools to scan its own services and operating systems, and conducts security checks on application systems through regular penetration testing. After vulnerability and threat intelligence information is confirmed by the security team, risk levels are determined based on harm severity, and notifications are immediately pushed to relevant departments for repair processing. The company has a comprehensive vulnerability lifecycle management strategy, with professional security teams following up on the resolution of all security issues.

Simultaneously, Qingcheng Zaowu's security team maintains close cooperation and communication with industry-leading third-party assessment companies and white-hat communities, irregularly invites external companies and white-hat hackers to conduct penetration testing on services, and provides them with rewards to discover as many security vulnerabilities as possible.

Qingcheng Zaowu has a comprehensive incident management process, implementing 7*24 emergency response strategies. When security incidents occur, the security team quickly classifies incidents according to security emergency plans and initiates emergency response processes to prevent security incidents from expanding. After security incident handling is completed, incident reviews are conducted, including the causes of incident occurrence, incident handling processes and results, main responsible persons for incidents, and follow-up measures, etc. Review results and follow-up measures are recorded to ensure incident closure. When security incidents affect users or customers, we will promptly notify users, customers, or other relevant parties according to incident handling procedures.

8. Data Security

Qingcheng Zaowu has complete lifecycle management for data, with clear processes and technical guarantees from data creation, storage, transmission, use, to destruction. The company has corresponding control measures to ensure the security of data transmission, data storage, data access, and data destruction processes.

8.1 Data Transmission

Qingcheng Zaowu provides tenants with data transmission links supporting strong encryption protocols. Data transmissions such as message pulling, identity authentication, and operation instructions all use HTTPS for encryption and use 2048-bit RSA keys; message push encrypts transmitted data through WSS protocol for protection; video chat uses DTLS-based end-to-server encryption to ensure data transmission security.

8.2 Data Storage

Qingcheng Zaowu uses secure key mechanisms to encrypt and store data. We encrypt and store all customer data such as messages, documents, human resources, finance, etc.

Qingcheng Zaowu has established comprehensive data classification and grading management methods. User information collected by LoongTeX, tenant information in backend management systems, etc., are all strictly classified and graded for management, and sensitive information stored in all systems is encrypted for processing, effectively ensuring user information security.

Encryption algorithms are embedded in each application's source code; keys are generated by the Key Management System (referred to as the "KMS system") and called by each application. The KMS service is responsible for the lifecycle management of keys and sensitive configuration information, including creation, storage, distribution, use, update, deletion, etc. The master keys used for LoongTeX user data encryption and various other sensitive information of LoongTeX services (such as database accounts, passwords, etc.) are all stored in the KMS system maintained by LoongTeX, and reading them requires access to the KMS. The root key of the KMS system is maintained using Hardware Security Modules (HSM). HSM management requires multiple keys to cooperate, with these keys distributed to different functional roles for management. The KMS system uses envelope encryption to encrypt and decrypt data. Master keys used by different tenants are isolated from each other.

In addition to using standard tenant master keys and AES-256 algorithm to encrypt data and data keys for storage, LoongTeX supports customer self-managed keys, where KMS generates data keys, and data and data keys are encrypted for storage using customer-defined master keys and specified encryption algorithms. Customers can independently choose encryption algorithms (such as AES_256, SM4 national cryptographic algorithm, etc.) and independently control key rotation.
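The envelope encryption flow described in this section, as an added Go example that is not LoongTeX's own code: each record is encrypted under a fresh data key, only the wrapped data key is stored, and a second tenant's master key cannot unwrap it. `ToyKMS`, the tenant names and the use of GCM as the AES-256 mode are assumptions for illustration; the HSM-protected root key is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Envelope struct {
	WrappedDEK []byte // nonce || AES-256-GCM(tenant master key, data key)
	Ciphertext []byte // nonce || AES-256-GCM(data key, plaintext)
}

// ToyKMS is a hypothetical in-memory KMS: one 256-bit master key per tenant.
type ToyKMS map[string][]byte

func (k ToyKMS) CreateTenantKey(tenant string) { k[tenant] = randomBytes(32) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe way to continue without entropy
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // keys here are always generated as 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a 16-byte block cipher
	return gcm
}

// seal encrypts pt, prepends the random nonce, and authenticates aad.
func seal(key, pt, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, aad)
}

// unseal fails if the key, the aad or the ciphertext does not match.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// GenerateDataKey returns a fresh data key in plaintext and wrapped form.
func (k ToyKMS) GenerateDataKey(tenant string) (plain, wrapped []byte, err error) {
	mk, ok := k[tenant]
	if !ok {
		return nil, nil, fmt.Errorf("unknown tenant %q", tenant)
	}
	plain = randomBytes(32)
	return plain, seal(mk, plain, []byte(tenant)), nil
}

// UnwrapDataKey decrypts a wrapped data key with the named tenant's master key.
func (k ToyKMS) UnwrapDataKey(tenant string, wrapped []byte) ([]byte, error) {
	mk, ok := k[tenant]
	if !ok {
		return nil, fmt.Errorf("unknown tenant %q", tenant)
	}
	return unseal(mk, wrapped, []byte(tenant))
}

// Encrypt is the application side: get a data key, encrypt locally, store no plaintext key.
func Encrypt(k ToyKMS, tenant string, plaintext []byte) (*Envelope, error) {
	dek, wrapped, err := k.GenerateDataKey(tenant)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, []byte(tenant))}, nil
}

// Decrypt has the KMS unwrap the data key, then decrypts the data locally.
func Decrypt(k ToyKMS, tenant string, env *Envelope) ([]byte, error) {
	dek, err := k.UnwrapDataKey(tenant, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key for %s: %w", tenant, err)
	}
	return unseal(dek, env.Ciphertext, []byte(tenant))
}

func main() {
	kms := ToyKMS{}
	kms.CreateTenantKey("tenant-a") // constructed tenant names
	kms.CreateTenantKey("tenant-b")
	env, _ := Encrypt(kms, "tenant-a", []byte("\\section{Results}"))
	_, err := Decrypt(kms, "tenant-b", env)
	fmt.Println("tenant-b cannot read tenant-a's data:", err != nil)
}
```

Rotating a tenant master key in this layout only requires re-wrapping the stored data keys, not re-encrypting the data itself.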

8.3 Data Access

User data access is strictly permission-isolated. Users cannot access each other's data without authorization. Data access must be completed through explicit authorization by data owners, such as sharing operations, etc. (e.g., documents created by User A are visible only to User A by default, unless he actively grants access permissions to others).

Qingcheng Zaowu employees have no access permissions to any user data by default. All employee operations are strictly restricted and audited.

8.4 Data Destruction

Individual accounts can be deleted or personal information deletion requests can be made through the LoongTeX web client. After receiving account deletion or personal information deletion applications, LoongTeX will delete or anonymize data and documents of the deleted account, etc.

Departing employees of user organizations can submit account deletion applications to tenant administrators. After the user organization confirms that data such as group ownership, schedules, documents, etc., within the departing employee's account have been transferred, the tenant administrator contacts Qingcheng Zaowu through LoongTeX's customer service function. Qingcheng Zaowu, based on the application from the user organization's tenant administrator, deletes or anonymizes data and documents related to the account to be deleted.

When signing cooperation agreements with user organizations, Qingcheng Zaowu agrees with user organizations that when cooperation is terminated, LoongTeX processes account-related data according to legal and regulatory requirements through methods including but not limited to deletion, anonymization, etc.

All data deletion and anonymization technical means comply with industry common standards and legal and regulatory requirements, and are all irreversible.

8.5 Data Security Detection

All login behaviors, operation behaviors, server security baseline file changes, access permission changes, and data access behaviors of servers in Qingcheng Zaowu's online environment are recorded. The security team establishes user behavior profiles and abnormal behavior models to achieve identification, analysis, and correlation of abnormal behaviors, automatically and in real-time detecting various abnormal data access behaviors, such as illegal data access, malicious data crawling and risk operations, login anomalies, permission escalation, etc., and performs alerting or blocking.

9. Physical Infrastructure Security

Qingcheng Zaowu adopts internationally first-class infrastructure to provide customers with secure and stable services. The company has established data center security management systems, clearly specifying requirements such as computer room access management, computer room environmental security, etc., and has implemented comprehensive management and technical measures to ensure infrastructure security.

LoongTeX's supporting data centers are located in Beijing, Hangzhou Zhejiang, and Hohhot Inner Mongolia respectively. Colocation Service Agreements (referred to as "Colocation Agreements") are signed between LoongTeX and colocation service providers, clarifying both parties' responsibilities and obligations, specifying service scope and data center service availability levels. In these facilities, colocation service providers provide physical security services meeting LoongTeX's requirements in different regions, industrial parks, equipment buildings, office areas, critical facilities, and key areas, etc.

LoongTeX provides services such as power supply, HVAC, fire detection, fire extinguishing, etc., for data centers through colocation service providers. LoongTeX requires all colocation service providers to provide appropriate temperature, humidity, power supply, event management, and technical compliance for data centers. According to colocation agreements, colocation service providers provide operational reports to LoongTeX monthly, including data center environmental operational data, indicators, maintenance summaries, data center events, etc.

Data centers are maintained daily by professional personnel and have 7*24 monitoring. Visitors need to apply to LoongTeX to enter data centers and are accompanied by LoongTeX personnel throughout the visit. Entry to data centers and server rooms is reviewed by relevant LoongTeX personnel.

Simultaneously, LoongTeX conducts data center inspections at least annually, reviewing colocation service providers, monitoring colocation service security and operational standards, such as infrastructure environmental management, personnel access and permission management, and asset security management, etc., and issues inspection reports with service providers promptly handling abnormalities found therein. LoongTeX arranges on-site personnel to monitor hardware status and whether destruction is needed. Operators, after receiving notifications from relevant personnel, execute hardware destruction and send back destruction results via email for recording.

10. Disaster Recovery and Business Continuity

10.1 Backup and Disaster Recovery

Qingcheng Zaowu has established relevant regulations to standardize database backup strategies, backup data custody, and backup recovery testing, etc. Business databases all have regular snapshots and backups, with data stored in two locations with three backups. Simultaneously, the company has deployed backup execution monitoring mechanisms to ensure data backup integrity and regularly conducts backup data recovery testing.

Full data backups are executed weekly, and incremental backups are performed automatically in real-time. The company has deployed backup execution monitoring mechanisms. If database backup tasks fail, alerts are automatically sent to database administrators through LoongTeX push functionality. Database administrators check the failure reasons and handle them.

Simultaneously, production environment databases have deployed one-master-multiple-slave mechanisms, deploying databases in data centers at different locations to achieve data availability requirements.

The company extracts backup data daily for recovery testing. R&D personnel propose backup data recovery requirements through database operation and maintenance platforms. After review by R&D leaders, database administrators perform data recovery, and R&D personnel verify whether backup data is usable.

10.2 Business Continuity Assurance

Business system access layers all adopt high-availability access methods, accessing through public gateway services provided by basic service providers. Backends adopt multi-instance access to ensure service reliability. Traffic and faults are meticulously monitored. During traffic surges or faults, degraded operation methods are adopted to ensure business availability.

Qingcheng Zaowu has established emergency response and recovery measures for scenarios that may cause business interruption. Business impact analysis and risk assessment are conducted annually, identifying important business processes and threats that may cause company business and resource interruptions; defining indicators such as Maximum Tolerable Downtime, Recovery Time Objective, and Minimum Service Level; developing response strategies for interruption scenarios of different businesses.

10.3 Emergency Drills

Qingcheng Zaowu has a complete emergency drill mechanism, regularly conducting fault drills, with participants including business teams, security teams, operation and maintenance teams, etc. At least annually, disaster recovery drills are conducted for situations that may cause business interruption to ensure data availability.

11. Change Control

11.1 Program Change

Qingcheng Zaowu has established comprehensive program change management regulations, clarifying change management requirements and processes, including change plan formulation, change approval, and change implementation, etc. Operations that have known or potential impacts on the stability, availability, and security of online services all fall within the scope of online changes. LoongTeX product development strictly controls change operations to prevent change operations from affecting service stability. Online operations must have operation tickets and can only proceed after approval. The company deploys independent development, testing, and production environments for each product-related application. Change operations follow gradual release for launch, and launches all require small traffic testing before formal release, thereby ensuring service stability and security.

11.2 Source Code Control

Qingcheng Zaowu has established strict source code management processes. R&D personnel can only access and manage code repositories corresponding to their teams. Each project code repository in code repositories has set code repository leaders. If R&D personnel need to apply for code repository access permissions outside their teams, they must submit applications in code repositories. After approval by their department heads and the applied code repository leaders, corresponding permissions can be added; redundant permissions unused for long periods will be revoked.

11.3 Infrastructure Change

Qingcheng Zaowu deploys Access Control Lists at public network boundaries to control network access. If changes to ACL configuration baselines and network access control lists are needed, operation and maintenance personnel submit applications through platforms. Professional engineers judge change reasonableness before executing operations. Only authorized engineers have permission to execute network access configuration change operations.

11.4 Change Monitoring

Qingcheng Zaowu conducts internal audits annually to check the operation of the company's internal control system, which covers checks on the execution effectiveness of change management-related controls, and summarizes the results in internal audit reports. If abnormalities are found, the internal audit department communicates with the relevant responsible teams and follows up on rectification results. Incompatible duties in change management processes, including change development, testing, approval, release, and monitoring, are separated.

12. Open Platform Ecosystem Security

LoongTeX is committed to building a rich, diverse, secure, and reliable application ecosystem platform to provide enterprises with more diversified SaaS service experiences, meeting personalized needs of different enterprises. In this model, LoongTeX platform, application developers, customers, and users form a multi-party responsibility system. LoongTeX ensures application security, ecosystem health, and user privacy from multiple aspects such as service provider admission, application development and listing review, permission grading classification and approval, regular security checks, etc.

12.1 Service Provider Admission

LoongTeX has established a strict admission system for ecosystem application service providers to ensure service providers have the capability to guarantee user data security. For example: enterprise establishment for a certain number of years, products already mature and commercialized, serving over a certain number of customers, etc.

LoongTeX conducts qualification review for all ISV admission, review content including but not limited to: company qualifications, R&D capabilities, core members, past experience, customer groups, social reputation, etc.

For service providers with excellent security capabilities, such as obtaining ISO27001 Information Security Management System certification, passing network security level protection third-level filing and evaluation, etc., LoongTeX will display this on their application homepages, facilitating users to quickly and intuitively understand service provider security levels.

12.2 Application Development and Listing Review

LoongTeX has formulated detailed development documentation, providing developers with a set of secure and reliable development methods, guiding ISVs to develop secure, reliable, and compliant applications from the development stage. During store application listing stage, LoongTeX will conduct overall acceptance of application deployment environments, application security, content security, compliance privacy, security defense products, and other multiple aspects, confirming application security compliance through supplier questionnaires, application walkthroughs, etc.

LoongTeX conducts 100% strict review for each application before listing, grading processing based on third-party application risks. According to permissions obtained by applications and number of tenants or users used, they are divided into 3 levels. Each level covers deployment environments, application security, content security, compliance privacy, security defense products, and other multiple aspects.

  • P0: Basic bottom-line requirements: Applicable to all application listings

  • P1: Enhanced security requirements: Applicable to applications with sensitive permissions and high usage volume

  • P2: Recommended security measures: Recommended for top applications to implement

12.3 Permission Grading Classification and Approval

Based on user and customer data security considerations, LoongTeX open platform applications all need to apply for permissions, and can only use permission-bound open capabilities after review by open platform or tenant administrators. We divide permissions into ordinary permissions and advanced permissions:

  • Ordinary permissions: Permissions with a general data sensitivity level, such as obtaining a user's user ID, sending messages as the application identity, etc.

  • Advanced permissions: Permissions accessing or operating on data with a higher sensitivity level, such as obtaining user organizational structure information, updating calendars, schedules, and busy/free information, etc.

For enterprise self-built applications and store applications, LoongTeX adopts different levels of permission application and approval strategies, maximizing the legitimacy and minimum necessity of permission use while remaining operable. For store applications, all permission operations must pass two reviews: the application listing process and the tenant installation application process. Listing is reviewed by the open platform; installation is reviewed by tenant administrators during version updates. Tenant administrators configure review exemption rules based on the actual data control demands of their tenant to reduce the review burden.

Based on personal information protection and other relevant laws and regulations requirements, obtaining certain sensitive personal information or calling system sensitive permissions may require users' separate authorization. Such as: obtaining user geographical location, accessing microphones, etc.

12.4 Security Monitoring Scanning

LoongTeX uses automated vulnerability scanning tools to conduct security scanning on third-party applications, detecting whether servers have vulnerable or easily attacked services, and continuously conducting risk warning and vulnerability detection on third-party applications.

LoongTeX security team irregularly conducts security testing on third-party applications, simulating real hacker attacks to conduct in-depth security assessment on application store applications, achieving security risk left-shift.

