Federal Law No. 152-FZ "On personal data"
In Yandex.Cloud, personal data protection measures have been implemented pursuant to Resolution No. 1119 and FSTEC Order No. 21, which set out the requirements for protection level 3 (UZ-3).
When a client, acting as an operator, places personal data on Yandex.Cloud resources, the client entrusts Yandex.Cloud with processing this data. Yandex.Cloud is committed to respecting the confidentiality of personal data, ensuring its security during processing, and meeting all legal requirements pertaining to the protection of the personal data it processes.
For more information, follow the links:
- Statement of personal data protection system compliance with the requirements of Federal Law No. 152 "On Personal Data"
- Data Processing Agreement
GDPR (General Data Protection Regulation)
The General Data Protection Regulation (GDPR) regulates the collection and processing of personal data of individuals who reside in the European Economic Area. It was designed to strengthen data privacy protection and ensure the transparency of data collection, storage, and processing on the internet.
Yandex.Cloud meets key GDPR requirements. Procedures have been put in place to process requests from personal data subjects regarding personal data receipt, modification, and deletion. Data protection measures have been implemented and a procedure for notifying users of incidents has also been established.
For more information on the subject, see the Data Processing Addendum.
The Yandex.Cloud information security management system (ISMS) satisfies the requirements of the International Organization for Standardization (ISO). The ISMS was audited by an international team from BSI. Based on their findings, Yandex.Cloud was certified ISO 27001, ISO 27017, and ISO 27018 compliant.
ISO 27001 defines the requirements for information security (IS) management systems, including their implementation, operation, maintenance, and regular improvement. The ISO 27001 guidelines help organizations guarantee a high level of security for their core information assets.
ISO 27017 includes a set of practical information security recommendations for cloud providers. These recommendations supplement the ISMS implementation requirements set out in ISO 27001 and are intended for cloud service providers.
ISO 27018 addresses the requirements for the security of personal data processed by cloud service providers. The standard sets out information security guidelines for protecting the personal information of clients. They supplement the requirements of the basic standard, ISO 27001.
PCI DSS (Payment Card Industry Data Security Standard) contains a set of requirements for cardholder data protection. They are mandatory and apply to all companies that process data from payment systems like Visa, MasterCard, American Express, JCB, and MIR.
By ensuring our cloud infrastructure meets PCI DSS requirements, we enable Yandex.Cloud clients to use cloud services to process payment card data with verified high levels of security.
All Yandex.Cloud availability zones are PCI DSS v3.2.1 certified for physical security. The audit covered the following:
- The granting and blocking of physical access to data centers.
- The use of video surveillance and access control systems (ACS) to control physical access.
- The logging of visitors and their escort during visits to data centers.
- The monitoring of data storage and the management of access to data carriers.
- The destruction of data carriers.
- The detection and identification of unauthorized wireless access points on a quarterly basis.
- The policies and procedures for restricting physical access and detecting wireless access points.