Yandex Cloud and Federal Law № 152-FZ

Transfer, store, and process your Russian employees' and customers' personal data in a secure cloud inside Russia.

Yandex Cloud offers a ready-made solution for localizing personal data in compliance with Russian data privacy laws (Federal Law № 152-FZ). The platform is FSTEC certified and meets all the requirements for the protection of personal data stored and processed in the cloud.

What makes Yandex Cloud the right choice?

Our own data centers
Yandex Cloud’s fully-owned data centers are located in three geographically distributed zones and are connected by proprietary communication channels. We design and manufacture servers and server racks ourselves, with full control of the entire process.
Easy migration
Many Yandex Cloud services provide APIs compatible with popular cloud platforms. Use the same code and easily migrate your services and applications without losing functionality or interrupting business processes.
Convenient data storage
Store any amount and type of data in Object Storage. Use our managed databases like Managed PostgreSQL to integrate payment systems or Managed ClickHouse to aggregate data from a variety of sources.
Help and tech support
Detailed documentation and 24/7 tech support as you migrate and begin using Yandex Cloud services. Our partners can also help integrate and document your system in line with all legal requirements.
Transparent pricing
Take full control of your spending, and only pay for the resources you actually use. Flexibly scale your solution as activity and data volumes grow.
Platform services
Go beyond simple virtual infrastructure — take advantage of the full potential of Yandex Cloud platform services. Grow your business with our managed, ML, and serverless services.

Yandex Cloud services comply with national and international standards: ISO, GDPR, PCI DSS, and GOST R 57580. Our compliance with Russian Federal Law № 152, confirming the highest level of security, is also certified.

Create resilient, manageable, and scalable applications and projects in compliance with the requirements of Federal Law № 152-FZ. Here’s an example of a hybrid approach to managing personal data using Yandex Cloud services and local infrastructure.

Getting started with personal data

Step 1: Identify the data type and the processes it is used in
Determine what type of data you plan to work with. If this is personal data, determine its category and choose the appropriate level of security. Determine the business processes and application components in which the data will be processed.
Step 2: Choose personal data protection tools
Decide which protection tools will be Yandex Cloud services, which will be downloaded from the Yandex Cloud Marketplace, and which will need to be installed additionally. You also need to understand the scope of responsibility: your own and that of the service provider.
Step 3: Evaluate compliance with Federal Law № 152-FZ
As you migrate your infrastructure (partially or fully) to the cloud, you will need to evaluate your compliance with the requirements of Federal Law № 152-FZ. Make sure that everything is set up and working properly within your scope of responsibility and that everything is documented correctly from a legal point of view.
Yandex Cloud’s partners can help you reach full compliance with Federal Law № 152-FZ, provide infrastructure protection services during your cloud migration, tell you which components need to be transferred, and prepare documentation and a project to protect the localized system.
B-152: Protecting personal data and bringing business processes into compliance with Federal Law No. 152-FZ and GDPR.
Informzaschita: A leading system integrator in the field of information security.
InCountry: Providing and maintaining corporate infrastructure solutions.
CardSecurity: Physical and document security of financial, payment, and personal data.

Questions and answers

What are the requirements for storing and transferring personal data in Russia?

Personal data of Russian citizens must be stored inside Russia. Cross-border data transfers are only possible with the owner’s consent and if the data had originally been added to a database hosted in Russia. The law also imposes requirements on how data is processed and the technical protection of the information system, including the part located in Russia.

Should the entire system be hosted in Russia?

No. Only the databases with Russian citizens' personal data and the infrastructure components responsible for processing this data must be located in Russia.

How does the cloud platform help meet security requirements?

Yandex Cloud data centers are located in Russia and their infrastructure fully meets the requirements of Federal Law No. 152-FZ. All you have to do is ensure the application side is compliant, build a number of processes, and create the relevant documentation. You can assign these tasks to our partners.

What is the responsibility of the cloud provider to protect personal data?

The provider’s responsibility varies depending on the cloud service model used by the customer — Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS) — and the security mechanisms and policies available to the cloud provider.

For IaaS: The provider is responsible for the physical security and fault tolerance of the platform itself, network security, and the collection and analysis of security events from hypervisors and other infrastructure components.

For PaaS/SaaS: The provider ensures the security of PaaS/SaaS components. This includes VM protection, DB backups, and encryption of user data hosted in the cloud under Federal Law № 152-FZ.

What is the responsibility of the customer to protect personal data?

The customer is responsible for managing access rights to resources and preventing unauthorized access to data. In both private infrastructure and cloud service models, companies are solely responsible for ensuring that data is labeled and properly classified to fulfill any regulatory compliance requirements.

The customer’s responsibility also varies depending on the cloud service model chosen: IaaS, PaaS, or SaaS. Companies that use the IaaS model should be responsible for the security of guest VMs, backing up VMs, protecting the virtual network, controlling access to resources, and securing cloud user accounts.

When using managed services (PaaS/SaaS), it is the responsibility of the customer to classify data, ensure access control, set up data protection, and manage their users and end devices.

While storing personal data in the cloud under Federal Law № 152-FZ, you continue to be the owner of the data and must fulfill all the duties as the data operator. This includes acquiring consent to process personal data, notifying Roskomnadzor about data processing, and modeling threats to your information systems.

You can do this yourself or with the help of one of Yandex Cloud’s trusted information security partners.
