Compliance
Russian Federal law No. 152-FZ on Personal Data
In Yandex Cloud, measures were implemented to protect personal data pursuant to Resolution No. 1119 and FSTEC Order No. 21 regarding requirements for 1st-level protection (UZ-1).
When a client, acting as an operator, stores personal data on Yandex Cloud resources, the client authorizes Yandex to process such data. Yandex Cloud is committed to respecting the privacy of personal data, ensuring its security while processing, and meeting all legal requirements pertaining to the protection of personal data being processed.
For more information, see:
- Certificate of compliance
- Statement of Compliance of the Personal Data Protection System with the Requirements of Federal Act No. 152-FZ on Personal Data
- Data Processing Agreement
- Personal data protection guide for clients
GDPR (General Data Protection Regulation)
The General Data Protection Regulation (GDPR) regulates the collection and processing of personal data of individuals who reside in the European Economic Area. It was designed to strengthen data privacy protection and ensure the transparency of data collection, storage, and processing on the internet.
Yandex Cloud treats the GDPR as a global framework for data protection and privacy. If a customer is subject to the GDPR, we make sure that the provision of the Yandex Cloud platform is in line with that customer's legal needs. We are fully committed to privacy and have procedures in place for informing our customers when incidents occur.
For more information, see the Data Processing Addendum.
ISO/IEC certification
The Yandex Cloud Information Security Management System (ISMS) meets the requirements of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This is evidenced by ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 certification.
ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining, and continually improving an ISMS. The ISO/IEC 27001 guidelines help organizations guarantee a high level of security for their core information assets.
ISO/IEC 27017 includes a code of practice for information security control for cloud providers. These guidelines supplement the ISMS implementation requirements set out in ISO/IEC 27001 and are intended for cloud service providers.
ISO/IEC 27018 sets the requirements for the protection of personal data processed by cloud service providers. The standard sets out information security guidelines for protecting the personal information of clients. They supplement the requirements of the basic standard, ISO/IEC 27001.
For more information, see:
- ISO 27001/27018 certificate
- Attachment to ISO 27001/27018 certificate
- ISO 27017 certificate
- Attachment to ISO 27017 certificate
- ISO 27701 certificate
- Attachment to ISO 27701 certificate
PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) contains a set of requirements for cardholder data protection. They are mandatory and apply to all companies that process data from payment systems like Visa, MasterCard, American Express, JCB, MIR, and others.
By ensuring that our cloud infrastructure meets PCI DSS requirements, we enable Yandex Cloud clients to use cloud services to process payment card data with verified high levels of security.
Yandex Cloud has a certificate of compliance with PCI DSS v3.2.1. Compliance with the standard is checked by a QSA auditor on an annual basis.
For more information, see:
- PCI DSS Certificate for Yandex Cloud
- Yandex Cloud PCI DSS Certificate of Compliance with security requirements for merchants
- PCI DSS AOC for Yandex Cloud
- PCI DSS Attestation of Compliance (AOC) for the Yandex data center
- PCI DSS AOC for Yandex Cloud Billing
- Responsibility matrix
PCI PIN Security
The payment card industry standard defines requirements for securely processing and transmitting PIN codes and managing cryptographic keys used to protect PIN codes. Yandex Cloud customers can host acquiring and PIN code transaction processing infrastructure components in the cloud.
For more information, see:
- PCI DSS Attestation of Compliance (AOC) for Yandex Cloud
- PCI PIN Security Certificate for Yandex Cloud
PCI 3-D Secure (PCI 3DS)
The PCI 3-D Secure (PCI 3DS) standard defines the requirements for infrastructure used to receive payments through the 3-D Secure protocol. The protocol adds a separate request to authenticate a card transaction. Protocol components such as the Access Control Server (3DS Server or Directory Server) are normally deployed on the card-issuing bank's side.
Yandex Cloud customers are able to deploy components implementing the 3-D Secure protocol in the cloud infrastructure.
For more information, see:
GOST R 57580.1-2017
GOST R 57580.1-2017 is the Russian national security standard for banking and financial operations. The standard was approved January 1, 2018, and offers a comprehensive approach to developing an information protection process in financial organizations. It also contains requirements for information protection at all lifecycle stages of automated systems and applications used by companies and banks. The standard sets the obligation to apply information protection measures for credit and non-credit financial organizations.
The cloud platform's services are made to comply with this standard to help the organizations whose systems and applications are deployed in the cloud to meet the requirements of the Central Bank (as set forth in Regulations 683-P and 684-P of the Bank of Russia) and ensure compliance with the standard on their cloud systems' side.
The Yandex Cloud platform is certified as compliant.
Yandex Cloud services can be used by systemically important financial institutions, financial institutions that provide payment infrastructure services for systemically important payment systems, and systemically important financial market utilities.
For more information, see:
- Certificate of compliance
- Division of responsibility for meeting the requirements of GOST R 57580.1-2017
Cloud Security Alliance
Yandex Cloud is a corporate member of the Cloud Security Alliance, an international organization with the mission to promote the use of best practices for providing information security in cloud computing and raise awareness thereof.
Yandex Cloud meets the requirements of the Security, Trust, Assurance and Risk (STAR) program at Level 1: Self-Assessment.
For a high-level description of the platform's security measures in one of the most widely used formats, the Consensus Assessments Initiative Questionnaire (CAIQ) v4, see the CSA STAR.
We also participate in the Trusted Cloud Provider program that shows our commitment to a comprehensive security approach, including through continuous improvement of our employees' skills and active involvement in the international professional community.
Central Registry of Russian Computer and Database Software
Yandex Cloud is included in the register of software created pursuant to article 12.1 of the Federal Law "On Information, Information Technologies, and Information Protection" by the basic class "02.05 Software tools for cloud and distributed computing, visualization tools, and data storage systems" and additional classes "02.09 Database management systems", "04.07 Linguistic software", and "04.13 Systems for collecting, storing, processing, analyzing, modeling, and visualizing datasets".
Inclusion in the Register confirms that Yandex Cloud and its individual services in the above-mentioned classes are developed in Russia, which may be an advantage for companies with stricter requirements for using software made in Russia. Information about the registration entry in the Register