Federal law No. 152-FZ "On personal data"
Yandex.Cloud has implemented measures to protect personal data pursuant to Resolution No. 1119 and FSTEC Order No. 21, in line with the requirements for 1st-level protection (UZ-1).
When a client, acting as an operator, places personal data on Yandex.Cloud resources, the client entrusts Yandex with processing this data. Yandex.Cloud undertakes to respect the confidentiality of personal data, to ensure its security during processing, and to meet all the legal requirements for protecting the processed personal data.
For more information, follow the links:
- Statement of personal data protection system compliance with the requirements of Federal Law No. 152 "On Personal Data"
- Data Processing Agreement
GDPR (General Data Protection Regulation)
The General Data Protection Regulation (GDPR) regulates the collection and processing of personal data of individuals who reside in the European Economic Area. It was designed to strengthen data privacy protection and ensure the transparency of data collection, storage, and processing on the internet.
Yandex.Cloud meets key GDPR requirements. Procedures are in place to process requests from personal data subjects to receive, modify, or delete their personal data. Data protection measures have been implemented, and a procedure for notifying users of incidents has been established.
For more information on the subject, see the Data Processing Addendum.
The Yandex.Cloud Information Security Management System (ISMS) satisfies the requirements of the International Organization for Standardization (ISO). The ISMS was audited by an international team from BSI. Based on their findings, Yandex.Cloud was certified ISO 27001, ISO 27017, and ISO 27018 compliant.
ISO 27001 defines the requirements for information security (IS) management systems, including their implementation, operation, maintenance, and regular improvement. The ISO 27001 guidelines help organizations guarantee a high level of security for their core information assets.
ISO 27017 provides a set of practical information security recommendations for cloud service providers. These recommendations supplement the ISMS implementation requirements set out in ISO 27001.
ISO 27018 addresses the requirements for the security of personal data processed by cloud service providers. The standard sets out information security guidelines for protecting the personal information of clients. These guidelines supplement the requirements of the basic standard, ISO 27001.
PCI DSS (Payment Card Industry Data Security Standard) contains a set of requirements for cardholder data protection. They are mandatory and apply to all companies that process data from payment systems like Visa, MasterCard, American Express, JCB, and MIR.
By ensuring that our cloud infrastructure meets PCI DSS requirements, we enable Yandex.Cloud clients to use cloud services to process payment card data with verified high levels of security.
Yandex.Cloud has a certificate of compliance with PCI DSS v3.2.1. Compliance with the standard is checked by a QSA auditor on an annual basis.
You can read more at:
- PCI DSS certificate for Yandex.Cloud.
- PCI DSS certificate for the Yandex data center.
- PCI DSS Attestation of Compliance (AOC) for Yandex.Cloud.
- PCI DSS Attestation of Compliance (AOC) for the Yandex data center.
- Responsibility matrix.
- Requirements and recommendations for building the PCI DSS infrastructure.