Federal law No. 152-FZ "On personal data"
Yandex.Cloud has implemented personal data protection measures pursuant to Government Resolution No. 1119 and FSTEC Order No. 21, in line with the requirements for protection level 1 (UZ-1).
When a client, acting as a personal data operator, places personal data on Yandex.Cloud resources, the client entrusts Yandex with processing this data. Yandex.Cloud undertakes to maintain the confidentiality of the personal data, to ensure its security during processing, and to meet all legal requirements for protecting the personal data it processes.
For more information, follow the links:
- Accreditation of compliance (in Russian).
- Opinion on Compliance of the Personal Data Protection System with the Requirements of Federal Law No. 152 "On Personal Data".
- Data Processing Agreement.
- Customer actions for personal data protection.
GDPR (General Data Protection Regulation)
The General Data Protection Regulation (GDPR) regulates the collection and processing of personal data of individuals who reside in the European Economic Area. It was designed to strengthen data privacy protection and ensure the transparency of data collection, storage, and processing on the internet.
Yandex.Cloud meets key GDPR requirements. Procedures have been put in place to process requests from personal data subjects regarding personal data receipt, modification, and deletion. Data protection measures have been implemented and a procedure for notifying users of incidents has also been established.
For more information on the subject, see the Data Processing Addendum.
ISO 27001, ISO 27017, and ISO 27018
The Yandex.Cloud Information Security Management System (ISMS) satisfies the requirements of the relevant International Organization for Standardization (ISO) standards. The ISMS was audited by an international team from BSI. Based on their findings, Yandex.Cloud was certified as compliant with ISO 27001, ISO 27017, and ISO 27018.
ISO 27001 defines the requirements for information security (IS) management systems, including their implementation, operation, maintenance, and regular improvement. The ISO 27001 guidelines help organizations guarantee a high level of security for their core information assets.
ISO 27017 includes a set of practical information security recommendations for cloud providers. These recommendations supplement the ISMS implementation requirements set out in ISO 27001 and are intended for cloud service providers.
ISO 27018 addresses the security of personal data processed by cloud service providers. The standard sets out information security guidelines for protecting clients' personal information; these guidelines supplement the requirements of the base standard, ISO 27001.
You can read more at:
PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) contains a set of requirements for protecting cardholder data. These requirements are mandatory and apply to all companies that process data from payment systems such as Visa, MasterCard, American Express, JCB, and MIR.
By ensuring that our cloud infrastructure meets PCI DSS requirements, we enable Yandex.Cloud clients to use cloud services to process payment card data with a verified high level of security.
Yandex.Cloud holds a certificate of compliance with PCI DSS v3.2.1. Compliance with the standard is verified annually by a QSA auditor.
You can read more at:
- PCI DSS certificate for Yandex.Cloud.
- PCI DSS certificate for the Yandex data center.
- PCI DSS Attestation of Compliance (AOC) for Yandex.Cloud.
- PCI DSS Attestation of Compliance (AOC) for the Yandex data center.
- Responsibility matrix.
- Requirements and recommendations for building the PCI DSS infrastructure.
GOST R 57580
GOST R 57580 is a Russian national standard for the security of banking and financial transactions. Since its introduction on January 1, 2018, the standard has been mandatory for all credit and non-credit financial organizations operating in the Russian Federation.
Because the cloud platform's services comply with this standard, organizations that host their systems and applications in the cloud can more easily meet the Central Bank's requirements and demonstrate compliance with the standard for the parts of their systems that run in the cloud.
You can read more at: