Date: 2023-01-17
Data privacy in Yandex Cloud
Privacy and security of user data are top priorities in Yandex Cloud. As a company guided by the principles of openness and transparency, we take this matter very seriously so that our users can be sure their data is always safe.
Data protection
Even under the “shared responsibility” model, users maintain full control over their data.
Yandex Cloud is committed to ensuring the security and privacy of its users' data.
Data privacy principles
To ensure a high level of data storage reliability, we adhere to the following data processing principles:
Lawfulness and confidentiality
Personal data is only processed with the user’s consent, under an agreement with them, or for other legal reasons. Without the user’s permission, no personal information can be disclosed.
Data security
Yandex Cloud prevents unauthorized or accidental access, modification, deletion, blocking, or duplication of user data.
Privacy by design
Yandex Cloud follows “Privacy by Design” principles throughout the platform development lifecycle and in all business processes that involve the processing of personal data.
Transparency and accountability
To ensure the privacy of our users' information, we provide detailed and transparent reports of all data processing activities.
Limitation and minimization
The collection and processing of personal data are strictly limited to the pursuit of explicit and lawful objectives and are not carried out in an indiscriminate or otherwise excessive manner.
Ensuring data privacy
Privacy assurance procedures and policies are audited and certified.
Questions and answers
What are the requirements for storing and transferring personal data in Russia?
Personal data of Russian citizens must be stored inside Russia. Cross-border data transfers are only possible with the owner’s consent and if the data had originally been added to a database hosted in Russia. The law also imposes requirements on how data is processed and the technical protection of the information system, including the part located in Russia.
Is it required that the entire cloud system be located in Russia?
It is sufficient to locate a database containing the personal data of Russian citizens and the infrastructure components responsible for their processing within the borders of the Russian Federation (subject to legal restrictions that may apply to the entire set of data and organization).
How does the cloud platform help meet security requirements?
Yandex Cloud data centers are located in Russia and their infrastructure fully meets the requirements of Federal Law No. 152-FZ. All you have to do is ensure the application side is compliant, build a number of processes, and create the relevant documentation. You can assign these tasks to our partners.
What is the responsibility of the cloud provider to protect personal data?
The provider’s responsibility varies depending on the cloud service model used by the customer — Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS) — and the security mechanisms and policies available to the cloud provider.
For IaaS: The provider is responsible for the physical security and fault tolerance of the platform itself, network security, and the collection and analysis of security events from hypervisors and other infrastructure components.
For PaaS/SaaS: The provider ensures the security of PaaS/SaaS components. This includes VM protection, DB backups, and encryption of user data hosted in the cloud under Federal Law No. 152-FZ.
What is the responsibility of the customer to protect personal data?
The customer is responsible for managing access rights to resources and preventing unauthorized access to data. In both private infrastructure and cloud service models, companies are solely responsible for ensuring that data is labeled and properly classified to fulfill any regulatory compliance requirements.
The customer’s responsibility also varies depending on the cloud service model chosen: IaaS, PaaS, or SaaS. Companies that use the IaaS model should be responsible for securing guest VMs, backing up VMs, protecting the virtual network, controlling access to resources, and securing cloud user accounts.
When using managed services (PaaS/SaaS), it is the responsibility of the customer to classify data, ensure access control, set up data protection, and manage their users and end devices.
While storing personal data in the cloud under Federal Law No. 152-FZ, you continue to be the owner of the data and must fulfill all the duties as the data operator. This includes acquiring consent to process personal data, notifying Roskomnadzor about data processing, and modeling threats to your information systems.
You can do this yourself or with the help of one of Yandex Cloud’s trusted information security partners.
Do you have questions?
If you have any questions about the security of the cloud platform infrastructure, please contact us. Yandex Cloud experts will help you choose the best solution for your project.