Compliance
Federal Law No. 152-FZ of the Russian Federation on Personal Data
In Yandex Cloud, measures were implemented to protect personal data pursuant to Resolution No. 1119 and FSTEC Order No. 21 regarding requirements for 1st-level protection (UZ-1).
When a client, acting as a personal data operator, places personal data on Yandex Cloud resources, the client entrusts Yandex with processing this data. Yandex Cloud undertakes to keep the personal data confidential, to ensure its security during processing, and to meet all legal requirements for protecting the processed personal data.
For more information about Yandex Cloud compliance with the Federal Law No. 152-FZ on Personal Data, see Compliance with FZ-152.
GDPR (General Data Protection Regulation)
The General Data Protection Regulation (GDPR) governs the collection and processing of personal data of individuals located in the European Economic Area. It was designed to strengthen data privacy protection and ensure the transparency of data collection, storage, and processing on the internet.
Yandex Cloud regards the GDPR as the global standard for privacy and data protection. If our customer is subject to the GDPR, we implement the measures necessary for them to remain compliant when using Yandex Cloud. We value privacy and have procedures in place to inform customers about any possible incidents.
For more information, see the Data Processing Addendum.
ISO/IEC certification
The Yandex Cloud Information Security Management System (ISMS) meets the requirements of the standards jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This is evidenced by ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 certification.
ISO/IEC 27001 defines the requirements for establishing, implementing, maintaining, and continually improving an ISMS. Following ISO/IEC 27001 helps organizations maintain a high level of security for their core information assets.
ISO/IEC 27017 is a code of practice for information security controls for cloud services. These guidelines supplement the ISMS requirements set out in ISO/IEC 27001 and are intended for cloud service providers.
ISO/IEC 27018 sets out requirements for protecting personal data processed by cloud service providers. The standard contains information security guidelines for protecting clients' personal information and supplements the requirements of the base standard, ISO/IEC 27001.
For more information about the ISO 27001/27018, ISO 27017, and ISO 27701 certificates issued to Yandex Cloud, see the ISO standards page.
PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) contains requirements for cardholder data protection. These requirements are mandatory for all organizations that store, process, or transmit data of payment systems such as Visa, MasterCard, American Express, JCB, and MIR.
By ensuring that our cloud infrastructure meets PCI DSS requirements, we enable Yandex Cloud clients to use cloud services to process payment card data with an independently verified level of security.
Yandex Cloud holds a certificate of compliance with PCI DSS 3.2.1. Compliance with the standard is assessed annually by a Qualified Security Assessor (QSA).
For more information about the PCI DSS certificate and Attestation of Compliance (AOC) issued to Yandex Cloud, see the PCI Security Standards page.
PCI PIN Security
The PCI PIN Security standard defines requirements for securely processing and transmitting PIN codes and for managing the cryptographic keys used to protect them. Yandex Cloud customers can host acquiring and PIN transaction processing infrastructure components in the cloud.
For more information about the PCI PIN Security certificates issued to Yandex Cloud, see PCI.
PCI 3-D Secure (PCI 3DS)
The PCI 3-D Secure (PCI 3DS) standard defines the requirements for infrastructure used to accept payments through the 3-D Secure protocol. The protocol adds a step in which the card issuer authenticates the cardholder during an online card transaction. The protocol components are the Access Control Server (ACS), which is normally deployed on the card issuing bank's side, the 3DS Server on the merchant or acquirer side, and the Directory Server operated by the card scheme.
Yandex Cloud customers are able to deploy components implementing the 3-D Secure protocol in the cloud infrastructure.
For more information about the PCI 3DS certificates issued to Yandex Cloud, see PCI.
GOST R 57580.1-2017
GOST R 57580.1-2017 is the Russian national information security standard for banking and financial operations. The standard took effect on January 1, 2018, and offers a comprehensive approach to building an information protection process in financial organizations. It also contains requirements for information protection at all lifecycle stages of the automated systems and applications used by companies and banks. Its application is mandatory for credit and non-credit financial organizations.
The cloud platform's services are built to comply with this standard so that organizations whose systems and applications are deployed in the cloud can meet the requirements of the Central Bank (as set forth in Regulations 683-P and 684-P of the Bank of Russia) and ensure compliance with the standard on their cloud systems' side.
The Yandex Cloud platform has received a statement of conformity assessment against the information security requirements enforced by the Bank of Russia. The statement certifies that the information security management and control system of Yandex.Cloud LLC was assessed for compliance with the requirements of GOST R 57580.1-2017 at the enhanced protection level. As of the audit completion date, the overall score was R=0.92 (conformity level 5). Under GOST R 57580.2-2018, this means that the organizational and technical measures making up the information protection system have been implemented fully and consistently in accordance with the organization's general policies (methods).
Yandex Cloud services can thus be used by systemically important credit institutions, credit institutions providing payment infrastructure services for systemically important payment systems, and credit institutions with a significant role in the payment services market.
For more information about the GOST R 57580.1-2017 certificates issued to Yandex Cloud, see GOST R 57580.
Cloud Security Alliance
Yandex Cloud is a corporate member of the Cloud Security Alliance, an international organization with the mission to promote the use of best practices for providing information security in cloud computing and raise awareness thereof.
Yandex Cloud meets the requirements of the Security, Trust, Assurance and Risk (STAR) program at Level 1: Self-Assessment.
For a high-level description of platform security measures in one of the most widely used formats, the Consensus Assessments Initiative Questionnaire (CAIQ) v.4, see CSA STAR.
We also participate in the Trusted Cloud Provider program that shows our commitment to a comprehensive security approach, including through continuous improvement of our employees' skills and active involvement in the international professional community.
Central Registry of Russian Computer and Database Software
Yandex Cloud is listed in the software registry created pursuant to Article 12.1 of the Federal Law On Information, Information Technologies, and Information Protection under the basic class "02.05 Software tools for cloud and distributed computing, visualization tools, and data storage systems" and additional classes "02.09 Database management systems", "04.07 Linguistic software", and "04.13 Systems for collecting, storing, processing, analyzing, modeling, and visualizing datasets".
The listing confirms that Yandex Cloud and its individual services in the classes above were developed in Russia, which may be an advantage for organizations subject to stricter requirements on the use of domestic software.
For more information on the inclusion of Yandex Cloud in the registries of software and hosting providers, see State Registries of the Russian Federation.