Yandex Cloud and Federal Law № 152-FZ

Transfer, store, and process your Russian employees' and customers' personal data in a secure cloud inside Russia.

Yandex Cloud offers a ready-made solution for localizing personal data in compliance with Russian data privacy laws (Federal Law № 152-FZ). The platform is FSTEC certified and meets all the requirements for the protection of personal data stored and processed in the cloud.

Talk to an expert

Our own data centers

Yandex Cloud’s fully-owned data centers are located in three geographically distributed zones and are connected by proprietary communication channels. We design and manufacture servers and server racks ourselves, with full control of the entire process.

Easy migration

Many Yandex Cloud services provide APIs compatible with popular cloud platforms. Use the same code and easily migrate your services and applications without losing functionality or interrupting business processes.

Learn more

Convenient data storage

Store any amount and type of data in Object Storage. Use our managed databases like Managed PostgreSQL to integrate payment systems or Managed ClickHouse^® to aggregate data from a variety of sources.

Help and tech support

Detailed documentation and 24/7 tech support as you migrate and begin using Yandex Cloud services. Our partners can also help integrate and document your system in line with all legal requirements.

Learn more

Transparent pricing

Take full control of your spending, and only pay for the resources you actually use. Flexibly scale your solution as activity and data volumes grow.

Pricing

Platform services

Go beyond simple virtual infrastructure — take advantage of the full potential of Yandex Cloud platform services. Grow your business with our managed, ML, and serverless services.

Learn more

Yandex Cloud services are in line with national and international standards: ISO, GDPR, PCI DSS, and GOST R 57580. Our compliance with Russian Federal Law № 152, confirming the highest level of security, is also certified.

About compliance

Create resilient, manageable, and scalable applications and projects in compliance with the requirements of Federal Law № 152-FZ. Here’s an example of a hybrid approach to managing personal data using Yandex Cloud services and local infrastructure.

Calculate costs

Step 1: Identify data type and processes it is used in

Determine what type of data you plan to work with. If this is personal data, determine its category and choose the appropriate level of security. Determine the business processes and application components that data processing will be performed within.

Step 2: Choose personal data protection tools

Choose which will be Yandex Cloud services, downloaded from the Yandex Cloud Marketplace, or to be installed additionally. You also need to understand the scope of responsibility: your own and that of the service provider.

Learn more about the scope of responsibility

Step 3: Evaluate compliance with Federal Law № 152-FZ

As you migrate your infrastructure (partially or fully) to the cloud, you will need to evaluate your compliance with the requirements of Federal Law № 152-FZ. Make sure that everything is set up and working properly within your scope of responsibility and that everything is documented correctly from a legal point of view.

B-152: Protecting personal data and bringing business processes into compliance with Federal Law No. 152-FZ and GDPR.

Informzaschita: A leading system integrator in the field of information security.

InCountry: Providing and maintaining corporate infrastructure solutions.

CardSecurity: Physical and document security of financial, payment, and personal data.

Leading companies trust Yandex Cloud

Key services

Questions and answers

What are the requirements for storing and transferring personal data in Russia?

Personal data of Russian citizens must be stored inside Russia. Cross-border data transfers are only possible with the owner’s consent and if the data had originally been added to a database hosted in Russia. The law also imposes requirements on how data is processed and the technical protection of the information system, including the part located in Russia.

Should the entire system be hosted in Russia?

How does the cloud platform help meet security requirements?

What is the responsibility of the cloud provider to protect personal data?

The provider’s responsibility varies depending on the cloud service model used by the customer — Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS) — and the security mechanisms and policies available to the cloud provider.

For IaaS: The provider is responsible for the physical security and fault tolerance of the platform itself, network security, and the collection and analysis of security events from hypervisors and other infrastructure components.

For PaaS/SaaS: The provider ensures the security of PaaS/SaaS components. This includes VM protection, DB backups, and encryption of user data hosted in the cloud under Federal Law № 152-FZ.

Learn more about the provider's responsibility

What is the responsibility of the customer to protect personal data?

The customer is responsible for managing access rights to resources and preventing unauthorized access to data. In both private infrastructure and cloud service models, companies are solely responsible for ensuring that data is labeled and properly classified to fulfill any regulatory compliance requirements.

The customer’s responsibility also varies depending on the cloud service model chosen: IaaS, PaaS, or SaaS. Companies that use the IaaS model should be responsible for the security of guest VMs, back up VMs, protect the virtual network, control access to resources, and secure cloud user accounts.

When using managed services (PaaS/SaaS), it is the responsibility of the customer to classify data, ensure access control, set up data protection, and manage their users and end devices.

While storing personal data in the cloud under Federal Law № 152-FZ, you continue to be the owner of the data and must fulfill all the duties as the data operator. This includes acquiring consent to process personal data, notifying Roskomnadzor about data processing, and modeling threats to your information systems.

You can do this yourself or with the help of one of Yandex Cloud’s trusted information security partners.

Learn more about customer actions

Yandex Cloud Marketplace

RED OS is a Linux distributive based on open source solutions and in-house developments by RED SOFT.

NeoCAT is used to evaluate resources and services in the cloud for compliance with security requirements and standards, and analyze the effectiveness of using the cloud.

Postgres Pro Enterprise Database is the most functional PostgreSQL-based database.

Ready to get started?

Ask a question Get started

Useful links

Pricing

Documentation

Find a partner

ClickHouse is a registered trademark of ClickHouse, Inc.

Yandex Cloud and Federal Law № 152-FZ

What makes Yandex Cloud the right choice?

Our own data centers

Easy migration

Convenient data storage

Help and tech support

Transparent pricing

Platform services

Getting started with personal data

Step 1: Identify data type and processes it is used in

Step 2: Choose personal data protection tools

Step 3: Evaluate compliance with Federal Law № 152-FZ

Our trusted partners can help you

Leading companies trust Yandex Cloud

Key services

Questions and answers

What are the requirements for storing and transferring personal data in Russia?

Should the entire system be hosted in Russia?

How does the cloud platform help meet security requirements?

What is the responsibility of the cloud provider to protect personal data?

What is the responsibility of the customer to protect personal data?

Yandex Cloud Marketplace

Ready to get started?

Useful links