Since the server is not located at your home, you do not have access to it, and certainly cannot in any way influence the policy of the data center, you simply do not have the opportunity to fulfill a number of legal requirements. There is only one thing left to do: find hosting that meets the requirements of the law.

I’m not Beget now, I wrote them a letter about their FSTEC license for the protection of confidential information. They answered vaguely, like I’m not me and the house is not mine, we’re just these and in general we shouldn’t... To summarize, they don’t have a license, which means, by and large, a site that collects personal data cannot be kept there. I surfed the Internet (not very extensively yet) and so far I have only found RU-CENTER with a license.

License for activities for the development and (or) production of means of protecting confidential information
LICENSE No. 0917 dated September 20, 2011

License to operate in the technical protection of confidential information
LICENSE No. 1594 dated September 20, 2011
Copyright holder: Joint Stock Company "Regional Network Information Center"
License validity period: unlimited

Hosting of confidential information in RU-CENTER

On March 6, 2012, RU-CENTER begins to provide a new service - hosting of confidential information.
Hosting of confidential information is the placement of a website on the Internet using additional measures to protect information.
This service will allow you to fulfill a number of mandatory requirements of the current legislation (Law N 152-FZ), which are presented when processing personal data.
In addition to the basic methods of data protection and information storage used in other RU-CENTER services, confidential information hosting offers:

  • specialized certified equipment that allows a number of actions to protect information during network access;
  • additional restriction of physical access to the equipment on which the service is provided;
  • daily backup (2 copies);
  • accounting of the physical media used;
  • MySQL dedicated to each service.
The main consumers of the new service are small and medium-sized businesses, online stores, forums, marketing research systems and many other Internet resources that, when processing and storing users’ personal data, must comply with the requirements of the legislation of the Russian Federation (Law N 152-FZ).

The real question is, how is their quality?
And if anyone finds other hosters with a FSTEC license to protect confidential information, post it in this thread.

  • Federal Law "On Personal Data" dated July 27, 2006 N 152-FZ


In September 2015, the provision on localization of storage of personal data (242-FZ dated July 21, 2014) came into effect in the Russian Federation. This innovation, of course, turned out to be one of the main drivers for the Russian hosting and cloud computing market, forcing both personal data operators and hosting providers to once again think about how to ensure compliance of such a seemingly simple entity as a website with the requirements of legislation on personal data.

Although Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” was adopted quite a long time ago, not everyone has adapted to it and learned to implement it. This is partly due to the large number of regulatory documents and the regularly issued changes to them, which today come from four departments: the Government, Roskomnadzor, FSTEC and the FSB. It is also due to the rather balanced position of the regulator, who, instead of a policy of driving in nails, chose a strategy of smooth but inevitable tightening of the screws.

While large businesses and government authorities, as the most disciplined market participants, have for the most part already brought their personal data information systems (PDIS) into compliance with the law, medium and small businesses are only now beginning to realize that, for their further existence and development, they will still have to come out of the shadows, including in terms of implementing the legislation on personal data, especially since this shadow keeps shrinking and there is already not enough of it for everyone.

What should the owner of a website where users’ personal data is collected and stored (for example, in the personal account of an online store) do? Let's try to figure this out together.

If a website collects personal data, then it is a personal data information system and is subject to 152-FZ

Here is what Roskomnadzor itself says about this: “According to clause 9 of Art. 3 of the Federal Law “On Personal Data”, a personal data information system is a set of personal data contained in databases and the information technologies and technical means that ensure their processing. If the website meets the specified requirements, it is an information system.”

We all intuitively know what personal data is, but it is important to understand what it is from a legal point of view. According to paragraph 1 of Article 3 of Federal Law No. 152-FZ, personal data is any information relating directly or indirectly to a specific or identifiable individual. That is, this is almost anything: from tax identification number to hair color and shoe size, not to mention the phone number and address, be it email or postal.

Thus, an online store or simply a website with a personal account or user registration, online ordering, booking, payment, delivery, etc. is, in terms of 152-FZ, a personal data information system (ISPD), and its owner is a personal data operator.

The law on personal data takes into account trends in cloud computing and outsourcing

A lot has already been said and written about the relevance and prospects of IT outsourcing, especially for companies in the small and medium-sized enterprise sector, so in this article I will not agitate the reader “for the clouds”. Moreover, we all know very well that most sites on the Internet are hosted on public web servers of hosting service providers.

There are many reasons for this, but the most important is, of course, the common sense desire of companies to save money and get a cheap web service with high availability. Creating your own computing infrastructure with reliability at least comparable to a Tier-III standard data center costs millions of rubles. Firstly, you need an appropriate room: not a corridor, not a basement, not an attic, so that it does not flood and so that strangers do not have access there. Ventilation and air conditioning are needed, and with a certain redundancy. It is necessary to organize autonomous and backup power supply. To do this, you need to install a diesel generator set somewhere. Finally, physical security and maintenance personnel are needed. In addition, to guarantee service availability, you will have to buy a full set of spare parts for server and network equipment. That is, instead of one server, you actually have to buy two.

Naturally, with the development of cloud computing, virtualization technologies and a clear trend towards outsourcing, more and more companies from the SMB sector are seeking to transfer their information systems from “under-desk” system units to cloud computing resources located in computer centers that meet modern industrial standards.

Information systems of any enterprise store and process a certain amount of personal data. This can be both personal data of company employees and data of clients or counterparties. Corporate information systems are quite diverse, both functionally and technologically. This could be an accounting automation system, for example 1C, and a website with a user personal account and an online store. At the same time, these information systems, as a rule, are interconnected: they transmit information to each other, including personal data.

According to clause 3 of Article 3 of 152-FZ, the processing of personal data is any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Thus, placing an ISPD on the provider’s server is nothing more than outsourcing, at a minimum, such functions for processing personal data as recording, storage, reading (retrieval), transfer and deletion.

According to clause 2 of Article 3 of 152-FZ, an operator (of personal data) is a legal or natural person who, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data subject to processing, and the actions (operations) performed with personal data.

Accordingly, the hosting provider, which has assumed the functions of storing and transmitting personal data, is their operator, along with the owner of the site (the information system processing this personal data), and is obliged by law to take certain measures to ensure their security. In fact, everything is not so bad, and we must pay tribute to the authors of the Law “On Personal Data” No. 152-FZ and Government Resolution No. 1119 of November 1, 2012, which provided for the operator of personal data outsourcing part of the processing functions to third-party organizations.

Legislative regulation of hosting websites that process personal data on hosting provided by a third party

The personal data operator has the right to entrust the processing of personal data to another person with the consent of the personal data subject, on the basis of an agreement (instruction) concluded with this person. The person processing personal data on behalf of the operator is obliged to comply with the principles and rules for processing personal data provided for by current legislation. The operator’s order must define a list of actions with personal data that will be performed by the person processing personal data and the purposes of processing, must establish the obligation of such a person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, and must also indicate requirements for the protection of processed personal data (Clause 3, Article 6 152-FZ).

Thus, the hosting provider, like the site owner, is the operator of personal data processed on the site and is responsible for its availability, safety and security. With only one difference - the site owner is responsible to the subjects of personal data, and, in cases provided for by law, is obliged to obtain permission from the subjects to process personal data, and the hosting provider, as an authorized person, is responsible to the site owner and receives personal data from him and stores them, but is not responsible for obtaining permission from the subjects.

In general, the topic of obtaining the consent of subjects for the processing of their personal data is very large and interesting and, of course, deserves a separate article.

Delineation of the areas of responsibility of the hosting provider and the site owner for compliance with personal data protection requirements

Agree, it would be unfair to shift all responsibility for the security of personal data to the hosting provider. After all, the provider often has no idea by whom, how and on what the site hosted on its server was written, what passwords are used to authorize access to personal data, in what form they are stored, and whether they are used at all.

According to Government Decree No. 1119 (clauses 13 - 16), in order to ensure the required level of security of personal data when processed in information systems, the following requirements must be met:

| Requirement PP 1119 | Required level of security | Area of responsibility |
|---|---|---|
| Organization of a security regime for premises in which the information system is located | UZ-4; UZ-3; UZ-2; UZ-1 | Hosting provider |
| Ensuring the safety of personal data carriers | UZ-4; UZ-3; UZ-2; UZ-1 | Hosting provider |
| Approval by the head of the operator of the list of persons with access rights to personal data | UZ-4; UZ-3; UZ-2; UZ-1 | |
| Use of certified information security tools (that have undergone the assessment of compliance with legal requirements) | UZ-4; UZ-3; UZ-2; UZ-1 | Hosting provider |
| Appointment of an official responsible for ensuring the security of personal data | UZ-3; UZ-2; UZ-1 | Site owner; Hosting provider |
| Access to the contents of the electronic message log is only possible for persons who have the appropriate access rights | UZ-2; UZ-1 | Site owner; Hosting provider |
| Automatic registration in the electronic security log of changes in the powers of the operator’s employees to access personal data | UZ-1 | Site owner; Hosting provider |
| Creation of a structural unit responsible for ensuring the security of personal data | UZ-1 | Site owner; Hosting provider |

The hosting provider must have a license from Roskomnadzor to provide communication services

As you know, to provide communication services, a Roskomnadzor license is required. This follows, for example, from paragraph 36 of Article 12 of the Federal Law of May 4, 2011 No. 99-FZ “On licensing of certain types of activities.”

According to the list of names of communication services included in licenses for carrying out activities in the field of providing communication services (approved by Decree of the Government of the Russian Federation of February 18, 2005 No. 87), licensed communication services include, among other things:

  • Telematic communication services (this includes hosting);
  • Communication services for data transmission, with the exception of communication services for data transmission for the purpose of transmitting voice information.

To host sites that process personal data, the hosting provider must have a FSTEC license

The Federal Service for Technical and Export Control (FSTEC of Russia) regulates activities related to the technical protection of information, deals with issues of state policy in this area of legislation, standardization and licensing, and also conducts the relevant inspections.

Since the hosting provider, as a person authorized under the assignment agreement, is an operator of personal data, he is obliged to take technical measures to protect them, that is, to provide services for the technical protection of information. In accordance with the provision on licensing activities for the technical protection of confidential information, approved by Decree of the Government of the Russian Federation of February 3, 2012 N 79, these services are a licensed type of activity.

The organizational and technical measures to ensure the security of personal data, approved by FSTEC Order No. 21 dated February 18, 2013, include:

  • identification and authentication of access subjects and access objects;
  • access control of access subjects to access objects;
  • limitation of the software environment;
  • protection of computer storage media;
  • security event logging;
  • antivirus protection;
  • intrusion detection (prevention);
  • control (analysis) of the security of personal data;
  • ensuring the integrity of the information system and personal data;
  • ensuring the availability of personal data;
  • protecting the virtualization environment;
  • protection of technical means;
  • protection of the information system, its communications and data transmission systems;
  • identifying incidents and responding to them;
  • configuration management of ISPDn and SZPDn.

To carry out work to ensure the security of personal data, it is allowed to engage on a contractual basis third-party organizations that have a license to operate in the technical protection of confidential information (clause 2, paragraph 2 of FSTEC Order No. 21).

A number of measures to ensure the security of personal data require the hosting provider to have an FSB license

The measures to ensure an appropriate level of protection of personal data, according to FSTEC Order No. 21, include the following measures:

  • Implementation of protected remote access of access subjects to access objects through external information and telecommunication networks (UPD.13);
  • Ensuring the protection of personal data from disclosure, modification and imposition (entering false information) during its transmission (preparation for transmission) via communication channels that extend beyond the controlled area, including wireless communication channels (ZIS.3);
  • Ensuring the authenticity of network connections (interaction sessions), including protection against spoofing network devices and services (ZIS.11).

Based on the essence of these measures, it is clear that their implementation requires the use of cryptographic information protection tools (CIPF). As is known, issues related to the use of CIPF in the Russian Federation are regulated by the Federal Security Service (FSB of Russia).

According to the regulations on licensing activities for the development, production, distribution of encryption (cryptographic) tools, approved by Decree of the Government of the Russian Federation of April 16, 2012 No. 313, the list of works that constitute licensed activities includes:

  • Development of secure information and telecommunication systems using cryptographic tools;
  • Mounting, installation and adjustment of cryptographic means and information and telecommunication systems protected with their use;
  • Work on maintenance of cryptographic means;
  • Transfer of cryptographic means and information and telecommunication systems protected with their use;
  • Providing information encryption services.

The computing center of the hosting provider must be located on the territory of the Russian Federation

On September 1, 2015, the provision on the localization of storage and certain processes of processing personal data came into effect in the Russian Federation. It is defined in Federal Law No. 242 of July 21, 2014 “On amendments to certain legislative acts of the Russian Federation in terms of clarifying the procedure for processing personal data in information and telecommunication networks”. According to clause 1 of Article 2 of that law, when collecting personal data, including through the information and telecommunications network Internet, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, changing) and retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.

At the same time, it is important to note that the cross-border transfer of personal data, as such, is not prohibited, but is regulated by law. You can read more about this in Art. 12 152-FZ.

Briefly about the main thing

So, let's summarize the above.

A website is a personal data information system if its functionality allows you to enter, store or view personal data. Almost any website with a personal account, the possibility of online booking, ordering or purchasing with delivery, etc. can serve as a good example.

Processing personal data of clients online is not only a necessity of modern e-commerce, but also broad opportunities for marketing, the description of which deserves a separate article.

The owner of a website that is an ISPD is required to submit a notification to Roskomnadzor, indicating: what personal data it stores and processes, where the servers on which the ISPD operates are physically located. You can read about this in my article “How to submit a notification to the RKN and not get into trouble.”

An agreement with a hosting provider, in addition to the quantitative and qualitative characteristics of computing resources, must contain an order for the processing of personal data that indicates the specific list of actions to be performed with them, the purposes and procedure for processing personal data, and the requirements for their protection, and that establishes the provider’s responsibility for the security of personal data.

In addition to the Roskomnadzor license for the provision of telematic communication services that is standard for hosting companies, in order to protect personal data processed on client sites, the hosting provider must have a FSTEC license for activities related to the technical protection of confidential information and a FSB license for the provision of services related to the use of encryption (cryptographic) tools.

And finally, the provider’s server on which personal data is physically stored must be located on the territory of the Russian Federation.

So, this article discusses many, but not all, aspects of placing an ISPD on the computing resources of cloud service providers. More detailed information can be obtained from the following documents and information resources:

Legislation

  • Decree of the Government of the Russian Federation of November 1, 2012 N 1119 "On approval of requirements for the protection of personal data during their processing in personal data information systems"
  • Order of the FSTEC of Russia dated February 18, 2013 No. 21 On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems


Amendments to the Federal Law “On Personal Data” (152-FZ) came into force on September 1, 2015.
According to the law, the data that the client enters on your website must be stored in the Russian Federation.
And that is not all. Read about who this law will affect and what to do in our article.

On September 1, 2015, amendments to the Law “On Personal Data” came into force.
According to this law, all data that the client enters on your website and which is specifically personal data (passport details, addresses, including e-mail, payment information, etc.) must be stored on the territory of the Russian Federation.

HERE IS AN EXCERPT FROM LAW 152 on the protection of personal data

“When collecting personal data, including through the information and telecommunications network Internet, the operator is obliged to ensure recording, systematization, accumulation, storage, clarification (updating, changing), retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in paragraphs 2, 3, 4, 8 of part 1 of article 6 of this Federal Law” (part 5 of article 18 of the Federal Law “On Personal Data”).


The term “Operator” should be understood to mean all companies, in particular e-commerce companies, on whose websites customers provide personal information.

Well, that's not all. In February 2017, further amendments were made to the law on the protection of personal data. These amendments oblige all website owners and online stores (Operators) to notify users that when entering personal data on the website, they consent to their collection, processing and storage.

If you ignore these amendments to the law, you risk receiving a fine of up to 75,000 rubles for one violation. And if there are more of them, then the amount of the fine will increase (violation of the legislation of the Russian Federation in the field of personal data, Article 13.11 of the Code of Administrative Offenses of the Russian Federation).

WHAT ELSE IS THE RISK OF FAILURE TO COMPLY WITH THE PERSONAL DATA LAW?

We have already talked about considerable fines. This can affect everyone. And don’t think that this is not about you :) Look at the judicial practice and you will understand that this is not a joke. Here, for example, is the sensational case of the Tambov law firm (Resolution No. 4A-288/2016 of October 4, 2016 in case No. 4A-288/2016), which was fined for violations in the field of storing personal data. The amount of the fine is insignificant, but you need to keep in mind that since July 1, 2017, fines have increased significantly.

In addition to administrative liability, there may also be criminal liability, for example if you cause moral harm to a user whose personal data fell into the wrong hands.
Well, for such violations, Roskomnadzor can block the site and add you to the so-called “black list”.
And then be prepared for additional checks from Roskomnadzor.

WHAT TO DO?

  1. The first thing to do is notify users about the processing of personal data. If you haven't done this yet, now is the time. Develop and post on the website a document on the processing of personal data, and also obtain users’ consent to such processing (for example, by placing a checkbox with information under each registration form).
    In general, this can be done in different ways, depending on your goals and business characteristics. For example, Ozon publishes a privacy policy on the website and, when registering a user, obtains consent to process personal data. Or you can post information about the collection of PD as part of a public offer, as Lamoda does, and also collect consent to processing during registration. Or do as SberBank does and place such information in the agreement.
  2. Prepare internal documents regulating the rules for the implementation of this law. These include orders, instructions and appointments of persons responsible for storing personal information.
  3. It is very important to make sure that the data is stored in Russia (on Russian servers).
    This is required by the law on the protection of user information (Part 5 of Article 18 of the Federal Law “On Personal Data”).
    Therefore, ask your hosting provider for the address of the location of the servers on which your site is hosted and enter into an agreement with it in which this address is indicated. You will need this address to fill out a notification to Roskomnadzor. If you have your own server, be sure to keep the documents for it. They may be required by Roskomnadzor during a possible inspection. The same is true for a contract with a hosting provider.

    If your hosting provider places its servers in a Russian Data Center, then everything is fine.
    Purchasing hosting from a domestic provider is the easiest way to satisfy the legal requirements.

    There is another method called cross-border data transfer. This is not prohibited by law. Storage of personal data abroad is allowed, but with some reservations. So, in any case, the company, in addition to storing personal data abroad, must have such a database on the territory of the Russian Federation. But at the same time, the database should be as complete and up-to-date as possible. The scheme here is this: the entire database with personal data is collected, systematized and stored on the territory of the Russian Federation, and then the data can be transferred abroad. It is important to understand here that the primary source is a base on the territory of the Russian Federation.

  4. After this, prepare and send a notification to Roskomnadzor.
    This can be done online through the electronic form.

    There is no need to submit a notice if:

      • you only process employee data;
      • you enter into an agreement with a specific person and the data specified in the agreement is used only for the execution of this agreement, i.e. information is not published or transferred to third parties without the consent of the subject of personal data (this point is ambiguous, since questions may arise due to the specifics of the business. It is important to correctly draw up an agreement, taking into account all the nuances that meet the requirements of the law. Therefore, we recommend consulting with a lawyer. And if there is no definite answer, then it is better to submit a notice.);
      • the collected data includes only the full name of users;
      • the user himself has made his personal data publicly available.

Note that we are talking only about cases when a notification does not need to be submitted. The above data is still personal and the user must be notified about it.

INSTEAD OF CONCLUSION

There is no need to be afraid of this law. It also regulates our rights, as individuals. Each of us at least once purchased goods via the Internet and left our personal data. Now you and I have grounds to defend our rights legally if our rights are violated.

For website owners, the most important thing is to arrange everything correctly. By doing this, you will protect yourself from fines and other liability and gain the trust of your clients.
Small note: we advise you not to make a carbon copy of, for example, your competitors' documents, since each business has its own specifics. It’s better to spend time developing documentation specifically for your business than to pay fines later. And if you still have questions, seek help from your lawyer, as this article is not a substitute for a specialist who will help you do everything as needed and specifically for your goals and objectives.


After the entry into force of clause 4, part 2, article 19 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data,” each enterprise is obliged to bring its information systems and processes related to the processing of personal data into compliance with the requirements of the Legislation of the Russian Federation.

What does this mean for legal entities?

Organizations are obliged to ensure the protection of the rights and freedoms of individuals and citizens when processing their personal data, including the protection of the rights to privacy, personal and family secrets. Thus, they become “personal data operator organizations.” The Federal Service for Supervision of Communications, Information Technologies and Mass Communications (Roskomnadzor), FSTEC and the FSB of Russia will monitor compliance with the requirements of the Legislation.

The federal law applies to companies of any organizational form - these include government bodies, federal and municipal institutions: banks, insurance companies, medical institutions, telecom operators, online stores, retail chains, manufacturing companies and other organizations processing personal data received from employees, clients and other individuals and legal entities.

The responsibilities of the operating organization include:

  • ensuring the legality of processing personal data;
  • building a personal data protection system in accordance with the requirements of FSTEC and the FSB of Russia;
  • sending a notification to Roskomnadzor;
  • development of internal documentation;
  • conducting certification tests or conformity assessments;
  • systematic updating of the personal data protection system.

Often, this turns out to be a difficult and costly task, including due to the need to obtain a document confirming the effectiveness of the measures taken to protect personal data. That is why most companies prefer to optimize this process by searching for a reliable partner with a ready-made solution in an external virtual infrastructure.

To ensure that all legal entities in Russia comply with Federal Law No. 152, we, a hosting site in collaboration with the WELLSERVICE company, offer a less costly and time-consuming solution: placing personal data storage and processing systems in a secure cloud system, which we call “ISPDn in the cloud”.

Servers for personal data information systems (PDIS) are provided to any companies that are located on the territory of the Russian Federation and are its residents.

What is “ISPDn in the cloud”?

The “ISPDn in the Cloud” product is a separate secure virtual server, at the tariff you choose, that fully complies with the requirements of Federal Law-152.

Each “ISPDn in the cloud” is a completely isolated object. This means that access to your ISPD from the hosting provider is blocked using certified security tools and is absolutely confidential!

Confidentiality of processed information is achieved through:

  • Access to data located on the “ISPDn in the cloud” is restricted using means of protection against unauthorized access (NAD) certified by FSTEC of Russia and using the functions of the virtual machine hypervisor (which is part of a certified protection tool).
  • Data transmitted via communication channels from the terminal of the personal data operator organization to the network interface of the virtual machine is encrypted using cryptographic information protection tools (CIPF) certified by the FSB of Russia. Virtual machine disk images are also encrypted using CIPF.
  • None of the data centers has any access keys to the CIPF facilities located in the client’s virtual machine. For example, to boot the operating system on a VPS, the client personally enters the password for the crypto container that holds the system partition. This procedure is implemented by an operating system boot loader that our company developed specially for the virtual machine. The user of the virtual machine can regenerate the access keys independently at any time, and the crypto container can be re-encrypted accordingly.
  • Availability and integrity of the processed information are ensured by the use of redundant communication channels, reliable data storage systems, cooling devices and uninterruptible power supply. Our partners are the best data centers in Russia: Miran, IXCellerate, KIAEHOUSE.

What does ISPDn in the cloud give to companies in Russia?

Simple procedure: we take on the entire range of organizational, legal and technical work, namely development of a security threat model, the concept of a protection system, the certification methodology, the certification testing itself and issuance of a certificate of conformity. By choosing our “ISPDn in the Cloud” product, you DO NOT NEED TO OBTAIN THE CONSENT OF THE SUBJECTS OF PERSONAL DATA when collecting it.

Significant savings: our product frees the customer company from the costs of creating and owning a secure IT infrastructure for storing, processing and protecting personal data. Moreover, hosting ISPD in the cloud is provided as a service; the customer company does not have capital costs.

Our advantages:

  • the secure system “ISPDn in the cloud” has passed all the necessary certifications as fully complying with all the requirements of the legislation of the Russian Federation in the field of personal data;
  • full compliance with the requirements of FSTEC and the FSB of Russia of all hardware, software, and network elements of the system;
  • you will not need to obtain the consent of the subjects of personal data when collecting it;
  • consultations and support at all stages of implementation and work with the product;
  • a complete package of organizational, administrative and regulatory documents;
  • no capital costs.

What is the service delivery process?


1. Registration of a representative of the customer company on our website and subsequent filling out of an application form for the “ISPDn in the Cloud” service: the need for certification, details of the organization, type of activity.

2. Depending on the ISPD requirements, you select a suitable tariff plan with the required server parameters: disk space and RAM.

3. Concluding an agreement for the provision of the “ISPDn in the cloud” service and making payment.

4. Based on the data provided, we will prepare for you a set of organizational, administrative and regulatory documents, including a statement on personal data, an ISPD classification act, a threat model and other necessary documents. A specialist from our company will verify that these documents are correctly completed and approved.

5. We agree with you on the date of the on-site certification of the workplace. After a specialist visits and checks all the requirements for the workplace, you receive a certificate of compliance and the entire package of documents certifying full compliance of your ISPD with the requirements and standards of No. 152-FZ “On Personal Data” and all by-laws.



* The cost of a secure ISPD server with a package of documents and certification procedure when paid for 1 year.

Sale of secure infrastructure for storing and processing personal data under the presented tariff plans is carried out for a minimum period of 1 year.

When ordering the first ISPD server, an installation fee of 11,300 rubles is charged.

The “Cloud Federal Law 152” solution exempts the Personal Data Operator from the costs of creating and owning a secure IT infrastructure to comply with the requirements of 152-FZ and 242-FZ. In other words, if Russian legislation obliges your company to take all necessary organizational and technical measures to protect personal data from unauthorized and unlawful access, choose the ready-made solution from Cloud4Y.

Click the "Try for Free" button, fill out the short form and learn how to avoid the hassle of spending a lot of money to set up an IT infrastructure that will meet the requirements of Federal Law No. 152.

Why do you need “Cloud Federal Law 152”:

  • Separate secure, certified and attested “cloud” for hosting ISPD.
  • Certification of virtualization mechanisms: computing resource hypervisor, virtualized data network management system, virtualization platform and data storage system.
  • Providing security services (based on certified security tools) that can be used by clients hosting their ISPD in the cloud.

Organization of ISPDn placement in the cloud:

  • Frees the personal data operator from capital costs for the creation and ownership of a secure IT infrastructure;
  • Releases the operator from part of the legal liability for compliance with the requirements of 152-FZ, 242-FZ;
  • Allows the use of system-wide and specific provider software;
  • Allows you to receive IT infrastructure support by highly qualified personnel 24×7.

Features of “Cloud FZ 152”:

  • The placement of ISPD is provided as a service, that is, the customer does not have capital costs.
  • Cloud4Y acts as the person responsible for processing personal data on behalf of the operator.
  • The system has been certified by FSTEC licensees, which confirms its compliance with safety requirements. The protective equipment used has undergone conformity assessment in accordance with the established procedure and has certificates issued by the relevant authorities of the FSTEC and the FSB of Russia.
  • Availability of certificates for various cloud elements that implement security functions (hypervisor, security tools integrated into the cloud, security tools offered to clients as security services).
  • A set of organizational and technical protection measures that allows clients to eliminate current threats from service personnel, from other clients and other violators.

Regulatory documents and classification

You can read the text of Federal Law No. 152 on personal data by following the link.

White Paper about Federal Law 152 - a book that can be referred to in matters of personal data processing

Cloud4Y experts studied the issue of personal data protection and created a guide on how an organization should act in order to comply with Federal Law 152. We did our best to explain points of legislation in simple language, eliminate confusion and lay out the steps that need to be taken.



Prices

PROMOTION: only until April 30, 2020 "Cloud Federal Law 152" at the regular price FOREVER!

In order to receive a cost estimate for the FZ-152 Cloud service, contact any manager by phone at +7 495 268 04 12 or in any other convenient way available in the section


Read the List of regulatory legal acts establishing mandatory requirements for the activities of legal entities and individual entrepreneurs to ensure that the processing of personal data complies with the requirements of the legislation of the Russian Federation in the field of personal data at the link.


Frequently asked questions (FAQ)

1. What is the essence of your Federal Law-152 service?
We have built a secure perimeter in our data center that has been certified against the security requirements of Federal Law-152 and has received a certificate of compliance for the protection of personal data up to and including the 1st level of security. We help our clients close the compliance issue from a technical point of view. Government institutions may also be interested in the Certificate of Compliance of the 1st class for state information systems (in accordance with the 17th order of the FSTEC) and the certificate for the protection of confidential information in class 1G (in accordance with STR-K).

2. Why do we need this?
Since you are a personal data processor, Federal Law No. 152 automatically applies to you. Government agencies that own government information systems are also subject to the 17th order of the FSTEC.

3. How much does it cost?
The cost is calculated individually for the customer, taking into account the volume, level of security, and timing of placement.

4. Can you help prepare documentation?
Yes, we can (we either provide ready-made templates or take over the entire turnkey preparation process).

5. How is the data transmission channel organized?
A channel encrypted according to Russian GOST is used, routed through a ViPNet Coordinator.
