Information Security & Data Privacy

Users trust Yandex with their data, making information security and responsible handling of user data our top priority.

Yandex services are certified to information security standards.

  • ISO 27001

    Provides requirements for establishing, implementing and maintaining an information security management system.
  • ISO 27017

    Gives guidelines for information security controls applicable to the provision and use of cloud services.
  • ISO 27018

    Establishes commonly accepted control objectives, controls and guidelines for the providers of public cloud services for implementing measures to protect Personally Identifiable Information.
  • ISO 27701

    A privacy extension to ISO 27001. Specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System.
  • SOC 2

    The Service and Organization Controls 2 (SOC 2) standard developed by the American Institute of Certified Public Accountants. Defines criteria for managing customer data (Trust Service Criteria) and establishing control processes and practices.
  • SOC 3

    A public form of the report of the SOC audit findings that outlines information related to internal controls for security, availability, processing integrity, confidentiality and privacy.
  • PCI DSS

    The Payment Card Industry Data Security Standard. Provides a set of principles to secure and protect credit card data.

Privacy Controls

Yandex employs the most advanced security infrastructure and systems to ensure protection of personal information. We also enable our users to manage their personal data and decide what data Yandex can keep about them.

Advanced data management tool

In 2021, Yandex introduced an advanced data management tool that users can now access in their Yandex ID accounts. This tool enables them to obtain a comprehensive copy of the personal data collected by Yandex services and request its deletion. Today, deletion requests are supported by all major Yandex services.

A similar tool is available to Yandex’s business partners, who can now request and delete archived data about their business accounts.

Yandex ID protection

A technology that determines whether login credentials have been exposed and immediately suggests a password reset. It also verifies the user's phone number via SMS during login, and blocks access to old accounts linked to that number if our partner mobile operators have determined that the SIM card has changed ownership.

Your Tracking Protection

A third-party tracker blocking feature in Yandex Browser that enables users to access a list of all third-party trackers and choose which of them to allow or block.

Protection from scammers

A set of features that remove fraudulent web links from the search index to protect banking details and transactions. Yandex Browser also displays website reviews to warn about risks.

Yandex password manager

Automated generation of strong, unique passwords and built-in password storage for secure yet seamless authorization.

Bug Bounty Program

Is there something our data security specialists possibly overlooked? We encourage programmers from outside of Yandex to help us safeguard our products and services by participating in a Bug Bounty contest for identifying vulnerabilities. Contestants who succeed in reporting a vulnerability get a cash prize and are also featured in the Hall of Fame on the contest’s official webpage. There are three streams within the Bug Bounty program, each with its own rules and regulations.

About Cybersecurity System

Yandex has a designated Information Security Department that implements security standards, monitors vulnerabilities, and investigates incidents to protect our infrastructure and services. This work is governed by Yandex’s Information Security Policy, Incident Management Policy, and other internal guidelines. The results are assessed by the Yandex executive management team.

At Yandex, every employee is responsible for safeguarding user data, and improper handling of personal or confidential information is a violation of the Yandex Group Code of Business Ethics and Conduct. At the executive level, data privacy is overseen by the Chief Privacy Officer (CPO), who coordinates between the Information Security Department and trained specialists within each business unit responsible for managing user data. To ensure proper employee conduct, we provide training on data protection, confidential information handling, and anti-phishing skills.

Cybersecurity risk monitoring is a continuous process that is accompanied by proactive measures to detect vulnerabilities, such as sensitivity testing, as well as clear protocols on how to act if an incident occurs. While we have been working hard over the years to build secure, reliable systems that make such incidents highly unlikely, there is always a negligible chance of one, and we want to stay vigilant about it. We believe honest communication is the key to minimizing damage and are therefore committed to informing our users immediately if their data has been compromised.

  • We empower users to manage their data.
  • We only use our users’ data to create new services for them and improve those that already exist.
  • We never sell any user data to anyone.
  • We only process personal data for a specific purpose.
  • We only keep personal data for as long as it is necessary to fulfil the purpose for which it was collected or to comply with legal and regulatory requirements.
  • If we are required to disclose our users’ information at the request of a law enforcement agency, we do so in strict accordance with the law and only to the minimum extent necessary. In our Transparency Report, we regularly report on the number of requests where some information was disclosed.
  • We commit to acting in strict compliance with applicable data protection laws.