Information Security & Data Privacy

Users trust Yandex with their data, making information security and responsible handling of user data our top priority.

Yandex services are certified to information security standards.

  • ISO 27001

    Provides requirements for establishing, implementing and maintaining an information security management system.
  • ISO 27017

    Gives guidelines for information security controls applicable to the provision and use of cloud services.
  • ISO 27018

    Establishes commonly accepted control objectives, controls and guidelines for the providers of public cloud services for implementing measures to protect Personally Identifiable Information.
  • ISO 27701

    A privacy extension to ISO 27001. Specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System.
  • SOC 2

    The Service and Organization Controls 2 (SOC 2) standard developed by the American Institute of Certified Public Accountants. Defines criteria for managing customer data (Trust Service Criteria) and establishing control processes and practices.
  • SOC 3

    A public form of the report of the SOC audit findings that outlines information related to internal controls for security, availability, processing integrity, confidentiality and privacy.

  • PCI DSS

    The Payment Card Industry Data Security Standard. Provides a set of principles to secure and protect credit card data.

Privacy Controls

Yandex employs the most advanced security infrastructures and systems to ensure protection of personal information. We also enable our users to manage their personal data and decide what data Yandex can keep about them.

Advanced data management tool

In June 2021, Yandex introduced an advanced data management tool that users can now access in their Yandex ID accounts. This tool enables them to obtain a comprehensive copy of the personal data collected by Yandex services and request its deletion. By the end of 2021, deletion requests were supported by over 70 services, and in 2022, this capability was extended to all major services. A similar tool is available to Yandex’s business partners, who can now request and delete archived data about their business accounts.

Yandex ID protection

A technology that determines whether login credentials have been exposed and immediately suggests a password reset. It also verifies the user's phone number via SMS during login and blocks access to old accounts linked to that number when our partner mobile operators have determined that the SIM card has changed ownership.

Your Tracking Protection

A third-party tracker blocking feature in Yandex Browser that lets users view a list of all third-party trackers and choose which of them to allow or block.

Protection from scammers

A set of features that remove fraudulent web links from the search index to protect banking details and transactions. Yandex Browser also displays website reviews to warn about risks.

Yandex password manager

Automated generation of strong, unique passwords and built-in password storage for secure yet seamless authorization.

Bug Bounty Program

Is there something our data security specialists possibly overlooked? We encourage programmers from outside of Yandex to help us safeguard our products and services by participating in a Bug Bounty contest for identifying vulnerabilities. Contestants who succeed in reporting a vulnerability get a cash prize and are also featured in the Hall of Fame on the contest’s official webpage. There are three streams within the Bug Bounty program, each with its own rules and regulations.

About Cybersecurity System

At Yandex, everybody is responsible for keeping users’ data safe. While there is a dedicated Information Security Department headed by the Chief Information Security Officer and an appointed Chief Privacy Officer, who are in charge of in-depth oversight and reporting to the Board of Directors, all our employees are regularly trained on information security and personal data protection and are expected to follow strict security guidelines.

Cybersecurity risk monitoring is a continuous process that is accompanied by proactive measures to detect vulnerabilities, such as sensitivity testing, as well as clear protocols on how to act in case an incident has occurred. While we have been working hard over the years to build secure, reliable systems that make such incidents highly unlikely, there is always a negligible chance of one, and we want to stay vigilant about it. We believe honest communication is the key to minimizing damage and are therefore committed to informing our users immediately if their data has been compromised.

  • We empower users to manage their data.
  • We only use our users’ data to create new services for them and improve those that already exist.
  • We never sell any user data to anyone.
  • We only process personal data for a specific purpose.
  • We only keep personal data for as long as it is necessary to fulfil the purpose for which it was collected or to comply with legal and regulatory requirements.
  • If we are required to disclose our user information at the request of a law enforcement agency, we do so in strict accordance with the law and only to the minimum extent necessary. We regularly report on the number of requests where some information was disclosed in our Transparency Report.
  • We commit to acting in strict compliance with applicable data protection laws.