Federal Law 152-FZ Cloud

Cloud infrastructure for storing employees' or customers' personal data in a secure environment in accordance with the requirements of Federal Law No. 152 "On Personal Data".

152-FZ Compliant Hosting

Simplify compliance with Russia’s strict data protection laws. Our cloud infrastructure ensures your business avoids legal risks while securely storing personal data of Russian citizens.

Solutions built on both international and Russian software (including import-substitution products).

White Paper on the processing of personal data
We have updated the White Paper. This is a detailed guide to personal data protection according to 152-FZ.

What Data Protection Level Do You Need?

Russian law classifies personal data into four categories. Let our experts help you determine your requirements:

Public Data (Level 1)

Openly available information shared with consent. Example: Race participant lists published online.

Biometric Data (Level 2)

Unique biological traits that allow an individual to be identified. Example: fingerprints or DNA.

Special Data (Level 3)

Sensitive details: health records, political views, ethnicity.

Other Data (Level 4)

General personal info: employee salaries, partner details, vacation dates.


Protection requirements depend on your data type and usage. Book a free consultation to assess your needs.


Our Compliance Services

Meeting Federal Law 152-FZ can be complex. Cloud4Y’s security specialists handle every step:

  1. Audits & protection level assessments.
  2. Threat modeling using FSB-approved methods.
  3. Custom security architecture design.
  4. Documentation (technical designs, organizational policies).
  5. Implementation of encryption, firewalls, antivirus, and more.
  6. Compliance testing aligned with FSTEC Order No. 21.


Why Store Data in Cloud4Y?

  • Certified infrastructure (УЗ1-4, 1К, 1Г)
  • FSB & FSTEC-licensed security tools.
  • Certificates for cloud security elements
  • Protection against unauthorized access to data
  • SQL, 1C, and database support.

Independent Compliance vs. Cloud4Y Hosting

The table compares the benefits of hosting personal data information systems in the protected cloud with independent organization and certification of the infrastructure.

| Independent Setup | Cloud4Y Hosting |
| --- | --- |
| Full legal responsibility | Zero liability – we handle compliance |
| High upfront costs for licenses/equipment | No CAPEX – use our certified tools |
| Mandatory infrastructure certification | Pre-certified (meets 1УЗ, 1Г, 1К standards) |
| Wasted resources (30%+ idle) | Hourly billing – pay only for active usage |
| Need in-house IT security team | 24/7 expert support included |
| Manual audits & reporting | We manage all documentation |




How We Protect Your Data

To bring the infrastructure into compliance with the requirements of Federal Law No. 152, information protection is examined at the data center level and at the provider level.

Data Center Level

  • Tier III data centers
  • 24/7 security, video surveillance, access control
  • Uninterruptible power supplies, diesel generators
  • Fire suppression systems.

Provider Level

  • Organizational: development of internal documents governing the processing of personal data, the identification of responsible persons, the determination of the level of protection of personal data and the protection requirements.
  • Technical: firewalls, Dr.Web antivirus, encryption, access logs.


    [Diagram: how the 152-FZ Cloud works]

    Why trust Cloud4Y
    16 years in cloud computing
    The company has operated successfully on the international cloud market since 2009.
    Reliable infrastructure
    4 TIER III data centers, Enterprise level hardware and software: HP, Cisco, Juniper, NetApp, VMware, Veeam, Microsoft, etc.
    SLA 99.982%
    Optical ring, MetroCluster and redundancy mechanisms guarantee fault tolerance of services up to SLA 99.99%.
    Transparent Billing Options
    Hourly billing and pay-as-you-go allow you to pay only for the resources consumed.
    Geo-Distributed Backup
    Automatic backup (14 restore points) in a separate remote data center.
    Flexible scalability
    You can increase or reduce the amount of resources without contacting technical support.
    24/7 technical support
    If a technical issue occurs, our team of support experts is available round the clock; response time is 10 minutes.
    Partner Program
    Earn up to 35% of your annual contract. White Label is available.


    Templates

    You can find the list of regulatory legal acts, which establish mandatory requirements for the activities of legal entities and individual entrepreneurs to monitor the compliance of personal data processing with the requirements of the legislation of the Russian Federation in the field of personal data here.



    FAQ

    What is the essence of the Federal Law-152 Cloud Service?
    We have built a secure circuit in our data centre, which has been certified for security requirements in accordance with Federal Law-152 and has received a certificate of compliance for the protection of personal data up to and including security level 1. And we help our customers to solve the compliance problem from a technical point of view. Government agencies may also be interested in the Class 1 Certificate of Conformity for State Information Systems (according to the 17th Order of the FSTEC) and the Class 1G Certificate of Conformity for the Protection of Confidential Information (according to the STR-K).

    Who is a personal data operator according to the Federal Law No. 152?
    The personal data operator under Federal Law No. 152 is a legal entity, natural person, state or municipal authority that processes and collects personal data for purposes other than labour law purposes and determines the purposes and content of such processing of personal data.

    What is the purpose of the Federal Law No. 152 "On personal data"?
    The purpose of the 152-FZ initiative is defined by Article 2 of the Federal Law of 27.07.2006 No. 152-FZ (ed. 31.12.2017) "On Personal Data": "The purpose of this Federal Law is to ensure the protection of human and civil rights and freedoms in the processing of personal data, including the protection of the right to privacy, personal and family secrecy".

    Who is subject to the requirements of Federal Law No. 152?
    The legislation applies to any company, state or local authority or natural person who processes personal data for purposes other than compliance with labour law. The list of sectors for which the processing of personal data is a priority is as follows:
    • Medicine (public and private)
    • Educational institutions
    • Financial institutions
    • Insurance sector
    • Mobile phone operators
    • Travel industry companies
    • Recruitment agencies
    • Passenger transport
    • Real estate companies
    • HR and accounting departments of any company

    What are the penalties for violating Federal Law FZ-152?

    To date, fines under 152-FZ and other measures of responsibility are established by the Federal Law FZ No. 405 "On Amendments to Certain Legislative Acts of the Russian Federation", which entered into force on 02 December 2019.

    The violation in question is "Failure of the operator in the collection of personal data... to ensure the recording, systematisation, accumulation, storage, clarification (updating, modification) or retrieval of personal data of Russian citizens using databases located on the territory of the Russian Federation", under Article 13.11 of the Code of Administrative Offences.

    The administrative fine for a first violation of the requirements of the legislation is up to 50,000 rubles for citizens, up to 200,000 rubles for officials and up to 6,000,000 rubles for legal entities. In the event of repeated violations, the amount of the fine may be increased by a factor of 2 or even 4: up to 100,000 rubles for citizens, up to 800,000 rubles for officials and up to 18,000,000 rubles for legal entities.


    How much does it cost to protect personal data under the Federal Law No. 152-FZ?
    The cost of organizing protection depends on whether you decide to 'build' and certify the infrastructure yourself or use a cloud provider. In our experience with customers, renting cloud resources is often 30-50% cheaper over a long-term horizon of 2-5 years. The cost is calculated individually for each customer, taking into account volume, security level and hosting terms.

    Can you help with documentation?
    Yes, we can provide ready-made templates or prepare everything on a turnkey basis.

    How is the data transmission channel organized?
    A channel encrypted with Russian GOST algorithms is set up through a ViPNet Coordinator.

    Is it considered redundant to store personal data of different organizations in one database?
    In practice, keeping a single database of personal data of several organisations is a common solution. But in this case, is Article 5 of the Federal Law on Personal Data 152 still complied with from the point of view of data redundancy? Won't the personal data of the employees of one organization be considered redundant in relation to another organization? What is the correct way to prepare documents for each organization if the information system is shared and the information in it is redundant?

    In fact, the redundancy concerns the composition of the data subject's personal data. For example, information on medical diagnoses or biometric data is redundant for the purpose of concluding an employment contract. The retention of these data does not correspond to the stated purposes. There are no restrictions that would prohibit the processing of personal data in an information system by different legal entities. Many services on the Internet operate according to this model. For example, the CRM Bitrix24.

    In this case, however, it is important that the administrator of the information system sets up the protection system accordingly, so that the data of some users are not available to other users.


    What is hosting in compliance with Federal Law-152?
    This is a service providing storage and processing of personal data of citizens of the Russian Federation on servers located in Russia. According to this law, personal data operators are obliged to use such hosting solutions in order to comply with data protection and privacy requirements. Hosting providers must ensure compliance with the security requirements established by the FSTEC and protect the information from unauthorised access.

    Can personal data be stored abroad?
    According to Federal Law No. 152-FZ, it is prohibited to store personal data of Russian citizens abroad. All databases containing personal data must be located on the territory of the Russian Federation. Exceptions may be made only in certain cases of cross-border data transfer, but in general the law requires localisation of storage.

    What are the requirements for hosting providers?

    Hosting providers who handle personal data must comply with the following requirements:

    1. Registration and notification: Providers must notify Roskomnadzor of the start of their activities 15 working days in advance.
    2. Data protection: FSB data protection requirements must be implemented, including the appointment of a security officer and intrusion prevention measures.
    3. Data storage: All personal data must be stored in Russia and user information must be kept for 3 years.
    4. User identification: Providers must identify and authenticate customers using specified methods.
    5. Interaction with the FSB: Obligation to provide the necessary computing power for operational and investigative activities and to respect data confidentiality.

    These requirements are designed to protect personal data and ensure its security in accordance with the law.


    How do I check if my hosting provider is compliant with the requirements of the Federal Law-152?

    To check if your hosting provider is compliant with the requirements of FZ-152, follow the steps below:

    1. Ask for a certificate of compliance: Make sure the provider has an FSTEC certificate confirming that the infrastructure meets the requirements for the security of personal data.
    2. Review documentation: Familiarise yourself with the regulatory and methodological documentation confirming information protection measures and the organisation of personal data processing.
    3. Find out where the servers are located: Make sure that the provider's servers are located in Russia, which is a prerequisite for storing personal data of Russian citizens.
    4. Conduct a security audit: Ask for information on audits and data security measures.
    5. Look for certified security measures: Ensure that the provider uses certified information security measures and complies with the requirements of FSTEC Order No. 21.

    These measures will help ensure that the hosting provider complies with the requirements of the legislation on the protection of personal data.



    If you have not found the answer to your question, go to our knowledge base, ask our consultants on the site using the online chat, or send a request to support using the ticket system.