We announced the Global Transparency Initiative in October 2017. Its purpose: to show the world that we have nothing to hide, and that our customers can trust us. We aimed to prove it, too — not just ask for trust.
We will update this post as the project matures.
Update: November 17, 2020
The relocation of data processing and data storage, announced in November 2018, is complete. In addition to Europe, the United States and Canada, Kaspersky has also relocated data storage and processing for a number of Asia-Pacific countries including Australia, New Zealand, Japan, Bangladesh, Brunei, Cambodia, India, Indonesia, South Korea, Laos, Malaysia, Nepal, Pakistan, the Philippines, Singapore, Sri Lanka, Thailand, and Vietnam.
We now process the customer threat-related data shared by users in those locations in two data centers in Zurich, Switzerland. That data includes suspicious or previously unknown malicious files that our products send to the Kaspersky Security Network (KSN) for automated malware analysis.
We announce the opening of our North American Transparency Center in partnership with the CyberNB Association, a nonprofit organization in New Brunswick, Canada. The facility will start operating in early 2021. The company’s fifth location will provide Kaspersky’s partners with the opportunity to review our source code and to learn more about engineering and data-processing practices, as well as our product portfolio.
Earlier in 2020, Transparency Centers in São Paulo and Kuala Lumpur became fully operational. Kaspersky has also relaunched its first Transparency Center in Zurich, which we relocated to the Interxion data center.
Given the challenging travel and visitor restrictions in place at the moment, customers and partners can also review the source code remotely. To request remote access to Kaspersky Transparency Centers, follow this link.
We have launched the Cyber Capacity Building Program, announced in May 2020, alongside Vietnam’s Authority of Information Security (AI), which includes the country’s national CERT and National Cyber Security Centre (NCSC). The program now includes an additional section on code fuzzing, conducted with Kaspersky’s ICS CERT Team. In 2021, the program will be available to business partners and other companies to enhance their readiness as well as to gauge the resilience of their systems and networks against supply-chain risks. To request access, follow this link.
We’ve expanded the product scope of our bug bounty program. Researchers can now submit vulnerability reports relating to Kaspersky VPN Secure Connection, including third-party software modules that are part of the VPN solution. Since March 2018, our program has seen 76 bugs resolved and 37 reports rewarded with total bounties of $57,750.
Update: February 13, 2020
We continue to make progress in the development of our Global Transparency Initiative. As part of this process, we have achieved ISO/IEC 27001:2013 certification. Issued by TÜV AUSTRIA, the certification confirms that our company’s data security systems, including Kaspersky Security Network, meet industry best practices.
To be certified, we had to prove our adherence to standards of implementing, monitoring, maintaining, and continually improving our Information Security Management System (ISMS).
The assessment by independent certification body TÜV AUSTRIA covered management systems for the delivery of malicious and suspicious files using the Kaspersky Security Network (KSN) infrastructure, as well as safe storage and access to these files in our Distributed File System (KLDFS), and it included our data centers in Zurich, Switzerland; Frankfurt, Germany; Toronto, Canada; and Moscow, Russia.
Certification is publicly available on TÜV AUSTRIA’s Certificate Directory and also on our website. The ISO 27001 audit further assures our partners and customers not only that our products and services are the best when it comes to protection from cyberthreats, but also that we treat customer data with the highest level of respect and care.
Update: November 13, 2019
Today we announce our fourth Transparency Center, slated to open in São Paulo, Brazil, in January 2020. It will be our first in Latin America, following on the company’s European Transparency Centers in Madrid and Zurich and its Asia-Pacific Transparency Center in Cyberjaya, Malaysia. The new center is a further reflection of our commitment to demonstrate that we are transparent and can address any security issues promptly and thoroughly.
Our data storage and processing infrastructure relocation is progressing. Following the migration of our European customers’ data to Switzerland, now we are starting to move US and Canada customer data as well. The data is shared voluntarily with the Kaspersky Security Network (KSN), our advanced, cloud-based system that automatically processes cyberthreat-related data. We expect to complete this stage of the migration by the end of 2020 and we will steadily add other regions.
As an early signatory of the Paris Call for Trust and Security in Cyberspace, we were proud to announce these steps at the Paris Peace Forum 2019.
Our Transparency Center visitors gain the opportunity to learn more about engineering and data-processing practices, to compile, with the assistance of our experts, Kaspersky’s software from its source code, and to compare it with the publicly available code. We will also use the Center for demonstrating our portfolio as well as our engineering and data processing practices.
Update: August 15, 2019
We’re pleased to announce that our third Transparency Center will open in early 2020 in Cyberjaya, Malaysia. Like the ones we opened earlier in Zurich and Madrid, this Transparency Center will serve as a trusted facility for our partners and government stakeholders, a place where they can check the source code of our products. CyberSecurity Malaysia, the country’s cybersecurity agency, will host it.
Our CEO Eugene Kaspersky notes that this Transparency Center, the company’s first in the APAC region, shows that our pioneering Global Transparency Initiative, which aims to address the growing demand from partners and government stakeholders for more information on how our products and technologies work, remains on track.
Update: July 11, 2019
Our second Transparency Center opened in Madrid in June for Kaspersky’s customers and partners. We plan on having at least three Transparency Centers worldwide by 2020.
But that’s not all. An important part of our Global Transparency Initiative, the third-party Service Organization Controls (SOC 2 Type 1) review of Kaspersky’s cybersecurity risk management controls, has been completed. One of the Big Four auditors has reviewed our controls over regular automatic updates of antivirus databases for products for Windows and Unix Servers and concluded that development and release of these databases are protected from unauthorized changes. This serves as yet another confirmation that our products are secure and can be trusted. According to the terms of the contract, we can disclose the report to our clients and regulators upon request.
In addition, we’re continuing to expand our Bug Bounty program, and we recently joined the Disclose.io movement, which means that we now provide a Safe Harbor for vulnerability researchers looking into our products and guarantee that there will be no legal action against them. You can find more about Disclose.io in our blog post.
Update: April 2, 2019
Our Global Transparency Initiative is making good progress: Today we announce the opening of a second Transparency Center. It will be located in Madrid, Spain, and will serve the purpose of providing more information regarding how Kaspersky’s products and technologies work. In addition to that, the new Center will also serve as a briefing center where visitors can learn about our product portfolio, engineering, and data processing practices. We expect the Center’s first visitors this June. Plans to open Transparency Centers in Asia and North America in 2020 are ongoing.
Relocation of our data processing infrastructure is also on track. We have already relocated the receiving infrastructure to Switzerland and plan to finish relocating the storage part by the end of Q2. We expect to finalize full relocation of data processing for European customers by the end of this year.
In addition to that, we have published the results of a voluntary third-party legal assessment of Russian legislative acts and how they apply to Kaspersky. The assessment was conducted by Dr. Kaj Hober, professor of International Investment and Trade Law at Uppsala University in Sweden and an expert on the Russian legal system. The key findings are the following:
- Kaspersky may be asked by the federal security service (FSB) to cooperate with it, but the company is not obliged to do so.
- Laws that oblige vendors to assist the FSB with operational-investigative activities apply only to companies that provide electronic communication services, which Kaspersky is not.
- Laws that force companies to store data in Russia and provide it and encryption keys (to decrypt it) to the FSB apply only to telecom providers, and Kaspersky is not a telco.
Last but not least, we have improved our Bug Bounty program, adding Kaspersky Password Manager and Kaspersky Endpoint Security for Linux as well as some other products to the scope of the software available for review. So far, more than 50 bugs have been discovered and reported through the program, and researchers have been paid more than $17,000 in bounties for pointing them out.
Update: November 13, 2018
Our first Transparency Center is now officially open, enabling authorized partners to access reviews of the company’s code, software updates, and threat detection rules.
Starting today, we will also process malicious and suspicious files shared with us by users of Kaspersky products in Europe in our two world-class data facilities in Zurich.
As promised, Kaspersky has also contracted with one of the Big Four professional services firms to conduct an audit, under the SSAE 18 standard, of the company’s engineering practices around the creation and distribution of threat detection rule databases, to independently confirm their accordance with the highest industry security practices.
Update: August 29, 2018
We are making good progress, having already implemented one major change by raising our bug bounty to $100,000. This helped make our products more secure and reliable. At this point, we have also initiated the next phase of the Global Transparency Initiative project, installing the equipment necessary for relocating our user data processing to Europe.
Kaspersky has also signed contracts with two European providers — Interxion and NTS — to host the new infrastructure necessary to collect, process, and store customer data in Zurich, Switzerland, by the end of 2018, addressing concerns from public and private sector stakeholders regarding unauthorized access to customer data. Relocation of data processing and storage will begin with European customers, and other countries will follow. We plan to finalize full relocation for European countries in Q4 2019.
We chose the location for several reasons. On the one hand, Switzerland is located in the heart of Europe. On the other hand, Switzerland is not part of the EU, which makes it an independent country that can make its own decisions. We also find the symbolism appealing: One of our Global Transparency Initiative’s main principles is to show that we are independent, so there’s just no better place than Switzerland to start.
Switzerland is also well known for its highly innovative and advanced IT landscape, and for its strict regulations on processing data requests received from authorities. So, our customer data will be stored and processed in one of the most secure locations in the world.
Global Transparency Initiative phases
Other elements of our Global Transparency Initiative are also being developed.
We’re planning on opening our first Transparency Center in Switzerland. This is currently being set up and will be opened once we’re ready to start processing data in the Zurich data centers (this is scheduled for later this year).
UPDATE: We have opened four Transparency Centers, in Zurich, Switzerland; Madrid, Spain; Cyberjaya, Malaysia; and São Paulo, Brazil. We are about to open one more Center in New Brunswick, Canada.
We’re determined to relocate the facilities that are tasked with customer data processing for other countries too. This is quite a complicated process, so in order to minimize any potential disruption in protecting our customers, we’ve decided to stick to an incremental approach. So we’ll get back to this after we’ve finished relocating the data processing facilities for European citizens to Switzerland.
UPDATE: The relocation of data processing and data storage is complete. In addition to Europe, the United States and Canada, Kaspersky has also relocated data storage and processing for a number of Asia-Pacific countries.
The third-party code and processes review is also due to happen following the relocation; we are now looking for a suitable partner.
UPDATE: One of the Big Four auditors completed its audit using the SOC 2 Type 1 reporting framework.
Another part of our scope is moving the software and threat detection rules database assembly process to Switzerland. However, addressing concerns over unauthorized user data access was higher priority, so this move will happen after we have kicked off the data relocation process.
Implementing the Global Transparency Initiative is a very important process for us. We’re absolutely confident that investing time and effort into this lengthy project is necessary to prove that Kaspersky is fully transparent, independent, and has every reason to be trusted. As we are able to share more news about the ongoing processes of our Global Transparency Initiative, we’ll continue to update this blog as well as our Transparency Center website, so that everyone can find information about our transparency-related activities in one place.