Kaspersky relocates data processing to Switzerland

Kaspersky is adapting to the needs of an ultra-connected world, one in which people and organizations require greater transparency and trust. Starting from 2018, we are redesigning our infrastructure and relocating where we store and process some of our data and where we build new software: the stuff that keeps our customers the world over safe from existing, new and emerging threats.

Data, Software Assembly and more...

Within the framework of our Global Transparency Initiative we are relocating to Switzerland the data storage and processing for a number of regions. We have also opened our first Transparency Center in the country.

User Data

Information received from users of Kaspersky products in Europe, the United States and Canada, with more regions to follow, will be processed and stored on Swiss servers.

Transparency Center

A facility for trusted partners and government stakeholders to review the company's code, software updates and threat detection rules. The company opened Transparency Centers in Zurich and Madrid. In 2020, new Transparency Centers will be opened in Kuala Lumpur, Malaysia, and in São Paulo, Brazil.

Software Assembler

Independent review

Third-party assessment of internal processes to verify the integrity of Kaspersky solutions and processes.
In 2019, Kaspersky achieved the SOC 2 Type 1 report in accordance with the SSAE 18 standard (Security criteria) issued by one of the Big Four accounting firms.

How it works

Why Switzerland?

- Long and famous history of neutrality, similar to our policy for the detection of malware: we detect and remediate any malware attack

- Robust approach to data protection legislation

TRANSPARENCY CENTERS

Transparency Centers serve as facilities for trusted partners to access reviews of the company’s code, software updates and threat detection rules, along with other activities. Through them, we provide governments and partners with information on our products and their security, including essential and important technical documentation, for external evaluation in a secure environment.

Kaspersky’s first Transparency Center was opened in November 2018 in Zurich, Switzerland. In June 2019, another Transparency Center was opened in Madrid; it also serves as a briefing center where trusted stakeholders can learn more about the company’s portfolio, engineering and data processing practices.

Kaspersky plans to open additional centers in Kuala Lumpur and São Paulo with the same functionality. At all of Kaspersky’s Transparency Centers, the company provides the opportunity to compile the company’s software from its source code and compare it with the publicly available one.

No other cybersecurity provider has done anything as far reaching as this. In opening its Transparency Centers, Kaspersky makes a significant step towards becoming completely transparent about its protection technologies, infrastructure and data processing practices.

To request access to the Transparency Center, please contact TransparencyCenter@kaspersky.com or visit the website.



INDEPENDENT AUDIT

Kaspersky has successfully completed the Service Organization Control for Service Organizations (SOC 2) Type 1 audit conducted by one of the Big Four accounting firms.

The Service Organization Controls (SOC) Reporting Framework is a globally recognized report for cybersecurity risk management controls, developed by the American Institute of Certified Public Accountants (AICPA) to inform customers about effective design and implementation of security controls. Being a responsible and transparent company for its customers, Kaspersky has chosen this standard to demonstrate the trustworthiness of its product and the company’s commitment to the AICPA Trust Service Principles and Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

The final report confirms that the development and release of Kaspersky’s threat detection rules databases (AV databases) are protected from unauthorized changes by strong security controls. To learn more and to request the Kaspersky SOC 2 Type 1 Report, please visit the website.



The next level of Data Protection!

While Kaspersky’s current data protection practices are implemented in accordance with the highest industry standards and provide an extremely high level of security for any information processed by the company’s products and services, the company continuously improves its procedures for the protection of its customers’ data.

From November 2018, malicious and suspicious files voluntarily shared by users of Kaspersky products in Europe have started to be processed in two datacenters in Zurich. These provide world-class facilities in compliance with industry standards to ensure the highest levels of security. As the next step, the company is moving the data of customers from the United States and Canada.

In addition, TÜV AUSTRIA has certified that Kaspersky applies a management system in line with the ISO/IEC 27001:2013 standard in the delivery of malicious and suspicious files using Kaspersky Security Network (KSN) infrastructure, as well as safe storage and access to these files in the company’s Distributed File System (KLDFS). This includes the company’s data centers in Zurich, Switzerland; Frankfurt, Germany; Toronto, Canada and Moscow, Russia. Learn more here.


Latest news on the Global Transparency Initiative

To keep you up-to-date with news on the relocation to Switzerland and the other activities that form part of our Global Transparency Initiative, we’ll be posting regular updates and progress reports in this section.


Our answers to your questions

  • Why is it important?

    Supply chain issues and ‘balkanization’ are major challenges for the security of today’s ultra-connected global landscape. To overcome them, the world needs trust and transparency in cybersecurity. We believe that companies will need to increase transparency in their products and business operations in order to earn and maintain trust. Our new measures demonstrate our approach to achieving that: through tangible, practical steps implemented within the overall framework of our Global Transparency Initiative.

  • What is Kaspersky’s Global Transparency Initiative?

    Kaspersky’s Global Transparency Initiative (GTI) is a reaffirmation of the company’s commitment to earning and maintaining the trust of its most important stakeholders: its customers. It includes a number of actionable and concrete measures to involve external independent cyber security experts and others in validating and verifying the trustworthiness of the company’s products, its internal processes and business operations, and to introduce additional accountability mechanisms by which the company can further demonstrate that it addresses any security issues promptly and thoroughly.

    In the context of GTI, the storage and processing of user data, shared voluntarily with the Kaspersky Security Network, together with our software development infrastructure will all be relocated from Russia to Switzerland.

    Also, we opened Transparency Centers in Zurich, Switzerland and in Madrid, Spain, which serve as a facility for trusted partners and government stakeholders to review the company’s code, software updates, and threat detection rules. In addition to being a code review facility, the Spanish Transparency Center functions as a briefing center to learn more about Kaspersky’s engineering and data processing practices. In 2020, new Transparency Centers will be opened in Kuala Lumpur, Malaysia, and in São Paulo, Brazil.

  • Why did you decide to relocate infrastructure?

    The relocation reflects our willingness to address customer concerns by, firstly, moving some of our data storage and processing to a neutral region while maintaining our high global standards of data security and integrity.

    This move further demonstrates our enduring commitment to assuring the integrity and trustworthiness of Kaspersky solutions in the service of our customers, and to addressing any concerns outlined by regulators.

  • Why is data from some countries not moved to Switzerland, but will be processed in Russia? Based on what principle did you divide the countries for the relocation of data processing?

    In November 2019, in addition to European users, the company started moving data processing and storage for our United States and Canadian customers. The list of countries for which data will be processed and stored in Switzerland will be further extended.

  • How will the relocation affect the data of other users?

    There is no difference between Switzerland and Russia in terms of data processing. In both regions we adhere to our fundamental principle of respecting and protecting people’s privacy, and we will use a uniform approach to processing users’ data, with strict policies applied.

  • What will be available for independent review and assessment in the Transparency Center?

    Trusted partners will have access to the company’s code, software updates and threat detection rules, among other things.

    The Transparency Center’s functions include:

    - Access to secure software development documentation
    - Access to the source code of any publicly released product
    - Access to threat detection rule databases
    - Access to the source code of cloud services responsible for receiving and storing the data of Kaspersky customers
    - Access to software tools used for the creation of a product (the build scripts), threat detection rule databases and cloud services

    We provide three options to government stakeholders and enterprise customers for independent assessment of Kaspersky products. Learn more here.

  • Who is able to review?

    Transparency Centers in Zurich and Madrid are open for inspections by trusted partners and government stakeholders. Please refer to our Access policy for more information.

  • What is a SOC 2 Type 1 report?

    A SOC 2 Type 1 report is designed to meet the needs of existing or potential customers who need assurance about the design and implementation of controls at a service organization. It covers controls that are relevant to the security, availability, or processing integrity of the system used by the service organization to process customers’ information, or the confidentiality or privacy of that information.

  • What are further steps to be taken in the framework of Global Transparency Initiative?

    We will continue to expand our transparency policy to further demonstrate that we address any security issues promptly and thoroughly. The company has announced plans to open Transparency Centers in Kuala Lumpur, Malaysia, and in São Paulo, Brazil, in 2020. More information about our transparency principles is available here.