Kaspersky relocates data processing to Switzerland

Kaspersky is adapting to the needs of an ultra-connected world. A world in which people and organizations require greater transparency and trust. Starting from 2018, we are redesigning our infrastructure and moving the location for where we store and process some of our data, and build new software: the stuff that keeps our customers the world over safe from existing, new and emerging threats.

Data, Software Assembly and more...

Within the framework of our Global Transparency Initiative we are relocating to Switzerland the data storage and processing for a number of regions as well as our software assembly infrastructure. We have also opened our first Transparency Center in the country.

User Data

User Data

Information received from users of Kaspersky products in Europe, to be followed by other countries including the U.S., Canada, Australia, Japan, South Korea and Singapore, will be processed and stored on Swiss servers.

Software Assembler

Software assembly

Relocation of assembly line of Kaspersky products and threat detection rule databases (AV databases) to Switzerland, where they will also be signed with a digital signature before delivery to the endpoints.

Transparency Center

Transparency Center

A facility for trusted partners and government stakeholders to review the company's code, software updates and threat detection rules. The company opened Transparency Centers in Zurich and Madrid, and aims to have at least three Transparency Centers globally by 2020.

How it works

Why Switzerland?

- Long and famous history of neutrality, similar to our policy for the detection of malware: we detect and remediate any malware attack

- Robust approach to data protection legislation

The Independent third-party organization

A new, non-profit organization qualified to conduct technical software reviews. The organization is currently working to onboard several partners.

TRANSPARENCY CENTERS

Transparency Centers serve as facilities for trusted partners to access reviews of the company’s code, software updates and threat detection rules, along with other activities. Through them, we provide governments and partners with information on our products and their security, including essential and important technical documentation, for external evaluation in a secure environment.

Kaspersky’s first Transparency Center was open in November 2018 in Zurich, Switzerland. In June 2019 another Transparency Center was opened in Madrid that also serves as a briefing center where trusted stakeholders can learn more about the company’s portfolio, engineering and data processing practices.

No other cybersecurity provider has done anything as far reaching as this. In opening its Transparency Centers, Kaspersky makes a significant step towards becoming completely transparent about its protection technologies, infrastructure and data processing practices.

To request access to the Transparency Center, please contact TransparencyCenter@kaspersky.com or visit the website.



INDEPENDENT AUDIT

Kaspersky has successfully completed the Service Organization Control for Service Organizations (SOC 2) Type 1 audit conducted by one of the Big Four accounting firms.

The Service Organization Controls (SOC) Reporting Framework is a globally recognized report for cybersecurity risk management controls, developed by the American Institute of Certified Public Accountants (AICPA) to inform customers about effective design and implementation of security controls. Being a responsible and transparent company for its customers, Kaspersky has chosen this standard to demonstrate the trustworthiness of its product and the company’s commitment to the AICPA Trust Service Principles and Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

The final report confirms that the development and release of Kaspersky’s threat detection rules databases (AV databases) are protected from unauthorized changes by strong security controls. To learn more and to request the Kaspersky SOC 2 Type 1 Report, please visit the website.



The next level of Data Protection!

While Kaspersky’s current data protection practices are implemented in accordance with the highest industry standards and provide an extremely high level of security for any information processed by the company’s products and services, the company continuously improves its procedures for the protection of its customers’ data.

From November 13, malicious and suspicious files voluntarily shared by users of Kaspersky products in Europe have started to be processed in two datacenters in Zurich. These provide world-class facilities in compliance with industry standards to ensure the highest levels of security.

The integrity and security of data processing and storage from users of Kaspersky Security Network’s (KSN) will be regularly checked and confirmed by an independent, third-party, Swiss-based organization. Moreover, every interaction between the data centers and Kaspersky’s security researchers around the world will be logged, and assessed if needed by the organization.


How our trusted Software Assembler works

Conveyor

Latest news on the Global Transparency Initiative

To keep you up-to-date with news on the relocation to Switzerland and the other activities that form part of our Global Transparency Initiative, we’ll be posting regular updates and progress reports in this section.


Our answers to your questions

  • Why is it important?

    Supply chain issues and ‘balkanization’ are major challenges for the security of today’s ultra-connected global landscape. To overcome them, the world needs trust and transparency in cybersecurity. We believe that companies will need to increase transparency in their products and business operations in order to earn and maintain trust. Our new measures demonstrate our approach for achieving that: through tangible, practical steps implemented within the overall framework of our Global Transparency Initiative

  • What is Kaspersky’s Global Transparency Initiative?

    Kaspersky’s Global Transparency Initiative (GTI) is a reaffirmation of the company’s commitment to earning and maintaining the trust of its most important stakeholders: its customers. It includes a number of actionable and concrete measures to involve external independent cyber security experts and others in validating and verifying the trustworthiness of the company’s products, its internal processes and business operations, and to introduce additional accountability mechanisms by which the company can further demonstrate that it addresses any security issues promptly and thoroughly.

    In the context of GTI, the storage and processing of user data, shared voluntarily with the Kaspersky Security Network, together with our software development infrastructure will all be relocated from Russia to Switzerland.

    In November 2018 we opened our first Transparency Center, in Switzerland, which serves as a facility for trusted partners and government stakeholders to review the company’s code, software updates, and threat detection rules. The company has also opened a Transparency Center in Madrid in June 2019. In addition to being a code review facility, the new center will function as a briefing center to learn more about Kaspersky’s engineering and data processing practices.

  • Why did you decide to relocate infrastructure?

    The relocation reflects our willingness to address customer concerns by, firstly, moving some of our data storage and processing to a neutral region while maintaining our high global standards of data security and integrity. And secondly, by assembling software and database updates so that an independent third party can easily ensure the source code from which final products and threat detection rule updates are assembled is the same as that available for security assessment in the Transparency Center.

    This move further demonstrates our enduring commitment to assuring the integrity and trustworthiness of Kaspersky solutions in the service of our customers, and to addressing any concerns outlined by regulators.

  • Why is data from some countries not moved to Switzerland, but will be processed in Russia? Based on what principle did you divide the countries for the relocation of data processing?

    The current list is an initial one. The list of countries for which data will be processed and stored in Switzerland will be further extended.

  • How will the relocation affect the data of other users?

    There will be no difference between Switzerland and Russia in terms of data processing. In both regions we will adhere to our fundamental principle of respecting and protecting people’s privacy, and we will use a uniform approach to processing users’ data, with strict policies applied.

  • What is a new independent, third party organization that will be reviewing your processes in Switzerland?

    Since transparency and trust are becoming universal requirements across the cybersecurity industry, Kaspersky is supporting the creation of a new, non-profit organization to take on this responsibility, not just for the company, but for other partners and members who wish to join. The details of the new organization are currently being discussed and will be shared as soon as they are available.

  • What will be available for independent review and assessment in the Transparency Center?

    Trusted partners will have access to the company’s code, software updates and threat detection rules, among other things.

    The Transparency Center’s functions include:

    - Access to secure software development documentation
    - Access to the source code of any publically released product
    - Access to threat detection rule databases
    - Access to the source code of cloud services responsible for receiving and storing the data of Kaspersky customers
    - Access to software tools used for the creation of a product (the build scripts), threat detection rule databases and cloud services

    We provide three options to government stakeholders and enterprise customers for independent assessment of Kaspersky products. Learn more here.

  • Who is be able to review?

    Transparency Centers in Zurich and Madrid are open for inspections by trusted partners and government stakeholders. Please refer to our Access policy for more information.

  • What is a SOC 2 Type 1 report?

    A SOC 2SM Type 1 report is designed to meet the needs of existing or potential customers who need assurance about the design and implementation of controls at a service organization. It covers controls that are relevant to the security, availability, or processing integrity of the system used by the service organization to process customers’ information, or the confidentiality or privacy of that information.

  • What are further steps to be taken in the framework of Global Transparency Initiative?

    We will continue to expand our transparency policy to further demonstrate that we address any security issues promptly and thoroughly. The company had announced plans to have three transparency centers worldwide by 2020. More information about our transparency principles is available here.