KASPERSKY GLOBAL TRANSPARENCY INITIATIVE

Today, transparency is a vital element in the digital world we all rely on.
Kaspersky Global Transparency Initiative includes a number of actionable and concrete measures to engage with the wider cybersecurity community and stakeholders in validating and verifying the trustworthiness of its products, internal processes and business operations.

DATA, INDEPENDENT REVIEWS AND MORE...

Within the framework of our Global Transparency Initiative we have relocated our data storage and processing for a number of regions to Switzerland. We have also opened our first Transparency Center in the country.

User Data

User Data

Information received from users of Kaspersky products in Europe, the United States, Canada and several countries in the Asia-Pacific region is processed and stored on Swiss servers.

Transparency Center

Transparency Center

A facility for trusted partners and government stakeholders to review the company's code, software updates and threat detection rules. The company opened Transparency Centers in Zurich (Switzerland), Madrid (Spain), Kuala Lumpur (Malaysia), and São Paulo (Brazil).

Software Assembler

Independent review

Third-party assessment of internal processes to verify the integrity of Kaspersky solutions and processes:
• SOC 2 audit by one of the Big Four accounting firms;
• ISO 27001 certification for data security systems.

How it works

Why Switzerland?

- Long and famous history of neutrality, similar to our policy for the detection of malware: we detect and remediate any malware attack

- Robust approach to data protection legislation

TRANSPARENCY CENTERS

Transparency Centers serve as facilities for trusted partners to access reviews of the company’s code, software updates and threat detection rules, along with other activities. Through them, we provide governments and partners with information on our products and their security, including essential and important technical documentation, for external evaluation in a secure environment. They also serve as a briefing center where trusted stakeholders can learn more about the company’s portfolio, engineering and data processing practices.

Kaspersky Transparency Centers are operating in Zurich, Madrid, Kuala Lumpur and São Paulo. In early 2021, our North American Transparency Center will open in New Brunswick, Canada in partnership with the CyberNB Association.

At all of Kaspersky’s Transparency Centers, the company provides the opportunity to compile the company’s software from its source code and compare it with the publicly available one.

No other cybersecurity provider has done anything as far reaching as this. In opening its Transparency Centers, Kaspersky makes a significant step towards becoming completely transparent about its protection technologies, infrastructure and data processing practices.

To request access to the Transparency Center, please contact TransparencyCenter@kaspersky.com or visit the website.



INDEPENDENT AUDIT

Kaspersky continuously undertakes third-party assessments to verify the integrity of its solutions and processes. The company successfully completed the Service Organization Control for Service Organizations (SOC 2) Type 1 audit, conducted by one of the Big Four accounting firms.

The final report confirms that the development and release of Kaspersky’s threat detection rules databases (AV databases) are protected from unauthorized changes by strong security controls. To learn more and to request the Kaspersky SOC 2 Type 1 Report, please visit the website.

Kaspersky has also attained ISO27001 certification for its data services.



The next level of Data Protection!

While Kaspersky’s current data protection practices are implemented in accordance with the highest industry standards and provide an extremely high level of security for any information processed by the company’s products and services, the company continuously improves its procedures for the protection of its customers’ data.

Malicious and suspicious files voluntarily shared by users of Kaspersky products in Europe, the United States, Canada and several countries in the Asia-Pacific region* are processed and stored in two data centers in Zurich. These provide world-class facilities in compliance with industry standards to ensure the highest levels of security.

In addition, TÜV AUSTRIA has certified that Kaspersky applies a management system in line with the ISO/IEC 27001:2013 standard in the delivery of malicious and suspicious files using Kaspersky Security Network (KSN) infrastructure, as well as safe storage and access to these files in the company’s Distributed File System (KLDFS). This include the company’s data centers in Zurich, Switzerland; Frankfurt, Germany; Toronto, Canada; and Moscow, Russia. Learn more here.

* Australia, New Zealand, Japan, Bangladesh, Brunei, Cambodia, India, Indonesia, South Korea, Laos, Malaysia, Nepal, Pakistan, Philippines, Singapore, Sri Lanka, Thailand and Vietnam.


TRANSPARENCY REPORT

Kaspersky publicly shares its approach in responding to requests from global government and law enforcement agencies for two categories: user data and technical expertise. We also disclose information about the number of such requests by country.

Download Law enforcement and government requests report for 2020 and H1 2021.

Download the latest information about requests received from users.


Latest news on the Global Transparency Initiative

To keep you up-to-date with news on the relocation to Switzerland and the other activities that form part of our Global Transparency Initiative, we’ll be posting regular updates and progress reports in this section.


Our answers to your questions

  • Why is it important?

    Supply chain issues and ‘balkanization’ are major challenges for the security of today’s ultra-connected global landscape. To overcome them, the world needs trust and transparency in cybersecurity. We believe that companies will need to increase transparency in their products and business operations in order to earn and maintain trust. Our new measures demonstrate our approach for achieving that: through tangible, practical steps implemented within the overall framework of our Global Transparency Initiative

  • What is Kaspersky’s Global Transparency Initiative?

    Kaspersky’s Global Transparency Initiative (GTI) is a reaffirmation of the company’s commitment to earning and maintaining the trust of its most important stakeholders: its customers. It includes a number of actionable and concrete measures to involve external independent cyber security experts and others in validating and verifying the trustworthiness of the company’s products, its internal processes and business operations, and to introduce additional accountability mechanisms by which the company can further demonstrate that it addresses any security issues promptly and thoroughly.

    In the context of GTI, the storage and processing of user data, shared voluntarily with the Kaspersky Security Network, has been relocated from Russia to Switzerland.

    We have also opened Transparency Centers across the globe which serve as facilities for trusted partners and government stakeholders to review the company’s code, software updates, and threat detection rules; as well as a briefing center to learn more about Kaspersky’s engineering and data processing practices. Our Transparency Centers are open in Zurich, Switzerland, Madrid, Spain, Kuala Lumpur, Malaysia, and São Paulo, Brazil. In 2021, a new Transparency Center will open in New Brunswick, Canada.

  • Why did you decide to relocate infrastructure?

    The relocation reflects our willingness to address customer concerns by, firstly, moving some of our data storage and processing to a neutral region while maintaining our high global standards of data security and integrity.

    This move further demonstrates our enduring commitment to assuring the integrity and trustworthiness of Kaspersky solutions in the service of our customers, and to addressing any concerns outlined by regulators.

  • Why is data from some countries not moved to Switzerland, but will be processed in Russia? Based on what principle did you divide the countries for the relocation of data processing?

    A decision about the relocation of data processing for each country is based on market specifics, customer demands and local regulation. The company has moved data processing and storage for our customers in Europe, the United States, Canada, and several countries in the Asia-Pacific region.

  • How will the relocation affect the data of other users?

    There is no difference between Switzerland and Russia in terms of data processing. In both regions we adhere to our fundamental principle of respecting and protecting people’s privacy, and we will use a uniform approach to processing users’ data, with strict policies applied.

  • What will be available for independent review and assessment in the Transparency Center?

    Trusted partners will have access to the company’s code, software updates and threat detection rules, among other things.

    The Transparency Center’s functions include:

    - Access to secure software development documentation
    - Access to the source code of any publically released product
    - Access to threat detection rule databases
    - Access to the source code of cloud services responsible for receiving and storing the data of Kaspersky customers
    - Access to software tools used for the creation of a product (the build scripts), threat detection rule databases and cloud services

    We provide three options to government stakeholders and enterprise customers for independent assessment of Kaspersky products. Given the challenging travel and visitor restrictions, customers and partners now also have an opportunity to review the source code remotely. Learn more here.

  • Who is be able to review?

    Transparency Centers in Zurich and Madrid are open for inspections by trusted partners and government stakeholders. Please refer to our Access policy for more information.

  • What is a SOC 2 Type 1 report?

    A SOC 2 Type 1 report is designed to meet the needs of existing or potential customers who need assurance about the design and implementation of controls at a service organization. It covers controls that are relevant to the security, availability, or processing integrity of the system used by the service organization to process customers’ information, or the confidentiality or privacy of that information.

  • What are further steps to be taken in the framework of Global Transparency Initiative?

    We will continue to work with the community to prioritize transparency and accountability, and to enhance the security of modern software products, to further build consumer trust. Our core belief is that through collaborative multi-stakeholder efforts we are able to enhance confidence and trust in technology. More information about our transparency principles is available here.

  • How do you work with national law enforcement agencies?

    Kaspersky works with national, regional or international law enforcement organizations, such as INTERPOL, in the best interests of international cybersecurity, providing technical consultations or expert analysis of malicious programs to support cybercrime investigations and in accordance with applicable laws. We share our expertise, knowledge, technical findings and technical analysis of malicious programs during cybercrime investigations.

  • How do you then handle requests from LEAs in regards to the user data?

    All incoming requests go through a mandatory legal verification – this is our by-default rule to protect our users, ensure their security and privacy, and ensure Kaspersky’s compliance with applicable laws and procedures. Requests should be:

    - legally justified;
    - issued in accordance with applicable laws and legal procedures;
    - valid with the principles above;
    - technically feasible; and
    - their implementation should not affect the security or privacy of Kaspersky’s users, or the integrity of Kaspersky’s products and services.

    If requests fail to meet the five criteria, then we proceed further to reject or challenge the request or ask for additional clarifications. Where allowed by law, we will give prior notice to users whose data is requested. All requests are logged, and information about them is made public here