Compliance
Compliance with the Russian legislation on personal data
K2 Cloud employs personal data (PD) protection measures according to Security Level 1 as per Decree No. 1119 by the Russian Government and FSTEC Order No. 21.
When hosting personal data in K2 Cloud, a customer may instruct K2 Integration (“K2”) to handle this data. In this case, K2 guarantees the confidentiality of hosted personal data and its security during processing, including protection as per Federal Law No. 152-FZ “On Personal Data” and delineating the areas of responsibility.
Compliance with the information security management standards
The information security management system of K2 Cloud complies with the Russian standard “GOST R ISO/IEC 27001-2021 — Information Technology. Security methods and tools. Information security management systems. Requirements”.
The ISO 27001-compliant ISMS uses a risk-oriented approach to information security management and guarantees reliable protection of information assets.
K2 Cloud ISMS compliance with GOST R ISO/IEC 27001-2021 is annually audited and certified by Test-St. Petersburg, a management system certifying body.
The information security management system of K2 Cloud complies with the Russian standard “GOST R ISO/IEC 27017-2021 — Information Technology. Security methods and tools. Code of practice for information security controls based on ISO/IEC 27002 for cloud services”.
The ISO 27017-compliant ISMS implements the cloud provider approach to information security management and guarantees reliable protection of information assets hosted in cloud services.
K2 Cloud ISMS compliance with GOST R ISO/IEC 27017-2021 is annually audited and certified by Test-St. Petersburg, a management system certifying body.
Compliance with the Payment Card Industry Data Security Standard (PCI DSS)
K2 Cloud infrastructure components comply with PCI DSS regarding payment card data security. This standard was developed by the Payment Card Industry Security Standards Council (PCI SSC), which was established by Visa, MasterCard, American Express, JCB, and Discover.
PCI DSS compliance certifies strong data protection in K2 Cloud and allows the use of cloud services for payment card data processing.
K2 Cloud compliance with PCI DSS is annually audited and certified by Compliance Control, a qualified security assessor.
Compliance with the security standard for financial transactions
K2 Cloud complies with the requirements of Russian standard GOST R 57580.1-2017 “Security of financial (banking) transactions. Protection of information in financial organizations” at the highest security level, UZ-1 (“Protection Level 1”). The total score is 0.92 out of 1.0, which corresponds to the highest degree of cloud platform compliance with the Central Bank requirements.
GOST R 57580.1-2017 compliance allows financial organizations to:
place in K2 Cloud the data that require protection in accordance with the regulations of the Central Bank of Russia;
migrate critical processes, including those related to financial transactions, to the cloud;
deploy the most protected security systems in the cloud;
ensure compliance with all requirements of the Russian legislation and the Central Bank of Russia.
CROC Cloud platform compliance with GOST R 57580.1-2017 is confirmed by a licensed auditor, Rapid Assessment Delivery Cooperative (RAD COP).
Data Center compliance with Uptime Institute TIER III standard
The K2 Kompressor Data Center, which hosts the ru-msk-comp1p availability zone, was awarded the Uptime Institute TIER III Certification of Operational Sustainability (TCOS).
This certification confirms efficient management and operation of the data center, the high skill level of its staff, and the elimination of risks in the operation of the data center.
K2 Kompressor Data Center has the following certifications by Uptime Institute:
Tier III Certification of Design Documents for K2 Kompressor Data Center.
Tier III Certification of Constructed Facility for K2 Kompressor Data Center.
Tier III Gold Certification of Operational Sustainability for K2 Kompressor Data Center.
Independent information security audits
K2 takes all measures to ensure the protection and security of user data in K2 Cloud. We regularly arrange independent audits to check the reliability of information protection systems and the effectiveness of information security management processes.
Security management and assurance mechanisms are checked regularly:
| Audit criteria | Auditing authority | Frequency |
|---|---|---|
| GOST R 27001-2021 | Test-St. Petersburg | Annually |
| GOST R 27017-2021 | Test-St. Petersburg | Annually |
| PCI DSS v. 3.2.1 | Compliance Control | Annually |
| Tier Certification of Operational Sustainability (TCOS) by Uptime Institute | Uptime Institute | At least every three years |
| Personal data legislation | FSTEC-licensed companies | Every three years |
In addition, independent companies regularly perform penetration tests (at least once a year and after critical changes) and scan K2 Cloud infrastructure components for vulnerabilities (at least four times a year and after necessary changes).