InCountry Verifies Compliance with the Russian Federal Law on Personal Data (No. 152-FZ)

For yet another year, InCountry has successfully verified compliance of its data residency-as-a-service platform with all the regulations and requirements of the Russian Federal Law on Personal Data (No. 152-FZ).

At InCountry, our commitment to data security and compliance goes beyond established protocols and industry compliance–it’s built into the foundation of our platform. We continually invest our time and resources in security best practices to ensure that your data stays safe with us. InCountry has already passed SOC2/3, PCI DSS, and ISO audits, so the annual verification of compliance with Federal Law No. 152-FZ “On Personal Data” ran smoothly for us.

What the Russian Federal Law on Personal Data (No. 152-FZ) covers

The Russian Federal Law on Personal Data (No. 152-FZ) was initially issued on 27 July 2006. It aimed to guarantee protection for individuals’ personal data and applied to operators of personal data that collect, use, or share such data.

Since 2006, a series of amendments (including Federal Law No. 242-FZ) has significantly changed the legal landscape for entities that wish to process and store personal data online and offline. These changes introduced the personal data localization requirements and gave more control to data subjects on the processing of their personal data.

Our trusted legal partner, CardSecurity, notes, “The main difficulties of being compliant with FZ-152 for international companies are: 

The rest of the technical requirements are pretty common. FZ-152 requires [companies] to have a sub-processing agreement with every sub-processor explicitly indicated in the user agreement. So, if a company processes the personal data of Russian citizens, there should be a Russian entry point for data collection and storage on Russian territory. And if any part of that is provided by a third-party service provider – there must be a way to show sub-processing agreements”.

What compliance with the Russian Federal Law on Personal Data (No. 152-FZ) means for businesses

The critical aspect of the Federal Law On Personal Data is that organizations and companies processing the personal data of Russian citizens or customers in Russia should first store this data within the territory of the Russian Federation before the data is replicated elsewhere. This requirement complicates the operation of SaaS companies that run their business in Russia or deal with Russian customers.

Compliance with this regulation requires operators of personal data to create regional datastores in Russia to store the personal data of Russian customers. The processing of Russians’ personal data abroad can only be performed after achieving compliance. This restriction significantly affects a company’s established infrastructure, leads to additional investments in business and operational processes, and imposes regular expenses on infrastructure maintenance for businesses operating in the region.

Why the Russian Federal Law on Personal Data matters

InCountry helps you localize and distribute regulated data in 90+ countries in full compliance with local data regulations. This makes the whole platform unique, as you don’t need to worry about data compliance requirements and infrastructure support since InCountry handles all these things. At InCountry, we heavily invest in developing infrastructure, fortifying its security, and meeting all the requirements of compliance legislation in countries of data residency service provision.

The Russian Federation is one of the most rapidly growing markets, so InCountry seeks to continually meet the most rigorous technical, availability, and security standards in the region. Our compliance with 152-FZ verifies that the InCountry platform operates in accordance with the Federal Law On Personal Data and encompasses all the best practices for localizing and distributing the personal data of Russian citizens.

How InCountry verified compliance with 152-FZ

Card Security LLC performed the 152-FZ compliance audit of InCountry in August 2021. The conducted audit verified that the InCountry platform provides the 1st level of data protection that enables it to store special categories of personal data of an unlimited number of data subjects.

The InCountry platform was assessed against 70 compliance criteria and was proven to be compliant with the requirements of:

  1. Federal Law No. 152 “On Personal Data,” dated July 27, 2006.
  2. “Requirements for Protection of Personal Data Processed in Personal Data Information Systems” approved by the Resolution of the Government of the Russian Federation No. 1119, dated November 1, 2012.
  3. “Scope and Contents of Technical and Organizational Measures for Ensuring the Security of Personal Data Processed in Personal Data Information Systems” approved by Order of FSTEC No. 21, dated February 18, 2013.

InCountry takes all the necessary measures and precautions to neutralize relevant threats to personal data, making the InCountry platform secure and reliable for storing the personal data of Russian citizens. Dmitry Nikiforov from the aforementioned CardSecurity, a security and compliance audit firm specializing in the Russian market, says,

InCountry provides a working mechanism for interacting with different types of IT systems as well as a secure and local platform for applying the mechanism. And it also takes over most of the legal routines with a contractor chain”.

You can get your free copy of the detailed audit report on our website.

How InCountry helps you with the localization and distribution of regulated data within the Russian Federation

“We continue to respond to new requests and challenges coming from our customers, like the retention of medical data in compliance with 152-FZ. For this purpose, we have completed a great scope of tasks that allowed us to upgrade our data protection level to the highest level. Our compliance with the requirements of the Russian Federal Law on Personal Data (No. 152-FZ) was audited and verified by Card Security LLC.” – Alexandr Garaga, Compliance Engineering Team Lead at InCountry

The InCountry platform provides data residency services for storing and localizing personal data in the country of its origin. When running a business in Russia without InCountry, your company will have to set up a datastore within Russian Federation territory and save all the personal data of Russian citizens there. Only then could you transfer this data somewhere else for further processing. This imposes additional restrictions on your information systems and requires significant customization of your existing data communication workflows and infrastructure deployment pipelines.

With InCountry, you get a data store compliant with local data regulations in the Russian Federation. You have a ready-to-use solution secured against any potential personal data threats. You need only to transfer the personal data of your Russian customers from your application to the InCountry platform and ensure that this personal data is first saved to the InCountry platform. Then you can copy this customer data to any other country.

This means your business no longer needs to deal with security assessments, compliance audits, or worry about security threats. If you simply outsource these responsibilities to InCountry by choosing the solution that fits your business best, your company is compliant and ready to process the data of Russian citizens. A comprehensive set of powerful tools provided by the InCountry platform enables you to fulfill the most demanding data management requirements within your applications or data communication pipelines. Are you using a SaaS service, like Salesforce or ServiceNow? Not a problem. InCountry provides a set of native integrations with the most popular cloud platforms in addition to our compliance certifications.

How to get started with the InCountry platform

Are you ready to take advantage of the InCountry platform’s capabilities? To get started, follow these three simple steps:

  1. Create your free account on the InCountry Portal.
  2. Create a new client or integration to communicate personal data between your application and the InCountry platform.
  3. Configure your application to transfer personal data to InCountry.

In addition, you get one free month of the service, so you can check how well it fits your needs. Need a consultation? Book your free personalized demo at our website to go over your company’s data residency needs.