Kaspersky’s approach toward data processing
Kaspersky’s approach to processing user data is based on respecting and protecting people’s privacy, as well as a commitment to transparency and accountability.
The data sent to Kaspersky by users is not attributed to a specific individual or organization and is anonymized wherever possible. Actions to achieve this include deleting account details from transmitted URLs, obtaining hash sums of threats instead of the exact files, obscuring user IP addresses, etc.
Users of Kaspersky products can choose if they want to provide data, and how much they want to provide, based on the functionality of the product or service they want to use, and the respective agreements accepted.
Kaspersky always provides information concerning data processing - in particular, the complete list of data that will undergo processing to ensure that customers can make informed decisions. Every six months in our Transparency report, we publicly share information on how many data requests we have received and processed from our users.
All data processed and/or transferred is robustly secured through encryption, digital certificates, segregated storage, strict data access policies, and by other methods. The company also applies the Secure Software Development Framework (SSDF) and implements supply chain risk management controls to secure its infrastructure and systems for data processing.
Kaspersky constantly reviews the type of data processed by its solutions to protect our customers’ privacy and comply with the very latest legal requirements, such as the GDPR in Europe.
Do you process personal data?
In accordance with some legal frameworks (like the GDPR), information processed by Kaspersky may contain data that could be considered as personal or personally identifiable. Kaspersky never processes “sensitive” personal data such as religion, political views, sexual preferences, health or other special categories of personal data.
Kaspersky always provides information concerning data processing – in particular, the complete list of data that will undergo processing to ensure that customers are kept in the know and can make informed decisions. Details of the data processed can be found in the End-User License Agreement (EULA), the Kaspersky Security Network (KSN) statement and in other agreements, which differ depending on the product. The data sent to Kaspersky by users is used in the form of aggregated statistics and is not attributed to a specific individual, being anonymized wherever possible.
What data is processed?
Kaspersky may process cyberthreat-related data and statistics. The cyberthreat-related data includes suspicious and malicious files as well as so-called statistics. Here, "statistics" means meta information: supplementary technical information about events that happened on a customer's machine, which our products might send depending on various factors, e.g. user activities, Kaspersky product settings, the configuration of the operating system on which a Kaspersky product is installed, and other software installed on the system. Details of all the data processed can be found in the End-User License Agreement (EULA), the Kaspersky Security Network (KSN) statement and other documentation, which differ depending on the product.
How do you protect user data?
We are committed to protecting our customers’ data at all times. In order to do this, we use best-in-class technologies. The security measures and processes undertaken by Kaspersky include:
- Security Development Lifecycle – aimed at the secure development of solutions and patching of all potential vulnerabilities as soon as possible;
- Strong encryption to protect data streams exchanged between user devices and the cloud;
- Encryption of user information in services such as Kaspersky Password Manager and Kaspersky Safe Kids. Users have a main key, which means no one other than that specific user has access to their information;
- Digital certificates to ensure legitimate and secure server authentication and product updates;
- Segregated storage, meaning different data is stored in different servers with restricted access rights and strict data access policies;
- Data is anonymized wherever possible by various methods, such as deleting account details from transmitted URLs, obtaining hash sums of threats instead of the exact files, obscuring user IP addresses etc.
How do you anonymize the data you process?
Kaspersky takes user privacy very seriously. The company implements the following measures to anonymize obtained data:
- The information is analyzed in the form of aggregated or anonymized statistics and is not attributed to specific persons;
- Logins and passwords are filtered out from transmitted URLs, even if they are mentioned in the initial browser request from the user;
- When we process possible threat data, we get a hash sum, which is a one-way math function that provides a unique file identifier;
- Where possible, we obscure IP addresses and device information from the data received;
- The data is stored on separate servers with strict policies regarding access rights, and all the information transferred between the user and the cloud is securely encrypted.
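The URL-filtering, hashing and IP-obscuring steps listed above can be expressed as a small pre-transmission pipeline. The following is an added illustration, not Kaspersky's own code: the event field names, the choice to truncate IPv4 addresses to /24 and IPv6 addresses to /48, and the sample event are all assumptions made for the example.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Fields that may be forwarded unchanged (assumed allowlist for this example).
# Anything not listed here and not explicitly transformed below is dropped,
# so a new field added to an event cannot leak by accident.
ALLOWED_FIELDS = {"timestamp", "verdict", "product_version"}


def strip_url_credentials(url: str) -> str:
    """Remove any user:password@ portion from the URL authority.

    Login and password may appear in the original browser request; they are
    never needed to classify a URL, so they are dropped before transmission.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:              # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def file_hash(data: bytes) -> str:
    """One-way identifier for a file: the SHA-256 hex digest of its contents."""
    return hashlib.sha256(data).hexdigest()


def obscure_ip(ip: str) -> str:
    """Coarsen a client address to its network prefix.

    Assumed prefix lengths: /24 for IPv4, /48 for IPv6. The host bits are
    zeroed, so the result identifies a network, not a device.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_interface(f"{ip}/{prefix}").network.network_address)


def anonymize_event(event: dict) -> dict:
    """Build the record that leaves the device from a raw telemetry event."""
    out = {k: event[k] for k in ALLOWED_FIELDS if k in event}
    if "url" in event:
        out["url"] = strip_url_credentials(event["url"])
    if "file_bytes" in event:
        # The file itself stays on the device; only its hash is sent.
        out["file_sha256"] = file_hash(event["file_bytes"])
    if "client_ip" in event:
        out["client_net"] = obscure_ip(event["client_ip"])
    return out


# Constructed sample event (not real telemetry) for demonstration.
SAMPLE_EVENT = {
    "timestamp": "2024-01-01T12:00:00Z",
    "verdict": "suspicious",
    "product_version": "0.0.0-example",
    "url": "https://alice:s3cret@example.com:8443/login?next=/home#top",
    "file_bytes": b"hello",
    "client_ip": "203.0.113.77",
    "hostname": "ALICE-LAPTOP",   # not allowlisted: must not be forwarded
    "username": "alice",          # not allowlisted: must not be forwarded
}

if __name__ == "__main__":
    for key, value in anonymize_event(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

The allowlist is the important design choice: a blocklist of "known sensitive" fields silently fails when a new field is added to the event schema, whereas an allowlist fails closed.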
Where does Kaspersky store data?
Kaspersky is a global company and our infrastructure for data processing is distributed across the globe (e.g., in Switzerland, Germany, Russia, Canada, etc.), enabling faster processing of information and guaranteeing server availability should one of them fail for any reason. The detailed list of countries where the personal data provided may be processed is available here: https://www.kaspersky.com/products-and-services-privacy-policy.
As part of our Global Transparency Initiative (GTI), Kaspersky relocated part of its data processing infrastructure: malicious and suspicious files voluntarily shared by users of Kaspersky products in Europe, North and Latin America, the Middle East, and several countries in Asia-Pacific, are processed in two data centers in Zurich, Switzerland. These centers provide world-class facilities in compliance with leading security standards. In addition, Switzerland is among the few countries that have an adequacy decision with the EU, meaning that it was recognized by the European Commission for providing adequate protection of personal data.
What is Kaspersky Security Network?
Kaspersky Security Network (KSN) is one of Kaspersky's main cloud systems, created to maximize the effectiveness of discovering new and unknown cyberthreats and thereby ensure the quickest and most effective protection for users. KSN automatically processes cyberthreat-related data received from millions of devices owned by Kaspersky users who have chosen to use this system. This cloud-based approach is now the industry standard, applied by many global cybersecurity vendors.
What is a ‘cloud-based’ system?
This is a system that runs on a company’s servers, rather than on individual devices, which can be used over the internet from anywhere in the world. Examples of cloud systems include email, file sharing and file hosting. Kaspersky Security Network’s services are located in different countries around the world (Canada, Germany, Switzerland, Russia, etc.), enabling faster processing of information and guaranteeing server availability should any one of them fail.
What is the purpose of cloud-based protection?
Most cybersecurity vendors use the cloud to improve protection levels, and a hybrid protection model (antivirus databases + proactive defense + the cloud) is the most effective.
The high performance of the security cloud enables us to analyze cyberthreats faster and more accurately. While the traditional cycle of updating antivirus and anti-phishing databases usually takes several hours, the cloud can provide users with protection against a new threat in minutes.
Using the cloud can also make a security product ‘lighter’, keeping it from taking up too much memory and resources on the user device.
Can data processing be limited?
Our customers can choose if and how much data they want to provide, based on the functionality of the product or service they want to use and the respective accepted agreements. Kaspersky always provides information concerning data processing – in particular, the complete list of data that will undergo processing, to ensure that customers can make informed decisions. Also, on a regular basis Kaspersky publicly discloses information on how many data requests have been received and processed from our users in its Transparency report. The latest report is available here.
Our customers can configure their solutions so that no data is shared at all, as well as exercise the right to access their processed personal data by contacting us directly at https://support.kaspersky.com/general/privacy.
Do you share personal data, processed by Kaspersky solutions, with third parties?
We never provide any third party or any government organization with access to the company’s infrastructure, including user data infrastructure.
Kaspersky may share data with its vendors under data processing agreements concluded with them. These vendors provide services to Kaspersky and include Amazon cloud, Microsoft Azure, etc.
Have you certified your data-processing methods?
To confirm that the company applies the highest security for our users, Kaspersky's data services periodically pass third-party security audits and assessments. In particular, the company's data services have been certified for ISO 27001 and were re-certified in 2022 with an extended scope, so that data services for processing both cyberthreat-related data and statistics are covered by the certification. The certification is valid for the company's data services located in data centers in Zurich, Frankfurt, Toronto, Moscow, and Beijing. Conformity with ISO/IEC 27001:2013 – internationally recognized as the industry best practice and applicable security standard – lies at the core of Kaspersky's approach to implementing and managing information security. The certification, granted by an accredited third-party certification body, demonstrates our commitment to strong information security and that Kaspersky's Data Service complies with industry-leading best practices. The final report of the re-certification is provided to our customers and partners upon request.