Kaspersky’s approach toward data processing
Kaspersky’s approach to processing user data is based on respecting and protecting people’s privacy, as well as a commitment to transparency and accountability.
The main goal of data processing in our company is to provide our customers with the best cybersecurity solutions. To achieve this goal, generally we process data with three main purposes in mind: (a) supporting key product functionality, (b) increasing the performance and effectiveness of the protection components, and (c) offering improved, more suitable solutions to customers and providing them with appropriate content. More details can be found in our Products and Services Privacy Policy.
To achieve these goals, data does not always have to be linked to a specific individual, so it is anonymized wherever possible. Measures Kaspersky takes to this end include removing account details from transmitted URLs, using hash sums of suspected threats instead of the files themselves, obscuring user IP addresses, and others.
In most cases users of Kaspersky products can choose whether to provide personal data to the company and how much to provide, depending on the functionality of the products, services, and websites they use. They may also refrain from submitting information directly to Kaspersky.
Kaspersky always provides clear information concerning data processing — in particular, the complete list of data that will undergo processing to ensure that customers can make informed decisions. Kaspersky constantly reviews the type of data processed by its solutions to protect its customers’ privacy and to comply with the very latest legal requirements.
All data processed and/or transferred is robustly secured through encryption, digital certificates, segregated storage, strict data access policies, and by other methods. The company also applies the Secure Software Development Framework (SSDF) and implements supply chain risk management controls to secure its infrastructure and systems for data processing.
Every six months in our Transparency report, we publicly share information on how many data requests we have received and processed from our users.
Do you process personal data?
Under some legal frameworks (such as the GDPR), information processed by Kaspersky may contain data that could be considered personal or personally identifiable. Kaspersky products never process “sensitive” personal data of customers, such as religion, political views, sexual orientation, health or other special categories of personal data.
If the processing of personal data is necessary to achieve the objectives of the products or services, Kaspersky carefully analyses the purposes, composition and legal basis for processing the personal data in relation to the applicable law. The set of personal data processed always corresponds to the purposes of processing; our products and services do not collect or process excessive personal data. In addition, Kaspersky always provides all related information concerning data processing — in particular, the complete list of data that will undergo processing, to ensure that customers are kept informed and can make informed decisions. Details of the data processed can be found in the End-User License Agreement (EULA), the Kaspersky Security Network (KSN) statement, the Kaspersky Privacy Policy for Websites and Webservices and in other provided documents, which differ depending on the product or service. The data that we collect and process is used in the form of aggregated statistics and is not attributed to a specific individual, being anonymized wherever possible.
What data is processed?
Any modern IT service requires processing large amounts of data to operate efficiently. The composition of the processed data depends on the specific product or service. As a global cybersecurity leader, Kaspersky may process various cyberthreat-related data and statistics. The cyberthreat-related data includes suspicious and malicious files as well as statistics that allow for the identification of both already known information security threats and new malware and attacker methods. These statistics are also known as meta information: supplementary technical information about events that happened on a user’s machine, which our products might send depending on various factors, e.g. user activities, Kaspersky product settings, the configuration of the operating system on which a Kaspersky product is installed, and other software installed on the system. Details of all the data processed can be found in the End-User License Agreement (EULA), the Kaspersky Security Network (KSN) statement and other documentation, which differ depending on the product or service.
How do you protect user data?
The security and safety of user data is a priority for Kaspersky and the company follows a multi-faceted approach to mitigate any potential risks. Kaspersky has a mature security management policy in place, executed by a dedicated Information Security Department that is responsible for implementing the company’s security policy and strategy and carries out ongoing monitoring of security performance and evaluation of security processes’ effectiveness.
User data is protected using modern protection algorithms. The company ensures network and access security to prevent unauthorized access to user data and tightly controls physical access to its data infrastructure, which is secured with surveillance and alarm systems. The overall security of the company’s networks and systems is underpinned by measures including, but not limited to, continuous asset management, a holistic risk and vulnerability management process, regular compliance checks, and ongoing employee training. For more details on how we protect your privacy and data, please check Kaspersky’s Products and Services Privacy Policy.
How do you anonymize the data you process?
Kaspersky takes user privacy very seriously. The company implements the following measures to anonymize processed data:
- A layered approach that enhances protection and reduces re-identification risks, combining techniques such as generalization, randomization and differential privacy;
- Removing all direct identifiers (e.g., names, ID numbers) from processed data (e.g., URLs, files, etc.);
- Processing information in the form of anonymized, aggregated statistics that are not attributed to specific persons;
- Preventing linkage of anonymized data with other datasets that could re-identify individuals: the data is stored on separate servers with strict policies regarding access rights;
- Using hash sums when processing possible threat data: a hash is the output of a one-way mathematical function and serves as a practically unique identifier for a file without carrying the file’s contents;
- Documenting and regularly auditing the anonymization processes.
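The measures described earlier on this page (removing account details from URLs, submitting hash sums instead of files, obscuring IP addresses) and in the list above can be illustrated with a small endpoint-side scrubbing step. The following is an added example written for this page, not Kaspersky's own code: the record field names, the list of account-like query parameters, the /24 and /48 masking widths and the sample records are all assumptions. It also shows the caveat a practitioner would want: hashing works as an identifier for a file, but hashing a low-entropy value such as an IP address or an e-mail is not anonymization, because the input space is small enough to brute-force, which is why the address is truncated rather than hashed here.

```python
"""Added example: scrub a telemetry record before it leaves the device.
Not Kaspersky's code; field names, parameter list and prefix widths are assumed."""
import hashlib
import ipaddress
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters assumed to carry account or session details.
ACCOUNT_PARAMS = {"user", "username", "email", "token", "session", "sid", "auth", "password"}


def scrub_url(url: str) -> str:
    """Remove userinfo (user:pass@), account-like query parameters and the fragment.
    The host, port, path and remaining parameters are kept for threat lookups."""
    parts = urlsplit(url)
    netloc = parts.netloc.rsplit("@", 1)[-1]          # drop everything before '@'
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in ACCOUNT_PARAMS]
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(kept), ""))


def file_hash(data: bytes) -> str:
    """SHA-256 of the file bytes: a one-way identifier that lets the back end
    recognise the same sample again without receiving the file itself."""
    return hashlib.sha256(data).hexdigest()


def mask_ip(ip: str) -> str:
    """Generalise an address to its network (/24 for IPv4, /48 for IPv6).
    Truncation, not hashing: a hashed IPv4 address is trivially brute-forced."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def generalize_time(iso_ts: str) -> str:
    """Coarsen a timestamp to the hour so events cannot be matched to the second."""
    dt = datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))
    return dt.strftime("%Y-%m-%dT%H:00Z")


def anonymize_record(rec: dict) -> dict:
    """Apply all measures; the account field and raw sample never leave the device."""
    return {
        "url": scrub_url(rec["url"]),
        "client_net": mask_ip(rec["client_ip"]),
        "sha256": file_hash(rec["sample"]),
        "seen_hour": generalize_time(rec["seen_at"]),
    }


def aggregate_by_hash(records: list) -> dict:
    """Aggregated statistic: how many devices reported each sample."""
    return dict(Counter(r["sha256"] for r in records))


# Constructed sample telemetry; not real data.
SAMPLE_RECORDS = [
    {"account": "alice@example.com", "client_ip": "203.0.113.77",
     "url": "https://alice:s3cret@example.com/report?user=alice&id=42#frag",
     "sample": b"MZ\x90\x00fake-sample-1", "seen_at": "2024-05-01T13:47:22Z"},
    {"account": "bob@example.org", "client_ip": "203.0.113.9",
     "url": "http://example.org/dl?session=abc123&file=setup.exe",
     "sample": b"MZ\x90\x00fake-sample-1", "seen_at": "2024-05-01T13:59:01Z"},
    {"account": "carol@example.net", "client_ip": "2001:db8:1234:5678::1",
     "url": "https://example.net/x",
     "sample": b"#!/bin/sh\necho fake-sample-2\n", "seen_at": "2024-05-02T08:05:00Z"},
]

if __name__ == "__main__":
    scrubbed = [anonymize_record(r) for r in SAMPLE_RECORDS]
    for r in scrubbed:
        print(r)
    print(aggregate_by_hash(scrubbed))
```

Note that the same file hash appearing twice is intended: the hash is what makes aggregation across devices possible, so it is a stable identifier for the file, not for the person who submitted it. The fields that would link back to a person (account, full IP, exact time, URL credentials) are the ones removed or coarsened before transmission.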
Where does Kaspersky store data?
Kaspersky is a global company and our infrastructure for data processing is distributed across the globe (e.g., in Switzerland, Germany, Russia, Canada, etc.), enabling faster processing of information and guaranteeing server availability should one of them fail for any reason. The detailed list of countries where personal data may be processed can be found in Kaspersky’s official policies, including the Products and Services Privacy Policy.
As part of our Global Transparency Initiative (GTI), Kaspersky relocated part of its data processing infrastructure. Malicious and suspicious files voluntarily shared by users of Kaspersky products in Europe, North and Latin America, the Middle East, and several countries in Asia-Pacific, are processed in two data centers in Zurich, Switzerland. These centers provide world-class facilities in compliance with leading security standards. In addition, Switzerland is among the few countries that have an adequacy decision with the EU, meaning that the country was recognized by the European Commission for providing adequate protection of personal data.
What is Kaspersky Security Network?
Kaspersky Security Network (KSN) is one of Kaspersky’s main cloud systems. It was created to maximize the effectiveness of discovering new and unknown cyberthreats, thereby ensuring the quickest and most effective protection for users. KSN automatically processes cyberthreat-related data received from millions of devices owned by Kaspersky users who have chosen to participate in this system. This cloud-based approach is now the industry standard, applied by many global cybersecurity vendors.
What is a ‘cloud-based’ system?
This is a system that runs on a company’s servers, rather than on individual devices, which can be used over the internet from anywhere in the world. Examples of cloud systems include email, file sharing and file hosting. Kaspersky Security Network’s services are located in different countries around the world (Canada, Germany, Switzerland, Russia, etc.), enabling faster processing of information and guaranteeing server availability should any one of them fail.
What is the purpose of cloud-based protection?
Kaspersky considers a hybrid protection model (antivirus databases + proactive defense + the cloud) to be the most effective one.
The high performance of the security cloud enables us to analyze cyberthreats faster and more accurately. While the traditional cycle of updating antivirus and anti-phishing databases usually takes several hours, the cloud can provide users with protection against a new threat in minutes.
Using the cloud can also make a security product ‘lighter’, keeping it from taking up too much memory and resources on the user device.
Can data processing be limited?
Our customers can choose if and how much data they want to provide, based on the functionality of the product or service they want to use and the respective accepted agreements. Kaspersky always provides information concerning data processing — in particular, the complete list of data that will undergo processing, to ensure that customers can make informed decisions. Also, on a regular basis Kaspersky publicly discloses information on how many data requests have been received and processed from our users in its Transparency report. The latest report is available here.
For some of the corporate products, our customers can configure their solutions so that no data is shared at all, as well as exercise the right to access their processed personal data by contacting us directly at https://support.kaspersky.com/general/privacy.
Do you share personal data, processed by Kaspersky solutions, with third parties?
We never provide any third party or any government organization with access to the company’s infrastructure, including user data infrastructure.
Kaspersky may share data with its vendors through data processing agreements with them. When selecting such vendors, we carefully control compliance with legal requirements and our approaches to data processing. These vendors provide us, for example, with cloud storage and other relevant services.
Kaspersky also works with international law enforcement agencies and shares with them information needed for the investigation of cyber offenses. The company has been open about these contacts, releasing data on incoming law enforcement requests for user data and technical expertise in its Transparency Reports.
These reports also outline the company’s core principles in responding to requests from global government and law enforcement agencies and describe our multi-step procedure for assessing each received request. All incoming requests for user data go through mandatory legal verification, during which we make sure that requests are legally justified, issued in accordance with applicable laws and can be fulfilled in a way that does not compromise the security or privacy of Kaspersky users.
Have you certified your data-processing methods?
To confirm that the company applies the highest security standards for its users, Kaspersky's data services periodically undergo third-party security audits and assessments. In particular, the company’s data services have been certified against ISO/IEC 27001 and were re-certified in 2022 with an extended scope, so that data services for processing both cyberthreat-related data and statistics are covered by the certification. The certification is valid for the company’s data services located in data centers in Zurich, Frankfurt, Toronto, Moscow, and Beijing. Conformity with ISO/IEC 27001:2013, the internationally recognized industry standard for information security management, lies at the core of Kaspersky’s approach to implementing and managing information security. The certification, granted by an accredited third-party certification body, demonstrates our commitment to strong information security and that Kaspersky’s Data Service complies with industry-leading best practices. The final report of the re-certification is provided to our corporate customers and partners upon request.