Kaspersky

TRANSPARENCY CENTERS

Transparency Centers serve as facilities for trusted partners to access reviews of the company’s code, software updates and threat detection rules, along with other activities. Through them, we provide governments and partners with information on our products and their security, including essential and important technical documentation, for external evaluation in a secure environment. They also serve as a briefing center where trusted stakeholders can learn more about the company’s portfolio, engineering and data processing practices.

Kaspersky Transparency Centers are operating in Zurich, Madrid, Kuala Lumpur, and São Paulo.

At all of Kaspersky’s Transparency Centers, the company provides the opportunity to compile the company’s software from its source code and compare it with the publicly available one.

No other cybersecurity provider has done anything as far reaching as this. In opening its Transparency Centers, Kaspersky makes a significant step towards becoming completely transparent about its protection technologies, infrastructure and data processing practices.

The Transparency Centers’ services are also available for remote access. To request access to the Transparency Center, please contact [email protected] or visit the website.

• Access policy

  The security and protection of our customers is our top priority; therefore, we follow the strictest access-policy practices and reserve the right to turn down a request if it could potentially cause a security breach.

  The Transparency Center welcomes:

  • ⚬ State agencies and regulators responsible for national cybersecurity and the protection of information systems (decreed as such by the respective local legislation);
  • ⚬ Prospective and existing enterprise partners and customers of Kaspersky anywhere in the world.

  Academia, media and information security community experts are being considered as potential invitees to the Transparency Center in the future

  Under no circumstances whatsoever will Kaspersky provide intelligence or law enforcement agencies that have a mandate and/or capability for cyber-offensive operations with access to the Transparency Center. The security information and infrastructure in the Transparency Center are provided by Kaspersky strictly for consultation purposes only. Any actions to modify the company’s source code, software updates, or threat detection rules are forbidden and will be prevented by the TC Steering team; any abuse will be reported to the local law enforcement agency.

INDEPENDENT AUDIT

Kaspersky continuously undertakes third-party assessments to verify the integrity of its solutions and processes. The company successfully completed the Service Organization Control for Service Organizations (SOC 2) Type 1 audit, conducted by one of the Big Four accounting firms.

The final report confirms that the development and release of Kaspersky’s threat detection rules databases (AV databases) are protected from unauthorized changes by strong security controls. To learn more and to request the Kaspersky SOC 2 Type 1 Report, please visit the website.

Kaspersky has also attained ISO27001 certification for its data services.

TRANSPARENCY REPORT

Kaspersky publicly shares its approach in responding to requests from global government and law enforcement agencies for two categories: user data and technical expertise. We also disclose information about the number of such requests by country.

Law enforcement and government requests reports:

• Download Law enforcement and government requests report for 2020 and H1 2021.
• Download Law enforcement and government requests report for H2 2021.

Reports with requests received from users:

• Download the latest information about requests received from users for 2020 and H1 2021.
• Download the latest information about requests received from users for H2 2021.

Latest news on the Global Transparency Initiative

To keep you up-to-date with news on the relocation to Switzerland and the other activities that form part of our Global Transparency Initiative, we’ll be posting regular updates and progress reports in this section.

• Update May 2022

  Kaspersky has successfully renewed a Service Organization Control for Service Organizations (SOC 2) Type 1 audit, which the company first completed in 2019. The independent assessment has been carried out by an international Big Four accounting firm and confirmed that the development and release process of Kaspersky’s antivirus bases are protected against unauthorized changes by security controls. The scope of the 2022 audit has been expanded compared to the 2019 assessment, as Kaspersky has since introduced new security tools and controls. The full report can be provided to our customers upon request.

• Update April 2022

  • ⚬ Kaspersky has expanded the scope of its cyberthreat-related data relocation, which now covers users in Latin America and the Middle East.
    . Completed in March, the effort ensured that malicious and suspicious files received from users in Latin America and the Middle East were stored and processed in data-centers in Zurich, Switzerland. The user data processing and storage relocation was also finalized for the entire North America. Prior to that, the relocation of such data storage had been completed for Europe, the United States, Canada, and a number of Asia-Pacific countries.
    
    
  • ⚬ The company’s data services were again successfully certified against the ISO 27001* international standard.
    In addition to the audit passed in 2020, the scope of the certification conducted by TUV Austria was even extended and covered not only the company’s data system for processing cyberthreat-related files, but also Kaspersky’s data system for processing statistics. The document can be found in the TÜV AUSTRIA Certificate Directory and is also publicly available on the Kaspersky website here.
    
    
  • ⚬ Release of Transparency report for H2 2021.
    The latest report uncovered data on the requests in two categories — user data and technical expertise — received during the second half of 2021. During the second half of 2021, Kaspersky received 109 requests from governments and law enforcement agencies (LEAs) from 12 countries. At least 36% of those were rejected due to an absence of data or to not meeting legal verification requirements. In total, 92 of the requests received during the second half of the last year were for technical expertise.
    In total, throughout 2021, Kaspersky received 214 requests, (compared to 160 requests in 2020), from governments and LEAs from 17 countries. A total of 181 of those were for technical expertise (compared to 132 in 2020). At the same time, the number of user requests for details on what and where user data is stored and its provision or removal increased, reaching 2,252 in total.
    
    
  • ⚬ Cyber Capacity Building Program (CCBP) available online
    Kaspersky has launched the digital version of the “Cyber Capacity Building Program” that aims to help organizations worldwide develop practical tools and knowledge for security assessments. The online training, available for an even greater audience, will ensure that more organizations and individuals will have a chance to boost their cyber-resilience by learning how to properly carry out product security evaluations to protect themselves against ICT supply chain risks.
    
    

• Update March 2022

  Kaspersky’s Transparency Center in New Brunswick, Canada, temporarily ceased operations, after CyberNB, which hosted the Center in its cybersecurity ecosystem, shut down as it wasn’t able to meet its financial obligations. While we are looking for a new place for our Transparency Center, we invite our partners and customers in North America to take a virtual visit to our Transparency Center with full access to its services or request access to other Transparency Centers in Zurich, Madrid, São Paulo or Kuala Lumpur. To request a remote or physical access to Kaspersky Transparency Centers, please follow this link .

• Update October 2021

  Committed to greater transparency, Kaspersky has publicly shared information on requests received from government and law enforcement agencies, and users for data and technical expertise in 2020 and H1 2021. The company has issued its first Transparency Report, including Law enforcement and government requests report, as well as User data request report, to help its users understand how the company responds to such requests and its approach to users’ data security and privacy.

• Update November 2020

  • ⚬ The relocation of data processing and data storage, announced in November 2018, has been fully completed. In addition to Europe, the United States and Canada, Kaspersky has also relocated data storage and processing for a number of Asia-Pacific countries. The list of Asia-Pacific countries which have become the part of the GTI relocation plans includes Australia, New Zealand, Japan, Bangladesh, Brunei, Cambodia, India, Indonesia, South Korea, Laos, Malaysia, Nepal, Pakistan, Philippines, Singapore, Sri Lanka, Thailand and Vietnam.
    The customer threat-related data shared by users who are based in these locations is now processed in two data centers in Zurich, Switzerland, and includes suspicious or previously unknown malicious files that the company’s products send to the Kaspersky Security Network (KSN) for automated malware analysis.
    
    
  • ⚬ Kaspersky announces the opening of its North American Transparency Center in partnership with the CyberNB Association in New Brunswick, Canada.
    The facility will start operating in early 2021 and become the company’s fifth location where Kaspersky partners will be provided with the opportunity to review its source code and to learn more about engineering and data-processing practices, as well as its product portfolio. The CyberNB Association is a non-profit organization, based in Fredericton, New Brunswick, Canada, that takes an ecosystem approach to improving cybersecurity outcomes through engagement and collaboration with private sector, government, academia, knowledge and skills-building, and talent acquisition and workforce development stakeholders.
    Earlier in 2020, Transparency Centers in São Paulo and Kuala Lumpur became fully operational. Kaspersky has also relaunched its first Transparency Center in Zurich that has been relocated to the Interxion data center. Moving forward, the company will provide unique access to its customers and trusted partners to experience data security controls and to directly access the company’s data management practices for external review and examination.
    Given the challenging travel and visitor restrictions, customers and partners now also have an opportunity to review the source code remotely. To request remote access to Kaspersky Transparency Centers, please follow this link.
    
    
  • ⚬ The Cyber Capacity Building Program, announced in May 2020, has been successfully launched alongside Vietnam’s Authority of Information Security (AI), which includes the country’s national CERT and National Cyber Security Centre (NCSC). The Program has been extended to now include an additional section on code fuzzing, conducted together with Kaspersky’s ICS CERT Team. In 2021, the Program will be available to business partners and other companies to enhance their readiness as well as to gauge the resilience of their systems and networks against supply chain risks. To request access, please follow this.
    
    
  • ⚬ Product scope for Kaspersky’s Bug Bounty Program has been extended to include Kaspersky VPN Secure Connection. Researchers can now submit vulnerability reports relating to Kaspersky VPN Secure Connection, including third-party software modules that are a part of the VPN solution. Overall, since March 2018, 76 bugs have been resolved, and 37 reports rewarded with total bounties equating to $57,750.
    
    

• Update May 2020

  • ⚬ Kaspersky developed a Cyber Capacity Building Program which includes dedicated training on product security evaluation. Available in online and offline formats, it is designed to help companies, government organizations and academia develop practical tools and knowledge for security assessments. The training will provide an introduction to product security evaluation and threat modeling, as well as source code review and vulnerability management. Taking part in the program will be free of charge, with a pilot project to be launched first for government organizations and academia in Q3, 2020. Later this year the training will be available for business organizations. Interested parties can learn more and request information here.
    
    
  • ⚬ Kaspersky has enabled remote access to Transparency Center services,by providing a ‘blue-piste’ assessment option – to become acquainted with both the company’s engineering practices and unparalleled data protection standards. Kaspersky’s security experts are ready to answer any questions regarding the company’s data processing practices and the functioning of its solutions, as well as provide a live demonstration of a source-code review. To request a remote blue-piste assessment option, please visit the website.
    
    
  • ⚬ As one of the pioneers in the industry, Kaspersky published its ethical principles for Responsible Vulnerability Disclosure (RVD), for greater transparency and efficiency in vulnerability handling and mitigating harm and risks to users. These principles are based on the company’s vast cybersecurity experience and have been aligned with guidelines provided by FIRST.
    
    
  • ⚬ Kaspersky has been continuously working on its Bug Bounty Program. Since March 2018, the company has been notified of 66 bugs. In total, 26 of those reported were rewarded with combined bounties totaling $49,250.
    
    
  • ⚬ Earlier this year the Paris Call officially launched its new website. Kaspersky has been among the early supporters of its nine principles for keeping cyberspace secure, open and cooperative. Kaspersky’s Global Transparency Initiative is listed as a particular example of the sixth principle implementation, by promoting higher transparency and accountability in cybersecurity
    
    
  • ⚬ Kaspersky’s Global Transparency Initiative has also been featured as an example of best practice for greater transparency and trust in a number of international documents, such as the UN Institute for Disarmament Research (UNIDIR) report on supply-chain security, and the Industrial Internet Consortium’s (IIC) best practices for trustworthy software development.
    
    

• Update November 2019

  • ⚬ Kaspersky relocates data from its U.S. and Canadian customers to Switzerland.. This follows the relocation of data processing for the company’s European users. The data is shared voluntarily with the Kaspersky Security Network (KSN) – an advanced, cloud-based system that automatically processes cyberthreat-related data, and includes suspicious or previously unknown malicious files that the company’s products send to KSN for automated malware analysis. Kaspersky plans to finalize the relocation by the end of 2020.
    
    
  • ⚬ Kaspersky to open a Transparency Center in São Paulo, Brazil, that will serve as a dedicated security facility for trusted partners in Latin America, to review the company’s source code, as well as learn more about engineering and data-processing practices and the company’s product portfolio. Earlier this year, the company opened one more European Transparency Center in Madrid and announced the opening of its APAC Transparency Center in Malaysia. At all of Kaspersky’s Transparency Centers, the company provides the opportunity to compile the company’s software from its source code and compare it with the publicly available one. This move assures an unprecedented level of confidence in Kaspersky’s products, allowing them to run a compilation process with the assistance of the company’s experts.
    
    

• Update July 2019

  • ⚬ Kaspersky has successfully completed the Service Organization Control for Service Organizations (SOC 2) Type 1 audit. The final report, issued by one of the Big Four accounting firms, confirms that the development and release of Kaspersky’s threat detection rules databases (AV databases), created and distributed for company’s products operating on Windows and Unix Servers, are protected from unauthorized changes by strong security controls. Kaspersky can disclose the principal information about its abovementioned commitments and requirements in the SOC 2 Type 1 report upon request.
    
    
  • ⚬ Kaspersky has been working continuously on the development of its Bug Bounty Program. Recently the company paid a $23,000 bounty – the biggest reward in the history of the program to date – to researchers from the Imaginary team for the discovery of a security issue in Kaspersky that could potentially allow third-parties to remotely execute arbitrary code on a user's PC with system privileges. The bug was promptly fixed. Kaspersky thanks the Imaginary team for the report and their assistance in improving the company’s products. Since March 2018, we resolved 66 bugs reported by security researchers through the program, with bounty rewards totaling almost $45,000.
    
    
  • ⚬ Safe Harbor for vulnerability researchers: The company now supports the Disclose.io framework which provides Safe Harbor for vulnerability researchers concerned about negative legal consequences of their discoveries. Kaspersky understands that external experts provide valuable assistance by finding and reporting vulnerabilities in its products and is ready to provide additional guarantees for fair treatment of vulnerability reports.
    
    
  • ⚬ Transparency Center in Madrid has officially been open to Kaspersky’s customers and partners, as well as government stakeholders, since June. As is the case at the Zurich facility, the company offers source-code reviews and tailored security briefings on the company’s data processing practices and functioning of its products.
    
    
  • ⚬ Threat intelligence support for law enforcement agencies: Kaspersky, the first among cybersecurity vendors, announced an advanced free service for Law Enforcement Agencies (LEAs). A unique and tailored approach developed to maximize their efforts in tackling borderless cybercrime, it consists of three components: Threat Intelligence Reporting, Threat Data Feeds and an Automated Security Awareness Platform (Kaspersky ASAP).

• Update April 2019

  • ⚬ Kaspersky opens Transparency Center in Madrid. In addition to a similar center in Zurich, opened in 2018, it will serve as a trusted facility for the company’s partners and government stakeholders. They will be able to come and check the company’s product source code and learn about Kaspersky’s engineering and data processing practices, as well as the company’s portfolio. The center will be open to visitors from June. Previously announced plans for Transparency Centers to be open in Asia and North America by 2020 are still ongoing.
    
    
  • ⚬ Transparency Center review system developed. This offers multiple review options according to the area of interest – from a general non-technical overview of the company’s engineering practices and data protection standards, through to the deepest and most comprehensive review of the critical parts of the company’s source code. More information about the available options can be found on the Transparency Centers website.
    
    
  • ⚬ Kaspersky publishes results of a voluntary third-party legal assessment, aimed at providing independent evaluation of the company’s obligations to Russian legislation. The analysis was conducted by prominent legal expert, Dr. Kaj Hober – Professor of International Investment and Trade Law at Uppsala University in Sweden and expert on the Russian legal system – and covers three Russian laws related to data processing and storage. These were widely reported as the ones Kaspersky was obliged to comply with, being a Russian-based company. Results of the analysis are freely available online.
    
    
  • ⚬ Bug Bounty program was improved by extending the scope of products for review. Security researchers can now investigate Kaspersky Password Manager and Kaspersky Endpoint Security for Linux, among others. Within a year of the extension being announced, we resolved more than 50 bugs reported by security researchers through the program, with bounty rewards totaling more than $17,000.

• Update November 2018

  First Transparency Center opens and data processing for European users in Zurich begins, plus news of an independent engineering audit and a thriving bug bounty program

  On November 13, 2018, malicious and suspicious files shared voluntarily with Kaspersky by users of the company’s products in Europe started to be processed in two data centers in Zurich. The data, which includes suspicious or previously unknown malicious files and corresponding meta-data that the company’s products send to Kaspersky Security Network (KSN) for automated malware analysis, is being processed in data centers that provide world-class facilities in compliance with industry standards to ensure the highest levels of security.

  The move reflects Kaspersky’s determination to assure the integrity and trustworthiness of its products.  It is accompanied by the opening of the company’s first Transparency Center, also in Zurich. Through the Transparency Center, Kaspersky will provide governments and partners with information on its products and their security, including essential and important technical documentation, for external evaluation in a secure environment.

  Other activities in progress include the engagement of a Big Four professional services firm to audit the company's engineering practices around the creation and distribution of threat detection rule databases, with the aim of independently confirming their accordance with the highest industry security practices.

  Alongside this, Kaspersky continues to support an active bug bounty program. Within one year, it has resolved more than 50 bugs reported by security researchers, of which several were especially valuable.

• Update August 2018

  • ⚬ Kaspersky has signed contracts with two leading data center providers in Zurich, Interxion and NTS, for world-class facilities where, from late 2018, we will start to securely store and process data shared by users of Kaspersky products in Europe. Other countries, including the U.S., Canada, Australia, Japan, South Korea and Singapore, will follow. Full relocation for European countries is expected to be finalized by the fourth quarter of 2019. For more information, see here: www.kaspersky.com/blog/transparency-status-updates
    
    
  • ⚬ Kaspersky’s first Transparency Center, also located in Zurich, will achieve initial operating capability by the end of 2018. The center will eventually provide responsible stakeholders with full visibility of the source code of our products and software updates.
    
    
  • ⚬ The other pillars of our new plans, such as the relocation of software code assembly, including products, product updates and threat detection rule databases (AV databases), and the appointment of an independent, third-party to manage and review everything, will take place during the second phase of the project, after 2018.