Personal Data and the Law: What You Need to Know
If your service processes personal data of Russian users, there are legal requirements that cannot be ignored. Steforge is built with these requirements in mind from the very beginning.
Key Requirements
Data Storage in Russia
Federal Law 152-FZ mandates that the primary recording and systematization of personal data of Russian citizens must occur on servers located in Russia.
For Steforge, this means:
- PostgreSQL is hosted on a VPS in a Russian data center
- The main user database is in Russia
- Backups are stored on Russian infrastructure
Notification to Roskomnadzor
The personal data operator is required to notify Roskomnadzor. The notification includes:
- Purposes of data processing
- Categories of processed data
- Protection measures
- Location of the database
- Retention periods
Cross-Border Transfer
If data is transferred to another country (for example, when calling an external API), this is considered a cross-border transfer. Additional grounds are required for this.
How This Is Addressed in Steforge
Proxy Layer
The API Proxy is not merely a convenient architecture; it is the mechanism that controls cross-border transfers. Before any data is sent to an external API:
- The payload is checked for personal data
- PII is masked or removed
- The fact of transmission is logged
Legal Documents
Before launch, the following will be prepared:
- Personal Data Processing Policy
- Privacy Policy
- User Agreement
- Consent for Data Processing
Provider Registry
Each external API provider will be recorded with details about the country, type of data, and risk class. This allows for informed decisions regarding the permissibility of data transfers.
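As an added example (not Steforge's own code; the page does not show its proxy implementation), the following Python sketch puts the three Proxy Layer checks and the Provider Registry lookup together in one outbound path: look the provider up, scrub the payload, record the transfer. The provider names, countries and risk classes, the regular expressions used to detect PII, and the audit-record field names are all assumptions made for the example.

```python
import json
import logging
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any

log = logging.getLogger("transfer-audit")


# Hypothetical registry entry; the field names are assumptions, not Steforge's schema.
@dataclass(frozen=True)
class Provider:
    name: str
    country: str        # ISO 3166-1 alpha-2 code of where the provider processes data
    data_types: tuple   # human-readable description of what the provider may receive
    risk_class: str     # "low", "medium" or "high"


# Constructed registry with two made-up providers.
PROVIDER_REGISTRY = {
    "geo-lookup": Provider("geo-lookup", "RU", ("technical",), "low"),
    "llm-summarizer": Provider("llm-summarizer", "US", ("technical", "content"), "high"),
}

# Constructed PII detectors: e-mail addresses, Russian phone numbers and the
# series/number of a Russian internal passport. Order matters: the phone pattern
# runs before the passport pattern so a phone number is never partly re-matched
# as a passport number.
PII_PATTERNS = (
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("phone_ru", re.compile(r"(?:\+7|8)[\s-]?\(?\d{3}\)?[\s-]?\d{3}[\s-]?\d{2}[\s-]?\d{2}")),
    ("passport_ru", re.compile(r"\b\d{4}\s?\d{6}\b")),
)

AUDIT_LOG: list = []  # in-memory copy of the audit records, for inspection


def mask_text(text: str):
    """Replace every PII match with a [kind] placeholder; return (masked, kinds found)."""
    found = []
    for kind, pattern in PII_PATTERNS:
        if pattern.search(text):
            found.append(kind)
            text = pattern.sub(f"[{kind}]", text)
    return text, found


def scrub(value: Any):
    """Walk dicts, lists and strings recursively; other scalars are passed through."""
    if isinstance(value, str):
        return mask_text(value)
    if isinstance(value, dict):
        out, found = {}, []
        for key, item in value.items():
            out[key], kinds = scrub(item)
            found.extend(kinds)
        return out, found
    if isinstance(value, list):
        out, found = [], []
        for item in value:
            cleaned, kinds = scrub(item)
            out.append(cleaned)
            found.extend(kinds)
        return out, found
    return value, []


def prepare_outbound(provider_name: str, payload: Any):
    """Apply the proxy checks before a call leaves the service.

    Returns (scrubbed_payload, audit_record). Raises LookupError for a provider
    that is not in the registry, so an unregistered destination is never contacted.
    """
    provider = PROVIDER_REGISTRY.get(provider_name)
    if provider is None:
        raise LookupError(f"provider {provider_name!r} is not in the registry; transfer refused")

    scrubbed, found = scrub(payload)
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "provider": provider.name,
        "country": provider.country,
        "risk_class": provider.risk_class,
        "cross_border": provider.country != "RU",  # any non-RU destination is a cross-border transfer
        "pii_found": sorted(set(found)),
        "pii_masked": bool(found),
    }
    # The fact of transmission is logged whether or not PII was present.
    log.info(json.dumps(record, ensure_ascii=False))
    AUDIT_LOG.append(record)
    return scrubbed, record


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    sample = {"text": "Contact ivan@example.com or +7 916 123-45-67", "passport": "4510 123456"}
    cleaned, rec = prepare_outbound("llm-summarizer", sample)
    print(cleaned)
```

Regex detection is only a baseline: it catches well-formed identifiers in free text but not names, addresses or data whose format is unknown in advance. In a real service the registry would also carry the legal basis for each transfer, and payload fields would be tagged with a data category at the schema level so that the proxy can refuse categories a provider is not allowed to receive rather than relying on pattern matching alone.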
Conclusion
Legal requirements are not an obstacle, but a framework. If they are integrated into the architecture from the very beginning, they do not create overhead later on.