Безопасность и соответствие 152-ФЗ
LogTrace: compliance-ready log management for Russian business
All personal data stored exclusively in certified Tier-III data centers located in the Russian Federation. TLS 1.3 in transit, AES-256 at rest, full RBAC, and an immutable audit trail — so your legal department can sleep at night.
Request a compliance demo Read the security whitepaperCompliance at a glance
LogTrace was built from day one to satisfy the requirements of Federal Law No. 152-FZ "On Personal Data" and Order No. 21 of the FSTEC Russia. Every control is documented, tested quarterly by an independent auditor, and available in your admin console.
Data residency — Moscow & St. Petersburg
Primary cluster runs in DataLink M1 (Moscow, 10 km south of MKAD); active-active replica is in Selectel SPB-1. Both facilities hold FSTEC certification for processing personal data of categories 2 and 3. Cross-border data transfer is disabled by default and cannot be enabled without a written request to LogTrace Legal.
TLS 1.3 + AES-256 encryption
Every API call, WebSocket stream, and dashboard request is wrapped in TLS 1.3 with forward secrecy (ECDHE-SECP256R1). At rest, log shards are encrypted with AES-256-GCM; keys are rotated every 90 days via Hashicorp Vault running inside the same VPC. Certificate transparency logs are monitored by our security operations team.
Role-based access control (RBAC)
Six built-in roles — Owner, SecurityAdmin, Analyst, Viewer, Auditor, and IntegrationsServiceAccount — map directly to the principle of least privilege. Custom policies are written in a declarative YAML syntax and validated by a schema linter before deployment. SSO via SAML 2.0 is supported for Okta, Keycloak, and Yandex 365.
Immutable audit log
Every user action — query execution, export, role change, filter modification — is recorded with a SHA-256 HMAC chain. Audit entries are written to a write-once S3-compatible bucket within 500 ms and retained for 7 years. Export to PDF or CSV includes a QR code that verifies integrity against LogTrace's public signing key.
152-FZ data-processing agreement
LogTrace provides a standardized DPA template aligned with Article 18 of 152-FZ, including sub-processor disclosure (DataLink, Selectel, Hashicorp), incident notification SLA (4 hours), and the right to audit. Your DPO can sign electronically via DocuSign or wet ink; the executed copy is stored in your tenant's compliance vault.
Quarterly penetration testing
Independent assessments are performed by InfoWatch Security Lab (Moscow) and Kaspersky ICS CERT. The latest report (Q4 2024) identified zero critical and one low-severity finding — both remediated within 14 days. Executive summaries are published in the customer portal; full reports are shared under NDA.
Data retention & deletion
Retention policies are configured per data source and enforced by the LogTrace scheduler. When a record reaches its TTL, it is cryptographically shredded — the AES-256 key is deleted, the shard file is overwritten with random data (DoD 5220.22-M standard), and a deletion receipt is appended to the audit log.
Default retention windows
Web-application logs: 90 days hot, 1 year cold. Authentication & authorization events: 3 years (mandatory under 152-FZ Art. 5). Network flow records: 6 months. Custom TTLs can be set between 1 day and 10 years; the system rejects any value that violates statutory minimums for your declared data categories.
Right to be forgotten
When a data subject submits a deletion request under Article 14 of 152-FZ, LogTrace's compliance API scans all indexed fields across every shard, matches PII against the subject's identifiers, and redacts or deletes the matching records within 30 calendar days. A confirmation report — including the number of records affected and the storage nodes touched — is generated automatically.
Disaster recovery & RPO/RTO
Continuous replication to the St. Petersburg site ensures an RPO of < 30 seconds and an RTO of < 15 minutes. Quarterly failover drills are logged in the audit trail. In the event of a sustained outage, read-only access to the replica is available within 10 minutes via a secondary DNS CNAME; writes resume automatically when the primary cluster recovers.
Need a dedicated compliance engineer to walk you through the architecture? Schedule a 152-FZ readiness call