In brief
This document describes the personal data protection measures we've implemented in line with Article 19 of Federal Law No. 152-FZ, Government Decree No. 1119 of November 1, 2012 "On the Approval of Requirements for the Protection of Personal Data in Information Systems", and FSTEC Order No. 21 of February 18, 2013.
1. Protection level
The ETOCHATBOT personal data information system processes data classified as "other personal data" and "publicly available personal data". Based on the criteria of Decree No. 1119 (relevant threats of type 3, other data categories, more than 100,000 subjects), we apply Level 3 of security (UZ-3).
2. Technical measures
2.1. Encryption
- HTTPS/TLS 1.2+ for all connections; HSTS with a preloaded policy.
- User password hashing with bcrypt (cost factor ≥ 12).
- Application-level encryption of sensitive fields (bot tokens, messaging API keys) using algorithms approved by the Federal Security Service of Russia (FSB).
- Encrypted database backups with limited retention.
2.2. Access control
- Principle of least privilege.
- Individual employee accounts; shared logins are not allowed.
- Multi-factor authentication for administrative accounts.
- Logging of all actions on personal data; database access only through a bastion host with SSH session recording.
- Regular access reviews (offboarding within 24 hours of an employee leaving).
2.3. Perimeter and network security
- Network firewall at the perimeter.
- Network segmentation: production, staging, and office networks are physically isolated.
- Production database access is blocked from the public internet.
- DDoS protection at the infrastructure provider level.
- Regular OS and application updates, with CVE vulnerability tracking.
2.4. Audit and monitoring
- Centralized logging of security events.
- Automated alerts on suspicious activity (multiple failed logins, abnormal traffic).
- Regular backup integrity checks.
- Internal audits at least once a year.
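As an added illustration of the "multiple failed logins" alert mentioned above (example code, not the ETOCHATBOT service's own detection logic), the following Python detector runs over a few constructed authentication log lines. The log format, the threshold of five failures, the five-minute window and the per-IP grouping are all assumptions for the example:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not real service logs).
# Assumed format: "<ISO timestamp> auth result=<ok|fail> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth result=fail user=alice ip=203.0.113.7
2024-05-01T10:00:04Z auth result=fail user=alice ip=203.0.113.7
2024-05-01T10:00:09Z auth result=fail user=bob ip=203.0.113.7
2024-05-01T10:00:15Z auth result=fail user=alice ip=203.0.113.7
2024-05-01T10:00:20Z auth result=fail user=carol ip=203.0.113.7
2024-05-01T10:01:00Z auth result=ok user=dave ip=198.51.100.2
2024-05-01T10:30:00Z auth result=fail user=dave ip=198.51.100.2
2024-05-01T10:45:00Z auth result=fail user=dave ip=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def detect_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced `threshold` or more failed
    logins inside a sliding `window`. Each alert records the span of the burst,
    the failure count and the distinct usernames tried (several usernames from
    one IP is a spraying indicator rather than a single user's typos)."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) inside the window
    alerted = set()               # alert once per IP to avoid an alert storm
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "fail":
            continue              # unknown format or a successful login: ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ip = m["ip"]
        q = recent[ip]
        q.append((ts, m["user"]))
        # Drop failures that have fallen out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
                "failures": len(q),
                "distinct_users": sorted({u for _, u in q}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG):
        print(alert)
```

In the sample, 203.0.113.7 produces five failures across three usernames in under twenty seconds and raises one alert; 198.51.100.2 has two failures fifteen minutes apart and stays silent. Alerting once per IP is a deliberate choice: the window keeps the detector cheap on memory, and a second alert for the same burst adds nothing for the on-call engineer.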
2.5. Anti-malware
- Restricted file upload types; executable extensions (.exe, .bat, .sh, .php, etc.) are blocked in attachments.
- Strict limits on upload file size.
- Antivirus protection on administrator workstations.
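The attachment check described in 2.5, as an added example (not the service's own upload code): it applies the stated blocked-extension list and size limit, and also covers the edge cases a practitioner would want handled, such as upper-case or double extensions ("report.pdf.exe"), trailing dots that Windows silently strips, path components and null bytes in the filename. The extension list, the 10 MB limit and the function name are assumptions for the example:

```python
import os

# Extensions blocked in attachments (page lists .exe, .bat, .sh, .php "etc.";
# the remaining entries are assumed for the example).
BLOCKED_EXTENSIONS = {
    "exe", "bat", "cmd", "com", "sh", "php", "phtml",
    "ps1", "js", "vbs", "msi", "scr", "jar",
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024   # assumed limit; the page states no figure


def check_attachment(filename, size_bytes):
    """Return (allowed, reason) for a proposed attachment.

    Every extension segment after the first dot is checked, so both
    "setup.EXE" and "report.pdf.exe" are rejected; "archive.tar.gz" passes."""
    if size_bytes <= 0:
        return False, "empty file"
    if size_bytes > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if "\x00" in filename:
        return False, "null byte in filename"
    # Keep only the final path component; "../../x.jpg" becomes "x.jpg".
    name = os.path.basename(filename.replace("\\", "/"))
    # Windows drops trailing dots and spaces, so "evil.exe." is really evil.exe.
    name = name.rstrip(". ")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "missing extension"
    for ext in parts[1:]:
        if ext in BLOCKED_EXTENSIONS:
            return False, f"blocked extension .{ext}"
    return True, "ok"


if __name__ == "__main__":
    for sample in ["photo.jpg", "setup.EXE", "report.pdf.exe.", "archive.tar.gz"]:
        print(sample, check_attachment(sample, 4096))
```

Checking every segment rather than only the last one is conservative: a harmless name such as "notes.exe.txt" is rejected too, which is an acceptable cost for a file-sharing feature where the alternative is relying on each downstream viewer to interpret the name the same way the server did. An extension check is only one layer; the antivirus scanning on administrator workstations listed above and a size limit remain necessary because a filename says nothing about a file's contents.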
3. Organizational measures
- A person responsible for organizing personal data processing has been appointed (Article 22.1 of 152-FZ): sole proprietor D. Yu. Kiselev (contact — info@etochat.bot).
- Approved internal documents: personal data processing regulation, employee instructions, password policy, incident response procedure.
- Non-disclosure agreements (NDAs) with all employees and contractors who have access to personal data.
- Information security and 152-FZ training for new hires; annual refresher afterwards.
- Data removal procedure when an employee leaves or a contractor finishes work.
4. Incident response
If we detect a violation that has resulted in unlawful or accidental disclosure of personal data (a breach), the Operator:
- Immediately conducts an investigation, contains the incident, and fixes the vulnerability.
- Notifies Roskomnadzor of the incident within 24 hours of detection (Part 3.1, Article 21 of 152-FZ).
- Submits the results of the internal investigation to Roskomnadzor within 72 hours of detection.
- Notifies affected data subjects of the incident and the actions taken.
- Logs the incident internally, runs a post-mortem, and updates processes accordingly.
5. Data localization
The service's server infrastructure is hosted in data centers located in the Russian Federation, which meets the requirement in Part 5, Article 18 of 152-FZ for localizing the initial collection and subsequent storage of personal data of Russian citizens.
6. Certifications and compliance
- The Operator is registered in the Roskomnadzor Register of Personal Data Operators under number 16-25-027399.
- The service is built in line with Article 19 of 152-FZ and FSTEC Order No. 21.
- Secure SDLC principles: code review, static analysis, manual testing.
7. Backups and continuity
- Daily encrypted backups of the database and file storage.
- Backup retention — up to 30 calendar days.
- Regular disaster recovery drills with RTO/RPO measurements.
- Target availability — 99.9% per month (see the Public offer, "Availability" section).
8. Report a vulnerability
If you've found a vulnerability or suspicious behavior, please let us know at info@etochat.bot with "Security" in the subject line. We ask that you follow responsible disclosure:
- Don't use the vulnerability to cause harm.
- Don't publish details until we've fixed it.
- Give us a reasonable window (90 days) to release a fix.
We thank researchers and, by mutual agreement, can pay a bug bounty or list your name in our Hall of Fame.