Toloka is ISO certified to handle personally identifiable information

These days, we're all having to get wise about personally identifiable information, also known as PII. Enterprises have to think about how their internal processes could put PII at risk. They also have to think about how to vet external suppliers that might process PII.

At Toloka, we've worked hard to make that vetting process easier with transparent privacy practices, and we have great news! Toloka has been certified for compliance with ISO/IEC 27701, an extension to ISO/IEC 27001 for privacy information management.

ISO certification? Make ours a double

We've had the ISO/IEC 27001 certification for a year now. We've just renewed it again. This certification confirms that we have a robust Information Security Management System: a set of policies, procedures, risk assessments, and training programs to keep confidential information secure.

Now we're ISO/IEC 27701 certified as well. We've implemented a Privacy Information Management System, which covers the collection, handling, storage, and destruction of PII. Our new certifications have been audited and issued by TÜV Austria.

For our customers, this means that Toloka securely processes data to help businesses stay compliant with GDPR, CCPA, LGPD, PDPL, and other local privacy regulations in the countries where our users reside. We are committed to full transparency regarding how we process personal data, including precise data processing agreements. Rest assured that we never sell or disclose the personal data of our customers.

Privacy by design, privacy by default

Maintaining these management systems involves a whole raft of procedures, reports, and reviews. Ultimately, they all aim at three things:

• We don't collect PII we don't need.
• We only use PII for its declared purpose.
• We don't store PII for longer than we need it.

We have strict policies regarding employee access to personal data and rigorous employee training for handling PII.

Small changes that make a difference

Along the way, we've improved how we communicate privacy on our website, in our user agreements, and in our product. It matters to us that our users can actually understand what happens with their data. For example:

• Our privacy notice now uses clearer wording and is available in 15 languages for Tolokers.
• Our new cookie banner offers full control over which cookies are stored on your browser.

We also developed a safer solution for automatic face blurring directly in the Toloker app. This prevents photos of random people from ever reaching our platform and offers much better privacy than alternative blurring processes.

What's ahead

Privacy comes first at Toloka and we continually look for ways to strengthen our security and privacy policies. We're working toward compliance with HIPAA privacy rules for handling medical data — stay tuned.

For a more detailed look at how we do privacy and security, please refer to our security center.