Robust data security & privacy

Your data is our priority. Our no-compromise approach ensures data protection, security, and privacy by design.

Industry compliance

We are dedicated to best practices in information security to meet and exceed industry standards.

  • ISO 27001
    Toloka implements an information security management system (ISMS) that was audited and certified in compliance with the ISO/IEC 27001 standard. The international standard provides a framework for information risk management to guarantee confidentiality, integrity and availability of data.
  • ISO 27701
    Toloka's privacy information management system (PIMS) is certified for compliance with ISO/IEC 27701, an extension to ISO/IEC 27001. This standard ensures the secure collection, handling, storage, and destruction of personally identifiable information (PII) on the Toloka platform.
  • GDPR
    The Toloka platform strives to comply with key requirements of the General Data Protection Regulation (GDPR). We prioritize the privacy of our users and make every effort to protect personal data by following established internal processes.

Our approach to data security

We take security seriously, from designing the architecture of our platform to protecting the rights of our users.
Read our blog post to learn more about our approach to information security.

  • Committed to best practices
    We use a secure software development lifecycle process that includes:
    • Security review of the platform architecture and design
    • Manual security testing (white box penetration testing)
    • Regular codebase scanning using several SAST tools
    • Continuous DAST scanning
    • Automatic security checks on third-party components with known vulnerabilities
    • Continuous security analysis of images used in cloud platforms
    • Continuous scanning of the codebase, configurations, and specifications for secrets (tokens, passwords, private keys, and so on)
    • Security Development Lifecycle (SDL) applied to all stages of platform development
  • Anonymity
    We uphold our users’ right to remain anonymous and not share their personal information. Customers may choose to upload tasks under their real brand name or use a nickname. Performers’ real names are not shown on the platform when they are completing tasks.

Flexible data storage options

We take full responsibility for the privacy of our users’ data. Our multi-tenant storage architecture is convenient for our customers and complies with local laws.
Customers have 3 options for storing datasets:

  • Default data storage
    For world-class protection, data is hosted in a Microsoft Azure cloud split into multi-tenant tiers by region (US customer data is stored in the US, and EU customer data stays in the EU).
  • Dedicated storage
    A dedicated, isolated single-tenant storage cluster is available on request for large customers, based on their geography.
  • On-premise data storage
    The Toloka API allows the customer to host data in their own cloud or on their own premises.
  • Data ownership

    The owner of data hosted on Toloka is always the customer who is requesting labeling services.

    Toloka only uses customer data in aggregated or anonymized form for product development, internal training, or marketing efforts that analyze overall usage of the platform.

    For responsible vulnerability disclosures and other inquiries, please contact our security team.

  • Legal

    Toloka is a public crowd platform where customers can have data of any type labeled. The purpose of the platform is to create efficient labeling pipelines for artificial intelligence and machine learning projects and to provide convenient tools for handling data.

    Customers sign standard service agreements or individual agreements approved by our Legal department. Performers sign agreements for data labeling services. 
