Target model
The new RESTART site should be designed as a secure enterprise platform:
- L0 — Infrastructure Security
- L1 — Site Defense / Application Security
- L2 — Federal Law No. 152-FZ Compliance
- L3 — AI Governance
- L4 — Incident Investigation
- Operational — Monitoring, backup, self-healing, audit
L0 — Infrastructure Security
TLS 1.2/1.3, auto-renew certificates, HSTS preload, WAF with OWASP CRS, firewall default deny, SSH key-only, Fail2Ban/CrowdSec, event logging, availability monitoring, vulnerability scanning, file integrity monitoring, encrypted backup, restore drill, production/staging/development isolation, storing secrets outside the repository.
L1 — Web Application Protection
Nonce-based CSP, HSTS, X-Content-Type-Options, X-Frame-Options or the CSP frame-ancestors directive, Referrer-Policy, Permissions-Policy, CSRF protection, per-endpoint rate limiting, anti-bot controls, schema validation, sanitization of input and file names, secure file upload, CORS allow-list, safe redirect handling, no personal data in logs, MFA and RBAC for the administrative interface.
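As an added illustration of the L1 header set (example code, not part of the RESTART project), the following builds a per-response nonce-based CSP together with HSTS and the other headers listed above, and includes a baseline check of the kind the "Security" acceptance row calls for. The header values and the helper names are assumptions, not values taken from the site.

```typescript
// Added example (not the RESTART project's own code): per-request security
// headers with a nonce-based CSP, plus a baseline check for the Security row.
import { randomBytes } from "crypto";

type HeaderSet = Record<string, string>;

// One fresh nonce per response; a nonce must never be reused across requests.
function makeNonce(): string {
  return randomBytes(16).toString("base64");
}

// Response headers for a page whose inline <script> tags carry `nonce`.
// 'strict-dynamic' lets nonce-approved scripts load their own dependencies,
// so no host allow-list and no 'unsafe-inline' is needed for scripts.
function buildSecurityHeaders(nonce: string): HeaderSet {
  const csp = [
    "default-src 'self'",
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "style-src 'self'",
    "img-src 'self' data:",
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'", // replaces X-Frame-Options for CSP-aware browsers
  ].join("; ");
  return {
    "Content-Security-Policy": csp,
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  };
}

// Baseline check: CSP and HSTS present, script-src carries a nonce and no
// 'unsafe-inline', framing is blocked, MIME sniffing is disabled.
function headersMeetBaseline(h: HeaderSet): boolean {
  const csp = h["Content-Security-Policy"] || "";
  const script =
    csp.split(";").map((s) => s.trim()).find((s) => s.startsWith("script-src")) ?? "";
  return (
    /'nonce-[A-Za-z0-9+\/=]+'/.test(script) &&
    !script.includes("'unsafe-inline'") &&
    csp.includes("frame-ancestors 'none'") &&
    /max-age=\d+/.test(h["Strict-Transport-Security"] || "") &&
    h["X-Content-Type-Options"] === "nosniff"
  );
}
```

The same nonce must be injected into every inline script tag of that response; a static CSP with 'unsafe-inline' would pass a naive "CSP present" check but fails headersMeetBaseline.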
L2 — Federal Law No. 152-FZ Compliance
Personal data (PD) processing policy, consent to PD processing, a policy stating that no cookies or trackers are used, DSAR form, register of processing purposes, consent log, log of checks for the absence of cookies and trackers, storage periods, deletion/depersonalization mechanism, audit log of PD operations, verification that Roskomnadzor (RKN) has been notified, regular Federal Law No. 152-FZ compliance checks, and incident response regulations with the 24/72-hour deadlines.
L3 — AI Governance
For AI functions: a registry of AI systems, a description of their purposes, whether personal data is used, a ban on transferring personal data to external AI models without justification, protection of prompts against data leakage, privacy controls for RAG, AI logs with masking, DPIA, and human involvement in significant decisions.
L4 — Incident Investigation
Detect → Triage → Classify → Contain → Notify → Investigate → Report → Remediate
The process must provide severity scoring, a "PD involved: yes/no" classification, preparation of a notification to the RKN within 24 hours, an internal investigation report within 72 hours, an evidence trail, post-incident remediation and an update of the risk register.
Frontend components
/components/legal/PrivacyPolicyLink.tsx
/components/legal/ConsentCheckbox.tsx
/components/legal/NoCookieNotice.tsx
/components/security/NoThirdPartyTrackerGate.tsx
/components/forms/SecureLeadForm.tsx
/components/forms/SecureVacancyForm.tsx
/components/forms/SecurePartnerForm.tsx
/components/dsar/DsarRequestForm.tsx
/components/company/ItAccreditationInfo.tsx
/components/company/TechnologyDisclosure.tsx
/components/company/PricingPrinciples.tsx
Backend modules
services/legal-documents
services/forms
services/consents
services/no-cookie-audit
services/dsar
services/processing-registry
services/audit-events
services/incidents
services/ai-governance
services/notifications
services/rkn-check
Minimum database structure
legal_documents
consent_events
no_cookie_audit
form_submissions
dsar_requests
processing_registry
audit_events
incident_events
ai_system_registry
external_processors
retention_rules
Acceptance criteria
| Block | Readiness criterion |
|---|---|
| Legal | All documents are published and available without registration |
| Consent | All forms have a separate checkbox and consent-log |
| Cookie | Cookies, analytics, marketing and pixels are not available on the site |
| DSAR | The PD subject request form is working |
| Security | CSP/HSTS/rate-limit/CSRF/schema validation enabled |
| Logs | There are no open phone numbers, e-mails, full names in the logs |
| Encryption | PD in the database is encrypted or protected by equivalent measures |
| RKN | A register of processing purposes has been prepared for the notification of the RKN |
| Incident | A 24/72-hour incident response schedule is in place |
| IT accreditation | There is a public information page about the accredited IT organization |
| AI | All AI functions are included in the AI System Registry |
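The "Logs" criterion above and the "AI logs with masking" item in the L3 block both need the same thing: personal data removed from a line before it reaches an application log or an AI prompt log. The following is an added example (not the RESTART project's own code) of such a masking pass over constructed log lines; the regular expressions are heuristics for Russian phone formats, e-mail addresses and Cyrillic full names, and the helper names are assumptions.

```typescript
// Added example (not the RESTART project's own code): mask PD categories named
// in the Logs criterion (phone numbers, e-mails, full names) before logging.

const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Russian formats such as +7 (999) 123-45-67, 8-999-123-45-67, 79991234567.
const PHONE = /(?:\+7|8)[\s(-]*\d{3}[\s)-]*\d{3}[\s-]*\d{2}[\s-]*\d{2}\b/g;
// Heuristic (assumption, not exhaustive): surname, given name, patronymic as
// three capitalised Cyrillic words, the last ending in a patronymic suffix.
// \b is not used because it is ASCII-only in JavaScript regular expressions.
const FULL_NAME =
  /[А-ЯЁ][а-яё]+\s+[А-ЯЁ][а-яё]+\s+[А-ЯЁ][а-яё]+(?:вич|вна|ич|ична)/g;

interface MaskResult {
  line: string;
  counts: { email: number; phone: number; name: number };
}

// Replaces each PD category with a fixed tag and counts what was masked, so a
// log pipeline can also raise a metric when PD keeps showing up in a source.
function maskPersonalData(line: string): MaskResult {
  const counts = { email: 0, phone: 0, name: 0 };
  let out = line.replace(EMAIL, () => { counts.email++; return "[email]"; });
  out = out.replace(PHONE, () => { counts.phone++; return "[phone]"; });
  out = out.replace(FULL_NAME, () => { counts.name++; return "[name]"; });
  return { line: out, counts };
}

// Audit helper for the Logs criterion: returns the lines that still carry PD.
function linesWithPersonalData(lines: string[]): string[] {
  return lines.filter((l) => {
    const c = maskPersonalData(l).counts;
    return c.email + c.phone + c.name > 0;
  });
}

// Constructed sample log lines (not real data).
const SAMPLE_LOG = [
  "lead: Иванов Иван Иванович, +7 (999) 123-45-67, ivan@example.com",
  "GET /dsar 200 12ms",
  "vacancy form from 8-999-123-45-67",
];
```

Run maskPersonalData on every line at the logger boundary, not only on lines that look like form submissions; linesWithPersonalData is for the periodic audit of existing log files.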
Footer
LLC "RESTART" · OGRN 5157746164703 · INN 9705056320 · KPP 770501001
115054, Moscow, intra-city territory municipal district Zamoskvorechye, Bolshaya Pionerskaya St., 40, building 1, premises 1N
E-mail: info@restart.re · Tel.:
Personal data processing policy · Consent to the processing of personal data · Without cookies and trackers · Application from the subject of personal data · Information about the accredited IT organization · Information about the technologies used · Information about the cost of services
Regulatory framework and sources
The document has been prepared taking into account:
- Federal Law No. 152-FZ of July 27, 2006 "On Personal Data";
- Art. 18.1 of Federal Law No. 152-FZ: publication of the personal data processing policy and of information about the implemented personal data protection requirements;
- Art. 22 of Federal Law No. 152-FZ: notification of Roskomnadzor about the processing of personal data;
- Art. 21 of Federal Law No. 152-FZ: notification of Roskomnadzor about a PD incident within 24/72 hours;
- Order of the Ministry of Digital Development of Russia dated 06/02/2025 No. 511 on additional requirements for the official website of a Russian IT organization;
- current extract from the Unified State Register of Legal Entities of LLC "RESTART" dated May 16, 2026 No. YuE9965-26-89588541;
- internal model for regular site checking, consent-log, checking for absence of cookies and trackers, DSAR and AI Governance.
The document must be kept up to date and verified against the actual personal data processing processes, the services used, hosting, CRM, analytics, mail and AI tools.
