🔒 Trust Center

Your trust is the foundation of our engineering.

Where we store your data, who accesses it, which standards we meet, and what we do when you find a vulnerability — all transparent.

Compliance Roadmap

We are in pre-launch. KVKK + GDPR compliance is live; SOC 2 and ISO 27001 are the next milestones.

KVKK LIVE

Turkish PDPL. Data on Türkiye-EU border, DPA provided.

GDPR LIVE

EU data protection. Hetzner Germany data center, Article 28 DPA ready.

SOC 2 Type 1 2026 Q4

Gap analysis complete (score 5.0/10). 90-day hardening + auditor scheduling.

SOC 2 Type 2 2027 Q4

12-month observation window after Type 1.

ISO 27001 2028

Parallel effort after SOC 2 Type 2.

ISO 27701 UNDER REVIEW

Privacy information management — extension of KVKK.

Security engineering

Where we are strong, where we are improving — clearly.

Logical Access 7/10

Password hash + 2FA (super admin) + brute force lockout + API scope. SSO PoC (Entra ID), prod-ready 2026 Q3.

Availability 7/10

Multi-layer backup (master + tenant + integrity + off-site). Restore automation (5 min). HA cluster 2027 Q1.

Change Management 5/10

Git versioning + RFC process + versioned DB migrations + CI lint/test/OpenAPI validate. Mandatory 2-eyes review is next.

Encryption 6/10

TLS 1.2+ in transit. AES-256 at-rest (PDKS credentials). Column-level PII encryption 2026 Q3.

Monitoring 6/10

Structured logger (JSON) + Sentry + audit log + cron monitor + health.php. SIEM (Datadog/Splunk) is next.

Vendor Management 3/10

Hetzner + Groq + Sentry + iyzico. Formal vendor register + DPA inventory 2026 Q3.

Downloadable resources

For compliance / vendor risk teams answering a security questionnaire.

Architecture and data location

Where your data lives and how it is protected.

Data Location
Hetzner Online, Falkenstein, Germany 🇩🇪

Within EU borders under GDPR. Türkiye DC option on the Enterprise plan.

Tenant Isolation
DB-per-tenant 🏰

Each customer has its own MySQL DB. Cross-tenant reads are technically impossible.

Backup Strategy
Multi-layer 🛡️

Daily full backup + weekly integrity check + offsite GPG AES256.

RPO / RTO
≤24h / ≤4h

Single-tenant restore: ~5 minutes (automated). Master DB restore: ~30 minutes.

Have a compliance or security questionnaire?

48-hour response for vendor risk assessments.

Get in touch →