Compliance, engineered as proof
5651 tamper-evident logging, KVKK data protection and ISO 27001 information-security controls — built into the platform, not bolted on.
Why it matters
What is Law 5651 and why does it apply to you?
Law 5651 ("Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publications") requires every organisation that provides internet access — cafés, hotels, hospitals, universities, offices — to log who accessed what, when, and from which IP. Logs must be retained for at least 1–2 years (depending on provider class) and produced on demand for BTK audits or judicial requests. Non-compliance carries administrative fines and, in serious cases, criminal liability for the legal representative.
Who is obligated?
Any legal entity that offers internet access to guests, employees or the public — from a 20-seat café to a 10,000-employee campus.
What must be logged?
Source IP, destination, timestamp, user identity (MAC, login, TCKN). In inline mode: HTTP Host, TLS SNI and DNS queries.
How long?
Access providers: minimum 1 year. Content/hosting providers: minimum 2 years. Anchor supports up to 10-year retention.
What if you don't?
BTK can issue fines of ₺10,000–₺100,000 per violation. Court orders may hold the legal representative personally liable.
Chain of evidence
A record's tamper-evident journey
Four layers of sealing, from each event to a signed evidence pack.
1. Hash chain: Each event is chained to the previous with SHA-256; append-only.
2. Daily Merkle root: Each day's records are gathered into a single root hash.
3. RFC 3161 TSA: The daily root is signed by the TÜBİTAK Kamu SM timestamp authority.
4. Signed export: An independently verifiable evidence pack is produced.
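The first two layers (hash chain and daily Merkle root) can be sketched as follows. This is an added example, not Anchor's code: the record fields, the canonical JSON encoding, the all-zero genesis value and the tree construction are assumptions for illustration, and the TSA signature and export steps are not shown.

```python
import hashlib
import json

GENESIS = b"\x00" * 32  # assumed starting value for the first link of a chain

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _link(prev: bytes, event: dict) -> bytes:
    # Canonical JSON so the same event always hashes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return _h(prev + body)

def chain_events(events, prev=GENESIS):
    """Append-only hash chain: each link commits to the event and the previous link."""
    records = []
    for event in events:
        prev = _link(prev, event)
        records.append((event, prev))
    return records

def merkle_root(links):
    """Root over one day's link hashes; 0x00/0x01 prefixes separate leaves from nodes."""
    if not links:
        return _h(b"")
    level = [_h(b"\x00" + link) for link in links]
    while len(level) > 1:
        paired = [_h(b"\x01" + level[i] + level[i + 1])
                  for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            paired.append(level[-1])  # odd node is promoted, not duplicated
        level = paired
    return level[0]

def verify_day(records, anchored_root, prev=GENESIS):
    """Return (ok, index): index is the first record whose link does not match."""
    for i, (event, link) in enumerate(records):
        if _link(prev, event) != link:
            return False, i
        prev = link
    return merkle_root([link for _, link in records]) == anchored_root, None

# Constructed sample events (documentation addresses, not real traffic).
SAMPLE = [
    {"ts": "2024-05-01T09:00:00Z", "src_ip": "192.0.2.10", "dst": "example.com", "user": "guest-17"},
    {"ts": "2024-05-01T09:00:05Z", "src_ip": "192.0.2.11", "dst": "example.org", "user": "staff-04"},
    {"ts": "2024-05-01T09:01:12Z", "src_ip": "192.0.2.10", "dst": "example.net", "user": "guest-17"},
]
```

An edited or deleted record fails the link check at a specific index. A chain rebuilt from scratch after an edit passes the link check but no longer matches the previously anchored root, which is why the root has to be timestamped by a party outside the log store.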
Signed export
One click in an audit produces an independently verifiable evidence pack.
web_access.csv
Who accessed what destination, when, and from which IP.
manifest.json
Hash-chain roots and TSA timestamp references.
verify.sh
A script that lets a third party verify the evidence independently.
Two modes
Correlation and Inline
Correlation mode (Lite / Standard)
Firewall syslog + NAC session table are merged into an enriched access record.
Inline mode (Pro / On-Prem)
The Edge N100 bridges traffic and captures the destination (HTTP Host, TLS SNI, DNS) directly, without MitM.
Why it's stronger
Beyond log-only tools
Tools like FortiLogger collect logs; Anchor turns those logs into legally defensible evidence.
Hash chain (SHA-256)
Append-only; the smallest change is detected instantly.
RFC 3161 TSA anchoring
The daily root is signed by TÜBİTAK Kamu SM — not alterable retroactively.
cosign verification
Supply-chain signing for update packages and evidence artefacts.
Independent verification
The signed export pack can be verified by a third party.
Data protection
KVKK (Law 6698) — built-in privacy controls
Turkey's Personal Data Protection Law requires lawful processing, purpose limitation and data-subject rights. Anchor products are designed with privacy by default.
Data minimisation
Only the data required for 5651 compliance and network security is collected. No unnecessary profiling or analytics beyond what the operator configures.
Encrypted storage
Logs and personal data are stored with LUKS full-disk encryption at rest. In-transit data uses TLS 1.3.
Retention & deletion
Configurable retention periods (1–10 years). Automated, auditable deletion when the retention window expires — meeting KVKK Art. 7 obligations.
Access control & audit trail
Role-based access, TACACS+ admin AAA and a tamper-evident audit trail ensure that personal data is accessed only by authorised personnel.
Data residency
On-premises and Sovereign deployments keep all data in Türkiye. Cloud deployments use Türkiye/EU regions — no data leaves the configured jurisdiction.
Data-subject requests
The export and deletion APIs support responding to KVKK Art. 11 data-subject requests within the 30-day statutory window.
Information security
ISO 27001 — controls your auditor expects
Anchor products map directly to key Annex A controls of ISO/IEC 27001:2022, helping your organisation demonstrate compliance during certification audits.
A.8.5 — Secure authentication
802.1X (TEAP/TLS), RADIUS, certificate-based BYOD and multi-factor guest login satisfy identity and authentication controls.
A.8.22 — Network segmentation
Dynamic VLAN assignment separates guest, corporate and IoT traffic — a core network-security control.
A.8.15 — Logging & monitoring
Hash-chained, TSA-signed logs with real-time dashboards provide tamper-evident event recording.
A.8.8 — Vulnerability & patch management
Posture assessment checks disk encryption, antivirus and patch state; non-compliant devices are quarantined and auto-remediated.
A.5.15 — Access control policy
YAML policy engine with explainable decisions, what-if simulation and full audit trail.
A.8.10 — Data deletion
Configurable retention, automated deletion and verifiable audit trails support secure data lifecycle management.
Certification path
RFC 3161 TSA & Common Criteria EAL2
Our tamper-evidence infrastructure is built on internationally recognised standards and is on a formal certification path with TSE (Turkish Standards Institute).
RFC 3161 — Trusted timestamps
IETF RFC 3161 defines how a trusted third party (TSA) issues a cryptographic proof that a datum existed at a given time. Each daily Merkle root is submitted to TÜBİTAK Kamu SM — the Turkish government's qualified TSA.
TÜBİTAK Kamu SM
Turkey's national scientific council operates the public-sector timestamp authority. Its certificates are accepted by BTK, courts and the e-Government Gateway (e-Devlet). Using a state-operated TSA removes reliance on commercial providers.
Common Criteria EAL2
EAL2 (Evaluation Assurance Level 2) provides independent verification that the product was structurally tested and its security functions match the security target. Our security target document covers all TOE components — from the hash-chain engine to the RADIUS proxy.
TSE evaluation path
TSE (Türk Standartları Enstitüsü) is the designated national body for Common Criteria evaluations in Turkey. The Anchor product family is on the TSE evaluation track, targeting EAL2 certification with a Yerli Malı designation.
Standards referenced
Let us take compliance off your plate
Let's discuss how to deploy 5651, KVKK and 27001-ready infrastructure in your organisation.