KVKK Compliance Guide
How SiperOne supports your obligations under the Turkish Personal Data Protection Law (KVKK).
Data Minimisation
AnchorSpot and AnchorNAC collect only the personal data required for the stated purpose — authentication and legal compliance. Phone numbers are collected for OTP verification, MAC addresses for session binding and TC Kimlik numbers only when explicitly required by Law 5651. No browsing history, payload content or location data beyond the site name is stored.
Encrypted Storage
All personal data at rest is encrypted with AES-256 — LUKS on the Edge appliance and application-level encryption in the cloud deployment. Data in transit is protected by TLS 1.3 between all components. Encryption keys are rotated annually and stored in a hardware-backed key store (TPM on Edge, HSM in cloud).
Retention & Deletion
Retention periods are configured per data category and purpose. When the retention period expires, personal data is irrecoverably deleted by destroying the encryption key for the affected segment. Deletion events are logged in the audit trail. Manual deletion can be triggered ahead of schedule via the console or API to fulfil data-subject erasure requests.
Access Control & Audit Trail
Console access is role-based with least-privilege defaults. Every action — login, policy change, data export, deletion — is recorded in an immutable audit trail with the operator identity, timestamp and source IP. The audit trail itself is protected by AnchorLog's hash chain to prevent tampering by administrators.
Data Residency
Cloud deployments process and store personal data exclusively in data centres located in Türkiye and the EU. On-premises and Edge deployments keep all data within the customer's own infrastructure. No personal data is transferred to third countries. The RFC 3161 TSA request contains only a SHA-256 hash — never personal data.
Data Subject Rights
Data subjects can exercise their KVKK rights — access, rectification, erasure, restriction and portability — by contacting the data controller. The SiperOne console provides export and deletion tools that allow operators to fulfil these requests within the 30-day statutory deadline. Request and fulfilment records are retained in the audit trail.
Ready to get started?
Deploy AnchorSpot, AnchorNAC or AnchorLog in minutes with a free trial — no credit card required.