Security Policy
Last Updated: March 2026
This Security Policy explains the fundamental security principles implemented to protect the information assets of the zimmettakip.com service and to ensure the security of personal data in accordance with the Turkish Personal Data Protection Law (KVKK).
1. Purpose
This Policy has been prepared to protect the information assets of the zimmettakip.com cloud-based SaaS service and its operational processes, to ensure the confidentiality, integrity, and availability of personal data, and to establish the necessary technical and administrative measures in accordance with the security obligations set forth in Article 12 of the KVKK.
2. Scope
This policy covers all systems, applications, network components, databases, backups, log records, customer support channels, and all customer data processed within the scope of the Service managed by the Provider.
3. Roles and Responsibilities
3.1. Policy owner: Ragıp Aziz Şentürk (Provider).
3.2. Access authorization: Managed according to the principle of least privilege. The KVKK guidelines emphasize the approach that “everything is prohibited unless explicitly permitted.”
3.3. Subprocessor/vendor management: The security adequacy of subprocessors is evaluated and contractual security obligations are established.
4. Risk Management and Classification
4.1. Risk assessments are conducted periodically, taking into account data categories (types of personal data) and the potential impact of possible breaches. Risks are regularly evaluated and necessary preventive controls are implemented.
4.2. Processing of special categories of personal data is not intended; if such processing becomes necessary, additional safeguards will be applied.
5. Technical Controls
5.1. Network and application security: up-to-date software/patch management and secure configuration practices.
5.2. Encryption: TLS is used for communication security; critical data is stored in encrypted form.
5.3. Backup: regular backups are performed, backups are protected against unauthorized access, and restore procedures are periodically tested.
5.4. Logging and monitoring:
(a) Platform security/application logs are generally retained for a maximum of 90 days.
(b) Records related to deletion, destruction, or anonymization operations are retained for at least 3 years.
(c) If obligations under Law No. 5651 apply, hosting provider traffic data retention periods may be adjusted to 1–2 years.
5.5. Access Security: system access is restricted based on roles and authorization levels.
6. Administrative Controls
6.1. Training and awareness: The KVKK guidelines consider employee training and awareness programs critical.
6.2. Confidentiality commitments: confidentiality obligations are established for everyone who has access to the Service.
6.3. Vendor/subprocessor relationships: contractual, access, and security oversight mechanisms are applied.
7. Incident Management and Data Breach Response
7.1. In the event of a suspected data breach, isolation, evidence preservation, impact analysis, and root cause analysis procedures are carried out.
7.2. In accordance with Decision No. 2019/10 of the Turkish Data Protection Board, a 72-hour approach is adopted for notifications to the Authority by the data controller, while notifications to affected individuals are made as soon as reasonably possible. Data processors must notify the data controller without delay.
7.3. Incident records are documented in a manner that can be presented to the Authority during investigations.
8. Policy Review
This policy is reviewed at least once per year or after any significant change or incident.
