Compliance and frameworks
A summary of the standards, regulations and frameworks we align our operations to. Alignment is a deliberate target — not a substitute for an audited certification.
Alignment is not certification. Where we hold an external attestation, it is named explicitly. Where we align to a framework without an attestation, this page says so.
NIST CSF 2.0
The NIST Cybersecurity Framework 2.0 organizes security work into Govern, Identify, Protect, Detect, Respond and Recover.
Our security overview, incident response and resilience practices are organized around these functions. We do not hold an external CSF attestation.
OWASP ASVS
OWASP Application Security Verification Standard defines verification requirements for modern web applications.
We target OWASP ASVS Level 2 for the platform surface and conduct external penetration testing before major releases. Pentest summaries are shared under DPA on request.
WCAG 2.2 AA
The W3C Web Content Accessibility Guidelines 2.2 set the current accessibility benchmark for public-facing web surfaces.
WCAG 2.2 Level AA is the documented target for the corporate site, with the product surface aligning route by route. Our accessibility statement describes scope and known limitations.
GDPR
The European General Data Protection Regulation governs the processing of personal data of individuals in the EEA.
Our Data Processing Addendum, standard contractual clauses, subprocessor list, and data subject request handling are designed to meet controller-to-processor requirements under the GDPR.
KVKK
Türkiye's Kişisel Verileri Koruma Kanunu (Law No. 6698) governs the processing of personal data of individuals in Türkiye.
Our privacy notice, data subject request channel, retention and destruction practices, and cross-border transfer commitments are aligned with KVKK obligations as set out by the Personal Data Protection Authority.