Security & Compliance

Enterprise-grade security for your company data

Birasyo runs on Microsoft Azure, uses Anthropic under Zero Data Retention, and is compliant with KVKK and GDPR — inheriting the certifications trusted by banks and the public sector.

Microsoft Azure Infrastructure

Birasyo runs on Microsoft Azure Europe (Netherlands/Ireland). Azure Türkiye (Istanbul) regions or private deployment are available on request. The infrastructure inherits Azure's ISO 27001, ISO 27018, SOC 2 Type II, PCI DSS and HIPAA certifications.

Azure Europe · Azure Türkiye (optional) · ISO 27001 (Azure) · SOC 2 Type II (Azure)

End-to-End Encryption

Traffic is encrypted in transit via TLS 1.3; data at rest uses AES-256. Sensitive fields (national ID, IBAN, SGK records) are column-level encrypted. Keys are stored in Azure Key Vault with HSM backing, using separation of duties between database and blob storage keys.

TLS 1.3 · AES-256 · Azure Key Vault · Column-level encryption

KVKK & GDPR Compliance

Birasyo Software Solutions is registered with the Turkish Data Protection Authority (VERBİS) as data controller. Privacy notice, consent management, data-subject request forms and deletion/anonymisation flows are built in. A KVKK inventory module lets customers maintain their own records. A GDPR Data Processing Agreement (DPA) is provided to EU customers.

VERBİS registered · KVKK · GDPR · DPA available

AI & Privacy

Birasyo AI uses Anthropic Claude under an enterprise API agreement. Under Anthropic's Zero Data Retention policy, prompts are not used for training, not logged, and discarded after response. Sensitive fields (national ID, IBAN, phone, e-mail, SGK number) are auto-masked before being sent to the model. Every AI interaction is captured in the audit log and can be disabled by the customer at any time.

Anthropic ZDR · PII masking · Audit log · Kill switch

Backup & Disaster Recovery

Databases are backed up every 15 min (point-in-time), with a daily full backup and a weekly archive. Retention is 35 days minimum, 7 years for compliance customers. Data is geo-replicated to a secondary region for disaster recovery: RPO ≤ 15 min, RTO ≤ 4 hrs. DR drills are run annually.

RPO ≤ 15 min · RTO ≤ 4 hrs · Geo-redundant backup · 35 days / 7 years retention

Access Control & Audit

RBAC applies to every module. Two-factor authentication (TOTP, SMS, trusted device), SSO/SAML 2.0 and Microsoft Entra ID (Azure AD) are standard. Every mutation is written to an immutable audit log — who, when, which field, from which IP. Suspicious logins raise real-time alerts.

RBAC · 2FA · SSO / SAML 2.0 · Audit log (immutable)

Data Residency

Data residency is configurable: Azure Europe (default, EU DPF), Azure Türkiye (Istanbul) or private cloud. Residency is recorded in the customer DPA; migration is completed within 5 business days.

EU · Türkiye · Private cloud

Incident Management & SLA

24/7 monitoring; security incidents: first response within 15 min, status report within 4 hrs, root-cause analysis within 72 hrs. KVKK's 72-hour breach notification obligation is met via automated process. Platform SLA: 99.9% monthly uptime.

24/7 SOC · 15 min first response · 72-hour KVKK notification · SLA 99.9%

Certifications & partnerships

We inherit infrastructure and AI certifications; we run our own processes for KVKK and GDPR.

Microsoft Azure
ISO 27001 · SOC 2 · PCI DSS (inherited)
Anthropic Enterprise
Zero Data Retention
KVKK
VERBİS registered · DPIA
GDPR
DPA · EU DPF
ISO 27001
Inherited from Azure
SOC 2 Type II
Inherited from Azure

Request a security report or DPA

For your board or legal review, request a security architecture summary, Azure SOC 2 summaries, penetration test results and Data Processing Agreement templates.