orsacore.
All posts

June 19, 2026

Choosing business software through a KVKK lens: 6 questions to ask your vendor

Process software doesn't carry business data alone: employee records, customer communications, sometimes location and performance data all enter the system. Under Türkiye's data protection law (KVKK), the controller responsible for that data is you — not your vendor. That makes vendor selection a data-protection decision.

Six questions to put on the table

  • Where is the data hosted? Hosting abroad triggers KVKK's cross-border transfer rules (Article 9) — extra obligations
  • Is on-premise or in-Türkiye hosting available?
  • Who accesses what? Is there role-based authorisation with access logs?
  • Documentation support: does the vendor state in writing which data is processed for which purpose?
  • Data minimisation: is data your processes don't need (e.g. continuous location tracking) collected, and can it be switched off?
  • Contract: are the vendor's obligations as a data processor explicitly written into the agreement?

The orsacore approach

We design our products with KVKK and GDPR in mind: your data lives on-premise or in Türkiye — your choice — access is role-based, and only the data a process actually needs is handled. Integration-first architecture helps here too: your data stays in your own systems; the portal layer connects it instead of moving it.

This article is for general information and is not legal advice; consult your KVKK advisor for an assessment specific to your organisation.

Let's talk about your processes

Free intro call — a demo tailored to you within 1 day.

Contact us