June 19, 2026
Choosing business software through a KVKK lens: 6 questions to ask your vendor
Process software doesn't carry business data alone: employee records, customer communications, sometimes location and performance data all enter the system. Under Türkiye's data protection law (KVKK), the controller responsible for that data is you — not your vendor. That makes vendor selection a data-protection decision.
Six questions to put on the table
- Where is the data hosted? Hosting abroad triggers KVKK's cross-border transfer rules (Article 9) — extra obligations
- Is on-premise or in-Türkiye hosting available?
- Who accesses what? Is there role-based authorisation with access logs?
- Documentation support: does the vendor state in writing which data is processed for which purpose?
- Data minimisation: is data your processes don't need (e.g. continuous location tracking) collected, and can it be switched off?
- Contract: are the vendor's obligations as a data processor explicitly written into the agreement?
The orsacore approach
We design our products with KVKK and GDPR in mind: your data lives on-premise or in Türkiye — your choice — access is role-based, and only the data a process actually needs is handled. Integration-first architecture helps here too: your data stays in your own systems; the portal layer connects it instead of moving it.
This article is for general information and is not legal advice; consult your KVKK advisor for an assessment specific to your organisation.