Personal Data Protection

KVKK Compliance Support

Technical and administrative measures as a data processor under the Personal Data Protection Law No. 6698.

KVKK

Law No. 6698

Law Articles: 33
Core Principles: 6
Data Subject Rights: 8

Data Controller and Data Processor

Roles and responsibilities are clearly defined under KVKK.

Data Controller (Customer)

The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data registry system.

Data Processor (VeriTeknik)

The natural or legal person who processes personal data on behalf of the data controller based on the authority given. Responsible for technical infrastructure and security measures.

KVKK Core Principles

Fundamental principles to be followed in personal data processing activities.

Lawfulness

Personal data can only be processed in accordance with the procedures and principles prescribed by law.

Purpose Limitation

Data is collected for specific, explicit and legitimate purposes and cannot be processed in ways incompatible with these purposes.

Data Minimization

Collected data must be relevant, adequate and necessary for the processing purpose.

Accuracy

Personal data must be accurate and up-to-date, and is corrected when necessary.

Storage Limitation

Data is stored for as long as the processing purpose requires, and is deleted or anonymized when the period expires.

Security

Appropriate measures are taken to protect personal data against unauthorized access, loss or damage.

Security Measures

Technical and administrative measures taken under KVKK.

Technical Measures

  • Data encryption (at-rest and in-transit)
  • Access control and authorization
  • Firewall and IDS/IPS
  • Log management and monitoring
  • Backup and disaster recovery
  • Vulnerability scanning and penetration testing

Administrative Measures

  • Data processing policies
  • Employee confidentiality agreements
  • Data processor contracts
  • Regular training programs
  • Internal audit procedures
  • Incident response plans

Physical Measures

  • Data center security
  • Biometric access control
  • 24/7 security monitoring
  • Fire and water protection
  • Backup power systems
  • Environmental controls

Data Transfer

International Data Transfer

Transfer of personal data abroad is subject to special conditions under KVKK.

  • Obtaining explicit consent or legal exception
  • Transfer to countries with adequate protection
  • Providing assurance through undertaking
  • Obtaining Board permission (when required)

Transfer Conditions

  1. Explicit consent of the data subject
  2. Explicitly prescribed by law
  3. Necessity for contract performance
  4. Legitimate interest of data controller

AI and Data Processing

CogMem-AI Cognitive Memory System

CogMem-AI, the cognitive memory component of Morpheus AI Operations Assistant, irreversibly anonymizes operational patterns learned from interactions and adds them to a collective knowledge base.

Processing Stages

1. Pattern Extraction

Operational patterns are identified during service delivery. Data is processed under the service agreement (KVKK Art. 5/2-c).

2. Multi-Layer Anonymization

Personal identifiers are removed, and statistical generalization (k-anonymity, k≥5), differential privacy (ε≤1.0), and micro-aggregation are applied. Anonymization completes within 30 days.

3. Collective Knowledge Base

Anonymized patterns are added to the knowledge base serving all users. At this stage, data qualifies as anonymous under KVKK Art. 28/1-b.
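
The sketch below is an added illustration of how the anonymization layers named in stage 2 can be combined, using the stated thresholds (k≥5, ε≤1.0); it is not VeriTeknik's or CogMem-AI's code. The record shape, field names and 6-hour banding are assumptions, the sample records are constructed, and micro-aggregation is left out.

```python
import random
from collections import Counter

K_MIN = 5      # k-anonymity threshold stated on the page (k >= 5)
EPSILON = 1.0  # differential-privacy budget stated on the page (epsilon <= 1.0)
DIRECT_IDENTIFIERS = {"customer_id", "hostname", "ip"}  # assumed field names

def generalize(record):
    """Remove direct identifiers and coarsen the hour into a 6-hour band."""
    kept = {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS}
    start = (kept["hour"] // 6) * 6
    kept["hour"] = f"{start:02d}-{start + 5:02d}"
    return tuple(sorted(kept.items()))

def k_anonymous_groups(records, k=K_MIN):
    """Count records per generalized pattern; suppress groups smaller than k."""
    counts = Counter(generalize(r) for r in records)
    return {group: n for group, n in counts.items() if n >= k}

def laplace_noise(epsilon, rng):
    """Laplace(0, 1/epsilon) sample: difference of two Exp(epsilon) draws.
    Scale 1/epsilon assumes each record changes one count by at most 1."""
    return rng.expovariate(epsilon) - rng.expovariate(epsilon)

def release(records, k=K_MIN, epsilon=EPSILON, rng=None):
    """Noisy counts for the patterns that survive k-anonymity suppression."""
    rng = rng or random.SystemRandom()
    groups = k_anonymous_groups(records, k)
    return {g: max(0, round(n + laplace_noise(epsilon, rng)))
            for g, n in groups.items()}

# Constructed sample: seven similar nginx restarts and one unique failover.
SAMPLE = [
    {"customer_id": f"c{i}", "hostname": f"web{i}", "ip": f"192.0.2.{i}",
     "service": "nginx", "event": "restart", "hour": 1 + i % 5}
    for i in range(7)
] + [{"customer_id": "c99", "hostname": "db1", "ip": "192.0.2.99",
      "service": "postgres", "event": "failover", "hour": 14}]

if __name__ == "__main__":
    for pattern, noisy_count in release(SAMPLE).items():
        print(dict(pattern), noisy_count)
```

Suppression here is decided on the true count, which is not itself covered by the ε guarantee; the Laplace noise protects only the released counts.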

Legal Basis

  • Service delivery: KVKK Art. 5/2-c (Contract performance)
  • Pattern extraction: KVKK Art. 5/2-f (Legitimate interest + balancing test)
  • Collective knowledge base: KVKK Art. 28/1-b (Anonymous data — outside scope)

Opt-Out from Collective Learning

You can disable CogMem-AI collective learning from the Morpheus management panel or by written notice to kvkk@veriteknik.com.tr. Opt-out requests are processed within 7 business days without affecting your Morpheus service.

Ensure Your KVKK Compliance

Get expert support on technical and administrative measures.