KVKK-Compliant Data Architecture: A Practical Guide for Enterprise Software
In most organizations KVKK compliance is treated as 'the legal team's job', yet real compliance begins in software architecture. This guide offers a practical framework for getting KVKK right from day one while building an enterprise product.
Data Inventory: What Do We Collect, Where Is It Stored?
Step one is mapping every piece of personal data flowing through the system. Which API endpoint receives what, processes it where and writes it where? Visualize with a data flow diagram. The documented version of this map is already required for VERBİS registration.
Categorize: identity, contact, financial, health, biometric, child data. Each category is subject to different processing and retention rules and must be reflected in the architecture from the start.
Encryption: In Transit and At Rest
In transit: TLS 1.3 minimum, mTLS for microservice traffic. At rest: AES-256-GCM for field-level or column-level encryption. Central key management via KMS (AWS KMS, Azure Key Vault, HashiCorp Vault).
For sensitive fields (national ID, bank account, health data) apply application-level encryption plus tokenization. Even a database administrator should not access raw data. Envelope encryption — encrypting keys with a key — leaves an auditable trail.
Access Control: RBAC and Audit Log
Role-based access control (RBAC) is the baseline; more advanced scenarios use ABAC (attribute-based) with rules like 'only the assigned account manager can view this customer's data'. Every read/write operation must land in the audit log: who, when, which record.
The audit log itself must be immutable (append-only); WORM storage or a Merkle tree structure is recommended. In internal audits this log is critical evidence for both legal accountability and incident response.
Retention Periods and Automatic Deletion
Each data category has different legal and business retention periods: commercial records 10 years, marketing consent 2 years, cookie logs 6 months. Scheduled jobs enforce these automatically; expiry triggers anonymization or deletion.
Deletion must be true hard-delete, and backup policy must reflect this. Systems that manage backup retention per data category make compliance straightforward.
Data Subject Request Process
Under KVKK article 11, individuals can request access, correction, deletion and portability. These requests must be answered within 30 days; consider a self-service panel inside the product (JSON/CSV export, deletion request).
The VefaSec KVKK advisory package: VERBİS registration, privacy notice, explicit consent mechanism, DPIA (Data Protection Impact Assessment) and technical control mapping. Engineering and legal teams work at the same table to achieve compliance.
Talk to VefaSec about your project or audit needs.
Our Diyarbakır-based team delivers end-to-end software development, penetration testing and cybersecurity advisory to enterprise clients. The discovery call is free and non-binding.