Buaze home
INFORMATION SECURITY

Information Security Policy

SUMMARY

Administrative and technical security measures applied by the Buaze platform under KVKK Art.12.

1. Purpose and scope#

This policy documents the administrative and technical measures Buaze ("Buaze") applies to maintain confidentiality, integrity and availability of all data processed on the platform. It is based on Article 12 of the Turkish KVKK (Personal Data Protection Law) and the "Personal Data Security Guide" issued by the Personal Data Protection Authority (December 2018).

2. Governance and responsibilities#

  • Information Security Officer: An internal manager coordinates KVKK compliance, security measures and incident response.
  • Data Controller Representative: Person assigned for VERBIS (Turkish data controllers' registry) compliance.
  • Sub-processors: Bound by KVKK Art. 8 and the Data Processing Agreement (DPA).

3. Administrative measures#

  • Access policy: Staff access only data necessary for their role (least privilege). Access requests are justified and logged.
  • Training: All staff complete KVKK + security training at least once a year. New hires are trained before getting access.
  • Confidentiality: Staff and third parties sign confidentiality agreements; obligations survive termination.
  • Discipline: Policy violations face graded sanctions from written warning to termination.
  • Contractual controls: Every sub-processor signs a written DPA; periodic audits are conducted.
  • VERBIS: Registration is completed and maintained when statutory thresholds are exceeded.

4. Technical measures#

4.1 Access and authentication#

  • Password policy: min. 8 chars, alphanumeric required, stored as bcrypt hash (12 rounds).
  • Two-factor authentication (2FA): TOTP-based; mandatory for admin accounts, optional for end users.
  • Session management: JWT + httpOnly + secure cookie + 7-day TTL. Server-side revocation via the UserSession table; "Sign out other devices" exposed to users.
  • Brute-force protection: Rate limit (Upstash Redis) on login + password reset endpoints.
  • Role-based access (RBAC): superadmin / manager / restaurant_owner / team_member roles; IDOR checks on every API.

4.2 Data in transit#

  • TLS 1.2+ enforced; HSTS prevents downgrade attacks.
  • Certificates auto-renewed via Let's Encrypt or equivalent CA.
  • CORS rules applied as a whitelist.

4.3 Database and storage#

  • Database provider (Supabase / PostgreSQL): TLS, row-level security supported.
  • Backups: daily automated, 7-day retention, off-site replica.
  • Sensitive fields are encrypted or hashed (passwords, OAuth tokens, 2FA secrets).
  • Data-at-rest encryption: AES-256 at the cloud provider.

4.4 Application security#

  • OWASP Top 10: SQL injection (Prisma parameterised queries), XSS (React escaping), CSRF (SameSite cookie), SSRF (URL allowlist), server-side input validation.
  • reCAPTCHA Enterprise: Bot protection on signup, login and public forms.
  • Honeypot fields: Anti-bot decoy inputs.
  • Content Security Policy (CSP): inline script + eval blocked.
  • Dependency hygiene: `npm audit` periodic scans; high-severity issues patched within 7 days.

4.5 Logging and monitoring#

  • Sentry: error tracking + performance tracing (KVKK-compliant, send_default_pii=false).
  • Audit log: admin write operations (`admin_audit_logs` table).
  • IP retention: 90 days; anonymisation cron runs thereafter.
  • Access logs retained at least 6 months.

4.6 Backup and continuity#

  • RPO (Recovery Point Objective): max 24 hours of data loss.
  • RTO (Recovery Time Objective): max 4 hours to restore.
  • Annual drills: backup restore + disaster recovery scenarios are tested.

5. Data breach response#

Full procedure in the "Data Breach Response Policy". Summary:

  • Internal alert within 24 hours,
  • Notification to KVKK Authority within 72 hours (if threshold met),
  • Affected data subjects notified within a reasonable period.

6. Independent security audits#

Buaze is open to independent information security audits annually or on request. Corporate customers may request via legal@buaze.com:

  • Penetration test summary report (under NDA),
  • Architecture diagrams (under NDA),
  • ISO 27001 / 27701 certification readiness.

7. Policy review#

This policy is reviewed annually or upon material technology / regulatory change. Updates are published here; material changes are e-mailed to registered users.

8. Contact#

  • Security topics: support@buaze.com
  • Suspicious activity: legal@buaze.com
  • Vulnerability disclosure: support@buaze.com (90-day responsible disclosure)
Save this page as a PDF with Ctrl/Cmd + P