KVKK Disclosure Notice
Data Controller: Doğanay Siber Emniyet Teknolojileri ("DSET") — Hacettepe Teknokent, Üniversiteler Mah. 1596. Cad. 6. AR-GE Blokları C Blok No:6C Ground Floor, Beytepe — Çankaya / Ankara.
Pursuant to the Personal Data Protection Law No. 6698 ("KVKK"), your personal data is processed by DSET in its capacity as data controller within the scope explained below.
1. Categories of Personal Data Processed
| Category | Data Type | Related Service |
|---|---|---|
| Identity | First name, last name, Turkish ID number (when required) | Digital forensics, KVKK compliance |
| Contact | Email, phone, address | All services |
| Customer Transaction | Request detail, service scope, price quote | All services |
| Device / Data | Content of the storage media processed (HDD, SSD, phone) | Data recovery, digital forensics |
| Transaction Security | IP address, user agent (User-Agent), access logs | Contact form, DSET AI |
| Marketing (optional) | Newsletter sign-up (only with explicit consent) | Blog / academy announcements |
2. Purposes of Personal Data Processing
- Establishment and performance of a contract (KVKK Art. 5/2-c)
- Fulfilment of legal obligations (KVKK Art. 5/2-ç)
- Legitimate interest, provided it does not harm the fundamental rights and freedoms of the data subject (KVKK Art. 5/2-f) — for example information security and fraud prevention
- Specific purposes where explicit consent has been obtained (marketing, profiling) (KVKK Art. 5/1)
3. Service-Specific Explanations
3.1 Data Recovery
The storage media you submit is processed in DSET's clean room environment. A forensic image of the device is taken and logical/physical recovery techniques are applied. Throughout the process:
- Only authorized technical personnel can access the data
- Recovered data is destroyed by secure erasure to the DOD 5220.22-M standard no later than 30 days after delivery to the customer (unless the customer specifically requests otherwise)
- The device is returned physically; a handover record is signed
3.2 Digital Forensics
In examination processes carried out for submission to a court, the chain of custody and integrity (SHA-256 hash) are recorded in a report. Evidence is shared with third parties only under a judicial order. Unless the customer gives specific instructions, post-examination data destruction is carried out within 90 days.
3.3 Pentest (Penetration Testing)
Security vulnerabilities, credentials and system configurations obtained during a penetration testing service are destroyed within 60 days of report delivery at the latest, under a mutually signed NDA. Findings are not shared by DSET with any other customer.
3.4 DSET AI (Artificial Intelligence Assistant)
Conversations held with the AI Chat tool on our website are logged on a session basis to improve service quality. These logs:
- are not matched to individual users (the IP is hashed as an hourly segment)
- are not shared with third-party AI providers
- are automatically deleted after 30 days
- are deleted immediately upon your request ([email protected])
4. Transfer of Data
Your personal data is not shared with third parties except in the following cases:
- Legal obligation (court decision, prosecutor's request)
- With explicit consent (e.g. a partner training institution)
- Contracted service providers such as an accountant or legal advisor (under a KVKK-compliant agreement)
Data is not transferred abroad. All of our infrastructure is within the borders of Türkiye/the EU.
5. Retention Periods
- Contact form records: 2 years (tax + commercial legislation)
- Service contract and annexes: 10 years (Turkish Code of Obligations Art. 146)
- Recovered / examined data: 30-90 days after service delivery
- Access logs: 12 months (Information and Communication Technologies Authority regulation)
- DSET AI chat log: 30 days
6. Rights of the Data Subject (KVKK Art. 11)
As a personal data subject, you have the following rights:
- To learn whether your personal data is being processed
- To request information if it has been processed
- To learn the purpose of processing and whether the data is used in line with that purpose
- To know the third parties to whom the data has been transferred domestically or abroad
- To request correction if it has been processed incompletely or incorrectly
- To request its deletion / destruction within the scope of KVKK Art. 7
- To request that correction or deletion operations be notified to the third parties to whom the data was transferred
- To object to a result against you being reached through analysis by automated systems
- To claim compensation for damage you suffer due to unlawful processing
7. Application Method
To exercise your data subject rights, you can send an email to [email protected] or apply in writing to the address stated above. Your applications are answered free of charge within 30 days at the latest (KVKK Art. 13).
If you are not satisfied with the response given to your application, you reserve the right to file a complaint with the Personal Data Protection Board (KVKK).