D-CAT Technologies · Security & Compliance

Enterprise Data Security.
Not in Words — in Architecture.

The largest organizations in Turkey and EMEA entrust their sensitive data to us. For 20 years we have built that trust into our architecture and protected it in practice. KVKK, GDPR, corporate security standards, on-premise architectures and PII protection — these are the foundation of every D-CAT product.

Three Core Principles

Principle 01

Data Stays Within the Enterprise

On-premise deployment is the default in our architecture. Data does not leave the organization. AI never sees real customer data.

The Axoria Privacy agent runs as agent zero: PII detection + format-preserving transformation + synthetic data generation. All the AI sees is synthetic data — carrying no real identity information, but preserving statistical properties.

Principle 02

Every Step Auditable

We are not a black box. Every agent call, every model decision, every data access is logged.

The question "why did this result come out this way?" is answered in language the end user can understand. Model decisions are transparent, traceable and reproducible.

Principle 03

Enterprise Standards

KVKK, GDPR, corporate security policies — as regulation evolves, our architecture evolves with it.

Role-based access control (RBAC), row-level security, column-level masking, encryption (at rest + in transit) — they run at the core of every one of our products.

Independent Verification

Our Certifications

Three independent certifications. Each one verifies a different layer: information security, software process maturity and public-sector authorization.

ISO/IEC 27001

Information Security Management System

The international standard. An end-to-end audited information security framework covering data classification, access control, incident response and continuous improvement.

Scope: All D-CAT operations, products and customer data.

SPICE (ISO/IEC 15504)

Software Process Maturity

A maturity-level certification for the software development process. Requirement management, design discipline, test coverage and release governance — all assessed independently.

Verifies: Quality assurance of our 20-year delivery practice.

Public Sector IT Authorization

T.C. · Public Sector IT License

The Republic of Türkiye public sector IT authorization document. Validates D-CAT's competence and reliability in critical public-sector projects.

Required for: Tendering on public-sector IT projects.

Certifications are not slogans; each one is tied to a procedure and an audit cycle. Up-to-date copies of the documents are shared with enterprise customers on request.

KVKK Compliance · Architected for Turkish Institutions

The Personal Data Protection Law (KVKK) is the foundation of enterprise data projects in Turkey. D-CAT products are architected to comply with it.

The Axoria Privacy agent automatically detects PII in the source database:

  • Turkish ID Number
  • IBAN, credit card number
  • First name, surname, phone, email
  • Address, date of birth
  • Sensitive health data

Detected data is transformed in a format-preserving way: original statistical properties are retained, identity is erased.

The KVKK compliance report is generated automatically and kept audit-ready.

Data-processing inventory, privacy-notice templates, VERBİS compliance documents — all part of the package we deliver to our customers.

GDPR and International Standards

GDPR Compliance

In Europe (via our Estonia EU office) and for our international customers, we provide a GDPR-compliant architecture covering:

  • Right to data portability
  • Right to be forgotten
  • Explicit consent management
  • Data breach notification processes
  • Cross-border data transfer rules

Sector Standards

Healthcare (for HealthCat customers):

  • HBYS data transfer standards
  • Patient privacy rules
  • SGK communication protocols

For finance customers:

  • BDDK data security requirements
  • Interbank data sharing rules
  • Contractual audit reports

Technical Security Layer

Encryption

  • TLS 1.3 (transit)
  • AES-256 (at rest)
  • Key rotation
  • HSM integration support

Access Control

  • Role-based access (RBAC)
  • Row-level security (RLS)
  • Column-level masking
  • Single Sign-On (SSO)

Network Security

  • VPN / Private endpoints
  • IP whitelisting
  • Firewall policies
  • DDoS protection

Monitoring and Auditing

  • Comprehensive audit log
  • Anomaly detection
  • User activity report
  • Security incident response

Deployment Models

  • On-premise (full control)
  • Private cloud
  • Hybrid (data on-prem, compute in cloud)

Backup and Recovery

  • Automatic daily backup
  • Point-in-time recovery
  • Disaster recovery plan
  • RTO/RPO commitments

Artificial Intelligence · Responsible Use

Being an AI-native company means taking AI security especially seriously.

When building modern LLM and agentic architectures, we answer three questions:

Which data does the model access?

Source data never leaves the organization. Connections are established on-premise or via private cloud. Every data share is logged.

How does the model decide?

Every model decision is explainable — the question "why was this recommendation produced?" has an auditable answer.

How much resource does the model consume?

Every AI call is transparently tracked: which agent, which model, how many tokens, what cost — reported in real time.

AI is a powerful tool — but power carries responsibility. In D-CAT products, AI use is always open to — and must remain open to — human oversight.

Review Our Security Documents

Data-processing agreements, security protocols and audit reports signed with our enterprise customers — shared on request.

Security Document

Request the detailed product-specific security document.


Expert Consultation

Let's discuss our security architecture at a technical level.


KVKK Compliance Project

A full PII scan of your enterprise database. Detection, classification, masking, transformation. An end-to-end compliance project.
