
Our Security Approach

In OW partnerships, decisions are recorded in a traceable and auditable manner across the data, model, and application layers, backed by security controls for GTFS data and cloud-based transit analytics.

Security Foundations

End-to-End Encryption

AES-256 encryption for data at rest and TLS 1.3 for data in transit

KVKK/GDPR Compliant

Full compliance with Turkish KVKK and EU GDPR regulations

ISO 27001 Certified

Internationally recognized information security management

Audit Logging

Comprehensive audit trails for all system operations and access

Access Control

Role-based access control (RBAC) with multi-factor authentication

Secure Infrastructure

Enterprise-grade infrastructure with regular security audits

Compliance & Certifications

Meeting the highest standards for data protection and security

ISO 27001
KVKK
GDPR

ISO 27001 alignment

Our information security management system (ISMS) is structured around ISO/IEC 27001 principles: leadership commitment, risk-based thinking, and continual improvement. We maintain documented policies and procedures covering asset inventory, risk assessment and treatment, human-resource security, access control, cryptography, operational security, communications, development lifecycle security, supplier relationships, incident management, business continuity, and compliance monitoring.

Security controls are not treated as a static checklist. They are reviewed on a defined cadence, tested against realistic threat scenarios, and updated when our services, partners, or regulatory context change. For enterprise and public-sector customers, we can explain how our practices map to Annex A control themes and support vendor security questionnaires, RFP annexes, and internal audit programs.

Alignment with ISO 27001 is one of the ways we demonstrate due diligence in procurement, insurance, and supervisory conversations. It is not a substitute for legal advice, but it shows that security governance is embedded in how OW operates.

GDPR & KVKK compliance

We process personal data only where a valid legal basis exists under the EU General Data Protection Regulation (GDPR) and, for data subjects in Türkiye, the Law on Protection of Personal Data (KVKK). Purposes are defined up front (purpose limitation); data categories are minimized to what is necessary (data minimization); and retention is tied to service delivery, legal obligation, or documented legitimate interest, after which data is securely deleted or irreversibly anonymized where appropriate.

Data Processing Agreements (DPAs) describe roles (controller/processor where applicable), subprocessors, categories of processing, cross-border transfer mechanisms when needed, and technical and organizational measures. Data subjects can exercise rights of access, rectification, erasure, restriction, objection, and data portability through designated channels; we acknowledge and respond within applicable statutory timelines.

Our breach-notification playbook defines internal escalation, evidence preservation, containment, and communication to regulators and affected individuals where the law requires. Training and runbooks help ensure that privacy and security incidents are handled consistently rather than ad hoc, including scenarios involving GTFS data security and cloud-based transit analytics.

Encryption, access control & audit logging

Sensitive information at rest is protected using AES-256 (or equivalent industry-standard algorithms) in environments configured for encryption by default, including managed storage and backups where encryption is supported by the platform. Data in transit is protected with TLS 1.2 or higher and modern cipher suites, reducing exposure on public networks.

Access to production-adjacent systems, administrative consoles, and repositories that could affect customer trust is granted on a least-privilege basis through role-based access control (RBAC). Multi-factor authentication is required for privileged roles where the underlying identity provider supports it. Joiners, movers, and leavers are processed through documented workflows so that dormant accounts do not accumulate.

We maintain tamper-evident audit trails for security-relevant events—including sign-ins, permission changes, and privileged operations—with retention suited to investigation and compliance review. Periodic access reviews reconcile entitlements with actual job responsibilities, closing gaps before they become incidents.
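To make "tamper-evident audit trail" concrete, the following is an added example, not OW's code and not a description of their logging system. It chains each record to the previous one with an HMAC-SHA256 digest and verifies the chain on read, so that editing, deleting, or reordering a record is detectable. The signing key and the sign-in, permission-change, and privileged-operation events are constructed for the demo; in practice the key would live in a KMS and the verifier would hold it separately from the writer.

```python
import hashlib
import hmac
import json
from copy import deepcopy
from typing import Any, Dict, List, Optional, Tuple

# Constructed demo key (assumption). A real deployment keeps this in a KMS or
# secrets store, and the verifying party holds it apart from the log writer.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
GENESIS = "0" * 64  # "previous digest" value for the very first record


def _digest(seq: int, prev: str, event: Dict[str, Any]) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of (seq, prev, event)."""
    payload = json.dumps(
        {"seq": seq, "prev": prev, "event": event},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only audit trail where every record commits to its predecessor."""

    def __init__(self) -> None:
        self.records: List[Dict[str, Any]] = []

    def append(self, event: Dict[str, Any]) -> Dict[str, Any]:
        seq = len(self.records)
        prev = self.records[-1]["digest"] if self.records else GENESIS
        record = {"seq": seq, "prev": prev, "event": event,
                  "digest": _digest(seq, prev, event)}
        self.records.append(record)
        return record

    def head(self) -> str:
        """Digest of the newest record. Anchor it outside the log store
        (forwarded to a separate system) so tail truncation is detectable."""
        return self.records[-1]["digest"] if self.records else GENESIS


def verify_chain(records: List[Dict[str, Any]],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, seq of the first
    bad record). A head mismatch is reported with seq == len(records)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        # Sequence gaps or a broken back-link reveal deletion or reordering.
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        # A modified event (or digest) fails recomputation under the key.
        if not hmac.compare_digest(rec.get("digest", ""),
                                   _digest(i, prev, rec["event"])):
            return False, i
        prev = rec["digest"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    log = AuditLog()
    # Constructed sample events mirroring the categories named in the text.
    log.append({"type": "sign_in", "user": "alice", "mfa": True})
    log.append({"type": "permission_change", "user": "bob", "role": "reader"})
    log.append({"type": "privileged_op", "user": "alice", "action": "rotate_key"})
    anchor = log.head()

    # Edit a past record: the recomputed digest no longer matches.
    edited = deepcopy(log.records)
    edited[1]["event"]["role"] = "admin"

    # Delete a middle record: the sequence number and back-link break.
    deleted = deepcopy(log.records)
    del deleted[1]

    # Drop the newest record: only the externally anchored head catches it.
    truncated = log.records[:2]

    return {
        "intact": verify_chain(log.records, anchor),
        "edited": verify_chain(edited, anchor),
        "deleted": verify_chain(deleted, anchor),
        "truncated_without_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, anchor),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last two cases are the point a reviewer would raise: a hash chain alone proves nothing about records removed from the tail, so the current head digest has to be anchored somewhere the log writer cannot rewrite (a separate log sink, a ticket, or a periodically published value) for the trail to be tamper-evident end to end.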

Vercel platform security

Our marketing site and related web experiences are deployed on Vercel’s globally distributed edge platform. Traffic benefits from TLS termination at the edge, built-in DDoS mitigation, and continuous platform hardening maintained by Vercel’s security engineering teams. Vercel publishes SOC 2 Type II and related assurance reports for its cloud operations; we inherit a significant portion of physical and network controls through that relationship.

Application builds run in isolated CI environments; secrets are never committed to source control and are injected at build and runtime via protected environment variables. Preview and production projects are separated to reduce the risk of experimental changes affecting live users.

This model trades self-managed server sprawl for a smaller, well-documented attack surface—while preserving fast, cache-friendly delivery worldwide. We complement platform controls with our own secure development practices, dependency awareness, and monitoring appropriate to a public-facing corporate presence.