Does the personal data of Turkish mobile app users remain private in Turkey? How is our end-users' data protected?
Introduction to KVKK (Personal Data Protection Law)
KVKK, the Kişisel Verileri Koruma Kanunu (Personal Data Protection Law), enacted in Turkey, is a comprehensive legal framework designed to protect the personal data of individuals. It governs the collection, processing, and storage of personal data, ensuring organizations implement strict security and privacy measures. The law, which came into effect on April 7, 2016, is regulated by the Personal Data Protection Authority (KVKK) and is inspired by the European Union's General Data Protection Regulation (GDPR).
Key principles of the KVKK include:
- Lawfulness and fairness: Personal data must be processed in accordance with the law and in a transparent manner.
- Purpose limitation: Data should be collected for specified, explicit, and legitimate purposes.
- Data minimization: Only the necessary amount of data should be processed.
- Accuracy: Personal data must be accurate and kept up to date.
- Storage limitation: Data should be retained only for as long as necessary.
- Integrity and confidentiality: Data must be processed securely to prevent unauthorized access, loss, or damage.
The KVKK applies to all organizations that process personal data in Turkey or target Turkish residents, regardless of where the organization is based.
How KVKK Impacts Mobile App Security
Under KVKK, businesses that develop mobile applications or use APIs to process personal data must implement robust security measures to protect user information. This includes:
- Preventing unauthorized access through encryption and authentication mechanisms.
- Ensuring secure API communications to prevent data breaches.
- Regularly auditing and monitoring security controls.
Is Approov in Compliance with the KVKK?
Approov, a leading mobile app security solution, is committed to ensuring compliance with global data protection regulations, including the KVKK. While Approov's primary focus is on securing mobile applications and APIs, it also adheres to strict data protection standards to safeguard user data.
How Approov Aligns with KVKK Principles
1. Data Minimization and Purpose Limitation:
KVKK mandates that organizations minimize the data they collect and ensure proper safeguards are in place. Approov does not store or process personally identifiable information (PII) from mobile app users. It only collects minimal metadata necessary for security functions, ensuring compliance with KVKK’s data minimization and purpose limitation principles.
2. Data Security and Confidentiality:
KVKK requires organizations to implement encryption and other protective measures to prevent unauthorized access to personal data.
Approov employs state-of-the-art encryption and security measures to protect data from unauthorized access, breaches, or misuse. This ensures compliance with the KVKK's requirement for data integrity and confidentiality. Approov’s dynamic certificate pinning and runtime application attestation secure data in transit, protecting it from man-in-the-middle (MitM) attacks and other cybersecurity threats.
3. Transparency and Accountability:
Approov provides clear documentation and transparency about how data is processed, stored, and protected. This helps organizations using Approov to meet their transparency obligations under the KVKK.
4. Data Subject Rights:
Approov supports organizations in fulfilling data subject rights, such as access, rectification, and deletion of personal data, as mandated by the KVKK.
5. Cross-Border Data Transfers:
Approov ensures that any cross-border data transfers comply with the KVKK's requirements, including obtaining necessary consents and implementing adequate safeguards.
6. Secure API Communications:
A major risk under KVKK is unauthorized access to APIs that process personal data. Approov ensures secure API communications by verifying that only legitimate, untampered mobile applications can interact with backend services. This prevents API abuse, credential theft, and unauthorized data access, helping organizations meet KVKK’s security mandates.
Approov's Commitment to Global Data Protection Standards
Approov's compliance with the KVKK is part of its broader commitment to adhering to global data protection regulations, such as the GDPR and the CCPA. By implementing robust security and privacy measures, Approov helps organizations meet their regulatory obligations while protecting user data.
For more information on Approov's compliance with various data protection regulations, including but not limited to GDPR, CCPA, China’s PIPL, Germany’s TTDSG, and Brazil’s LGPD, visit: Approov Security & Compliance.
Conclusion
KVKK mandates strict data protection requirements for businesses handling personal data in Turkey. Approov is fully committed to complying with the KVKK's principles and requirements, ensuring that its solutions not only enhance mobile app security but also protect user data in accordance with the law. By integrating Approov’s security framework, organizations can strengthen their data protection strategy while meeting KVKK’s legal obligations.
For further details about the KVKK, visit the official website: https://www.kvkk.gov.tr.