Data Governance Policy

Last updated: April 2026

At Kyros Digital, data governance is not a compliance checkbox. It is an engineering discipline embedded in every system we build, every server we operate, and every engagement we accept.

01 Data Collection & Scope

Contact form submissions (name, email, project scope, brief) are transmitted directly to our internal communication channel via an encrypted API. There is no intermediary storage.

No cookies are set for tracking purposes. No third-party analytics scripts are loaded.

Server access logs are retained for security monitoring and automatically purged after 90 days.

No personal data is sold, shared with, or exposed to third parties under any circumstance.

02 Infrastructure Security

All client applications run in isolated container environments with no cross-service data access.

Server access is restricted to SSH key-based authentication only. Password-based access is permanently disabled.

All traffic is encrypted end-to-end via TLS 1.3. SSL certificates rotate automatically.

Intrusion detection systems monitor all entry points 24/7 with automatic blocking of suspicious activity.

Database backups are encrypted at rest and stored in geographically separate locations.

03 Client Data Handling

Client project data is stored exclusively on our dedicated server infrastructure. No shared hosting, no third-party cloud storage.

Each client environment is network-isolated. A breach in one service cannot propagate to another.

Data retention follows the minimum-necessary principle. When an engagement concludes, client data is either transferred to the client or securely destroyed upon request.

All team members with data access operate under strict NDAs.

04 Compliance & Standards

Our practices align with KVKK (Turkish Personal Data Protection Law) and GDPR principles.

We implement privacy by design: data protection is built into system architecture, not bolted on after deployment.

Regular security audits and penetration testing validate our defensive posture.

Incident response protocols are documented and tested. Mean time to containment target: under 15 minutes.

05 Your Rights

You may request access to, correction of, or deletion of any personal data we hold.

You may withdraw consent for data processing at any time.

All requests are processed within 72 hours.

Contact: [email protected]

This policy reflects our operational reality, not aspirational language. Every statement above is enforced in production.