Security is a feature, not a department.

Buyers trust us with payment credentials. Suppliers trust us with commercial data. We treat both as non-negotiable. This page describes how — concretely.

Technical controls

Six practices we can point to on any audit.

Encryption everywhere

All traffic is TLS 1.2+ with modern ciphers and HSTS preload. Customer data at rest is AES-256 encrypted. Keys are rotated quarterly and managed through a hardware-backed KMS.

Authentication & access

Argon2id password hashing, email verification, and optional TOTP multi-factor authentication. Staff access is SSO + mandatory MFA, granted per-request through a just-in-time workflow — no standing production access.

Hardened infrastructure

Hosted in Tier-III data centres in the EU, with firewalls, WAF, and DDoS protection at the edge. No administrative ports exposed to the public internet; all admin traffic tunnels through audited bastions.

Monitoring & logging

Centralised logs with 1-year retention, anomaly detection on authentication flows, and 24/7 alerting on security events. Immutable audit trail for every fund movement and privileged action.

Incident response

Runbooks tested quarterly. Customer notification within 72 hours of a confirmed breach affecting personal data, as required by GDPR and KVKK — and sooner when we reasonably can.

Third-party review

Annual penetration test by an independent firm, continuous automated vulnerability scanning, and supplier-risk reviews for every third party handling customer data.

Compliance

Frameworks we align to.

GDPR (EU)

Full compliance, including DPA, subject-rights workflows, and EU-based data residency.

KVKK (Türkiye)

Registered data controller with the Turkish Data Protection Authority. DPO appointed.

PCI-DSS (cards)

Card data handled exclusively by PCI-DSS Level 1 certified payment processors. We never store PANs.

SOC 2 — in progress

Type I observation window open; Type II report planned for Q4 2026.

Enterprise buyers: request our security package (DPA, subprocessor list, pen-test summary) at security@wholesaleturkey.org.

Your rights

What you can do with your data.

GDPR and KVKK give you these rights. We do not ask you to justify them, and we do not charge fees for honouring them.

  • Access your data — export everything we hold about you.
  • Correct inaccurate information — self-serve in settings or via email.
  • Erase your account — irreversible removal within 30 days.
  • Object to automated processing — human review on request.
  • Port your data — machine-readable export, standard formats.

Exercise any right by writing to privacy@wholesaleturkey.org or reading our full privacy policy.

Responsible disclosure

Found a vulnerability? Please report it privately so we can fix it before anyone is harmed. We do not pursue legal action against researchers who follow this policy, act in good faith, and do not access data beyond what is necessary to demonstrate the issue.

  • Email security@wholesaleturkey.org — PGP available on request.
  • Give us a reasonable window (minimum 90 days) before public disclosure.
  • Do not access or modify other users' data.
  • Do not perform denial-of-service, physical, or social-engineering attacks.
  • We respond within 72 hours. Qualifying reports receive public credit and a thank-you reward.