Introduction
SaaS companies and cloud service providers play a central role in the modern digital economy. Businesses in Turkey increasingly rely on cloud platforms, CRM software, HR systems, accounting tools, customer support platforms, cybersecurity services, online collaboration tools, data analytics systems, artificial intelligence APIs, payment infrastructure, document management platforms, and cloud hosting services. These technologies make business operations faster and more scalable, but they also create serious personal data protection obligations under Turkish law.
Turkey’s main personal data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. The law applies to personal data processed wholly or partly by automated means, or by non-automated means forming part of a data filing system. It regulates the rights of individuals and the obligations of natural and legal persons that process personal data.
For SaaS providers and cloud service companies, KVKK compliance is not limited to publishing a privacy policy. These businesses often process large volumes of customer data, employee data, user logs, authentication records, support tickets, billing data, system metadata, API logs, device identifiers, IP addresses, uploaded files, and sometimes special categories of personal data such as health data, biometric data, or criminal record information. The compliance structure must therefore address role allocation, contracts, data security, cross-border transfers, sub-processors, breach notification, retention, deletion, user rights, and customer due diligence expectations.
Why SaaS and Cloud Services Create Specific KVKK Risks
SaaS and cloud models differ from traditional service relationships because data is often processed continuously, remotely, and at scale. A cloud provider may store data on servers located outside Turkey. A SaaS company may allow thousands of business users to upload customer, employee, financial, medical, or operational data into its platform. A software vendor may use sub-processors for hosting, support, analytics, infrastructure monitoring, email delivery, payment collection, and security logging.
This creates several legal questions. Who is the data controller? Who is the data processor? Where is the data stored? Which third parties can access it? Is data transferred abroad? Are standard contracts required? Are sub-processors disclosed? Is the platform secure enough? Can customer data be deleted after termination? Are breach notification procedures fast enough? Can the SaaS provider use customer data for product analytics, AI training, or service improvement?
A SaaS company that cannot answer these questions may lose enterprise customers, fail investor due diligence, face regulatory scrutiny, or become liable in the event of a data breach. In Turkey, many corporate customers now request KVKK-compliant data processing agreements, sub-processor lists, information security documents, data center location information, cross-border transfer mechanisms, and breach notification commitments before signing software contracts.
Data Controller and Data Processor Roles Under KVKK
The most important starting point for SaaS and cloud compliance is role classification. Under KVKK, a data controller is the person or entity that determines the purposes and means of processing personal data. A data processor processes personal data on behalf of the data controller based on authorization.
In a typical B2B SaaS relationship, the customer may be the data controller for the data it uploads into the platform. For example, an employer using an HR SaaS platform determines why employee data is uploaded, which employees are included, what records are stored, and how long those records are used for HR purposes. In this scenario, the SaaS provider may act as a data processor for the customer-uploaded HR data.
However, the same SaaS provider may also act as a data controller for its own processing activities. These may include its own employee data, customer account administration, billing, invoicing, sales communications, platform analytics, security monitoring, website visitor data, marketing records, support communications, and vendor management. Therefore, SaaS companies often have a dual role: processor for customer content and controller for their own business data.
This distinction should be documented clearly. The company’s privacy notice, data processing agreement, platform terms, internal data inventory, VERBIS assessment, and cross-border transfer documents should all reflect the correct role for each data flow.
SaaS as a Data Processor
When a SaaS provider acts as a data processor, it must process personal data only within the scope of the controller’s instructions. The provider should not use customer data for unrelated purposes unless a separate legal basis and role assessment exists. For example, using uploaded customer files for independent marketing, unrelated analytics, resale, or artificial intelligence training may exceed the processor role and create serious KVKK risk.
A processor-focused SaaS compliance model should include clear customer instructions, strict access controls, confidentiality obligations, secure infrastructure, sub-processor management, breach reporting duties, deletion or return mechanisms, and audit support. The SaaS provider should also maintain technical documentation showing how data is stored, encrypted, backed up, accessed, logged, and deleted.
The processor role does not eliminate legal responsibility. KVKK Article 12 provides that where personal data is processed by another person on behalf of the controller, the controller is jointly responsible with that person for taking necessary data security measures. This is why Turkish customers often require detailed data processing agreements and security commitments from SaaS vendors.
SaaS as a Data Controller
A SaaS company is usually a data controller for its own operational data. For example, when it collects contact information of a customer’s authorized representative for contracting and billing, it determines the purpose and method of that processing. When it processes website visitor data, sales lead data, newsletter subscriptions, support ticket records, or employee records, it generally acts as a controller.
As a controller, the SaaS provider must identify legal bases, provide privacy notices, respect data subject rights, implement retention periods, ensure data security, manage transfers, and assess VERBIS registration where applicable. It should not assume that because it is a processor for customer content, all of its data activities are processor activities.
This distinction is particularly important for platform analytics. If the SaaS provider collects usage data for platform security, performance monitoring, billing, or service delivery, this may be connected to the SaaS service. However, if it uses customer data or end-user behavior for independent commercial analytics, product training, benchmarking, advertising, or AI model improvement, the role and legal basis must be reviewed carefully.
Data Processing Agreements for SaaS and Cloud Services
A Data Processing Agreement, often called a DPA, is essential in SaaS and cloud relationships. Although KVKK, unlike Article 28 of the GDPR, does not prescribe a mandatory list of DPA clauses, a DPA is practically necessary because Article 12 imposes security obligations and makes the controller jointly responsible with any person processing data on its behalf.
A strong SaaS DPA should include the following clauses:
- Identity and roles of the parties.
- Description of services.
- Categories of personal data processed.
- Categories of data subjects.
- Processing purposes.
- Processing duration.
- Processor’s obligation to act only on documented instructions.
- Confidentiality obligations.
- Technical and organizational security measures.
- Sub-processor authorization rules.
- Data breach notification duties.
- Assistance with data subject requests.
- Deletion or return of data after termination.
- Audit and compliance support.
- Cross-border transfer restrictions.
- Liability and indemnity provisions.
For SaaS providers, a well-drafted DPA also improves commercial credibility. Enterprise customers frequently request it during procurement. Investors may review it during due diligence. Foreign customers may ask whether it aligns with Turkish data protection requirements.
Sub-Processor Management
Most SaaS companies rely on sub-processors. These may include cloud infrastructure providers, database hosting providers, email delivery services, payment processors, monitoring tools, customer support systems, error logging tools, analytics platforms, cybersecurity providers, AI API providers, and backup service providers.
A Turkish KVKK-compliant structure should not allow unrestricted sub-processing. The SaaS provider should disclose sub-processors, define their roles, identify where they are located, determine whether they process personal data, and ensure that they are bound by obligations similar to those in the main DPA. The customer should be informed of material changes where appropriate, especially if a new sub-processor will access personal data or transfer it abroad.
Sub-processor management is also important for data breach response. If a cloud provider or monitoring tool suffers a breach, the SaaS provider must receive prompt notice so that it can inform the customer and enable the customer to assess its own notification obligations.
Cloud Hosting and Data Localization Considerations
KVKK does not impose a general data localization obligation for all personal data. However, data storage location is legally important because storing or making data accessible outside Turkey may constitute a cross-border transfer. SaaS providers should therefore know where customer data is hosted, where backups are stored, where support teams are located, and whether foreign sub-processors can remotely access the data.
Cloud architecture should be documented. A SaaS provider should be able to explain whether data is stored in Turkey, the European Union, the United States, or another region; whether logs are stored separately; whether backups are replicated across regions; whether disaster recovery involves foreign systems; and whether technical support personnel outside Turkey may access customer data.
This information is critical for Article 9 transfer analysis, customer contractual commitments, privacy notices, VERBIS entries, and due diligence responses.
Cross-Border Data Transfers Under Article 9
Cross-border data transfers are one of the most important KVKK compliance issues for SaaS and cloud companies. Article 9 of KVKK was amended by Law No. 7499, and the Turkish Personal Data Protection Authority announced English translations of the By-Law on the procedures and principles for transfers abroad and standard contract texts in August 2024.
Under amended Article 9, personal data may be transferred abroad by data controllers and data processors if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision regarding the recipient country, sector, or international organization. If there is no adequacy decision, transfers may still be possible if data subjects have enforceable rights and effective legal remedies in the recipient country and appropriate safeguards are provided. These safeguards include standard contracts, binding corporate rules, or written commitments approved by the Board.
For SaaS and cloud providers, the most practical tool will often be the standard contract mechanism. The Authority has published different standard contract modules, including role-based modules such as controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. These contracts are intended to provide appropriate safeguards for transfers abroad, including enforceable data subject rights and effective legal remedies in the receiving country.
A SaaS provider must choose the correct module according to the actual transfer structure. A Turkish customer transferring data to a foreign SaaS provider may require a controller-to-processor standard contract. A Turkish processor using a foreign cloud sub-processor may require processor-to-processor analysis. A foreign SaaS provider returning data to a controller abroad may require a different module depending on the roles.
Five-Business-Day Standard Contract Notification
The standard contract mechanism includes an important procedural requirement. Article 9 provides that standard contracts must be notified to the Turkish Personal Data Protection Authority within five business days after signature.
This deadline is highly important for SaaS providers and cloud customers. Signing the standard contract is not enough; the notification obligation must also be managed. Companies should create an internal workflow identifying who signs standard contracts, who prepares annexes, who files the notification, who stores proof of notification, and who monitors changes to transfer arrangements.
For SaaS vendors that serve many Turkish customers, contract operations can become complex. A scalable process is needed to track signed standard contracts, transfer modules, customer identities, sub-processor changes, and notification deadlines.
Data Security Obligations for SaaS and Cloud Providers
Data security is central to SaaS and cloud compliance. KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to provide an appropriate level of security, prevent unlawful processing, prevent unlawful access, and ensure protection of personal data.
The Turkish Personal Data Protection Authority emphasizes that appropriate security measures should be determined according to the structure, activity, and risk of each data controller, and that a single model cannot be imposed on all organizations. The nature of the business, the personal data protected, the size of the company, and similar factors may affect the required measures.
For SaaS and cloud companies, technical measures should include encryption in transit and at rest, role-based access control, multi-factor authentication for administrative access, secure API design, vulnerability management, penetration testing, secure backup architecture, log monitoring, incident detection, malware protection, patch management, database segregation, rate limiting, and secure software development practices.
Organizational measures should include employee confidentiality undertakings, information security policies, access authorization procedures, vendor due diligence, sub-processor governance, breach response plans, security training, internal audits, disciplinary procedures, and documented risk assessments.
Access Control and Tenant Segregation
One of the most important technical issues for SaaS providers is tenant segregation. Multi-tenant SaaS platforms must ensure that one customer cannot access another customer’s data. Errors in authorization logic, API design, database queries, or storage bucket configuration can cause serious data breaches.
Access control should be designed at multiple levels: user role, customer account, administrator privilege, database access, support access, API access, and internal employee access. Administrative access should be strictly limited and logged. Customer support personnel should access customer environments only where necessary and preferably through controlled, temporary, auditable access.
A SaaS provider should also have procedures for employee offboarding. Former employees, contractors, outsourced developers, and support agents should lose access immediately when their role ends. Failure to revoke access is a common data security weakness.
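The tenant-bleed and support-access points above, as an added example that is not code from the page: an in-memory SQLite table with constructed rows (the `tickets` table, `Session`, `SupportGrant` and `TicketRepo` names are hypothetical). The vulnerable lookup is keyed on the record id alone; the hardened one takes the tenant from the login session or from a time-limited, tenant-specific support grant, puts it in the `WHERE` clause, logs every attempt, and loses all access on offboarding.

```python
# Added example (not from the page): tenant-scoped reads with an in-memory
# SQLite table and constructed rows; table, Session and grant names are hypothetical.
import sqlite3
import time
from dataclasses import dataclass

SAMPLE_ROWS = [  # constructed: two customers sharing one database
    (1, "acme", "Invoice mismatch"),
    (2, "acme", "SSO login fails"),
    (3, "globex", "Payroll export contains a health report"),
]

@dataclass
class Session:
    user_id: str
    tenant_id: str        # bound at login from the user record, never taken from the request
    role: str = "user"    # "user" or "support"
    active: bool = True   # cleared on offboarding

@dataclass
class SupportGrant:
    tenant_id: str        # one customer environment per grant
    expires_at: float     # epoch seconds; support access is temporary by design

class TicketRepo:
    def __init__(self, conn):
        self.conn = conn
        self.grants = {}  # support user_id -> SupportGrant
        self.audit = []   # (actor, tenant, ticket_id, outcome) for every attempt

    def get_ticket_vulnerable(self, session, ticket_id):
        # Keyed on the record id alone: any authenticated user who enumerates ids
        # reads other tenants' rows (IDOR / cross-tenant data bleed).
        return self.conn.execute(
            "SELECT id, tenant_id, subject FROM tickets WHERE id = ?", (ticket_id,)
        ).fetchone()

    def _effective_tenant(self, session, now):
        # Which tenant, if any, this session may read right now.
        if not session.active:
            return None
        if session.role == "support":
            grant = self.grants.get(session.user_id)
            if grant is None or grant.expires_at <= now:
                return None
            return grant.tenant_id
        return session.tenant_id

    def get_ticket(self, session, ticket_id, now=None):
        # Hardened: the tenant comes from the session or a live support grant and
        # is part of the WHERE clause, so a foreign id simply does not match.
        now = time.time() if now is None else now
        tenant = self._effective_tenant(session, now)
        if tenant is None:
            self.audit.append((session.user_id, None, ticket_id, "denied"))
            return None
        row = self.conn.execute(
            "SELECT id, tenant_id, subject FROM tickets WHERE id = ? AND tenant_id = ?",
            (ticket_id, tenant),
        ).fetchone()
        self.audit.append((session.user_id, tenant, ticket_id, "ok" if row else "not_found"))
        return row

    def grant_support(self, support_user_id, tenant_id, minutes, now=None):
        # Temporary, tenant-specific support access, e.g. for one ticket.
        now = time.time() if now is None else now
        self.grants[support_user_id] = SupportGrant(tenant_id, now + 60 * minutes)

    def offboard(self, session):
        # Revoke the session and any standing grant the moment a role ends.
        session.active = False
        self.grants.pop(session.user_id, None)

def build_repo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, subject TEXT NOT NULL)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", SAMPLE_ROWS)
    return TicketRepo(conn)

def demo():
    repo = build_repo()
    t0 = 1_000_000.0  # fixed clock so the run is deterministic
    alice = Session("alice", "acme")
    bob = Session("bob", "internal", role="support")
    out = {
        "leaked": repo.get_ticket_vulnerable(alice, 3),   # acme user reads a globex row
        "denied": repo.get_ticket(alice, 3, now=t0),      # hardened path: None
        "own": repo.get_ticket(alice, 1, now=t0),
        "support_no_grant": repo.get_ticket(bob, 3, now=t0),
    }
    repo.grant_support("bob", "globex", minutes=30, now=t0)
    out["support_in_window"] = repo.get_ticket(bob, 3, now=t0 + 60)
    out["support_wrong_tenant"] = repo.get_ticket(bob, 1, now=t0 + 60)
    out["support_expired"] = repo.get_ticket(bob, 3, now=t0 + 31 * 60)
    repo.offboard(bob)
    out["offboarded"] = repo.get_ticket(bob, 3, now=t0 + 60)
    out["denials_logged"] = sum(1 for a in repo.audit if a[3] == "denied")
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is that the tenant identifier is never an input the caller controls: a customer user cannot name a tenant, and a support agent can only reach the one environment named in a grant that expires on its own. A foreign id returns the same "not found" as a non-existent id, which avoids confirming that another tenant's record exists, and the audit list records denials as well as successes so that enumeration attempts are visible.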
Logging, Monitoring, and Auditability
SaaS and cloud providers should maintain logs showing access, changes, authentication attempts, administrative actions, data exports, deletion actions, and security events. Logs are necessary for security monitoring, incident response, customer investigations, and regulatory defense.
However, logs may themselves contain personal data. IP addresses, user IDs, device identifiers, email addresses, session IDs, and activity records may be personal data under KVKK. Therefore, logs should be retained for a defined period, protected against unauthorized access, and deleted or anonymized when no longer necessary.
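The retention point above, as an added example that is not code from the page: a tiered pass over constructed access-log lines (the log format, field names, key and dates are all assumptions). Recent lines stay raw because incident response needs them; after a hot window the IP address is truncated to its network and the user identifier is replaced with a keyed HMAC token; past the defined retention period the line is dropped. A keyed token is still personal data under KVKK while the key exists, since the holder of the key can re-link it; destroying the key is what turns the retained tokens into anonymised data.

```python
# Added example (not from the page): tiered handling of access-log lines that carry
# personal data. Log format, field names, key and dates are constructed.
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z ip=192.0.2.44 user=deniz@example.com action=login result=ok
2024-06-01T10:00:00Z ip=203.0.113.7 user=ayse@example.com action=login result=ok
2024-06-01T10:05:12Z ip=2001:db8:abcd:1234::5 user=mehmet@example.com action=export result=ok
2024-09-15T08:30:00Z ip=198.51.100.9 user=ayse@example.com action=delete result=ok
"""
KEY = b"constructed-demo-key-rotate-me"            # in production: a managed, rotated secret
NOW = datetime(2024, 10, 1, tzinfo=timezone.utc)  # fixed clock for a deterministic run

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) (?P<rest>.*)$")


def pseudonymize(value, key):
    # Keyed HMAC: a stable token, so activity can still be correlated per user,
    # but only a holder of the key can link it back to the identifier.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def truncate_ip(text):
    # Keep only the network part: /24 for IPv4, /48 for IPv6.
    ip = ipaddress.ip_address(text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def process_log(text, key, now, hot_days=30, cold_days=180):
    """Three tiers by age: raw while recent, pseudonymised afterwards, dropped
    once the defined retention period ends. Lines that do not match the expected
    format are returned separately for review instead of being passed through.
    Returns (kept_lines, dropped_count, unparsed_lines)."""
    kept, unparsed, dropped = [], [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        age = now - ts
        if age > timedelta(days=cold_days):
            dropped += 1
            continue
        if age > timedelta(days=hot_days):
            line = (f"{m['ts']} ip={truncate_ip(m['ip'])} "
                    f"user={pseudonymize(m['user'], key)} {m['rest']}")
        kept.append(line)
    return kept, dropped, unparsed


if __name__ == "__main__":
    kept, dropped, unparsed = process_log(SAMPLE_LOG, KEY, NOW)
    print(f"dropped {dropped} line(s) past retention, {len(unparsed)} unparsed")
    for line in kept:
        print(line)
```

With the constructed clock the March line is past 180 days and disappears, the two June lines are older than 30 days and come out with a masked network and a token in place of the e-mail address, and the September line is kept verbatim. The same token for the same user across lines keeps security investigations possible; the hot and cold windows are the values the retention policy fixes, not defaults implied by KVKK.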
Auditability is commercially important. Enterprise customers often ask whether the SaaS provider can provide audit reports, security certifications, penetration test summaries, incident logs, or compliance documentation. A provider that can demonstrate security maturity is more likely to succeed in regulated sectors such as finance, healthcare, insurance, education, and public-sector procurement.
Data Breach Notification Duties
Data breach notification is a critical part of SaaS compliance. Under KVKK Article 12, if processed personal data is obtained by others through unlawful means, the data controller must notify the data subject and the Personal Data Protection Board within the shortest time.
The Board’s Decision No. 2019/10 interprets this requirement as requiring notification to the Board without delay and no later than 72 hours after the data controller becomes aware of the breach. If notification cannot be made within 72 hours, the reasons for delay must be attached to the later notification, and missing information may be provided gradually without delay.
In a SaaS relationship, the processor may detect the breach first. Therefore, SaaS DPAs should require the processor to notify the customer immediately after becoming aware of a suspected or confirmed personal data breach. The contract should not merely say “within a reasonable time.” The controller needs prompt information to meet its own 72-hour notification analysis.
A SaaS breach response plan should include incident detection, containment, forensic investigation, legal assessment, customer notification, sub-processor coordination, evidence preservation, public communication, and remediation. It should also define who has authority to communicate with customers and regulators.
Data Retention and Deletion in SaaS Platforms
SaaS providers must define how long customer data, account data, logs, support tickets, backups, billing records, API records, and user-generated content are retained. KVKK requires personal data to be erased, destroyed, or anonymized when the reasons requiring processing no longer exist, even if the data was originally processed lawfully.
For SaaS platforms, deletion is complex because data may exist in active databases, file storage, backups, logs, analytics systems, caches, search indexes, support tools, and sub-processor systems. The provider should define what happens when a customer deletes a user, closes an account, terminates the contract, or requests export and deletion.
A strong SaaS deletion clause should explain whether data will be returned or deleted after termination, how long backups will retain deleted data, whether logs are retained separately for security, whether legal retention obligations apply, and whether deletion certificates can be provided. Customers in regulated sectors often require specific deletion commitments.
Data Subject Rights and SaaS Responsibilities
Data subjects have rights under KVKK Article 11, including the rights to learn whether personal data is processed, request information, learn processing purposes, know domestic and foreign transfer recipients, request correction, request erasure or destruction, object to adverse results from automated analysis, and claim compensation for unlawful processing.
In a B2B SaaS model, the customer as controller is usually responsible for responding to its own data subjects. However, the SaaS provider as processor must assist the controller where necessary. For example, the provider may need to help export data, correct data, delete data, retrieve logs, or identify whether data was transferred to a sub-processor.
The DPA should define how the SaaS provider will support data subject requests and within what timeframe. It should also state that if the provider receives a request directly from a data subject concerning customer-controlled data, it will promptly forward the request to the customer unless legally prohibited.
VERBIS Considerations for SaaS and Cloud Providers
VERBIS is the Turkish Data Controllers’ Registry Information System. The By-Law on the Data Controllers Registry states that the Registry is publicly available and that data controllers under registration obligation must register before starting data processing. It also requires updates through VERBIS within seven days if there is any change in registry records.
A SaaS provider must assess whether it is required to register as a data controller for its own processing activities. If it is only a processor for customer content, that specific processing may not create a controller registration duty for the provider. However, the provider may still be a controller for its own HR, sales, billing, website, marketing, support, and platform administration data.
Foreign SaaS companies not established in Turkey should also assess whether they have VERBIS obligations through a representative if they act as controllers in relation to individuals in Turkey. The analysis depends on the business model, data subjects, processing activities, and applicable exemptions.
SaaS Compliance for Special Categories of Personal Data
Some SaaS providers process special categories of personal data. Examples include health-tech platforms, HR systems storing health reports or criminal records, biometric identity verification providers, clinical research platforms, insurance technology tools, and platforms used by hospitals or clinics.
Special categories under KVKK Article 6 are data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. These categories are subject to stricter processing conditions under Article 6.
If a SaaS provider processes special category data, security and contractual safeguards must be stronger. The platform should use encryption, strict access controls, separate authorization levels, detailed logs, limited retention periods, confidentiality undertakings, enhanced incident response, and sub-processor restrictions. It should also ensure that cross-border transfers of sensitive data are specifically assessed and documented.
SaaS Providers and Artificial Intelligence
Many SaaS companies now integrate artificial intelligence into their platforms. AI features may include automated summaries, chatbots, recommendations, fraud scoring, document analysis, HR screening, customer segmentation, predictive analytics, or generative AI assistance.
AI creates additional KVKK risks. If customer data is used for AI training, model improvement, prompt processing, embeddings, output generation, or automated decision-making, the provider must assess its role, legal basis, transparency obligations, retention rules, and transfer mechanisms. A processor cannot simply use controller data for its own AI model training unless this is expressly authorized and legally structured.
If AI outputs significantly affect individuals, Article 11 rights concerning adverse results arising from analysis exclusively through automated systems may become relevant. SaaS providers should therefore build human review, explainability, and customer control mechanisms into high-impact AI features.
Customer Due Diligence and Enterprise Sales
KVKK compliance is increasingly important in SaaS sales. Turkish enterprise customers may request:
- Data processing agreement.
- Sub-processor list.
- Data center location.
- Cross-border transfer documentation.
- Security measures list.
- Penetration test summary.
- ISO or security certification information.
- Breach notification commitment.
- Deletion and export procedure.
- Retention policy.
- Business continuity plan.
- Information on AI or analytics use.
- Support access procedure.
A SaaS company that prepares these materials in advance can shorten procurement cycles and build trust. Privacy and security maturity is not only a legal requirement; it is also a commercial advantage.
Common KVKK Mistakes Made by SaaS and Cloud Providers
One common mistake is assuming that the SaaS provider is always a processor. In reality, the provider may be a controller for many activities.
Another mistake is using customer data for analytics, benchmarking, product improvement, or AI training without contractual authorization and legal assessment.
A third mistake is failing to map sub-processors. Many SaaS companies use multiple infrastructure and support tools but cannot clearly explain who accesses personal data.
A fourth mistake is ignoring cross-border transfers. Foreign hosting, foreign support access, global analytics tools, and cloud backups may all trigger Article 9.
A fifth mistake is using generic DPAs copied from foreign templates without adapting them to KVKK.
A sixth mistake is failing to define deletion procedures after contract termination.
A seventh mistake is promising customers that data is stored in Turkey while logs, backups, analytics, or support access occur abroad.
An eighth mistake is weak access control for internal support teams. Excessive administrator access creates serious security risk.
Practical KVKK Compliance Checklist for SaaS and Cloud Providers
A SaaS or cloud provider operating in Turkey should follow this checklist:
- Map all personal data processed through the platform.
- Identify controller and processor roles for each data flow.
- Prepare a customer-facing data processing agreement.
- Prepare privacy notices for controller activities.
- Maintain a sub-processor list.
- Identify data center and backup locations.
- Map all cross-border transfers.
- Implement Article 9 transfer mechanisms where required.
- Track five-business-day standard contract notifications.
- Define technical and organizational security measures.
- Implement encryption, MFA, logging, and role-based access.
- Establish tenant segregation controls.
- Prepare a breach response plan.
- Include immediate breach reporting clauses in DPAs.
- Define retention and deletion procedures.
- Support customer data subject request workflows.
- Review AI and analytics use of customer data.
- Assess VERBIS obligations.
- Train employees and support teams.
- Review compliance when new features, vendors, or regions are added.
Conclusion
KVKK compliance for SaaS companies and cloud service providers in Turkey requires a structured, technical, and contract-based approach. These businesses often process personal data continuously, remotely, and through complex vendor ecosystems. They may act as processors for customer data and controllers for their own operational data. This dual role must be understood and documented.
The most important compliance areas include controller-processor classification, data processing agreements, sub-processor management, data security, access control, tenant segregation, breach notification, data retention, deletion, data subject rights, VERBIS assessment, special category data safeguards, AI governance, and cross-border transfer compliance.
The 2024 amendments to KVKK Article 9 are especially important for SaaS and cloud businesses because many platforms rely on foreign infrastructure, foreign support teams, global sub-processors, and international software tools. Transfers abroad must be mapped and supported by adequacy decisions, standard contracts, binding corporate rules, written commitments, or other lawful mechanisms where applicable. Standard contracts must also be notified to the Authority within five business days after signature.
For SaaS and cloud providers, KVKK compliance is not merely a regulatory burden. It is a business trust mechanism. Companies that can demonstrate strong privacy governance, secure infrastructure, clear contracts, transparent transfers, and reliable breach response will be better positioned in enterprise sales, investor due diligence, and long-term customer relationships in Turkey.