All systems operational — 99.997% uptime
Security · Compliance · Transparency

Your data, secure by default.

4 independent certifications, field-level encryption, immutable audit log, 24/7 SOC, bug bounty program and 4 penetration tests per year. Security is a foundation of Karum, not an add-on.

Certifications: 4
Availability guarantee: 99.99%
Pentests / year: 4
Active monitoring: 24/7
Certifications

Independent audits,

Download every certification and audit report in real time from the customer portal. NDA-required ones live in the enterprise portal.

Information security management
ISO 27001

TÜRKAK-accredited certification. Covers all production infrastructure and team processes.

IS-0421-2025
Independent audit report
SOC 2 Type II

12-month process validation by Ernst & Young. Security, availability and confidentiality criteria.

2025 · Ernst & Young
Card data handling standard
PCI-DSS L1

Annual audit by Verizon QSA. Card data tokenised, key management via HSM.

QSA · Verizon
Full Türkiye compliance
KVKK · VERBİS

VERBİS registry, KVKK auditor sign-off, data subject requests resolved within 7 days.

VERBİS · 38400
Three pillars

Infrastructure,

The Karum security model rests on three pillars — each pillar is validated by an independent audit and evidence.

Infrastructure
  • Data centres: Istanbul + Ankara
  • Cloud provider: AWS eu-tr-1
  • Disk encryption: AES-256-GCM
  • In transit: TLS 1.3 only
  • Backup: 3× / 4 hours
  • Disaster recovery: RTO < 12 min
Access
  • SSO: SAML 2.0 / OIDC
  • Two-factor: TOTP / WebAuthn
  • RBAC: Granular + IP fence
  • Audit: Full · immutable
  • Data export: 48 hours
  • SCIM 2.0: Active
Contract
  • Availability guarantee: 99.99%
  • Availability guarantee credit: Automatic
  • Data ownership: Customer
  • DPA: Standard included
  • Response time: < 15 min
  • MSA: Turkish / English
Security team

Karum SOC,

14-person security engineering team in Istanbul and Berlin. We file incident reports with the CSIRT network we belong to within 30 minutes.

Security operations centre

24/7 SIEM + SOAR. EDR feed from every endpoint. Mean time to detect 4 minutes.

Incident response

15-minute first response on P0, 60-minute customer notification. KVKK 72-hour reporting automated.

Red team

Internal red team runs quarterly penetration tests; findings close in 30 days.

Employee training

Monthly phishing simulation + biannual security refresher. Mandatory 2FA + device encryption.

Bug bounty

Find it,

Open program on HackerOne. The Karum panel, API, storefront and mobile apps are all in scope. 142 reports were closed in 2024.

Critical
₺40,000 — ₺120,000

RCE · auth bypass · tenant isolation breach

High
₺15,000 — ₺40,000

Privilege escalation · data leak

Medium
₺5,000 — ₺15,000

XSS · CSRF · IDOR

Low
₺1,000 — ₺5,000

Information disclosure · misconfig

Active researchers: 640
Reports closed / 12 mo: 142
Average response: 9 h
Rewarded / 12 mo: ₺2.8M
Penetration test

4 independent

Penetra Security and Synack Red Team alternate quarterly penetration tests across the panel, API, storefront and mobile apps. Findings close within 30 days, and the executive summary is published in the customer portal.

  • Scope: Panel · API · Storefront · iOS · Android
  • Methodology: OWASP ASVS L3 · NIST SP 800-115
  • Last test: 2026-03-14
  • Findings: 0 critical · 1 high · 4 medium
  • Time to close: Avg 12 days
  • Next test: 2026-06-15
FAQ

Questions your

The 8 questions we receive most often in RFPs. For deeper technical detail, the security team responds within 24 hours.

All production data is stored in Türkiye — Istanbul and Ankara data centres. KVKK and data residency requirements can be configured with extra regional pinning.
Getting started

Your first sale this week. Setup in 5 minutes.

Our onboarding team runs the process. Data migration, product mapping, and channel connection included — first sale on average in 3–7 days.
