Security, built into the design from day zero.
Woppy builds its decision infrastructure on four pillars: information security, operational controls, personal data protection, and standard agreements. Below is our current status and commitment for each pillar.
ISO 27001
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). All of Woppy's infrastructure, code, customer data, and operational processes are designed in accordance with this framework.
Codebase, production infrastructure, customer data management, developer access, and physical office security.
Risk assessment complete, ISMS documentation underway, audit targeted for end of 2026.
87 of Annex A's 114 controls currently active (RBAC, log management, change management, vendor risk).
Full transparency for customers · auditable evidence chain · internal audit reports available on request.
For details: [email protected]
SOC 2 · Type II
SOC 2 is the Trust Services Criteria (TSC) framework defined by the AICPA. A Type II audit demonstrates not only that controls exist, but that they operated effectively over a defined period of time.
Security, Availability, Processing Integrity, Confidentiality, Privacy.
Readiness assessment complete, Type I audit planned for Q4 2026, Type II targeted for Q3 2027.
All systems where customer data is collected, processed, and stored; decision infrastructure core takes priority.
Executive summary of the independent audit report available to customers under NDA once the audit is complete.
For details: [email protected]
KVKK
Personal Data Protection Law No. 6698 (KVKK) is the legal framework governing personal data processing in Turkey. As a data controller, Woppy fulfills its obligations in full.
Data collection purposes, legal bases, retention periods, and data subject rights are clearly documented.
Registered in the Data Controllers Registry (within the obligation scope).
Separate, revocable explicit consent management for marketing and optional data use.
Access, correction, deletion, objection, and portability requests via [email protected].
NDA
A bilateral (mutual) NDA is signed before any client engagement begins. All information shared by the customer, as well as Woppy's methodology, IP, and pricing, is protected under mutual confidentiality.
Standard NDA template compliant with Turkish Bar Association guidelines, bilingual (TR/EN).
5-year protection period (industry standard), continuing even after the business relationship ends.
Ready for electronic signature (KEP or qualified signature) within 24 hours of the initial meeting request.
Redlines from the customer's legal team are accepted; revisions are made by mutual agreement.
One point of contact for all security questions.
For vendor risk assessments, audit report requests, custom contract terms, and data processing agreements (DPA) — reach out directly.
[email protected]