# KVKK / GDPR / BDDK compliance — Use case

> An API and AI platform built where audit, encryption, and access control are non-negotiable. Evidence packets for KVKK, GDPR, BDDK, PSD2, PCI-DSS, ISO 27001 — generated, not assembled.

## Compliance as a saved query. Not a six-week project.

Audit at the framework boundary, encryption at the persistence layer, three-tier access at the runtime — the regulator's checklist already lives inside the platform.

[Request a demo](https://calendly.com/apinizer/15min) · [Read the docs](https://apinizer.com/developers/docs)

---

## The problem

### Compliance teams shouldn't be the last to find out a system isn't auditable.

Most platforms treat audit, encryption, and access as opt-in middleware. Compliance teams discover the gap in October, with November to fix it. Apinizer treats those controls as constitutional: they're enforced at the framework boundary, not by convention. The evidence packet auditors ask for ships out of the platform as a query, not a project.

---

## Capabilities

### Audit at the persistence layer

Every change — config, secret, grant, deploy, view — captured immutably. Bypass is rejected at the framework, not by code review.

### Encrypted secret fields

Tokens, keys, and credentials encrypted before persistence; decrypted only at runtime. They never appear in lists, exports, or backups.

### Three-tier access

Platform, Project, Environment scopes federated to your AD / LDAP / OIDC. Segregation of duties enforced by the runtime, not by memo.

### Article 30 / record-of-processing

Personal-data flows joined to consent, retention, and access logs. GDPR Article 30 / KVKK data-inventory queries return in seconds.

### Sector-aligned controls

BDDK, PSD2, SAMA, ACPR, AYM — every regulator's emphasis maps to a control already in the platform. We share the mapping packet.

### Continuous evidence

Quarterly evidence packs generated automatically. Auditor requests close the same business day instead of the same quarter.

---

## Real-world examples

### Banking

**Scenario:** Istanbul Tier-1 bank passes BDDK quarterly audit with a saved query

**Outcome:** What used to be a three-week reconciliation project becomes a query and an export. Auditors stop asking "who has access to X".

**Metric:** 3 weeks → 1 day

### Insurance

**Scenario:** Frankfurt insurer answers a GDPR Article 30 request in one afternoon

**Outcome:** Article 30 record of processing joins personal-data flows to consent, retention, and access logs. The DPO ships a packet by 17:00.

### Banking

**Scenario:** Riyadh bank meets SAMA Cyber Security Framework controls 4.2 + 4.3

**Outcome:** Audit, encryption, and segregation-of-duties mapped to SAMA paragraphs in the evidence packet. The regulator's review closes early.

### Healthcare

**Scenario:** Lyon hospital network ships HDS (Hébergement de Données de Santé) evidence

**Outcome:** Every PHI access logged; every retention window enforced. The HDS auditor signs off after one visit instead of three.

### Government

**Scenario:** Rome ministry maps AgID-CAD controls to platform telemetry

**Outcome:** CAD (Codice dell'Amministrazione Digitale) controls map one-to-one to platform features. Audit posture documented in one page.

### Telecom

**Scenario:** Madrid carrier satisfies ENS (Esquema Nacional de Seguridad) high-level requirements

**Outcome:** Audit retention, segregation of duties, and encryption-at-rest mapped. The ENS audit closes with no findings.

### Energy

**Scenario:** Prague utility maps NIS2 essential-entity controls

**Outcome:** Incident reporting, supply-chain audit, and access controls — all already covered by Apinizer's existing model.

### Banking

**Scenario:** Caspian-region bank meets AYM standards with the same controls used for KVKK

**Outcome:** Local AYM controls overlap heavily with KVKK. One platform, two regulators, one evidence pack.

---

## Recommended modules

- [API Gateway](https://apinizer.com/products/api-gateway) — Audit, encryption, and three-tier access enforced at the framework boundary — not by convention.
- [Identity Manager](https://apinizer.com/products/identity-manager) — Federate to your sovereign identity store; never carry a vendor user database.
- [Analytics Engine](https://apinizer.com/products/analytics-engine) — Compliance evidence as queries — Article 30, segregation-of-duties, retention reports.
- [AI Gateway](https://apinizer.com/products/ai-gateway) — Same audit and compliance model for the AI plane — LLM, MCP, agent traffic.

---

## Resources

- [Compliance overview](https://docs.apinizer.com/en) — How Apinizer maps to KVKK, GDPR, BDDK, PSD2, PCI-DSS, ISO 27001 controls.
- [Banking lane](https://apinizer.com/solutions/banking) — BDDK + PSD2 + PCI-DSS as a single posture.
- [Government lane](https://apinizer.com/solutions/government) — Sovereign hosting, audit, and access for ministries and agencies.
- [Three-tier permissions](https://apinizer.com/solutions/three-tier-permissions) — Segregation of duties enforced by the runtime.
- [Customers](https://apinizer.com/company/customers) — Regulated customers running Apinizer in production.
- [Architecture overview](https://docs.apinizer.com/en/concepts/architecture) — Where audit, encryption, and identity sit in the topology.

---

## Related use cases

- [Legacy modernization](https://apinizer.com/solutions/legacy-modernization) — For executives
- [Three-tier permissions](https://apinizer.com/solutions/three-tier-permissions) — For platform teams
- [Observability & audit](https://apinizer.com/solutions/observability-audit) — For platform teams
- [Prompt firewalls](https://apinizer.com/solutions/prompt-firewalls) — For AI teams

---

## Next step

*Compliance built in*

**Pass the audit without a project.**

A 30-minute walkthrough — audit, encryption, three-tier access, and the evidence query — on a Kubernetes cluster of your choice.

[Book a Demo](https://calendly.com/apinizer/15min) · [Read the docs](https://apinizer.com/developers/docs)

© 2026 Apinizer. All rights reserved.
