Security Policy
1. Introduction
1.1. Purpose
This Security Policy describes the security measures and controls implemented by Evaste to protect customer data and ensure the confidentiality, integrity, and availability of our services.
1.2. Scope
This policy applies to:
- All Evaste systems and infrastructure
- All employee and contractor activities
- All customer data processed by Evaste
- All third-party service providers
1.3. Commitment
Evaste is committed to maintaining the highest security standards to protect your data. Security is not just a feature - it is fundamental to our operations.
2. Security Framework
2.1. Security Governance
- Executive Sponsorship: Security overseen at executive level with regular security reviews by leadership
- Security Team: Dedicated security personnel with 24/7 security monitoring
- Policies and Procedures: Comprehensive security policies with regular policy reviews and updates
2.2. Risk Management
(a) Risk Assessment
- Annual comprehensive risk assessment
- Continuous risk monitoring
- Risk treatment plans
(b) Risk Categories
- Technical risks
- Operational risks
- Compliance risks
- Third-party risks
2.3. Security Principles
- Defense in Depth - multiple security layers
- Least Privilege - minimal access rights
- Zero Trust - verify everything
- Security by Design - built into products
3. Technical Security Measures
3.1. Encryption
(a) Data in Transit
- TLS 1.2 minimum (TLS 1.3 preferred)
- HTTPS enforced on all endpoints
- Certificate management via AWS Certificate Manager
- HSTS enabled
(b) Data at Rest
- AES-256 encryption
- AWS KMS for key management
- Encrypted databases
- Encrypted backups
(c) Key Management
- Hardware Security Modules (HSM)
- Regular key rotation
- Strict access controls on keys
3.2. Network Security
(a) Perimeter Security
- Web Application Firewall (WAF)
- DDoS protection (Cloudflare)
- Network firewalls
- Intrusion Detection System (IDS)
(b) Network Segmentation
- VPC isolation
- Private subnets for sensitive systems
- Network access control lists
3.3. Application Security
(a) Secure Development
- Secure coding guidelines
- Code reviews
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
(b) Input Validation
- Server-side validation
- SQL injection prevention
- XSS prevention
- CSRF protection
4. Access Control
4.1. Authentication
(a) Password Requirements
- Minimum 12 characters
- Complexity requirements
- No password reuse (last 10)
- Maximum 90-day validity
(b) Multi-Factor Authentication
- Required for all administrative access
- Available for all customer accounts
- Support for TOTP and hardware keys
4.2. Authorization
(a) Role-Based Access Control (RBAC)
- Predefined roles
- Custom role creation
- Granular permissions
- Minimum necessary access
- Regular privilege reviews
4.3. Privileged Access Management
- Separate admin accounts
- Admin access logging
- Privileged session monitoring
- Time-limited admin access
5. Data Backup and Recovery
5.1. Backup Strategy
(a) Frequency
- Database: Real-time replication + daily snapshots
- Files: Daily incremental, weekly full
- Configuration: Version controlled
(b) Retention
- Daily backups: 30 days
- Weekly backups: 12 weeks
- Monthly backups: 12 months
(c) Geographic Redundancy
- Backups stored in multiple regions
- Cross-region replication
5.2. Backup Security
- Encrypted at rest (AES-256)
- Encrypted in transit
- Access restricted to authorized personnel
- Integrity verification
5.3. Recovery Procedures
- Recovery Time Objective (RTO): 4 hours
- Recovery Point Objective (RPO): 1 hour
- Regular recovery testing
- Documented recovery procedures
6. Security Incident Management
6.1. Incident Response Plan
- Preparation: Response team defined, communication channels established, tools and procedures documented
- Detection: 24/7 monitoring, automated alerting, user reporting mechanism
- Containment: Immediate containment steps, evidence preservation, impact assessment
- Eradication: Root cause analysis, threat removal, system hardening
- Recovery: Service restoration, monitoring for recurrence, customer communication
- Post-Incident: Lessons learned, procedure improvements, documentation updates
6.2. Incident Classification
| Severity | Description | Response Time |
|---|---|---|
| Critical | Active breach, data exfiltration | Immediate |
| High | System compromise, major vulnerability | 1 hour |
| Medium | Attempted attack, policy violation | 4 hours |
| Low | Minor security event | 24 hours |
6.3. Breach Notification
In case of a personal data breach:
(a) Supervisory Authority
- Notification within 72 hours (GDPR)
- As required by KVKK
(b) Affected Individuals
- Without undue delay (high risk breaches)
- Clear description of breach and remediation
7. Vulnerability Management
7.1. Vulnerability Scanning
- Internal Scanning: Weekly automated scans covering all systems
- External Scanning: Weekly perimeter scans by third-party scanning services
- Application Scanning: Pre-deployment SAST/DAST and regular production scans
7.2. Penetration Testing
- Annual third-party penetration testing
- Scope includes all production systems
- Results reviewed and remediated
- Re-testing after remediation
7.3. Patch Management
| Severity | Patch Timeline |
|---|---|
| Critical | 24-48 hours |
| High | 7 days |
| Medium | 30 days |
| Low | 90 days |
7.4. Responsible Disclosure
We welcome security researchers to report vulnerabilities:
Email: security@evaste.co PGP Key: Available at /.well-known/security.txt
We commit to:
- Acknowledge receipt within 24 hours
- Provide updates on progress
- Not pursue legal action for good-faith reporting
- Recognition (with permission) in our hall of fame
8. Compliance and Certifications
8.1. Regulatory Compliance
- GDPR (EU General Data Protection Regulation)
- KVKK (Turkish Data Protection Law)
- CCPA (California Consumer Privacy Act)
8.2. Certifications (Current and Planned)
| Certification | Status | Target Date |
|---|---|---|
| ISO 27001 | In Progress | Q2 2026 |
| SOC 2 Type II | Planned | Q4 2026 |
| CSA STAR | Under Review | TBD |
8.3. Audits
- Internal audits: Quarterly
- External audits: Annual
- Customer audit rights: Per DPA
9. Contact Information
Security Team
Email: security@evaste.co PGP Key: https://evaste.co/.well-known/security.txt
For urgent security matters: Emergency: +90 532 494 42 64
General Contact: Evaste (Group Taiga) Address: Levent, Istanbul, Turkey Web: https://evaste.co
This Security Policy became effective on January 12, 2026.
Evaste reserves the right to update this policy as security requirements evolve. Material changes will be communicated to customers.
Security Policy
1. Introduction
1.1. Purpose
This Security Policy describes the security measures and controls implemented by Evaste to protect customer data and ensure the confidentiality, integrity, and availability of our services.
1.2. Scope
This policy applies to:
- All Evaste systems and infrastructure
- All employee and contractor activities
- All customer data processed by Evaste
- All third-party service providers
1.3. Commitment
Evaste is committed to maintaining the highest security standards to protect your data. Security is not just a feature - it is fundamental to our operations.
2. Security Framework
2.1. Security Governance
- Executive Sponsorship: Security overseen at executive level with regular security reviews by leadership
- Security Team: Dedicated security personnel with 24/7 security monitoring
- Policies and Procedures: Comprehensive security policies with regular policy reviews and updates
2.2. Risk Management
(a) Risk Assessment
- Annual comprehensive risk assessment
- Continuous risk monitoring
- Risk treatment plans
(b) Risk Categories
- Technical risks
- Operational risks
- Compliance risks
- Third-party risks
2.3. Security Principles
- Defense in Depth - multiple security layers
- Least Privilege - minimal access rights
- Zero Trust - verify everything
- Security by Design - built into products
3. Technical Security Measures
3.1. Encryption
(a) Data in Transit
- TLS 1.2 minimum (TLS 1.3 preferred)
- HTTPS enforced on all endpoints
- Certificate management via AWS Certificate Manager
- HSTS enabled
(b) Data at Rest
- AES-256 encryption
- AWS KMS for key management
- Encrypted databases
- Encrypted backups
(c) Key Management
- Hardware Security Modules (HSM)
- Regular key rotation
- Strict access controls on keys
3.2. Network Security
(a) Perimeter Security
- Web Application Firewall (WAF)
- DDoS protection (Cloudflare)
- Network firewalls
- Intrusion Detection System (IDS)
(b) Network Segmentation
- VPC isolation
- Private subnets for sensitive systems
- Network access control lists
3.3. Application Security
(a) Secure Development
- Secure coding guidelines
- Code reviews
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
(b) Input Validation
- Server-side validation
- SQL injection prevention
- XSS prevention
- CSRF protection
4. Access Control
4.1. Authentication
(a) Password Requirements
- Minimum 12 characters
- Complexity requirements
- No password reuse (last 10)
- Maximum 90-day validity
(b) Multi-Factor Authentication
- Required for all administrative access
- Available for all customer accounts
- Support for TOTP and hardware keys
4.2. Authorization
(a) Role-Based Access Control (RBAC)
- Predefined roles
- Custom role creation
- Granular permissions
- Minimum necessary access
- Regular privilege reviews
4.3. Privileged Access Management
- Separate admin accounts
- Admin access logging
- Privileged session monitoring
- Time-limited admin access
5. Data Backup and Recovery
5.1. Backup Strategy
(a) Frequency
- Database: Real-time replication + daily snapshots
- Files: Daily incremental, weekly full
- Configuration: Version controlled
(b) Retention
- Daily backups: 30 days
- Weekly backups: 12 weeks
- Monthly backups: 12 months
(c) Geographic Redundancy
- Backups stored in multiple regions
- Cross-region replication
5.2. Backup Security
- Encrypted at rest (AES-256)
- Encrypted in transit
- Access restricted to authorized personnel
- Integrity verification
5.3. Recovery Procedures
- Recovery Time Objective (RTO): 4 hours
- Recovery Point Objective (RPO): 1 hour
- Regular recovery testing
- Documented recovery procedures
6. Security Incident Management
6.1. Incident Response Plan
- Preparation: Response team defined, communication channels established, tools and procedures documented
- Detection: 24/7 monitoring, automated alerting, user reporting mechanism
- Containment: Immediate containment steps, evidence preservation, impact assessment
- Eradication: Root cause analysis, threat removal, system hardening
- Recovery: Service restoration, monitoring for recurrence, customer communication
- Post-Incident: Lessons learned, procedure improvements, documentation updates
6.2. Incident Classification
| Severity | Description | Response Time |
|---|---|---|
| Critical | Active breach, data exfiltration | Immediate |
| High | System compromise, major vulnerability | 1 hour |
| Medium | Attempted attack, policy violation | 4 hours |
| Low | Minor security event | 24 hours |
6.3. Breach Notification
In case of a personal data breach:
(a) Supervisory Authority
- Notification within 72 hours (GDPR)
- As required by KVKK
(b) Affected Individuals
- Without undue delay (high risk breaches)
- Clear description of breach and remediation
7. Vulnerability Management
7.1. Vulnerability Scanning
- Internal Scanning: Weekly automated scans covering all systems
- External Scanning: Weekly perimeter scans by third-party scanning services
- Application Scanning: Pre-deployment SAST/DAST and regular production scans
7.2. Penetration Testing
- Annual third-party penetration testing
- Scope includes all production systems
- Results reviewed and remediated
- Re-testing after remediation
7.3. Patch Management
| Severity | Patch Timeline |
|---|---|
| Critical | 24-48 hours |
| High | 7 days |
| Medium | 30 days |
| Low | 90 days |
7.4. Responsible Disclosure
We welcome security researchers to report vulnerabilities:
Email: security@evaste.co PGP Key: Available at /.well-known/security.txt
We commit to:
- Acknowledge receipt within 24 hours
- Provide updates on progress
- Not pursue legal action for good-faith reporting
- Recognition (with permission) in our hall of fame
8. Compliance and Certifications
8.1. Regulatory Compliance
- GDPR (EU General Data Protection Regulation)
- KVKK (Turkish Data Protection Law)
- CCPA (California Consumer Privacy Act)
8.2. Certifications (Current and Planned)
| Certification | Status | Target Date |
|---|---|---|
| ISO 27001 | In Progress | Q2 2026 |
| SOC 2 Type II | Planned | Q4 2026 |
| CSA STAR | Under Review | TBD |
8.3. Audits
- Internal audits: Quarterly
- External audits: Annual
- Customer audit rights: Per DPA
9. Contact Information
Security Team
Email: security@evaste.co PGP Key: https://evaste.co/.well-known/security.txt
For urgent security matters: Emergency: +90 532 494 42 64
General Contact: Evaste (Group Taiga) Address: Levent, Istanbul, Turkey Web: https://evaste.co
This Security Policy became effective on January 12, 2026.
Evaste reserves the right to update this policy as security requirements evolve. Material changes will be communicated to customers.