Security, by default.
SOC 2 Type II, ISO 27001, PCI-DSS L1, KVKK compliance. Card data never touches Karum, customer data stays in Turkey, every admin action goes to an append-only log.
Certified, audited, transparent security.
4 certifications
SOC 2 Type II, ISO 27001, PCI-DSS L1, KVKK — annual independent audits.
KVKK + data residency
Customer data stored in Turkey; even backups don't leave the country.
PCI-DSS L1 vault
Card data never touches Karum; tokenized at the provider.
Append-only audit log
Every admin action, login, role change, refund — recorded immutably.
How data access is governed.
SSO + 2FA
Office 365 / Google Workspace SSO + 2FA (TOTP / WebAuthn).
Role-based permissions
Fine-grained ability via CASL: subject + action + condition + tenant scope.
Audit
Every read/write + IP + user-agent recorded append-only.
Encryption
Disk-at-rest AES-256, transit TLS 1.3, sensitive fields encrypted at the application level.
Pen-test
Two independent pen-tests per year; 24/7 bug bounty program.
Incident response
PSIRT 24/7; KVKK requires breach notification within 72 hours.
The security details we care about.
Customer and order data only in Turkish regions; backups don't leave the country.
Card data tokenized; Karum service never sees card numbers.
Office 365, Google Workspace, Okta, Azure AD; 2FA TOTP/WebAuthn.
CASL ability check + tenant scope guard on every endpoint.
UPDATE and DELETE revoked at the DB role level, so the audit log is append-only; audit-ready.
AES-256 at-rest, TLS 1.3 transit, application-level envelope for sensitive fields.
PSIRT 24/7; KVKK 72-hour notification; bug bounty program open.
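One way to enforce the "append-only at the DB role level" property described above, as an added example rather than Karum's own schema: it assumes PostgreSQL, an audit table named audit_log, an application role karum_app and a separate owner role karum_dba.

```sql
-- Added example (not Karum's own schema). Assumed names: audit_log, karum_app, karum_dba.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    actor_id    uuid        NOT NULL,
    action      text        NOT NULL,   -- e.g. 'login', 'role.change', 'refund'
    subject     text        NOT NULL,   -- e.g. 'Order:1234'
    ip          inet,
    user_agent  text,
    occurred_at timestamptz NOT NULL DEFAULT now()
);

-- The table must not be owned by the application role: an owner bypasses grants.
ALTER TABLE audit_log OWNER TO karum_dba;

-- The application may append and read, nothing else.
GRANT INSERT, SELECT ON audit_log TO karum_app;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO karum_app;
-- TRUNCATE is a separate privilege in PostgreSQL, so revoke it explicitly too.
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM karum_app;

-- Verification query an auditor can run: effective privileges of the app role.
SELECT privilege_type
FROM   information_schema.role_table_grants
WHERE  table_name = 'audit_log' AND grantee = 'karum_app';
```

If the grants are correct, the verification query returns only INSERT and SELECT; any UPDATE, DELETE or TRUNCATE row means the log can be rewritten by the application.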
Which modules security protects.
We went through a KVKK audit. Karum documented that our data is in Turkey, the auditors reviewed the audit log and approved. Zero open questions.
Your first sale this week. Setup in 5 minutes.
Our onboarding team runs the process. Data migration, product mapping, and channel connection included — first sale on average in 3–7 days.