Data residency — does my data leave Turkey?
Short answer:
- Tax-advisor plan — never. All data stays in Turkey (TTK § 82 + VUK).
- Personal / SME plan with hosted storage — never. Data stays on PratikYedek VDS in Turkey.
- Personal / SME plan with BYOS — yes, if you connect Google Drive (US/EU) or OneDrive (EU). Always with your explicit KVKK § 9 consent.
Where PratikYedek hosted infrastructure lives
- VDS — 5.133.102.80 (Turkey datacenter, Istanbul region)
- Backups — WAL + PITR within the same Turkey datacenter; off-site copy encrypted, also in Turkey
- CDN — Cloudflare (multi-region; but Cloudflare only serves static assets like logos and CSS, never your personal data)
- Email — Mailcow self-hosted on Turkey VDS
- SMS — Turkish providers only (NetGSM, İletimerkezi, Twilio TR routing)
What stays in Turkey unconditionally
Regardless of plan:
- Encrypted chunks of your snapshots (for hosted plans)
- Master KDF salt and sealed recovery keys
- Audit logs and KVKK consent records
- Invoice and payment records (VUK 10-year)
- Magic-link tokens and OTP secrets
What can cross borders (only with consent)
Only when you connect BYOS:
- Encrypted chunks to Google Drive (US/EU multi-region) or OneDrive (EU primary)
- Even then, the data is opaque encrypted blobs — Google/Microsoft cannot decrypt them
- Master keys never leave your device
Subprocessors (KVKK § 8 disclosure)
The full list:
| Subprocessor | Purpose | Region | Personal data? |
|---|---|---|---|
| PaynKolay | Payment processing | Turkey | Card BIN + transaction amount only |
| Foriba | e-Archive invoice (GIB integration) | Turkey | Invoice line items |
| NetGSM | SMS OTP | Turkey | Phone number + OTP code |
| İletimerkezi | SMS OTP failover | Turkey | Phone number + OTP code |
| Cloudflare | Static asset CDN | Multi-region | None (no PII passes Cloudflare) |
| Sentry / GlitchTip | Crash reporting | Turkey self-hosted (GlitchTip) | Scrubbed (no PII, see KVKK PII scrub in apps/api/src/lib/sentry-scrub.ts) |
KVKK § 9 consent flow
When you opt into BYOS:
- A modal lists target regions (US/EU)
- You explicitly accept the cross-border transfer
- Consent is logged with timestamp + IP (KVKK § 12 evidence)
- You can revoke anytime by disconnecting BYOS in Settings → Storage
Disabling cross-border transfer entirely
If your compliance posture forbids any cross-border transfer:
- Stay on hosted storage (the default)
- Do not connect BYOS
- We will never proactively transfer your data abroad without your explicit BYOS opt-in
Foreign clients of Turkish tax advisors
If a Turkish tax advisor serves a foreign-resident client whose data is also subject to GDPR or other regulations:
- The advisor's tax-advisor plan stays in Turkey (KVKK § 9 hard rule)
- The client's own personal account, if any, can be in their region
- For bespoke deployments with EU-region data, contact us
See also: