Security
We carry patient data; security is not a marketing slogan for us, it is an engineering decision. Below are the measures we take.
Data Storage
- Local data center: All patient data is stored in data centers located in Türkiye.
- Encryption at rest: AES-256 encryption at the database layer.
- Encryption in transit: All traffic over TLS 1.3; HSTS enforced.
- Backups: Automatic daily backups + hourly incremental snapshots. 30-day rollback window.
Access Control
- Role-based access (RBAC): Fine-grained permissions for dentist, assistant, reception, and admin roles.
- Two-factor authentication (2FA): Available to every account and mandatory for admin accounts.
- Session management: View active sessions and remotely terminate them.
- Audit logging: Every sensitive operation (image, file, payment) is written to an audit log.
Application Security
- Continuous testing against OWASP Top 10 (XSS, SQLi, CSRF, IDOR…).
- CSRF tokens on every form and API call.
- Brute-force and abuse prevention: rate limiting and suspicious-activity detection.
- Strict Content Security Policy and cookie security flags (HttpOnly, Secure, SameSite).
Compliance & Certifications
KVKK
Data controller and processor agreements ready under Türkiye's Personal Data Protection Law.
GDPR
GDPR-compliant processing flows for clinics serving EU citizens.
PCI-DSS
Payment data is handled directly by iyzico; card information never touches our servers.
ISO 27001 (roadmap)
Our ISO 27001 certification process is underway, targeting completion by end of 2026.
Reporting a Security Vulnerability
If you discover a security vulnerability, please contact us before public disclosure. We support responsible disclosure and offer rewards to researchers under a bug bounty program.
Security Contact
Email: guvenlik@planoral.com
PGP key: available on request at the same address.