Information Security Policy

Purpose

The purpose of this document is to define the information assets owned by COORBİZ DANIŞMANLIK A.Ş. (“Company”) and the principles for their proper use, and to prevent potential information security risks and problems.

Implementation

As COORBİZ DANIŞMANLIK A.Ş., within the scope of the policies we apply for evaluating, selecting, and managing sales teams, we commit to:

  • Ensuring that all activities are carried out effectively, accurately, promptly, and securely,
  • Complying with all customer requirements and legal obligations,
  • Being aware of and managing risks to the confidentiality, availability, and integrity of all information assets belonging to our company, clients, suppliers, and business partners,
  • Creating full company-wide participation and raising high awareness of information security through continuous training and consultancy,
  • Approaching information security systematically to build a structure that continuously improves, develops, and prevents the emergence of new risks.

Internet Usage

Confidential and proprietary Company information must not be shared on messaging sites, social media platforms, mailing lists, or newsgroups on the Internet.

  • Unless explicitly authorized by the Company, no statements may be made to media organizations or members of the press about the Company.
  • In accordance with Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications, the Company stores internet access information related to the services it provides for no less than six months and no more than two years, and ensures the accuracy, integrity, and confidentiality of this information.

Monitoring, Retention, and Filtering

All users acknowledge that e-mails and all communications and their usage are the property of the Company and may be retained, recorded, and reviewed at any time by authorized Company personnel to ensure and monitor compliance with Company security policies.

Computer Usage

  • Users are responsible for exercising due care with the computer equipment and software provided by the Company. Employees must also ensure that this equipment remains in good condition and available upon request. Users must not upload any personal data and/or sensitive personal data, or information and/or documents of such nature, to computers assigned to them for business purposes only.
  • Users must not use uncontrolled internet connections that may expose systems to viruses or other malicious software. Any damages arising from the use of public free/paid connections outside the workplace are the full responsibility of the employee.

Password Usage

  • All access to data on personal computers is protected by individual passwords assigned to users under the Company’s authorization.
  • The user agrees not to disclose their password to any person inside or outside the Company and not to attempt to obtain other users’ personal passwords. The user must immediately report any security breach, suspicious activity, or similar risk to the relevant units.
  • The user is fully responsible for all actions performed using their assigned passwords, and any resulting damages shall be covered by the user without objection.

Software Installation

Users must avoid installing any software that is unlicensed, unrelated to business purposes, or of suspicious functionality.

Printer Usage

Company users may print only the documents required to complete their work.

Fixed and Mobile Phone Usage

Company users must never leave confidential company information on another person’s answering machine or voicemail. They must also ensure the security of mobile devices.

Intellectual Property

Whether for business or personal use, making unauthorized and unapproved copies of proprietary or internally developed software, uploading externally obtained software onto company systems without written authorization (even with access rights), or using any non-standard software constitutes a violation of Company policies.

Licensed hardware, software, versions, upgrades, renewals, and all related materials owned by or leased to the Company must be used in accordance with Company policies and licensing agreements. Otherwise, the user shall be responsible for all damages incurred or to be incurred by the Company and the licensors.

Access to and Protection of Personal and Sensitive Personal Data

The user acknowledges that, in accordance with the Turkish Personal Data Protection Law (KVKK), any personal or sensitive personal data processed on behalf of the Company, or accessible within their authority, shall be processed, stored, shared, and transferred strictly in line with KVKK requirements and Company authorizations (general or specific). The user must not share such personal data with any third party for any reason, except with authorized Company personnel.

The user is responsible for protecting the personal data they process in accordance with its nature and by applying the protection methods established by Company management. They must take all necessary administrative and technical measures to prevent unlawful processing of and unauthorized access to personal data, and to ensure its preservation. The user understands that all administrative, legal, and criminal liability arising from failure to take such measures, as well as any sanctions imposed on the Company under KVKK and any claims made against the Company by other employees, authorities, or third parties, will be their personal responsibility.

The user further acknowledges that they will keep all personal and sensitive personal data of data subjects, as well as any information obtained during their employment, confidential even after termination of their employment. They agree not to disclose such information to anyone, and that in case of breach, all legal remedies will be pursued against them.

Obligations

  • Avoid actions that would prevent or hinder other Company users from effectively utilizing existing resources, particularly avoiding unnecessary network traffic,
  • Refrain from sending mass messages unrelated to business purposes,
  • Comply with security rules established to protect computer systems against viruses, malicious software, and hacker attacks, and not interfere with the operation of Anti-Virus or similar protective software installed on systems,
  • Respect the rules of other networks accessible through the Company’s existing connections,
  • Comply with the license agreements of software used within the Company,
  • Adhere to applicable laws, regulations, and statutes regarding communication,
  • Avoid wasting other technological resources of the Company,
  • Delete/archive unnecessary messages to prevent exceeding individual message quotas,
  • Not disclose their passwords to any person inside or outside the Company, and not attempt to obtain the personal passwords of other Company users or the passwords of shared servers,
  • Not use or bring into Company offices any hardware or software that is not owned by the Company without authorization,
  • Keep information stored on portable devices (laptops, handheld terminals, tablets, external drives, etc.) confidential in accordance with relevant policies and protect it from unauthorized access,
  • Return all equipment assigned to them for business use during employment—including personal computers, monitors, keyboards, laptops, handheld devices, portable drives, phones, etc.—to the relevant process owners upon termination or conclusion of employment for any reason,
  • After completing printer use, check whether any documents remain in the machine, thereby ensuring the security of personal data belonging to customers or other third parties.