Technology · February 10, 2026 · 8 min read
Security in custom software: privacy, backups, and access control
Customer data, financial records, and supplier information all need a minimum security standard. A checklist for non-technical leaders.
Security is not bolted on later
Authentication, role-based access control (RBAC), encryption (TLS in transit, and at rest for sensitive fields), and audit logs belong in the architecture from the start. The attitude of «we launched, we'll secure later» risks a breach and reputational damage.
GDPR and KVKK require consent, data minimization, deletion requests, and processing records. Product flows must support them.
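As an added illustration (not code from the original article or from Kryonit Labs) of why role-based access and audit logs are architectural rather than bolt-on concerns, the following Python sketch routes every permission check through one deny-by-default function that also writes an audit entry. The role-to-permission map, user names and resource IDs are assumptions made up for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role-to-permission map, assumed for illustration (not from the original page).
# Permissions are "resource:action" strings; anything not listed here is denied.
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "accountant": {"invoice:read", "invoice:create"},
    "admin": {"invoice:read", "invoice:create", "invoice:delete", "user:manage"},
}


@dataclass
class AuditLog:
    """Append-only record of every authorization decision, allowed or denied."""
    entries: list = field(default_factory=list)

    def record(self, user: str, permission: str, resource_id: str, allowed: bool) -> None:
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "permission": permission,
            "resource": resource_id,
            "allowed": allowed,
        })


def authorize(user: str, roles, permission: str, resource_id: str, log: AuditLog) -> bool:
    """Deny by default: allow only if at least one of the user's roles grants the permission.

    Unknown roles map to an empty permission set, so a typo in a role name
    can only deny, never grant. Every decision is logged, including denials.
    """
    allowed = any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)
    log.record(user, permission, resource_id, allowed)
    return allowed


def denied_attempts(log: AuditLog, user: str) -> int:
    """Count a user's denied actions: the kind of query a review or incident needs."""
    return sum(1 for e in log.entries if e["user"] == user and not e["allowed"])


if __name__ == "__main__":
    log = AuditLog()
    # Constructed sample requests, not real users or invoices.
    authorize("ayse", ["viewer"], "invoice:delete", "inv-1042", log)   # denied
    authorize("ayse", ["viewer"], "invoice:read", "inv-1042", log)     # allowed
    authorize("mehmet", ["admin"], "invoice:delete", "inv-1042", log)  # allowed
    for entry in log.entries:
        print(entry)
```

The design point is that the audit log is written inside the authorization path, so a feature cannot ship a new action that bypasses logging without also bypassing the permission check, which is exactly what a code review would catch.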
Backup and disaster recovery
A daily automated backup, a geographically separate copy, and a restore test (at least yearly) are the baseline. Define RPO/RTO targets (how much data loss and how much downtime you accept) in writing.
Cloud provider choice (AWS, GCP, Azure, or TR hosting, i.e. a local provider in Turkey) should match your data residency needs.
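As an added example (not from the original article or from Kryonit Labs), the following Python script turns the written RPO and restore-test targets above into an automatic check over backup job records. The backup run records, the restore-test date and the target values are constructed for illustration; a real deployment would feed in its own job history.

```python
from datetime import datetime, timedelta, timezone

# Targets a team might write down; assumed values, not from the original page.
RPO = timedelta(hours=24)                    # accept at most one day of data loss
RESTORE_TEST_MAX_AGE = timedelta(days=365)   # prove a restore at least yearly

# Constructed backup job records (not real data).
BACKUP_RUNS = [
    {"finished": "2026-02-07T02:05:00+00:00", "status": "ok",     "offsite_copy": True},
    {"finished": "2026-02-08T02:04:00+00:00", "status": "ok",     "offsite_copy": False},
    {"finished": "2026-02-09T02:09:00+00:00", "status": "failed", "offsite_copy": False},
]
LAST_RESTORE_TEST = "2025-01-15T10:00:00+00:00"   # constructed date of the last restore drill


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def latest_good_backup(runs, require_offsite: bool):
    """Most recent successful run, optionally only those that also have an off-site copy."""
    good = [r for r in runs
            if r["status"] == "ok" and (r["offsite_copy"] or not require_offsite)]
    if not good:
        return None
    return max(good, key=lambda r: parse(r["finished"]))


def check_backup_posture(runs, last_restore_test, now,
                         rpo=RPO, restore_max_age=RESTORE_TEST_MAX_AGE):
    """Return a list of findings; an empty list means the written targets are met.

    A failed job is ignored for the purpose of "last good backup", so a run of
    failures silently ages the last usable copy until it breaches the RPO.
    """
    findings = []
    local = latest_good_backup(runs, require_offsite=False)
    if local is None:
        findings.append("no successful backup on record")
    elif now - parse(local["finished"]) > rpo:
        findings.append(f"RPO breached: last good backup is {now - parse(local['finished'])} old")
    offsite = latest_good_backup(runs, require_offsite=True)
    if offsite is None or now - parse(offsite["finished"]) > rpo:
        findings.append("no off-site copy within the RPO window")
    if last_restore_test is None or now - parse(last_restore_test) > restore_max_age:
        findings.append("restore test overdue (or never run)")
    return findings


if __name__ == "__main__":
    now = datetime(2026, 2, 10, 9, 0, tzinfo=timezone.utc)
    for finding in check_backup_posture(BACKUP_RUNS, LAST_RESTORE_TEST, now):
        print("FINDING:", finding)
```

Run on the sample records this reports three findings: the last successful backup is older than the RPO because the latest job failed, the only off-site copy is older still, and the restore drill is more than a year old. The RTO cannot be checked from job records alone; it is measured during that restore drill, which is another reason the drill needs a date on the calendar.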
Vendor and integration security
API keys for payment, SMS, and analytics services live in a secrets vault, never embedded in source code. Penetration testing and dependency updates (tracking published CVEs) should be planned for enterprise projects.
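As an added example (not from the original article or from Kryonit Labs) of the "vault, not code" rule, the Python below shows the two halves of it: a loader that takes the secret from the runtime environment the vault or orchestrator injects and refuses to start without it, and a small scan that flags credential-looking string literals in source or config text. The variable-name convention, the regular expressions and the sample source lines are assumptions constructed for the example; the key values are obvious placeholders, not real credentials.

```python
import os
import re

# Names that signal a credential; assumed naming convention, not from the original page.
SECRET_NAME = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD)", re.IGNORECASE)

# A quoted literal of 8+ characters assigned to a name, in code ("=") or YAML-style config (":").
EMBEDDED_LITERAL = re.compile(
    r"""^\s*(?:export\s+)?([A-Za-z0-9_.\-]+)\s*[=:]\s*["']([^"']{8,})["']"""
)


def require_secret(name: str, env=None) -> str:
    """Read a secret injected at runtime (from a vault or the orchestrator).

    No default value on purpose: a missing secret fails the start-up loudly
    instead of silently falling back to something checked into the repository.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; inject it from the vault, do not hardcode it")
    return value


def find_embedded_secrets(source: str):
    """Return (line_number, name) for each credential-looking literal in the text."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = EMBEDDED_LITERAL.match(line)
        if match and SECRET_NAME.search(match.group(1)):
            hits.append((line_no, match.group(1)))
    return hits


# Constructed sample source text; the values are placeholders, not real keys.
SAMPLE_SOURCE = """\
PAYMENT_API_KEY = "live_EXAMPLE_0123456789abcdef"   # literal in code: flagged
SMS_TOKEN = os.environ["SMS_TOKEN"]                  # injected at runtime: fine
analytics_secret: "placeholder-analytics-secret"    # literal in config: flagged
DB_HOST = "db.internal"                              # not a credential name: fine
"""


if __name__ == "__main__":
    for line_no, name in find_embedded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} is assigned a literal; move it to the vault")
    # With the key supplied by the environment the loader simply returns it.
    print(require_secret("PAYMENT_API_KEY", {"PAYMENT_API_KEY": "value-from-vault"}))
```

A check like `find_embedded_secrets` is cheap to run in continuous integration before each merge; it is a coarse filter rather than a full secret scanner, but it catches the common case of a key pasted into a settings file, which is the case a later vendor penetration test would otherwise have to find.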
Kryonit Labs lists security requirements in discovery and reflects them in architecture.
Frequently asked questions
- What is the minimum security baseline for custom software?
- Authentication, role-based access control, TLS in transit, encryption for sensitive fields, audit logs, and tested backups — planned in the architecture, not after launch.
- Do GDPR and KVKK affect product design?
- Yes. Consent, data minimization, deletion requests, and processing records must be supported in user flows — especially for customer and financial data.
- How often should backups be tested?
- Automate daily backups, keep an off-site copy, and run a restore test at least yearly. Define RPO/RTO targets in writing with your vendor.
Share security needs in the discovery form — we'll keep security line items transparent in the proposal.
Let's talk about your project
Want to apply these steps to your own product? Submit the discovery form — we aim to respond within 24 hours.
- security
- GDPR
- KVKK
- backup
- access control