Security in practice
Data Encryption
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption keys are rotated regularly and managed through a hardened key management service. Backups are encrypted to the same standards.
Infrastructure
HeyVisa runs on reputable cloud providers that follow industry best practices (ISO 27001, SOC 2). Production environments are isolated from development, infrastructure is provisioned as code, and changes go through peer review and automated checks.
Access Control
Internal access follows the principle of least privilege. Staff access to production data requires multi-factor authentication, is approved on a per-task basis, and is fully audit-logged. We review access rights on a recurring schedule.
Compliance
We align our processes with the EU GDPR and Türkiye's KVKK (Law No. 6698). Data subject requests, retention policies, and processor agreements are reviewed regularly by our team and external advisors.
Incident Response
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-mortem review. If an incident affects you, we will notify you in line with applicable legal timelines.
Responsible Disclosure
If you believe you have found a security vulnerability, please email us at security@heyvisa.com with a clear description and reproduction steps. We commit to acknowledging reports promptly and working with you in good faith to address valid issues.
Bug Bounty
A formal bug bounty program is on our roadmap. Until it launches, we recognise valid security reports through our responsible disclosure process and may offer discretionary rewards for high-impact findings.
Found a security issue?
We take every report seriously. Send a clear write-up to our security team and we will respond as quickly as possible.
security@heyvisa.com