Security, Backup and System Continuity

Three lines of defence

• Edge: 3 Gbps DDoS protection, closed-port policy, default-deny SSH.
• Application: Imunify360 WAF + malware scanner, real-time threat feed, brute-force throttle.
• Data: Automatic weekly or daily backups (plan-dependent), retention up to 30 days, restore drills.

A backup is restore-insurance — not a substitute for owner-side backup

Our server-side backups cover most ordinary cases: an accidentally deleted file, a failed update, a simple DB table error. For truly critical data we always recommend the customer keep an independent off-server backup as well; that eliminates single-point dependency risk. We're honest about this because we've seen years-long single-backup strategies fall short.

When an incident happens: who does what, when

On a suspected outage or breach, the on-call engineer engages within 5 minutes; status is published in the customer portal within 15 minutes and an impact assessment is e-mailed. AIOR-attributable outages over 4 hours earn proportional service-credit extension. A root-cause summary is published within 24 hours afterwards.

Legal and Turkish KVKK

User rights under Turkish KVKK Art. 11, server location, log retention windows and third-party sharing are explicitly listed on the privacy policy page. Without an independent audit we don't carry ISO 27001 / SOC 2 badges; instead we publish what we actually do. Every operation we run is compliant with Turkish Personal Data Protection Law (KVKK 6698).

A real case: malware cleanup + restore

A customer's WordPress install was injected with a cryptominer through an outdated plugin. Imunify360 caught the anomaly, the file was quarantined and the customer was emailed. We restored a 3-hour-old JetBackup snapshot; in the same hour the plugin was patched and an Imunify rule was written for the offending AS. Total impact: 22 minutes downtime + 0 data loss + no paid redesign.