MitosSoft is committed to building products that meet the highest security and compliance standards. While we are not yet formally certified, our engineering practices, infrastructure, and processes are designed in alignment with industry-leading frameworks.
Compliance-Ready, Certification in Progress
We currently operate in alignment with these frameworks and are actively working toward formal certifications. Our goal is to provide the same level of trust and transparency as certified organizations while we complete the audit process.
Our products and processes are designed in line with the following standards.
We follow SOC 2 principles across our infrastructure — security controls, access management, encryption, and monitoring are designed in line with Trust Service Criteria.
Our information security management practices follow ISO 27001 guidelines — including risk assessment, access controls, incident response, and continuous improvement processes.
We design our products with GDPR principles in mind — data minimization, purpose limitation, consent management, and right to erasure capabilities are built into our architecture.
Our healthcare-facing products are built with HIPAA-compatible safeguards — data encryption at rest and in transit, audit logging, and role-based access controls.
We operate in accordance with Turkey's Personal Data Protection Law — data processing principles, cross-border transfer safeguards, and data subject rights are integrated into our workflows.
MitCart's payment flows are designed following PCI DSS best practices — tokenized card handling, encrypted transmission, and secure payment gateway integrations.
Regardless of certification status, these practices are embedded in every product we build.
All data is encrypted at rest (AES-256) and in transit (TLS 1.3), and sensitive fields additionally receive database-level encryption.
Role-based access follows the least-privilege principle, with multi-factor authentication support, session management, and audit logging.
Multi-tenant architecture with strict tenant isolation. Row-level and column-level security policies prevent cross-tenant data access.
Documented incident response procedures are backed by real-time monitoring and alerting, post-incident review, and continuous improvement.
Configurable data retention policies and automated data purge workflows support the right to erasure across all products.
Third-party services are evaluated for security posture. Sub-processor agreements maintained for data handling transparency.
We are actively working toward formal certifications for the following standards.
We're happy to walk you through our security practices, share our compliance documentation, or discuss how we can meet your organization's requirements.