Azalt Frequently Asked Questions

We rely on OpenID Connect and OAuth 2.0, with built-in integrations for Azure AD, Google Workspace, and Okta. Users can also sign in through one-time "Magic Link" emails.

Access to the platform does not require passwords. API keys for services like OpenAI and Anthropic that must stay retrievable are encrypted with AES-256-GCM, while dashboard passwords that never need to be read again are stored with bcrypt.

Yes, multi-factor authentication is supported.

Yes, detailed audit logs are kept across the application.

Users access the platform at app.azalt.co with authenticated sessions. Single sign-on is supported and we currently do not enforce IP restrictions.

Yes. We operate with Web Application Firewall rules and bot protection policies to prevent brute-force attempts.

Only users granted permissions inside the customer's organization and Erguvan staff members who are explicitly authorized can access customer data.

Data at rest: corporate OpenAI and Anthropic keys are encrypted with AES-256-GCM, and optional dashboard passwords are hashed with bcrypt since they never need to be decrypted. Data in transit: the application communicates with external services via official SDKs over TLS.

Primary hosting is in Frankfurt data centers with regular backups maintained in London and New York.

We provide point-in-time recovery for the last seven days and maintain daily backups for earlier periods.

Yes. Login events are logged and monitored with alerting systems to surface anomalies promptly.

Yes, we maintain a written Data Breach Response Procedure.

Penetration tests are conducted annually. During development we use both SAST and DAST tooling to run automated vulnerability scans.

We follow a formal vulnerability management process.

We maintain detailed integration security documentation and standardized review workflows, which can be provided to your team upon request.

We operate KVKK-compliant processes and controls. The platform does not require sensitive personal data—work email addresses are sufficient. Optional data such as name, surname, phone number, and profile photo are processed under the legal bases in KVKK articles 5 and 6. We inform users about purposes, legal grounds, recipients, and retention, implement the required technical and administrative safeguards, and follow notification procedures if an incident occurs.

We are certified for ISO 27001.