
BDDK + KVKK and WCAG 2.2 for banking, in one package.

KVKK cookie management on local hosting for the Turkish banking sector, support for configuration aligned with BDDK requirements and a WCAG 2.2 AA-focused accessibility infrastructure. A single-embed solution for banks, participation banks, investment firms and fintech.

Request a Banking Demo · Get Started Free
Local hosting · audit logging · KVKK + EAA

Frameworks covered under Turkish banking regulations

The badges above are supported standards. cerez.io is not an institution that issues a "BDDK compliance certificate"; it provides support for configuration aligned with BDDK requirements.

Industry challenges

Banking's special compliance burden.

Far beyond a standard e-commerce site: multiple regulators, high security requirements, a local data hosting obligation and accessibility rights for people with disabilities must all be managed at once.

BDDK + KVKK

Consent without an audit log does not meet the burden of proof.

Under the BDDK Information Systems Communiqué, web components processing customer data must produce auditable logs. The burden of proof for explicit consent under KVKK also rests on your consent record. cerez.io stores the record of IP + timestamp + consent version + accepted categories in a data center in Turkey with 365+ day retention.

  • Retrospective consent log records ready for a BDDK audit
  • Under KVKK Article 9, all data is in a data center in Turkey
  • Timestamped log, version tracking and CSV/XLSX export
Learn about the audit log
5411 · customer confidentiality

GA4 or Meta Pixel should not run after a customer logs in.

Article 73 of Banking Law No. 5411, the customer confidentiality obligation: transferring data that can be linked to a customer to 3rd-party analytics tools without consent carries serious audit risk. cerez.io blocks all external scripts until consent is obtained; only permitted categories are loaded.

  • GA4, Meta Pixel, Hotjar, LinkedIn Insight consent-based control
  • Granular script management with the data-cb-category attribute
  • Google Consent Mode v2 signals are updated on time
How script blocking works
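The card above describes the gating pattern (every third-party tag stays blocked until consent is recorded, then only the permitted categories load, and the Google Consent Mode v2 signal follows). The following is an added illustration of that pattern in browser JavaScript; it is example code, not cerez.io's SDK. Only the attribute name `data-cb-category` comes from the page: the inert `type="text/plain"` marker, the `data-src` attribute, the category names `necessary`/`analytics`/`marketing` and the Consent Mode mapping are assumptions.

```javascript
// Added example (not cerez.io's SDK): consent-gated loading of third-party tags.
// Tags are declared inert in the page markup, for instance
//   <script type="text/plain" data-cb-category="analytics" data-src="https://example.invalid/ga4.js"></script>
// The browser never executes type="text/plain"; after consent, only tags whose category
// was accepted are re-created as real <script> elements. Only data-cb-category is from the
// page; type="text/plain", data-src and the category names are assumptions.

// Categories that run without consent (strictly necessary cookies). Assumed name.
const ALWAYS_ALLOWED = new Set(['necessary']);

// Pure decision function: given the declared tags and a consent state such as
// { analytics: true, marketing: false }, return the tags that may run.
// Anything not explicitly granted stays blocked, so the default is "necessary only".
function selectPermittedScripts(scripts, consent) {
  const granted = Object.keys(consent).filter((c) => consent[c] === true);
  const allowed = new Set([...ALWAYS_ALLOWED, ...granted]);
  return scripts.filter((s) => allowed.has(s.category));
}

// Google Consent Mode v2 update derived from the same consent state.
// The category-to-signal mapping is an assumption; adapt it to your own categories.
function consentModeUpdate(consent) {
  const flag = (v) => (v === true ? 'granted' : 'denied');
  return {
    analytics_storage: flag(consent.analytics),
    ad_storage: flag(consent.marketing),
    ad_user_data: flag(consent.marketing),
    ad_personalization: flag(consent.marketing),
  };
}

// Browser side: find the inert tags, activate the permitted ones and push the Consent
// Mode signal. Returns the categories that were activated (empty when there is no DOM,
// e.g. when this file runs under Node).
function activateConsentedScripts(consent, doc = typeof document === 'undefined' ? null : document) {
  if (!doc) return [];
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-cb-category]'));
  const declared = inert.map((el) => ({
    el,
    category: el.getAttribute('data-cb-category'),
    src: el.getAttribute('data-src'),
    inline: el.textContent,
  }));
  const permitted = selectPermittedScripts(declared, consent);
  for (const tag of permitted) {
    const real = doc.createElement('script');
    if (tag.src) real.src = tag.src; else real.textContent = tag.inline;
    real.setAttribute('data-cb-category', tag.category); // keep the label visible for later review
    tag.el.replaceWith(real); // a live <script> executes once it is inserted into the document
  }
  if (typeof window !== 'undefined' && typeof window.gtag === 'function') {
    window.gtag('consent', 'update', consentModeUpdate(consent));
  }
  return permitted.map((tag) => tag.category);
}
```

Two caveats a practitioner should keep in mind: a script that has already executed cannot be "unloaded" when consent is withdrawn, so a re-consent flow must rely on a page reload or on the tag's own opt-out signal (Consent Mode's `denied` state for Google tags); and the pattern only gates tags declared in your own markup, so tags injected by a tag manager need the same category check inside the tag manager.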
WCAG 2.2 · accessibility

Access to e-banking is a fundamental right; no customer with a disability should be left out.

The EAA 2019/882 Directive directly covers banking services; in force since 28 June 2025. According to TÜİK 2022 data, around 12.8 percent of Turkey's population has a disability. Access to e-banking for elderly, visually impaired and cognitively challenged customers is both a legal obligation and a corporate responsibility.

  • 10+ ready-made profiles: senior, visually impaired, cognitive, seizure safe
  • EAA statement generator: documenting and publishing the obligation
  • WCAG 2.2 scanner: 0-100 compliance score + prioritized violation report
Our accessibility approach
Why a local CMP

A tool that knows Turkish banking regulations and keeps data in Turkey.

OneTrust and Cookiebot are powerful tools; however, on KVKK Article 9 data location, BDDK regulations and Turkish support, the advantage of a local solution is clear.

OneTrust / Cookiebot

Powerful but far from Turkey.

  • Consent log in an EU/US data center, KVKK Article 9 risk
  • No configuration support specific to BDDK + KAİK regulations
  • No primary Turkish support channel, limited to business days
  • WCAG accessibility widget is a separate product, separate invoice

"GDPR-compliant" and "KVKK + BDDK-compliant" are not the same thing.

cerez.io

Focused on Turkish regulations, local hosting.

  • All consent data in Turkey, compliant with KVKK Article 9
  • Templates and configuration specific to BDDK + KVKK + KAİK regulations
  • Turkish support, response within business days
  • Cookies + accessibility in one embed, one invoice

Honestly: at international scale OneTrust is broader; for Turkish banking compliance we are more specific.

Industry scenarios

Banking profile examples.

The scenarios below are not real customer cases; they are representative examples showing common need profiles in the banking sector.

LARGE PRIVATE BANK

5M+ monthly visitors, 10+ subdomains

Multi-domain: corporate site, e-banking, mobile, campaign, careers. Independent KVKK/EAA policy for each domain. Whitelabel + corporate identity. Enterprise plan + custom SLA.

PARTICIPATION BANK

KAİK + KVKK dual compliance

BDDK scope + KAİK accessibility guide covered with a single embed. Turkish bank legal text templates ready.

INVESTMENT FIRM

SPK + IAB TCF programmatic

Client confidentiality + investor disclosure for firms subject to SPK regulations. IAB TCF 2.3 certified CMP, ready for the EU programmatic ecosystem.

FINTECH START-UP

5-min setup before BDDK audit

Get started right away with the free plan before a license application or annual audit. Consent log retention is ready ahead of the audit; switching to Enterprise is flexible as your team grows.

The scenarios above are not real customer references; they are representative needs profiles.
FAQ

Questions the banking sector asks

The most frequently asked questions on BDDK, KVKK, Law No. 5411, open banking and accessibility.

Why is cookie management critical in a BDDK information systems audit?
Under the BDDK Communiqué on the Procedures and Principles to Be Applied in Information Systems Management, banks must ensure that all components processing customer data (including websites) produce auditable audit logs. Consent records are considered among the records that can be presented in the audit file as "proof of customer consent". cerez.io's consent log infrastructure offers audit-ready logs (IP + timestamp + consent version) with 365+ day retention.
How does Banking Law No. 5411 affect cookies?
Article 73 of Law No. 5411 governs the client confidentiality obligation: data that can be linked to a customer falls within bank secrecy. Transferring data such as account numbers, customer IDs or CRM IDs to 3rd-party tools via cookies creates serious audit risk. With script blocking, cerez.io controls the load timing and data access of tools like GA4, Hotjar and Meta Pixel on a consent basis.
Why is WCAG 2.2 AA mandatory for a banking site?
The EAA Directive 2019/882 has been in force as of 28 June 2025; banking services fall directly within its scope. In Türkiye, according to TÜİK 2022 data, the population with disabilities is around 12.8 percent; access to e-banking is a fundamental right under Article 10 of the Constitution and Law No. 6701. cerez.io provides 11 accessibility profiles (visually impaired, elderly, dyslexia, cognitive) with a single embed.
What is the local advantage over a foreign CMP (OneTrust, Cookiebot)?
Three main advantages: (1) Data location: Article 9 of KVKK restricts the transfer of personal data abroad; consent log data is also within this scope. cerez.io is hosted in a data center in Türkiye, so in a BDDK audit the question "where is the consent data?" gets a clear answer. (2) Regulatory focus: KVKK, BDDK, KAİK expertise and Turkish legal text templates. (3) Support: Turkish-language support on business days, direct access for the bank's technical team.
How do open banking + consent management work?
Under the BDDK Open Banking Regulation, granular, withdrawable explicit consent is mandatory for sharing customer data with third-party providers (TPP). These principles are consistent with GDPR and KVKK. cerez.io's cookie consent infrastructure (category-based consent, audit log, re-consent widget) offers a reference model for the open banking API consent model.
Are card details stored in cookies?
No. cerez.io does not store or process sensitive data such as card details, account numbers, Turkish ID numbers or CVV in cookies. This data is processed in tokenized and encrypted form by payment infrastructure providers under PCI DSS Level 1 and Article 6 of KVKK. cerez.io only stores consent records: anonymous consent ID, IP hash, timestamp and the accepted categories.
How is the multi-domain setup configured?
Banks typically run between 5 and 15 subdomains: main corporate site, e-banking, mobile web, campaign, investor relations, careers. cerez.io's multi-domain architecture manages all domains under a single account; an independent banner color, language preference, consent categories and retention period can be defined for each domain. On Pro and higher plans, whitelabel allows integration of the bank's logo and corporate colors.
What is the difference between a demo call and a sales call?
Demo meeting (30 min, non-binding): live SDK setup with your technical team, a multi-domain example, consent log flow and WCAG widget test. Sales meeting (45-60 min, commercial process): including legal, procurement and IT security units; custom offer, SLA document and corporate contract terms (DPA, confidentiality, audit right). You can schedule both steps independently via the contact form; we get back to you within a business day.

A 30-minute demo with your banking team.

Live SDK setup with your technical + legal teams, a multi-domain example, consent log flow and WCAG widget test. Non-binding. Local hosting, Turkish-language support, BDDK + KVKK + EAA in a single package.

Note: cerez.io is not an institution that issues a "BDDK compliance certificate". It provides support for a configuration aligned with BDDK requirements; for certification, the official audit mechanisms must be carried out.


⚡ LEGAL REQUIREMENT Presidential Circular 2025/10: WCAG 2.2 A mandatory by 21 June 2026 for public institutions, municipalities, banks, universities, hospitals and schools · Penalty: 5.000–25.000 TL per finding
Details →