KK UNİVERSAL TURİZM KONAKLAMA GAYRİMENKUL VE GELİŞTİRME A.Ş.
INFORMATION SECURITY POLICY
1. PURPOSE AND SCOPE
KK UNİVERSAL TURİZM KONAKLAMA GAYRİMENKUL VE GELİŞTİRME A.Ş. ("KK Universal"); ensuring the confidentiality, integrity and availability of all information processed within our real estate development, accommodation and asset management processes is a fundamental operating principle.
This policy covers all employees, managers, business partners, suppliers and other parties acting on behalf of KK Universal. It governs the Company's commitments regarding the protection of digital and physical information assets and the responsibilities for implementing those commitments.
2. FUNDAMENTAL PRINCIPLES
KK Universal regards ensuring the continuity of the three fundamental elements of information security in all activities carried out as a priority:
- Confidentiality: Ensuring that information is accessible only to authorised persons; preventing unauthorised access, disclosure or sharing.
- Integrity: Protecting information from unauthorised alteration; ensuring that any modification during transfer or processing can be detected.
- Availability: Ensuring that information can be used securely by authorised users at the time it is needed.
3. INFORMATION SECURITY MANAGEMENT SYSTEM
KK Universal manages its information security processes in accordance with internationally recognised standards (TS EN ISO/IEC 27001:2022 Information Security Management System standard) and in line with the "One platform, one standard" vision.
Within this framework, the obligations undertaken by management are as follows:
- To communicate this policy to all employees; to provide the necessary resources, training and leadership for the policy to be put into practice.
- To ensure compliance with applicable legislation, the TS EN ISO/IEC 27001:2022 standard, contracts, and internal policies and procedures in information security management.
- To conduct risk assessments at regular intervals for the purpose of protecting information assets; to take the necessary actions against identified risks.
- To implement the principle of segregation of duties and the in-process control system.
- To monitor the effectiveness of the Information Security Management System through internal audits; to include audit results in management review processes and to continuously improve the system.
- To take the necessary technical and administrative measures against information security breaches; to immediately activate established procedures in the event of a breach.
4. TECHNOLOGICAL INFRASTRUCTURE AND DATA PROTECTION
KK Universal uses up-to-date cybersecurity technologies to protect its digital assets.
- The Webflow-based platform and cloud systems are protected by data encryption, regular backups and continuous monitoring protocols against cyber threats.
- Identity verification and authorisation control mechanisms are applied for system access; access authorisations are defined in accordance with the "least privilege" principle.
- Security vulnerabilities are scanned at regular intervals; identified vulnerabilities are remediated in order of priority.
- Personal data is processed and protected within the framework of the technical security obligations under Law No. 6698 on the Protection of Personal Data (KVKK) and related legislation.
5. BUSINESS CONTINUITY AND DISASTER RECOVERY
Comprehensive Business Continuity and Disaster Recovery plans are prepared and tested at regular intervals to ensure that operations and guest services can be maintained without interruption in the event of possible technical failures, cyberattacks or force majeure situations.
- Backup processes are defined for critical systems and data; the integrity of backups is verified periodically.
- Response procedures and chains of responsibility for emergency scenarios are established in advance.
- Ensuring the uninterrupted continuation of core and supporting business activities is the direct responsibility of senior management.
6. EMPLOYEE AWARENESS AND TRAINING
Information security is not merely a technical matter but an integral part of corporate culture.
- All employees and business partners are obliged to comply with information security protocols in accordance with their level of authorisation.
- Information security awareness training is organised upon commencement of employment and on a periodic basis thereafter.
- The information security awareness of internal and external stakeholders is kept at a high level; relevant obligations are clearly communicated and compliance is encouraged.
- Policy violations are addressed within the scope of disciplinary procedures.
7. THIRD-PARTY AND SUPPLIER RELATIONSHIPS
All technology providers, suppliers and business partners working with KK Universal are expected to ensure full compliance with information security standards.
- Confidentiality and data security obligations are contractually bound in all professional relationships.
- Third-party access to information systems is limited to business needs, monitored, and immediately terminated upon the expiry of the contract.
- Suppliers' compliance with information security requirements is assessed periodically.
8. REVIEW AND UPDATE
This policy is reviewed at least every two years or in the following circumstances:
- A significant change in applicable legislation or international standards.
- A serious information security breach occurring.
- A fundamental transformation in the Company's field of activity or technological infrastructure.
The results of the review are approved by senior management and communicated to all relevant parties.
(Last Updated: June 2026)
