GDPR and KVKK Compliance Statement
At MXGate, we ensure full compliance with personal data protection and privacy standards.
Core Principle: Data Minimization + Purpose Limitation
At MXGate, we only process and store the minimum data necessary for service delivery. Email contents are analyzed in real-time and never permanently stored.
Data Controller / Service Provider
Company: İnetmar İnternet Hizmetleri Bil. Tek. San. Tic. Ltd. Şti.
Address: Mansuroğlu Mah, 286/1 Sokak No:16, Bayraklı / İzmir
Phone: +90 850 455 35 01
E-posta: destek@mxgate.com.tr
Processed Data Types and Retention Periods
| Data Type | Processed? | Stored? | Retention Period |
|---|---|---|---|
| Email Content | ✓ Real-time filtering | ✗ Not permanently stored | 0 |
| Header Information | ✓ | ✓ | 30-90 days |
| IP Address | ✓ | ✓ | 30-90 days |
| SPF/DKIM/DMARC Result | ✓ | ✓ | 90 days |
| Quarantined Email | ✓ | ✓ (Customer preference) | 7-30 days |
Important: MXGate does not permanently store email contents and does not display them outside of analysis purposes. Only technical metadata and header information are retained temporarily.
Technical Security Layers
1. SMTP Proxy Layer
- Email content processed in RAM
- Content not written to disk
- Only log metadata retained
2. Log Layer
- Stored on separate log server
- AES-256 disk encryption
- Role-based access control (RBAC)
3. Customer Isolation
- Domain-based logical separation
- Each customer only accesses their own logs
- Multi-tenant with mandatory data isolation
Security Measures
Data Processing Agreement (DPA)
As Data Processor
The Service Provider processes personal data on behalf of the Data Controller solely for technical transmission, spam filtering, threat analysis, and delivery verification purposes within the scope of email security services.
Service Provider Commitments:
- ✗ Does not permanently store email contents
- ✓ Only processes header and technical metadata
- ✗ Does not use data for other purposes
- ✗ Does not share with third parties
- Provides written notification if sub-processor used
Processed Data Types
- Email addresses
- IP addresses
- Mail header information
- Security scores
- SPF/DKIM/DMARC results
Retention Period
Header and log data are stored for a maximum of 90 days and automatically deleted.
Data Breach Notification
In case of a potential data breach:
- 72h — GDPR Compliant Notification: Data Controller informed within 72 hours
- KVKK: Notification made within reasonable time
Data Subject Rights
Under KVKK and GDPR, data subjects have the right to:
- Learn if their data is being processed
- Request correction
- Request deletion or destruction
- Object to processing
* These requests are processed through the relevant Data Controller (customer organization).