Security at Echo
We take security seriously. Learn about our security practices, compliance certifications, and how we protect your data.
- SOC 2 (In Progress)
- TLS 1.3 (Encryption)
- AES-256 (At Rest)
- US Region (Data Center)
Compliance & Certifications
We are committed to maintaining the highest security standards and are actively pursuing industry-recognized certifications.
We have partnered with a certified auditor and are actively working towards SOC 2 Type II certification. This certification validates our security controls for handling customer data.
Echo is a US-incorporated company (Delaware) with a subsidiary in Turkey. This structure allows us to serve global customers while maintaining compliance with local regulations.
Infrastructure Security
We build on enterprise-grade cloud infrastructure from industry-leading providers, inheriting their security certifications and best practices.
- DDoS protection
- Web Application Firewall (WAF)
- Automatic HTTPS/TLS
- Edge network encryption
- AES-256 encryption at rest
- TLS 1.3 in transit
- Automated backups
- Point-in-time recovery
- Encryption at rest
- TLS encryption
- Regional data isolation
- Access control
Security Compliance Checklist
Your data is protected at every stage with enterprise-grade security measures. Here's our complete security checklist.
| Category | Security Measure | Status |
|---|---|---|
| Data at Rest | | |
| Data in Transit | | |
| Access Control | | |
| Application Security | | |
| Infrastructure | | |
| Monitoring & Response | | |
Provided by: Vercel, Neon, Echo
All security measures are continuously monitored and regularly audited to ensure compliance.
Internal Policies
Our internal policies ensure consistent security practices across all operations.
Data Retention
We retain customer data only for as long as necessary to provide our services. Upon account termination, data is securely deleted within 30 days.
Employee Access
Access to production systems is restricted to essential personnel only. All access is logged and regularly audited.
Incident Response
We maintain a comprehensive incident response plan with defined procedures for identifying, responding to, and recovering from security incidents.
Vendor Management
All third-party vendors undergo security assessment before integration. We only partner with vendors that meet our security standards.
Secure Development
Our development practices include code reviews, automated security scanning, and regular dependency updates to minimize vulnerabilities.
Business Continuity
Our infrastructure is designed for high availability with automated failover and disaster recovery capabilities.
KVKK (Turkish Data Protection)
Important information for Turkish customers and data subjects. Echo processes personal data in accordance with applicable data protection laws.
Data Processing
We may collect and process user email addresses and behavioral data for marketing automation, product recommendations, and service improvement. This data is processed based on legitimate business interests and, where required, user consent.
Data Controller Responsibility
When Echo processes end-user data on behalf of our customers (e-commerce merchants), the merchant acts as the data controller and is responsible for obtaining necessary consents from their users under KVKK. Echo acts as a data processor in these scenarios.
Cross-Border Data Transfers
Our infrastructure is hosted in the United States. Data transfers to the US are conducted in compliance with applicable data protection requirements, including appropriate safeguards for international transfers.
Your Rights
Data subjects have rights including access, rectification, erasure, and objection to processing. To exercise these rights regarding data processed through Echo, please contact the respective merchant (data controller) or reach out to us at privacy@get-echo.ai.
Note: This information is provided for general guidance and does not constitute legal advice. Merchants using Echo are responsible for their own KVKK compliance, including maintaining appropriate VERBİS registrations if required and ensuring proper consent mechanisms are in place for their end users.
Security Questions?
Our team is available to answer any questions about our security practices and compliance status.