Legal Protection of SaaS in Turkey: Structural Framework

Legal protection framework for SaaS providers operating in Turkey covering service contract characterization, intellectual property protection under FSEK and SMK, KVKK compliance with cross-border transfers under 2024 reform, platform liability and takedown procedures, dispute resolution, open source licensing, e-commerce localization, and investment due diligence for software providers, platform operators, and investors

Software-as-a-service (SaaS) legal protection in Turkey operates at the intersection of private law frameworks governing the service-plus-license commercial relationship, intellectual property law protecting the underlying software assets, data protection law governing the personal data processing that pervades SaaS operations, platform-specific regulation addressing hosting and takedown obligations, consumer and e-commerce law for B2C relationships, dispute resolution frameworks spanning arbitration and litigation, and ongoing compliance across multiple regulatory dimensions. The foundational private law framework derives from the Turkish Code of Obligations No. 6098 (TBK), with SaaS typically characterized as an atypical (atipik) or mixed (karma) contract combining elements of the contract for work (istisna / eser sözleşmesi — TBK Articles 470-486), the agency contract (vekâlet sözleşmesi — TBK Articles 502-514), and license elements, rather than fitting a single traditional contract category. Intellectual property protection operates through the Intellectual and Artistic Works Law No. 5846 (FSEK) with computer programs protected as literary and scientific works (ilim ve edebiyat eserleri) under Article 2, and the Industrial Property Law No. 6769 (SMK) with limited software patentability under Article 82/2(c) following the European Patent Convention approach. Data protection compliance flows from the Personal Data Protection Law No. 6698 (KVKK) with Article 9 governing cross-border transfers as reformed by Law No. 7499 (published in Resmi Gazete No. 32487 dated 12 March 2024, effective 1 June 2024 with a transition period until 1 September 2024) establishing the three-tier adequacy-safeguards-derogations architecture. Electronic commerce operations fall under the Electronic Commerce Regulation Law No. 6563 with pre-contractual information obligations and distance contract provisions.
Consumer protection under Law No. 6502 applies to B2C relationships with unfair terms control under Article 5 and the 14-day withdrawal right for distance contracts under Article 48. Electronic signatures operate under Law No. 5070, with qualified electronic signatures (nitelikli elektronik imza) having legal weight equivalent to handwritten signatures. Internet content regulation under Law No. 5651 addresses hosting obligations, takedown procedures, and content-related frameworks. E-invoice (e-fatura) and e-archive (e-arşiv) obligations under Tax Procedure Law No. 213 and the General Communique on Electronic Documents No. 509 affect billing operations for qualifying taxpayers. Dispute resolution operates through Turkish courts under HMK No. 6100, international arbitration under MTK No. 4686 including ISTAC institutional alternatives, mediation under Law No. 6325, and foreign arbitral award enforcement under the New York Convention 1958. Practice may vary by authority and year, and integrated compliance architecture benefits from systematic attention because these frameworks interact in ways that isolated compliance cannot address. A lawyer in Turkey coordinating SaaS legal protection establishes the foundation that supports the provider's business lifecycle from MVP through scale to eventual exit.

SaaS legal characterization: service contract, license, and sui generis framework

A Turkish Law Firm addressing SaaS legal characterization works through the analytical framework that determines which TBK provisions govern the relationship. SaaS does not fit cleanly within traditional TBK categories — it is neither a simple sale of goods (TBK Articles 207-281 apply to sales of tangible movable goods), nor an employment contract (hizmet sözleşmesi under TBK Articles 393-469 addresses employer-employee relationships), nor a pure license (which operates as an atypical contract). The typical characterization treats SaaS as an atypical or mixed contract combining elements from several traditional categories: the contract for work (istisna / eser sözleşmesi under TBK Articles 470-486) for result-oriented elements of software delivery and configuration, the agency contract (vekâlet sözleşmesi under TBK Articles 502-514) for ongoing service and support, license elements for the customer's authorized use of the platform, and data processing elements where customer personal data is handled. The applicable framework for a specific SaaS relationship may therefore draw from TBK general contract provisions (Articles 1-206), the specific contract type provisions for each elemental component, intellectual property framework for license elements, and KVKK framework for data processing components. CISG (the Vienna Convention on Contracts for the International Sale of Goods) generally does not apply to SaaS because SaaS is a service relationship rather than a sale of goods transaction, so international SaaS disputes do not benefit from the uniform Vienna framework and must be resolved under the applicable national law. The characterization matters for every downstream question — performance standards, breach remedies, termination framework, statutes of limitations, and implied warranties all depend on which statutory provisions supply the default rules that the contract does not displace. 
For framework on confidentiality and non-disclosure agreements commonly integrated into SaaS licensing, readers can consult our NDA guide for Turkey. Practice may vary by authority and year, and SaaS characterization requires Turkish legal analysis because the framework application affects commercial and legal outcomes materially.

Turkish lawyers who address SaaS agreement provisions work through the architecture that translates the hybrid characterization into enforceable contractual relationships. A Master Services Agreement (MSA) establishes the foundational framework with order forms or service descriptions defining terms for each customer engagement. Service scope definition distinguishes subscription services from services requiring separate agreement including customization, integration services, training, and professional services. Service level agreements (SLAs) define availability commitments (typically expressed as percentage uptime such as 99.5% or 99.9%), performance standards for throughput or response time, incident response commitments, support response times by severity tier, and remedies for performance shortfalls including service credits, extended terms, or termination rights for material or repeated breach. Support architecture including support tiers, response time commitments, communication channels (email, ticketing, phone, chat), and escalation pathways supports practical service delivery. License scope provisions addressing permitted use, user count limitations, geographic scope, and use restrictions define the commercial boundary. Intellectual property provisions addressing ownership of the underlying platform (remaining with the provider), customer rights to use the platform under subscription, ownership of customer-specific customizations or configurations, ownership of customer data (typically remaining with the customer), and derivative works allocations establish the IP framework. Data handling provisions addressing the provider's role as data processor handling customer personal data, security commitments, data location, retention, and return or destruction at termination integrate data protection. 
Termination provisions including termination rights (for cause, for convenience, for material breach), consequences, data return mechanics, and survival of specific provisions structure the lifecycle. Limitation of liability and indemnification allocate risks with attention to mandatory TBK Article 115 provisions limiting contractual waiver for gross negligence and intentional misconduct. Practice may vary by authority and year, and SaaS agreement drafting benefits from industry templates adapted to Turkish law.

An English speaking lawyer in Turkey coordinating click-wrap and browse-wrap enforceability analysis addresses the framework determining whether online-accepted SaaS terms bind users. Click-wrap agreements where users actively indicate acceptance through specific action such as checking an "I agree" box or clicking an acceptance button generally produce enforceable agreements under Turkish law when implemented with clear prominence of terms, unambiguous acceptance action, and documentation of the acceptance event (logging user ID, IP, timestamp, and terms version accepted). Browse-wrap agreements, where terms are merely posted with a link without requiring user acceptance action, are considerably weaker and may not produce enforceable agreements depending on prominence, user awareness, and other factors. Best practice implementation for material terms includes required user action (not merely a passive opportunity to decline), clear visibility of the terms (not hidden in a lengthy scrolling document below the fold), specific logging of acceptance with verification-ready records, and preservation of the terms version accepted for future verification when disputes arise years later. Subscription auto-renewal requires careful handling under consumer protection framework for B2C relationships — prominent pre-renewal disclosure, accessible cancellation mechanisms, and renewal notice obligations support compliant implementation. Unfair terms analysis under Consumer Protection Law No. 6502 Article 5 applies to B2C SaaS relationships, with unfair terms (terms that cause significant imbalance against consumer rights contrary to good faith) facing enforceability limitations even where technically included in agreed terms. 
Amendment mechanics for SaaS terms where providers need to update terms periodically require a framework addressing user notification, reasonable opportunity to terminate if not accepting changes, and practical implementation that respects the consumer's position under the amended terms. Practice may vary by authority and year, and click-wrap architecture benefits from attention to implementation details because generic approaches may fail to produce enforceable agreements.

Intellectual property: FSEK 5846 software copyright and SMK 6769

A lawyer in Turkey coordinating software intellectual property protection under Turkish law works within the framework where software receives protection primarily through copyright under FSEK No. 5846 with complementary frameworks. FSEK Article 1/B defines computer programs as "expressed set of instructions that can be executed, directly or indirectly, on a device capable of processing data, and the preparatory design materials resulting in such sets of instructions." FSEK Article 2 categorizes computer programs under literary and scientific works (ilim ve edebiyat eserleri), establishing that software enjoys copyright protection arising automatically upon creation without registration requirement. Protection scope covers the literal code expression, the internal architecture reflected in the code, preparatory materials, and related documentation. Algorithms as abstract mathematical concepts are not protected by copyright — the expression of an algorithm in code is protected, but the underlying abstract concept remains free for others to implement in their own independent code. Optional registration through the Ministry of Culture and Tourism's Directorate General of Copyright (Kültür ve Turizm Bakanlığı Telif Hakları Genel Müdürlüğü) provides documentary evidence of creation and date, supporting enforcement, though registration is not a prerequisite for copyright protection. Patent protection under SMK No. 6769 has limited application to software under the European Patent Convention approach — SMK Article 82/2(c) excludes computer programs from patentable subject matter when claimed "as such," though computer-implemented inventions producing a technical effect beyond the software itself may qualify for patent protection (the so-called "technical character" requirement).
Trade secret protection under Turkish Commercial Code No. 6102 Articles 54-63 (unfair competition provisions) and contractual frameworks supplements copyright for proprietary algorithms, business logic, operational know-how, and customer data. Database protection under FSEK Additional Article 8 (database sui generis right, inspired by EU Directive 96/9/EC) provides an additional layer for databases representing substantial investment in the obtaining, verification, or presentation of the contents. For framework on software copyright in Turkey including enforcement mechanics, readers can consult our software copyright guide. Practice may vary by authority and year, and software IP architecture benefits from layered protection combining copyright, limited patent where applicable, trade secret, and contractual protections.

Turkish lawyers who address IP ownership discipline for SaaS operations work through the chain-of-title issues that frequently surface during investor due diligence, customer acquisition, or M&A transactions. Employee-created IP under Labor Law No. 4857 and FSEK Article 18/2 typically belongs to the employer where the work is created within the scope of employment duties, though express contractual assignment language is recommended to eliminate ambiguity. Contractor and freelancer-created IP does not automatically belong to the commissioning party without express assignment — generic service contracts often fail to produce effective IP transfer, and Turkish courts construe assignments narrowly. Effective contractor assignments include specific identification of the IP created, express assignment of all rights including moral rights to the extent waivable (manevi haklar under FSEK are substantially non-transferable but usage consents can reduce practical friction), warranties regarding authorship and freedom from third-party claims, and indemnification. Founder pre-existing IP contributed to SaaS operations requires explicit assignment documentation executed at company formation or contribution time — retrospective "look back" assignments years later face enforceability questions and can surface as diligence red flags. Co-founder joint development during early stages requires attention to ownership attribution and clean allocation among founders before external investors enter. Third-party IP incorporation including licensed components, stock images or content, and acquired IP requires documentation of acquisition terms and ongoing compliance with license terms. 
Sub-processor IP flowing through the SaaS technology stack — cloud infrastructure (AWS, Azure, Google Cloud), database services, AI and ML providers, analytics services — requires analysis of flow-through terms affecting customer-facing commitments, particularly on data rights, IP indemnification, and security commitments. For framework on software agreements addressing chain-of-title and IP assignment drafting, readers can consult our software agreement legal basics guide. Practice may vary by authority and year, and IP chain-of-title discipline should be established from day one because retroactive remediation typically requires substantial effort.

An Istanbul Law Firm coordinating IP enforcement strategy for SaaS providers addresses the framework that translates IP rights into practical protection when infringement occurs. Evidence preservation for suspected infringement — website screenshots with timestamps, access logs showing unauthorized use, behavioral evidence of code copying (not just functional similarity but textual similarity that copyright law protects), and witness statements — forms the foundation for subsequent enforcement. Cease-and-desist letters as initial enforcement communication provide opportunity for voluntary cessation before formal proceedings, with attention to content that supports subsequent enforcement if voluntary cessation does not occur (identifying the infringing conduct specifically, asserting the rights holder's entitlement, demanding cessation, and preserving rights for escalation). Civil enforcement through specialized Intellectual and Industrial Rights Civil Courts (Fikri ve Sınai Haklar Hukuk Mahkemeleri) provides the primary framework for civil IP disputes, with interim injunction (ihtiyati tedbir) under HMK Articles 389-399 available for urgent preservation of rights. Criminal enforcement under FSEK Article 71 is available for specific categories of copyright infringement, though prosecution generally requires complainant initiation (şikayete bağlı) for most offenses. Administrative enforcement through TÜRKPATENT under SMK framework provides additional pathways for trademark and patent matters. Customs enforcement under Customs Law No. 4458 and the IP-customs framework supports border interception of goods containing infringing IP. Online enforcement including platform notice-and-takedown procedures, DMCA-equivalent mechanisms where the platform operates under US framework, DNS-related enforcement through RIR and registrar complaints, and Law No. 5651 procedures where content is hosted in Turkey addresses internet-hosted infringement. 
International enforcement coordination where infringement crosses borders requires multi-jurisdictional strategy with attention to the most effective enforcement forum, often driven by where the infringer's assets, customer base, or hosting infrastructure is located. Practice may vary by authority and year, and IP enforcement benefits from early engagement because evidence degrades and strategic options narrow over time.

KVKK compliance and data processing under Article 9 framework

A Turkish Law Firm coordinating KVKK compliance for SaaS operations works through the integrated framework applicable where SaaS providers handle personal data of Turkish data subjects or operate through Turkish legal presence. Data controller and processor characterization addresses the SaaS provider's role: when the provider determines purposes and means of processing (for its own operational purposes including analytics, security, service improvement, and platform-level personalization), it operates as data controller; when the provider processes customer data on behalf of the enterprise customer who determines purposes and means, it operates as data processor; when both elements coexist in the same processing scope, joint or dual-role analysis applies. Data processing agreement (DPA) architecture with enterprise customers addresses the processor role including processing purposes, subject categories, personal data categories, processing duration, controller's rights and obligations, processor's security obligations, sub-processor engagement requirements (typically requiring controller consent or notification), data subject request handling, data breach notification within the statutory window (72 hours to the Board under current framework), deletion or return at termination, and audit rights — addressing the requirements under KVKK Article 12 data security obligations and accompanying regulation. Privacy notice architecture addresses the information obligation under KVKK Article 10 requiring clear disclosure to data subjects about controller identity, processing purposes, recipients, processing methods and legal basis, and data subject rights. Layered notice architecture providing essential information prominently with detailed information available on request supports both compliance and user experience. 
VERBIS (Veri Sorumluları Sicili) registration where applicable thresholds are met based on employee count, annual balance sheet, or data processing categories provides the formal registry of controller status; exemption criteria and thresholds are periodically updated. Data subject rights handling under KVKK Article 11 including access, rectification, deletion (erasure), objection to automated decision-making, and other rights requires operational infrastructure capable of responding within the thirty-day statutory window under the Data Controller Application Regulation (Veri Sorumlusuna Başvuru Yönetmeliği). For detailed framework on KVKK audit defense including Authority inspection preparation, readers can consult our KVKK audit defense guide. Practice may vary by authority and year, and KVKK compliance architecture benefits from privacy-by-design implementation during technical development rather than retrofit after launch.

Turkish lawyers who address the reformed cross-border data transfer framework work within KVKK Article 9 as amended by Law No. 7499 (published in Resmi Gazete No. 32487 dated 12 March 2024), effective 1 June 2024 with a transition period during which the former regime's explicit-consent basis remained usable until 1 September 2024. The reform establishes a three-tier transfer architecture. First tier — adequacy-based transfers apply where the Personal Data Protection Board issues a formal adequacy decision for the destination country, a specific sector within a country (sectoral adequacy is newly recognized), or an international organization, with adequacy decisions subject to reassessment at least every four years; as of this guide's drafting, the Board has not yet published any adequacy decisions. Second tier — appropriate safeguards-based transfers apply through several mechanisms: standard contractual clauses (SCCs) published by the Board on 10 July 2024 and usable without modification except for the optional clauses expressly permitting alternative content, binding corporate rules (BCRs) for intra-group transfers within multinational groups with the BCR application form and guidelines published by the Board on 10 July 2024, international agreements between public institutions, or written undertakings (yazılı taahhütname) with Board approval for transfers outside SCC and BCR paths. Standard contractual clause-based transfers require notification to the Authority within five business days of execution through the Data Transfer Module (Veri Aktarım Modülü), with administrative fines of 50,000 to 1,000,000 Turkish Lira for failure to notify. 
Third tier — derogations under KVKK Article 9/6 apply to enumerated narrow circumstances including explicit consent of the data subject to the specific transfer, contract necessity specific to the transfer context, public interest, legal claims establishment or defense, vital interest protection, and specific other narrow grounds; derogations are not suitable for ongoing routine transfers. The Regulation on Procedures and Principles Regarding Transfer of Personal Data Abroad (Resmi Gazete No. 32598 dated 10 July 2024) specifies implementation. Law No. 7499 also changed appellate jurisdiction for KVKK administrative fines from sulh ceza magistrate courts to administrative courts. SaaS operations typically involve substantial cross-border flows — cloud infrastructure, analytics, communication platforms, AI and ML services — and transfer inventory documenting each flow with its legal basis and applicable mechanism supports systematic compliance. Practice may vary by authority and year, and cross-border transfer compliance under the reformed framework benefits from systematic architecture.

An English speaking lawyer in Turkey coordinating GDPR-KVKK harmonization for international SaaS providers addresses the framework where providers serving both EU and Turkish data subjects manage compliance across both. KVKK and GDPR share substantial structural similarities — lawful basis requirements, data subject rights, accountability, breach notification — supporting coordinated compliance, and the 2024 KVKK reform moved KVKK significantly closer to GDPR on cross-border transfers. Key differences remain: the specific lawful basis list under GDPR Article 6 and KVKK Article 5 overlap but are not identical; the cross-border transfer architecture still differs in details despite reform (GDPR Chapter V versus KVKK Article 9); data subject rights implementation (GDPR Articles 12-22 versus KVKK Article 11) overlap but have procedural differences; breach notification timing (both 72 hours but with different reporting authorities and thresholds); and enforcement mechanics and penalty framework differ substantially. DPO (Data Protection Officer) appointment under GDPR Article 37 in specific circumstances does not have a direct KVKK equivalent; Turkish practice uses veri sorumlusu temsilcisi for foreign-established controllers without Turkish presence but processing Turkish data subjects. Consent mechanics under both frameworks require informed and specific consent, with GDPR's explicit consent for special category data comparable to KVKK Article 6 special category data requirements. Technical and organizational measures appropriate under both frameworks support integrated security. Privacy notices can use integrated templates covering both frameworks or jurisdiction-specific notices depending on approach; integrated notices are efficient but risk leaving one regime under-served. DPA templates can often be drafted in a single form covering both GDPR Article 28 and KVKK Article 12 processor requirements, with jurisdiction-specific annexes. 
Breach response coordination addressing both GDPR Article 33-34 and KVKK notification obligations supports efficient incident response. Practice may vary by authority and year, and coordinated GDPR-KVKK compliance benefits from expertise in both frameworks because isolated single-framework analysis often misses coordination opportunities and compliance gaps.

Platform liability, SLA architecture, and takedown procedures under Law 5651

A lawyer in Turkey addressing SaaS platform liability works through the framework combining contractual liability allocation with regulatory obligations applicable to online platforms. Contractual liability allocation through SaaS agreement provisions includes limitation of liability caps tied to contract values (commonly 12-month paid fees), exclusions for indirect and consequential damages where permissible, indemnification for IP infringement claims and data breach claims, and warranty scope and disclaimer provisions. SLA performance commitments with specific availability percentages, performance metrics, response times, and service credit or termination remedies for shortfalls translate operational commitments into contractual structure. Force majeure (mücbir sebep) and impossibility (ifa imkansızlığı) provisions under TBK Article 136 and hardship (aşırı ifa güçlüğü) under TBK Article 138 address scenarios where external events affect service delivery and may justify performance adjustment or termination. Mandatory provisions on liability waiver include TBK Article 115 making contractual waiver of liability for gross negligence and intentional misconduct unenforceable as against public policy, and consumer protection framework preventing certain waivers against consumers. Consumer protection context under Law No. 6502 for B2C relationships imposes mandatory protections including unfair terms control under Article 5, 14-day withdrawal right under Article 48, and specific mandatory information obligations that cannot be waived. Internet Content Law No. 5651 applies to SaaS platforms that host user-generated content, act as hosting service providers (yer sağlayıcı under Article 2/m), or provide internet access in defined configurations, with obligations including content removal upon specific notifications, user information preservation, privacy-protection mechanisms, and operational compliance.
For framework on cybersecurity law compliance integrating with platform liability architecture, readers can consult our cybersecurity law compliance guide. Practice may vary by authority and year, and platform liability architecture benefits from integrated contractual and regulatory framework because generic contract provisions often fail to address regulatory requirements.

Turkish lawyers who address Internet Content Law No. 5651 obligations for SaaS platforms work through the compliance framework applicable to hosting providers. Hosting provider obligations under Law No. 5651 include response to official content removal requests from competent authorities, preservation of user connection information (traffic data) for one to two years under specific categories for law enforcement use when legally requested, cooperation with privacy-protection mechanisms, and operational registration under BTK (Bilgi Teknolojileri ve İletişim Kurumu — Information and Communication Technologies Authority) framework for qualifying providers. Content removal procedures operate through multiple articles: Article 8 addresses access blocking (erişim engelleme) for content related to catalog offenses specifically identified in the Law (including obscenity, gambling, narcotics promotion, Atatürk-related offenses, and others), with blocking orders issued by judges, prosecutors in specific emergency cases, or BTK in specified categories. Article 8/A addresses access blocking for national security, public order, and similar grounds with BTK authority and judicial confirmation pathway. Article 9 addresses content removal (içerik çıkarma) and access blocking for violation of personal rights, operating through a request to the hosting or content provider first, with judicial application if the direct request is not satisfied within 24 hours. Article 9/A specifically addresses privacy violations (özel hayatın gizliliğinin ihlali) with an accelerated procedure for content affecting individual privacy, permitting BTK access-blocking within specific timeframes and judicial confirmation. Notice-and-takedown procedures for IP-related content follow separate framework under FSEK and SMK as described above. 
Counter-notice procedures where content posters may challenge takedown decisions support balanced content moderation, though the specific procedural protections vary by the takedown basis. Cross-border platform considerations where international SaaS platforms face Turkish takedown obligations require analysis of compliance pathway — direct platform response, Turkish representative appointment under Law 7253 (the so-called "social media law"), or Turkish infrastructure decisions. Practice may vary by authority and year, and Law No. 5651 compliance for SaaS platforms benefits from specialist regulatory counsel.

An Istanbul Law Firm coordinating sectoral SaaS compliance addresses the framework where SaaS platforms serving regulated sectors face additional requirements beyond general SaaS regulation. Fintech SaaS platforms supporting financial services may require integration with Banking Law No. 5411 for bank-facing services (including outsourcing rules under BDDK regulation limiting certain critical functions from full outsourcing), Capital Markets Law No. 6362 for capital markets services, Payment Services and Electronic Money Law No. 6493 for payment-related services (with licensing through BDDK), AML framework under MASAK Law No. 5549, and other financial sector frameworks. Healthtech SaaS platforms supporting health services face additional compliance including Basic Health Services Law No. 3359, the Patient Rights Regulation, enhanced KVKK Article 6 requirements for health data as special category data (including the requirement under pre-2024 framework for either explicit consent or the narrow legal exceptions), the Regulation on Provision of Remote Health Services published in Resmi Gazete dated 10 February 2022 establishing the telemedicine framework, and Ministry of Health licensing where the SaaS itself qualifies as a medical device or provides medical services directly. Government and public sector SaaS may require specific security certifications, audit requirements, and public procurement compliance under Public Procurement Law No. 4734. Critical infrastructure SaaS under the national cybersecurity framework may require enhanced security and operational obligations. Third-party certifications including ISO 27001 (information security management), ISO 27701 (privacy information management), SOC 2 Type II (service organization controls), and industry-specific certifications support customer confidence and regulatory compliance.
E-invoice (e-fatura) and e-archive (e-arşiv) obligations under Tax Procedure Law No. 213 and the General Communique on Electronic Documents No. 509 affect billing operations for taxpayers meeting gross sales thresholds (currently 3 million TL for most categories, adjusted periodically), requiring electronic ledger (e-defter) integration and electronic delivery note (e-irsaliye) capabilities in specific scenarios. Practice may vary by authority and year, and sectoral SaaS compliance benefits from integrated specialist advice.

Dispute resolution, jurisdiction, and enforcement

A Turkish Law Firm designing dispute resolution architecture for SaaS agreements works through the framework balancing enforceability, efficiency, and commercial characteristics. Jurisdiction selection between Turkish courts and foreign courts depends on business characteristics — Turkish court selection may suit primarily Turkish customer bases and enables faster enforcement against Turkish assets, while foreign court selection requires attention to MÖHUK Articles 50-58 recognition and enforcement framework in Turkey, including reciprocity requirements (de facto or by treaty) and public order (kamu düzeni) review. Arbitration selection provides alternative dispute resolution with benefits including specialized expertise, procedural flexibility, confidentiality, and typically faster resolution than court litigation. International arbitration under MTK No. 4686 permits institutional administration through ISTAC (Istanbul Arbitration Centre) for Turkey-seated arbitration with costs comparable to other regional institutions, ICC for globally-recognized institutional arbitration with higher costs but strong enforcement pedigree, SIAC, HKIAC, LCIA for other centers, or UNCITRAL rules for institution-less ad hoc administration. Seat selection determines procedural law applicable to the arbitration with implications for court support, interim measures, and annulment challenges. Drafting supporting enforceability includes clear scope definition (what disputes are arbitrable), specific number of arbitrators (one or three), appointment mechanisms, language selection, seat and venue selection, and procedural framework references. Mandatory mediation under Law No. 6325 applies to commercial disputes involving monetary claims under Law No. 7155 (effective 2019) and extended to certain property and labor disputes, and the mediation requirement must be satisfied before litigation — though arbitration agreements can contract out of mandatory mediation for commercial disputes. 
Choice of law under MÖHUK Article 24 generally permits party selection subject to mandatory provisions and public order, though consumer protection mandatory provisions under Law No. 6502 apply regardless of party choice for B2C relationships with Turkish consumers. For framework on international enforcement of Turkish judgments in cross-border SaaS disputes, readers can consult our international enforcement guide. Practice may vary by authority and year, and dispute resolution architecture benefits from prospective design through contract provisions because retroactive forum selection typically produces worse outcomes.

Turkish lawyers who address B2C versus B2B distinction in SaaS dispute resolution work through the framework where consumer protection significantly affects dispute resolution for B2C relationships. Consumer arbitration limitations under Law No. 6502 mean that arbitration clauses in consumer contracts may face enforceability limitations where they would limit consumer remedy options otherwise available under consumer protection framework. Consumer court jurisdiction for consumer disputes under specific value thresholds is specialized with simpler procedure and consumer-protective rules. Consumer arbitration committees (Tüketici Hakem Heyetleri) for small-value consumer disputes below the thresholds periodically updated (currently set levels apply under adjusting regulation) provide specialized consumer-focused resolution with binding decisions subject to limited judicial review. The 14-day withdrawal right (cayma hakkı) under Article 48 of Law No. 6502 for distance contracts affects SaaS subscription structures — the right applies unless the service is fully performed with express consumer consent within the 14-day window, and SaaS subscriptions that provide immediate full access typically trigger this exception while fee-based tiered access may not. Unfair terms analysis under Article 5 may invalidate provisions that impose disproportionate burden on consumers, even if technically agreed, and the unfair terms analysis examines specific clauses in the specific consumer context. B2B relationships where consumer protection does not apply provide broader contractual flexibility — more extensive limitation of liability, more specific arbitration requirements, more aggressive termination provisions, and more restrictive warranty limitations. 
Mixed customer bases serving both consumers and businesses require tiered documentation with B2C and B2B variants addressing the different frameworks, or unified documentation drafted to satisfy the more restrictive B2C framework throughout. Automatic customer classification during signup based on indicators (business name, tax ID, employee count) supports operational compliance across the mixed base. Practice may vary by authority and year, and B2C-B2B distinction benefits from specific documentation architecture.

An English speaking lawyer in Turkey coordinating cross-border enforcement strategy for SaaS providers addresses the framework where enforcement crosses national boundaries. Turkish provider enforcement abroad against foreign customers depends on the specific foreign jurisdiction's recognition framework for Turkish judgments or arbitral awards. Foreign arbitral awards originating in Turkish-seated arbitration benefit from favorable enforcement under the New York Convention 1958 in over 170 signatory countries, with narrow grounds for refusal under Convention Article V (invalidity of agreement, lack of notice, award exceeding scope, composition irregularity, award not yet binding, subject matter non-arbitrable in enforcement forum, public policy). Turkish court judgment enforcement abroad depends on the specific foreign framework — some countries have bilateral treaties with Turkey providing recognition, others apply reciprocity practice, and others may not recognize Turkish judgments at all. Foreign provider enforcement in Turkey against Turkish customers operates through MÖHUK Articles 50-58 for foreign judgments or New York Convention for arbitral awards — arbitral awards typically enjoy smoother enforcement, while foreign judgments face the reciprocity, public order, and procedural fairness review. Asset recovery across jurisdictions where customer assets are distributed internationally requires coordination between jurisdictions and investigation of asset location. Interim measures across jurisdictions addressing asset preservation during proceedings require analysis of the interim measures available at each relevant seat and jurisdiction, with attention to recognition and enforcement of interim measures orders. Sector-specific compliance during cross-border enforcement — foreign exchange (Decision No. 32), tax (withholding obligations), data protection (cross-border transfer in enforcement context) — may affect enforcement mechanics. 
Practice may vary by authority and year, and cross-border SaaS enforcement benefits from integrated multi-jurisdictional planning.

Open source software licensing and compliance

A lawyer in Turkey coordinating open source software (OSS) compliance for SaaS operations works through the framework where OSS components commonly integrated into SaaS platforms produce license obligations depending on the OSS licenses involved. Permissive OSS licenses — MIT, BSD (2-clause and 3-clause), Apache 2.0 — generally permit incorporation into proprietary software with limited obligations: attribution to the original author, license notice preservation and distribution, a notice of changes for some licenses, and patent grant provisions under Apache 2.0. These licenses do not require source code disclosure of the larger work that incorporates the OSS component. Copyleft OSS licenses impose more extensive obligations that can affect proprietary software incorporation. Strong copyleft licenses — GPLv2 and GPLv3 — generally require that derivative works be distributed under the same license with source code availability to recipients of the compiled software. Weak copyleft licenses — LGPLv2.1 and LGPLv3 — permit proprietary linking under specific conditions (typically requiring that the LGPL library remain replaceable and that the user be able to relink a modified version), with more limited obligations than full GPL. The SaaS delivery model has specific implications for OSS obligations. SaaS providers typically do not "distribute" software in the traditional sense — users access a hosted service rather than receiving software copies — and this affects obligations under licenses that tie requirements to distribution. Under GPLv2 and GPLv3, the internal use of GPL software for providing hosted services (without distribution of the software itself) does not trigger the copyleft distribution obligation, an exception commonly called the "ASP loophole" or "SaaS loophole."
However, AGPL (Affero GPL, both AGPLv3 and the earlier AGPLv1) specifically closes this loophole by triggering copyleft obligations when software is made available to users over a network even without traditional distribution — AGPL therefore creates source code availability obligations for SaaS providers using AGPL-licensed components, and AGPL components must be carefully managed or avoided in proprietary SaaS platforms. OSS inventory and compliance tracking through systematic OSS component identification (build-time and runtime), license identification, obligation tracking, and compliance documentation supports systematic management. For framework on intellectual property licensing frameworks, readers can consult our IP licensing guide. Practice may vary by authority and year, and OSS compliance benefits from systematic architecture because cumulative compliance across dozens or hundreds of components requires systematic management.

Turkish lawyers who address OSS compliance governance architecture work through the framework establishing systematic OSS compliance. OSS policy documentation addressing which license categories are permitted for which use categories — for example, permissive licenses (MIT, BSD, Apache) approved for production code, weak copyleft (LGPL) permitted for specific linking patterns, strong copyleft (GPL, AGPL) restricted or prohibited in production code — supports systematic decision-making rather than case-by-case ad hoc judgments. License clearance procedures requiring review before new OSS components are incorporated into production builds support proactive compliance; developers submit the proposed component with its license, and the review confirms compatibility with the policy. Compliance tracking tools including Software Composition Analysis (SCA) tools (examples: Snyk, Black Duck, FOSSA, OSS Review Toolkit) that automatically scan codebases and dependencies to identify OSS components and their licenses provide systematic inventory that manual tracking cannot match. Developer training on OSS compliance addressing license categories, practical implications of each category, and the company's specific policy supports operational compliance — engineers need actionable guidance rather than legal abstractions. Procurement integration ensuring that vendor technology is reviewed for OSS compliance before procurement supports coordinated compliance. M&A and investor due diligence readiness where OSS compliance receives intensive scrutiny during investor or acquirer review supports transaction value preservation. OSS disclosure practices including third-party notices file listing all OSS components with required attribution and license text, in-product "About" disclosures where required, and license text distribution with the product (or access to it) address license obligations. 
License conflict analysis where specific combinations of OSS licenses produce incompatible obligations (for example, combining a GPL component with a proprietary component without LGPL-style linking separation) requires attention. OSS contribution strategy where the SaaS provider contributes code to OSS projects requires analysis of the contributor license agreement (CLA) or developer certificate of origin (DCO) terms and the IP implications of contribution. Practice may vary by authority and year, and OSS governance benefits from early establishment.
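As an added illustration (not the firm's code and not the output format of any SCA tool), the example policy in the preceding paragraph and the distribution-versus-network trigger described earlier can be expressed as a clearance gate run over a scanned component inventory. The SPDX identifier sets, the `linkage` and `distributed` fields, and the component names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

# SPDX identifiers per policy category. The categories follow the example
# policy in the text; the identifier lists are assumptions and incomplete.
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later",
                 "LGPL-3.0-only", "LGPL-3.0-or-later"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later",
                   "GPL-3.0-only", "GPL-3.0-or-later"}
NETWORK_COPYLEFT = {"AGPL-1.0-only", "AGPL-3.0-only", "AGPL-3.0-or-later"}


class Verdict(IntEnum):
    APPROVE = 0   # allowed by policy, obligations recorded
    REVIEW = 1    # needs license clearance before production use
    BLOCK = 2     # fails the build


@dataclass(frozen=True)
class Component:
    name: str
    license_expr: Optional[str]   # SPDX expression reported by the scan
    linkage: str = "static"       # "static", "dynamic" or "service" (hypothetical field)
    distributed: bool = False     # True if copies ship to customers (hypothetical field)


def _single(license_id, comp):
    """Apply the policy to one SPDX identifier in the context of its use."""
    if license_id in PERMISSIVE:
        return Verdict.APPROVE, f"{license_id}: permissive; keep attribution and license text"
    if license_id in WEAK_COPYLEFT:
        if comp.linkage in ("dynamic", "service"):
            return Verdict.APPROVE, f"{license_id}: library stays replaceable"
        return Verdict.REVIEW, f"{license_id}: static linking needs clearance"
    if license_id in NETWORK_COPYLEFT:
        # Network use alone triggers the obligation, so hosting does not help.
        return Verdict.BLOCK, f"{license_id}: network-triggered copyleft in a SaaS platform"
    if license_id in STRONG_COPYLEFT:
        if comp.distributed:
            return Verdict.BLOCK, f"{license_id}: copyleft triggered by distribution"
        return Verdict.REVIEW, f"{license_id}: hosted-only use, restricted by policy"
    return Verdict.REVIEW, f"{license_id}: not in policy; needs clearance"


def evaluate(comp):
    """Return (Verdict, reason) for one component.

    'A OR B' is a choice, so the least restrictive alternative wins.
    'A AND B' applies both, so the most restrictive term wins.
    Parentheses and WITH exceptions are sent to manual review.
    """
    expr = (comp.license_expr or "").strip()
    if not expr:
        return Verdict.REVIEW, "no license detected; needs clearance"
    if "(" in expr or " WITH " in expr:
        return Verdict.REVIEW, "compound expression; needs manual clearance"
    best = None
    for alternative in expr.split(" OR "):
        terms = [_single(t.strip(), comp) for t in alternative.split(" AND ")]
        worst = max(terms, key=lambda r: r[0])
        if best is None or worst[0] < best[0]:
            best = worst
    return best


def gate(inventory):
    """Group components by verdict; any BLOCK entry should fail the build."""
    report = {v: [] for v in Verdict}
    for comp in inventory:
        verdict, reason = evaluate(comp)
        report[verdict].append((comp.name, reason))
    return report


# Constructed sample inventory; names and licenses are illustrative only.
SAMPLE_INVENTORY = [
    Component("http-client", "MIT"),
    Component("report-renderer", "AGPL-3.0-only", linkage="service"),
    Component("image-codec", "LGPL-2.1-or-later", linkage="static"),
    Component("image-codec-shared", "LGPL-3.0-only", linkage="dynamic"),
    Component("onprem-agent-lib", "GPL-2.0-only", distributed=True),
    Component("batch-tool", "GPL-3.0-only", linkage="service"),
    Component("dual-licensed-parser", "MIT OR GPL-2.0-only", distributed=True),
    Component("bundled-sdk", "Apache-2.0 AND AGPL-3.0-only"),
    Component("vendor-blob", None),
]

if __name__ == "__main__":
    for verdict, items in gate(SAMPLE_INVENTORY).items():
        for name, reason in items:
            print(f"{verdict.name:8} {name:22} {reason}")
```

Running the gate in the build pipeline before components reach production, and archiving its report, also produces the inventory and clearance evidence that due diligence reviews ask for.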

An Istanbul Law Firm coordinating OSS-specific due diligence exposure addresses the framework where OSS issues affect SaaS provider transactions. Investor due diligence OSS review typically examines OSS inventory completeness against actual runtime and build-time dependencies, license categorization accuracy against the OSS project's actual license, compliance status for each obligation (attribution present, license text distributed, source code availability for copyleft components in distribution scenarios), governance process adequacy with documented policy and clearance procedures, and AGPL or other SaaS-relevant license exposure. Gaps in OSS compliance can affect valuation, transaction structure (escrow for IP matters, extended indemnity periods, specific representations carve-outs), or deal timing (remediation before closing). M&A acquirer OSS due diligence is typically more detailed than investor review and may include technical analysis of integration patterns, compliance verification through SCA tools, interviews with engineering leadership, and specific remediation requirements before closing. Customer due diligence where enterprise customers conduct vendor due diligence on SaaS providers before engagement may examine OSS compliance as part of vendor risk assessment, particularly where the customer's industry has specific OSS sensitivity (financial services, government, regulated industries). Compliance remediation when gaps are identified may require license compliance actions (adding attributions, distributing license texts), architectural changes (replacing an AGPL component or isolating it), license alternative substitution (finding a permissively-licensed alternative), or contribution-back (for some copyleft scenarios). 
IP warranty obligations in customer contracts and M&A transactions are affected by OSS compliance status; warranty coverage typically excludes OSS-related claims under specific carve-outs or addresses them through specific OSS-focused representations. Source code escrow arrangements may have OSS interaction — escrow release conditions must account for any OSS source code availability obligations that already apply. Open source contribution strategy where the SaaS provider contributes to OSS projects should have a documented approval framework. Practice may vary by authority and year, and OSS due diligence preparedness benefits from proactive compliance architecture.

Localization, e-commerce law compliance, and consumer protection

A Turkish Law Firm coordinating SaaS localization for Turkish market operations works through the framework where Turkish language, regulatory, and cultural requirements affect delivery. Electronic Commerce Regulation Law No. 6563 establishes requirements for electronic commercial activities including pre-contract information obligations addressing specific information that must be provided before contract conclusion (identity of seller, product/service details, price, payment and delivery terms, withdrawal right where applicable, complaint and dispute resolution mechanisms), distance contract provisions for contracts concluded electronically, commercial electronic communication rules under Article 6 addressing electronic marketing with opt-in consent and unsubscribe requirements, and other e-commerce framework elements. Turkish-language documentation requirements for B2C relationships mean that terms of service, privacy policies, and customer-facing documentation should be available in Turkish for enforceability and consumer accessibility — English-only terms may be challenged by consumers and may face enforceability issues in consumer disputes. Tax Procedure Law No. 213 and Revenue Administration (Gelir İdaresi Başkanlığı) secondary regulation affect billing operations; the General Communique on Electronic Documents No. 509 establishes the current e-belge framework including e-fatura (mandatory for taxpayers above the gross sales threshold, currently 3 million TL for most categories), e-arşiv (e-archive for invoices to non-e-fatura recipients), e-defter (electronic ledger), and e-irsaliye (electronic delivery note) for qualifying scenarios. Electronic notification framework includes KEP (Kayıtlı Elektronik Posta — registered electronic mail) under Law No. 
6102 for commercial communications with legal effect, and UETS (Ulusal Elektronik Tebligat Sistemi — National Electronic Notification System operated by PTT) for formal legal notifications from authorities and courts. Electronic signature framework under Law No. 5070 provides the signature levels — qualified electronic signature (nitelikli elektronik imza) created with a secure signature creation device and qualified certificate from a licensed certificate service provider has legal weight equivalent to handwritten signatures under Article 5; other signature levels (advanced, simple) have lesser weight. Cultural adaptation addressing Turkish business practices and communication norms supports practical acceptance beyond legal compliance. For framework on e-commerce compliance addressing business patterns, readers can consult our e-commerce compliance guide. Practice may vary by authority and year, and SaaS localization benefits from attention to Turkish-specific requirements.

Turkish lawyers who address consumer protection compliance for SaaS B2C operations work through Law No. 6502. Distance contract framework under Article 48 addresses contracts concluded through electronic means including pre-contract information obligations, contract documentation provision in durable medium, and framework for withdrawal. The 14-day withdrawal right (cayma hakkı) under Article 48 provides consumers with the right to withdraw from distance contracts within 14 days without cause and without penalty, though the right has exceptions in the accompanying Regulation on Distance Contracts. For SaaS specifically, the right typically applies at the start of a subscription unless an exception applies; the exception for digital content not supplied on tangible medium (Regulation Article 15/1-ğ) applies where the consumer has given prior express consent to performance and has acknowledged loss of withdrawal right — SaaS subscriptions frequently address this through specific consent language at signup. Unfair terms control under Article 5 addresses unfair terms imposing disproportionate burden on consumers contrary to good faith, which can invalidate contractual provisions even when technically agreed; examples in SaaS context include overly broad liability disclaimers, automatic renewal without adequate notice, excessive cancellation penalties, and one-sided modification rights. Clear and transparent terms obligation requires consumer-facing documentation to be readable and comprehensible. Pricing transparency including total cost disclosure, additional cost disclosure (taxes, currency conversion, surcharges), and automatic renewal price notifications supports compliance. Automatic renewal disclosure requirements specifically address subscription auto-renewal with prominent disclosure before renewal, accessible cancellation, and consumer-favorable implementation; renewal notice requirements periodically tighten under new regulation. 
Subscription cancellation mechanics that make the cancellation process as accessible as the signup process (no harder to cancel than to subscribe) are an increasing regulatory expectation. Refund procedures for consumer circumstances, including immediate refund obligations where applicable under the withdrawal framework, support compliant implementation. Practice may vary by authority and year, and B2C SaaS compliance benefits from specific consumer law expertise.

An English speaking lawyer in Turkey coordinating commercial electronic communication compliance addresses the framework governing electronic marketing and notifications. Commercial electronic communication consent framework under Electronic Commerce Law No. 6563 Article 6 requires opt-in consent before sending commercial electronic communications (marketing emails, SMS, automated calls), with a narrow exception for existing customer relationships permitting communications about similar products or services where the consumer had opportunity to object at the time of data collection and in each subsequent communication. İYS (İleti Yönetim Sistemi — Message Management System) serves as the centralized consent registry managed under the framework administered by the Ministry of Trade; senders must verify consent through İYS before sending commercial electronic communications, and recipients can manage their consents across all senders in a unified interface. Transactional communications distinct from commercial communications — service-related notifications, account-related communications, legal notices, security alerts — generally face a different framework and do not require the same opt-in consent. Subscription management for marketing communications requires accessible unsubscribe mechanisms in each communication (typically a working unsubscribe link or SMS keyword), processing of unsubscribes within short timeframes, and suppression list maintenance preventing re-contact. Content requirements for commercial electronic communications include clear sender identification, subject matter identification as commercial communication, and accurate identification of the goods or services promoted. Cross-border commercial communication where Turkish users receive communications from foreign senders requires the foreign sender to comply with Turkish framework, though practical enforcement of extraterritorial compliance has limits. 
Complaint management addressing recipient complaints or regulatory inquiries — responding promptly, documenting the handling, and correcting compliance gaps identified — supports ongoing compliance. Penalty framework under Article 12 of Law No. 6563 creates administrative fine exposure for violations at levels that have increased materially with recent amendments. Practice may vary by authority and year, and commercial communication compliance benefits from integrated operational and legal implementation.

Investment due diligence and SaaS legal readiness

A lawyer in Turkey coordinating SaaS legal readiness for investment events works through the framework preparing SaaS companies for investor or acquirer scrutiny. Corporate structure review ensures cap table completeness with accurate share ownership records, share issuance documentation with proper board resolutions and filings, option grant documentation aligned with board-approved option pools, and corporate governance documentation including articles of association, shareholders' agreements, and board resolutions. Founder equity discipline including founder vesting (typically 3-4 year vest with one-year cliff), IP assignments executed at formation, and founder agreements addressing competition, confidentiality, and departure scenarios supports transaction value. Employee and contractor IP assignment verification addresses systematic assignment of IP from all contributors to platform development — gaps in assignment documentation routinely surface during due diligence, especially for early contractor work before formal IP discipline was established, and can affect transaction value or require remediation. Customer contract portfolio review addresses contract completeness (signed copies for every active customer), problematic provisions (unusual indemnification, MFN clauses, exclusivity, change-of-control triggers), customer concentration (single-customer percentage of revenue), and other customer relationship elements. Regulatory compliance documentation across KVKK (VERBIS registration, DPAs, cross-border transfer mechanisms, breach response history), sector-specific compliance where applicable, tax compliance (VKN registration, VAT compliance, withholding compliance), employment compliance (SGK registration, work permits for foreign employees, labor law compliance), and other dimensions supports due diligence response. 
Financial records completeness with statutory financial statements, audit reports for qualifying companies, tax return and filing documentation, and other financial records supports transaction preparation. Legal records organization including contract portfolio (contracts categorized and searchable), IP portfolio (trademark and copyright registrations, OSS inventory), regulatory matters (correspondence, filings, inquiries), litigation records (current matters and resolved matters with documentation), and other legal records supports efficient due diligence response. For framework on asset purchase agreements addressing transaction structure, readers can consult our asset purchase agreement guide. Practice may vary by authority and year, and legal readiness benefits from sustained attention throughout the SaaS company's development.

Turkish lawyers who address SaaS-specific due diligence elements work through the technology-focused review characterizing SaaS transactions. IP architecture review includes copyright ownership chain-of-title for all platform code, OSS compliance including component inventory, license compliance status, and AGPL or similar exposure review, third-party IP licensed components with documentation of acquisition terms and ongoing compliance, customer data ownership provisions in customer contracts, and derivative work handling. Data protection compliance review examines KVKK compliance architecture including VERBIS registration status, DPA templates and execution with enterprise customers, cross-border transfer mechanisms under the reformed Article 9 framework, breach history including incident reports and Authority interactions, data subject request handling records, and sub-processor documentation. Technology infrastructure review addresses cloud infrastructure contracts (typically AWS, Azure, Google Cloud), key technology dependencies (databases, CDNs, authentication providers), security architecture including access controls, encryption, logging, and incident response, and other technology elements. Customer relationship review examines customer contract portfolio, customer concentration risks (the "Mercedes problem" where one customer represents 20-30%+ of revenue), renewal rates and churn metrics, customer-specific obligations (committed roadmap items, service credits earned, escalated matters), and customer satisfaction indicators. Product and IP roadmap review addresses product development plans, IP development plans including patent filings and trademark portfolios, and forward-looking investment requirements. 
Employment matters review covers key person considerations (retention of founders, key engineers), employment terms including competitive restrictions under TBK Articles 444-447 (non-compete requiring geographic, temporal, and subject matter limitation plus consideration), IP assignment completeness across all contributors, and foreign employee work permit compliance. Financial metrics including MRR (Monthly Recurring Revenue), ARR (Annual Recurring Revenue), CAC (Customer Acquisition Cost), LTV (Lifetime Value), gross and net retention rates, and SaaS-specific Rule of 40 (growth rate + profit margin) support valuation and transaction planning. Practice may vary by authority and year, and SaaS-specific due diligence benefits from specialized experience.

An Istanbul Law Firm coordinating representations and warranties architecture for SaaS transactions addresses the framework allocating risks between buyer and seller in SaaS M&A and investment transactions. Standard representations categories adapted for SaaS include corporate authority and organization, financial statements accuracy and completeness, IP ownership and non-infringement with SaaS-specific IP chain-of-title representations, data protection compliance with KVKK and GDPR coverage as applicable, regulatory compliance across the applicable framework, material contracts disclosure with any unusual provisions identified, customer relationships including material customers and contract terms, employment matters with key person and compliance coverage, tax compliance including proper registration, filing, and payment, and other categories. SaaS-specific representations include IP architecture representations (copyright ownership, OSS compliance with specific AGPL carve-out, third-party IP compliance, customer data ownership), data protection representations (KVKK compliance with cross-border transfer compliance specifically called out, breach history disclosure, DPA completeness), security architecture representations (certifications held, material security incidents, access controls, encryption practices), customer contract representations (contract completeness, specific concentration and MFN disclosure, change-of-control analysis), and technology stack representations (key dependencies, any unusual licenses or contractual restrictions). Survival periods for representation categories — general representations typically 12-18 months, IP and data protection representations potentially 24-36 months, tax representations through the statute of limitations, fundamental representations (corporate authority, capitalization) indefinitely — structure post-closing risk. 
Indemnification framework includes cap amounts (typically a percentage of purchase price with fundamental representations often uncapped), baskets or thresholds (deductible or first-dollar depending on structure), indemnification procedures (notice periods, defense control, settlement rights), and other elements. SaaS-related indemnification categories include IP infringement indemnification (often with specific coverage formulas), data breach indemnification with specific regulatory penalty coverage, and customer claim pass-through indemnification. Disclosure schedules where exceptions to representations are documented adjust risk allocation to reflect known issues that the buyer accepts in exchange for agreed purchase price. Warranty and indemnity (W&I) insurance supplements traditional indemnification, particularly for larger transactions where the insurance provides a substitute for the escrow portion of indemnification. Practice may vary by authority and year, and SaaS transaction representations benefit from specialist experience.

Author: Mirkan Topcu is an attorney registered with the Istanbul Bar Association (Istanbul 1st Bar), Bar Registration No: 67874. His practice focuses on cross-border and high-stakes matters where evidence discipline, procedural accuracy, and risk control are decisive, with particular concentration on SaaS legal protection including service contract and license characterization under TBK No. 6098 as atypical or mixed contract combining elements of contract for work (TBK Articles 470-486), agency contract (TBK Articles 502-514), and license; intellectual property protection under FSEK No. 5846 Article 1/B computer program definition and Article 2 literary and scientific works categorization with Article 18/2 employee-created work framework and Article 71 criminal enforcement, Ministry of Culture and Tourism copyright registration, SMK No. 6769 Article 82/2(c) computer program patent exclusion with technical character exception, TTK No. 6102 Articles 54-63 unfair competition protection, and FSEK Additional Article 8 database sui generis right; KVKK No. 6698 data protection compliance including Article 9 cross-border transfers as reformed by Law No. 7499 (Resmi Gazete No. 32487 dated 12 March 2024, effective 1 June 2024, transition until 1 September 2024) with the Regulation on Procedures and Principles Regarding Transfer of Personal Data Abroad (Resmi Gazete No. 32598 dated 10 July 2024) establishing three-tier adequacy-safeguards-derogations architecture including standard contractual clauses with 5-business-day notification (50,000-1,000,000 TL fine for non-notification), binding corporate rules, written undertakings, and Article 9/6 derogations, with administrative fine appeals moved to administrative courts; GDPR-KVKK harmonization for international SaaS operations; Electronic Commerce Law No. 6563 Article 6 commercial electronic communications with İYS Message Management System; Consumer Protection Law No. 6502 Article 5 unfair terms and Article 48 distance contract framework with 14-day withdrawal right; Internet Content Law No. 5651 Articles 8, 8/A, 9, and 9/A hosting provider obligations; Electronic Signature Law No. 5070 qualified electronic signature framework; dispute resolution through Turkish courts under HMK, international arbitration under MTK No. 4686 with ISTAC, ICC, SIAC, HKIAC, LCIA alternatives, and New York Convention 1958 award enforcement; mandatory commercial mediation under Law No. 6325 and Law No. 7155; open source software compliance across MIT, BSD, Apache, LGPL, GPL, and AGPL frameworks with specific attention to the SaaS delivery model and AGPL network-trigger implications; tax compliance under Tax Procedure Law No. 213 and General Communique on Electronic Documents No. 509 including e-fatura, e-arşiv, e-defter, and e-irsaliye obligations; and investment due diligence coordination including corporate, IP, data protection, customer, and SaaS-specific review elements with representations and warranties architecture.

He advises individuals and companies across Technology Law, Commercial and Corporate Law, Commercial Contracts, Foreign Investment, Data Protection and Privacy, Intellectual Property, Arbitration and Dispute Resolution, Enforcement and Insolvency, Citizenship and Immigration (including Turkish Citizenship by Investment), Real Estate (including acquisitions and rental disputes), International Tax, International Trade, Foreigners Law, Sports Law, Health Law, and Criminal Law. He regularly supports SaaS providers on service agreement architecture with integrated license and data processing provisions, IP protection strategy with OSS compliance integration, KVKK compliance architecture including cross-border transfer mechanisms under the reformed framework, platform liability management with SLA design, Turkish regulatory compliance across sector-specific frameworks (fintech, healthtech, public sector), dispute resolution planning, localization execution, and investment or M&A transaction preparation and execution.

Education: Istanbul University Faculty of Law (2018); Galatasaray University, LL.M. (2022).

Frequently asked questions

  1. How is SaaS characterized under Turkish contract law? SaaS typically operates as an atypical or mixed contract combining elements of the contract for work (istisna under TBK Articles 470-486), agency contract (vekâlet under TBK Articles 502-514), and license rather than fitting a single traditional category. CISG (Vienna Convention) generally does not apply because SaaS is a service rather than a sale of goods.
  2. How is software protected by IP in Turkey? Software copyright under FSEK No. 5846 Article 2 arises automatically upon creation, protecting computer programs as literary and scientific works. Optional registration through the Ministry of Culture and Tourism Directorate General of Copyright provides documentary evidence. Patent protection under SMK No. 6769 has limited application — Article 82/2(c) excludes computer programs "as such" from patentable subject matter, though computer-implemented inventions producing technical effect may qualify.
  3. Does KVKK apply to SaaS providers? Yes, when SaaS providers process personal data of Turkish data subjects or operate through Turkish legal presence. Role as data controller or processor depends on who determines processing purposes and means, with joint or dual-role analysis where both elements coexist.
  4. How does cross-border data transfer work after the 2024 reform? Law No. 7499 (Resmi Gazete No. 32487 dated 12 March 2024) amended KVKK Article 9 effective 1 June 2024 (with transition until 1 September 2024) establishing three-tier architecture: adequacy decisions (none issued yet as of this drafting), appropriate safeguards including standard contractual clauses and binding corporate rules published 10 July 2024, and derogations under Article 9/6. Standard contract transfers require notification to the Authority within 5 business days of execution, with 50,000-1,000,000 TL fines for non-notification.
  5. Are click-wrap agreements enforceable in Turkey? Generally yes when implemented with clear prominence of terms, unambiguous acceptance action, and documentation of the acceptance event (user ID, IP, timestamp, terms version). Browse-wrap agreements without active user acceptance are considerably weaker.
  6. Does consumer protection apply to B2C SaaS? Yes. Consumer Protection Law No. 6502 applies with distance contract framework, 14-day withdrawal right under Article 48 (with digital content exception where consumer has given prior express consent and acknowledged loss of withdrawal), unfair terms control under Article 5, and mandatory information obligations that cannot be waived.
  7. What hosting obligations apply under Internet Content Law 5651? SaaS platforms operating as hosting providers face obligations under Articles 8 (access blocking for catalog offenses), 8/A (national security-related access blocking), 9 (content removal for personal rights violations with 24-hour direct-request procedure), and 9/A (accelerated privacy violation procedure). Traffic data preservation for one to two years under specified categories is required.
  8. How are OSS licenses typically handled in SaaS? Permissive licenses (MIT, BSD, Apache 2.0) permit proprietary incorporation with attribution obligations. Weak copyleft (LGPL) permits proprietary linking under specific conditions. Strong copyleft (GPL) requires derivatives under the same license with source code availability. AGPL specifically addresses SaaS by triggering copyleft when software is made available over networks even without traditional distribution, closing the GPL "SaaS loophole."
  9. What Turkish-language documentation is required? B2C relationships generally require Turkish-language terms, privacy policies, and customer-facing documentation for enforceability and consumer accessibility. Electronic Commerce Law No. 6563 pre-contract information obligations apply to distance contracts.
  10. How do e-invoice and e-archive obligations apply? Tax Procedure Law No. 213 and the General Communique on Electronic Documents No. 509 impose e-fatura and e-arşiv obligations on taxpayers above applicable thresholds (currently 3 million TL gross sales for most categories, adjusted periodically), affecting SaaS billing operations with e-defter and e-irsaliye in specific scenarios.
  11. What commercial electronic communication rules apply? Electronic Commerce Law No. 6563 Article 6 requires opt-in consent for commercial electronic communications with a narrow existing-customer exception. İYS (Message Management System) centralizes consent management with mandatory verification before commercial communications.
  12. What dispute resolution options exist for SaaS agreements? Turkish courts under HMK, international arbitration under MTK No. 4686 with ISTAC, ICC, SIAC, HKIAC, LCIA, or UNCITRAL alternatives, mandatory commercial mediation under Law No. 6325 and Law No. 7155, and consumer arbitration committees for consumer disputes. Foreign arbitral awards enjoy favorable enforcement under the New York Convention 1958 in over 170 signatory countries.
  13. What SaaS-specific IP issues arise in investor due diligence? IP chain-of-title completeness across founders, employees, and contractors; OSS license compliance with SCA tool inventory; AGPL exposure analysis; third-party IP incorporation documentation; customer data ownership; and patent or trademark portfolio completeness typically receive intensive scrutiny.
  14. What representations and warranties are typical in SaaS M&A? Corporate authority, IP ownership and non-infringement with SaaS-specific chain-of-title and OSS coverage, KVKK and GDPR compliance with cross-border transfer specific representations, security architecture, customer contracts including concentration and MFN disclosure, regulatory compliance, and financial statements accuracy. Survival periods range from 12-18 months for general representations to indefinite for fundamental representations.
  15. How does ER&GUN&ER Law Firm structure SaaS engagements? Engagements begin with integrated assessment of contract, IP, data protection, regulatory, operational, and commercial dimensions, translated into service agreement architecture with integrated DPA, IP protection strategy with OSS governance, KVKK compliance framework including cross-border transfer mechanisms under the reformed Article 9, platform liability management, dispute resolution planning, and ongoing compliance supporting the provider's business lifecycle from MVP through scale to exit.