Important Note: Data Responsibility
Apinizer does not store personal data except for Apinizer Manager users. The platform provides infrastructure to store API traffic, and masking, encryption, and deletion operations can be performed on this data. However, the responsibility for protecting, storing, and deleting personal data found in API traffic lies with the organization using Apinizer. Organizations should configure data retention and deletion policies according to their own data protection policies and legal requirements.

Apinizer and Data Management

Apinizer’s Data Retention Approach

Apinizer Manager Users

Apinizer stores the following Apinizer Manager user information:
  • User information required for platform management
  • Authentication and authorization information
  • User role and permission information

API Traffic Data

Apinizer provides infrastructure for API traffic:
  • Infrastructure is provided to store API traffic
  • Masking, encryption, and deletion operations can be performed on data
  • Data retention and deletion policies can be configured
Apart from Apinizer Manager users, Apinizer itself stores no personal data; personal data that appears in API traffic is stored, masked, encrypted or deleted only as configured by the organization using Apinizer, which remains responsible for protecting, retaining and deleting it.

Data Protection Features

Data Masking and Privacy

Apinizer provides the following data masking and privacy features to protect sensitive data in API traffic:
  • Data Masking: Masking of sensitive fields (e.g., hiding credit card numbers except the last 4 digits)
  • Hashing: One-way hashing for data protection (creating an irreversible value)
  • Salt Usage: Salt value for hashing (adding random data to increase hash security)
  • Field-based Operations: Element name and operation definitions (applying specific rules to certain JSON/XML fields)
Scanned Fields:
  • Header, query parameter, and body of message from client
  • Header, query parameter, and body of message going to backend
  • Header and body of message returning from backend
  • Header and body of message returning to client
For detailed information, see the API Proxy Traffic Privacy Settings page.
To protect personal information:
  • Automatic Detection: Automatic detection of personal information (name, surname, email, phone number, etc.)
  • PII Masking Policies: Personal information masking rules (automatic masking application to detected PII data)
  • Data Minimization: Collection of only necessary data (principle of data collection limited to purpose)
  • Sensitive Data Filtering: Filtering of sensitive data (filtering or blocking certain PII types from traffic)
Encryption features for data security:
  • Encryption at Rest: Encryption in database (encryption of stored data)
  • Encryption in Transit: Encryption during transmission (communication security with TLS/SSL)
  • Field-level Encryption: Field-based encryption (encryption of certain sensitive fields)
  • Key Management: Encryption key management (secure creation, storage, and management of keys)

Hashing and Salt

When the hashing method is selected in API Proxy Traffic Privacy Settings, the following applies:

Hashing Features

  • One-way hashing (the field value is replaced by an irreversible digest)
  • Irreversible (the original value cannot be recovered from the digest)
  • Security enhancement with salt (the same input produces different digests, so a digest cannot be matched against a precomputed table)
  • Only the digest is stored; the original value does not reach the log

Salt Usage

  • Automatic salt generation by Apinizer (a unique salt value is generated for each hash operation)
  • Secret storage (salt values are stored securely)
  • Hashed data verification (a stored digest can be re-computed and checked only with the salt that was used to create it)
What is Salt?
When the hashing method is selected, the field value is hashed with the chosen algorithm so that it is stored irreversibly. A salt changes the output that the algorithm alone would produce, so the digest cannot be found by comparing it against the digests of known values. This protects against "rainbow table" attacks (precomputed digest lookups) by ensuring that identical inputs, such as the same e-mail address appearing in two different requests, produce different digests. The trade-off is that a field hashed with a per-operation salt cannot be searched for or correlated across log records by its digest; where such a check is needed, the salt stored for that record must be used to re-compute the digest.
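The masking and salted-hashing operations described above, as an added example written for this page; it is not Apinizer's code and does not reproduce Apinizer's configuration format. The field names, the dotted-path policy, the sample payload and the 16-byte random salt are all assumptions. It also shows the alternative the text does not cover, a keyed hash (HMAC) under a fixed deployment secret, which keeps hashed fields searchable across records at the cost of making identical inputs linkable:

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed sample request body (not real customer data).
SAMPLE_BODY = {
    "customer": {"email": "alice@example.com", "phone": "+90 555 123 4567"},
    "payment": {"card_number": "4111111111111111", "amount": 42.5},
}

# Hypothetical privacy policy: dotted field path -> operation.
# Apinizer configures this in the console; the format here is an assumption.
POLICY = {
    "payment.card_number": "mask",
    "customer.email": "hash",
    "customer.phone": "hash",
}


def mask_value(value: str, keep_last: int = 4, char: str = "*") -> str:
    """Replace every character except the last `keep_last` with `char`."""
    if len(value) <= keep_last:
        return char * len(value)
    return char * (len(value) - keep_last) + value[-keep_last:]


def hash_value(value: str, salt: bytes) -> str:
    """One-way digest SHA-256(salt || value), hex encoded.

    The digest cannot be reversed; it can only be re-computed and compared
    when both the candidate value and the same salt are available."""
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()


def hash_value_keyed(value: str, key: bytes) -> str:
    """Alternative: HMAC-SHA256 under a fixed secret key kept per deployment.

    The same input always yields the same digest, so hashed fields stay
    searchable and correlatable across records, while an attacker without
    the key still cannot precompute a lookup table."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def apply_privacy(body: dict, policy: dict, salt: Optional[bytes] = None) -> Tuple[dict, bytes]:
    """Return (protected deep copy of `body`, salt used).

    With no salt supplied, a fresh random salt is drawn for this call, which
    models a unique salt per hash operation: the same e-mail address in two
    different records produces two different digests, so the records cannot
    be linked through the hashed field without the stored salt."""
    if salt is None:
        salt = secrets.token_bytes(16)
    out = json.loads(json.dumps(body))  # deep copy; the original is left untouched
    for dotted, op in policy.items():
        *parents, leaf = dotted.split(".")
        node = out
        for p in parents:
            node = node.get(p) if isinstance(node, dict) else None
        if isinstance(node, dict) and leaf in node:
            raw = str(node[leaf])
            node[leaf] = mask_value(raw) if op == "mask" else hash_value(raw, salt)
    return out, salt


def verify_hashed(original: str, digest: str, salt: bytes) -> bool:
    """Check a stored digest against a candidate value using the stored salt.

    Constant-time comparison avoids leaking how many leading hex digits match."""
    return hmac.compare_digest(hash_value(original, salt), digest)


if __name__ == "__main__":
    protected, salt = apply_privacy(SAMPLE_BODY, POLICY)
    print(json.dumps(protected, indent=2))
    print("email verifies:", verify_hashed("alice@example.com", protected["customer"]["email"], salt))
```

Running it twice on the same body gives two different e-mail digests, which is the privacy property the note describes; passing the stored salt back in reproduces the digest, which is the verification case. Neither operation touches the `amount` field, so analytics on non-sensitive fields keep working.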

Audit and Logging

Audit Records

Apinizer provides comprehensive audit records for compliance requirements:

Token Requests

  • Token requests from authentication module (authentication attempts and results)
  • Token request data (request time, client information)
  • Environment and date filtering (filtering records by specific environment and time range)
  • User and API Proxy based filtering (viewing records belonging to specific user or API Proxy)

Login Records

  • Management console login operations (all login attempts to management interface)
  • User login records (which user logged in when)
  • IP address tracking (recording IP addresses from which login was made)
  • Login status (recording successful/unsuccessful login attempts)

Audit Records

  • Changes made on the system (configuration, policy, user changes)
  • Configuration changes (changes in API Proxy, environment, connection settings)
  • User operations (administrative operations such as user creation, editing, deletion)
  • Operation timestamps (recording when each operation was performed)

Test Console Audit Records

  • Tests performed from test console (API calls made through test console)
  • Test records (tested API, request and response details)
  • Test results (successful/unsuccessful test results)
  • Test user information (tracking which user performed which tests)

Application Logs

Application logs cover the worker, manager and cache applications. Each log record carries the following attributes, which are also the fields the log viewer can filter on:
  • Start and End Date: Time range of log records
  • Message Content: Detailed content of log message
  • Logger Name: Name of logger that created the log record
  • Log Type: Log level and type (ERROR, WARN, INFO, DEBUG, TRACE)
  • Filtering Parameters: Advanced filtering options
Log levels can be set by class/package and include the following types:
  • Error: Application errors and critical issues
  • Warn: Potential issues or unexpected situations
  • Info: General flow of application and important events
  • Debug: Detailed information for development and debugging
  • Trace: Lowest level, very detailed tracking information
  • Off: Logging disabled (no log records are kept)
Setting levels per class/package allows different components to run at different log levels.
Retention of application logs:
  • Application Logs: 60 minutes retention period (by default)
  • Automatic Log Cleanup: Automatic deletion of old logs after specified period
  • Log Rotation: Rotation of log files by size or time
  • Configurable Retention Policies: Customization of log retention periods

Log Management

Log Level Management

  • Class/package based log level setting (changing log level for specific components)
  • Manager, Gateway Engine, Cache log levels (managing log level of each component separately)
  • Bulk update support (updating log levels of multiple components at once)
  • Dynamic log level change (changing log level while system is running)

Log Filtering

  • Date range filtering (viewing logs in a specific time period)
  • Log type filtering (showing only logs of certain types like ERROR or WARN)
  • Message content filtering (searching for keywords in log message)
  • Logger name filtering (viewing logs belonging to a specific logger)

Data Storage and Retention

Data Retention Methods

Apinizer provides different retention and deletion methods for each kind of stored data:
API traffic logs:
  • Elasticsearch ILM: Automatic retention with Index Lifecycle Management (hot, warm, cold, delete phases)
  • Configurable Retention Periods: Different retention periods for different log types (e.g., error logs can be stored longer)
  • Automatic Deletion: Automatic deletion after the specified period (with ILM policies)
  • Manual Deletion: Manual deletion operations by the user (deleting logs in a specific date range)
  • Index Rollover: Automatic rollover by index size or time
Application logs:
  • Default Retention Period: 60 minutes (default)
  • Automatic Cleanup: Automatic cleanup after the specified period
  • Log Rotation: Rotation of log files by size or time
  • Configurable Retention: Setting the retention period according to needs
Audit logs:
  • Configurable Retention: Configurable retention for audit logs (according to compliance requirements)
  • Automatic Deletion: Automatic deletion after the specified period
  • Manual Deletion: Manual deletion by the user
  • Long-term Retention: Long-term retention support for legal requirements
Across data types:
  • Flexible Policies: Different retention policies for different data types (API traffic, audit, application logs)
  • Time-based Deletion: Automatic deletion after a specified date/period
  • Manual Deletion: Manual deletion operations by the user
  • GDPR "Right to be Forgotten" Support: Data deletion mechanism (deletion of personal data upon request)
Data Responsibility
The responsibility for protecting, storing, and deleting personal data found in API traffic lies with the organization using Apinizer. Organizations should configure data retention and deletion policies according to their own data protection policies and legal requirements.
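An Elasticsearch ILM policy of the kind the retention list refers to (hot with rollover, warm, cold, delete), as an added example written for this page rather than taken from Apinizer. The policy and template names, the index pattern `api-traffic-*`, the retention periods and the Elasticsearch URL are assumptions; Apinizer's own index naming is not reproduced. The validator catches the two mistakes that silently defeat a retention policy: a missing delete phase (indices are then kept forever) and phase ages that run backwards.

```python
import json
import re
import urllib.request
from typing import Dict, List

_AGE = re.compile(r"^(\d+)(ms|[smhd])$")
_UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def build_policy(rollover_max_age: str = "1d", rollover_max_size: str = "20gb",
                 warm_after: str = "7d", cold_after: str = "30d", delete_after: str = "90d") -> Dict:
    """Assemble an ILM policy body: hot (rollover) -> warm -> cold -> delete.

    The periods are illustrative; take them from the organization's data
    protection policy. With rollover in use, min_age counts from rollover,
    not from index creation."""
    return {
        "policy": {
            "phases": {
                "hot": {
                    "min_age": "0ms",
                    "actions": {"rollover": {"max_age": rollover_max_age,
                                             "max_primary_shard_size": rollover_max_size}},
                },
                "warm": {
                    "min_age": warm_after,
                    "actions": {"set_priority": {"priority": 50},
                                "forcemerge": {"max_num_segments": 1}},
                },
                "cold": {"min_age": cold_after, "actions": {"set_priority": {"priority": 0}}},
                "delete": {"min_age": delete_after, "actions": {"delete": {}}},
            }
        }
    }


def age_seconds(value: str) -> float:
    """Parse an Elasticsearch time value such as '90d' or '0ms' into seconds."""
    m = _AGE.match(value.strip())
    if not m:
        raise ValueError(f"unparsable age: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def validate_policy(policy: Dict) -> List[str]:
    """Sanity checks before applying: a delete phase with a delete action must
    exist, and min_age must not decrease from one phase to the next."""
    phases = policy.get("policy", {}).get("phases", {})
    problems: List[str] = []
    if "delete" not in phases or "delete" not in phases["delete"].get("actions", {}):
        problems.append("no delete phase: indices would be retained forever")
    previous = -1.0
    for name in ("hot", "warm", "cold", "frozen", "delete"):
        if name not in phases:
            continue
        try:
            age = age_seconds(phases[name].get("min_age", "0ms"))
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if age < previous:
            problems.append(f"{name}: min_age earlier than the preceding phase")
        previous = age
    return problems


def build_index_template(policy_name: str, index_pattern: str, rollover_alias: str) -> Dict:
    """Index template that binds new indices matching `index_pattern` to the policy."""
    return {
        "index_patterns": [index_pattern],
        "template": {"settings": {"index.lifecycle.name": policy_name,
                                  "index.lifecycle.rollover_alias": rollover_alias}},
    }


def put_json(es_url: str, path: str, body: Dict) -> int:
    """PUT `body` to the Elasticsearch REST API and return the HTTP status (network call)."""
    req = urllib.request.Request(f"{es_url.rstrip('/')}/{path}", data=json.dumps(body).encode(),
                                 method="PUT", headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    policy = build_policy()
    problems = validate_policy(policy)
    if problems:
        raise SystemExit("\n".join(problems))
    # Hypothetical names; the real traffic index names come from the Apinizer configuration.
    template = build_index_template("api-traffic-retention", "api-traffic-*", "api-traffic")
    print(json.dumps(policy, indent=2))
    # put_json("http://localhost:9200", "_ilm/policy/api-traffic-retention", policy)
    # put_json("http://localhost:9200", "_index_template/api-traffic", template)
```

Apply the policy first and the template second, so that the next rollover creates indices already bound to the policy; indices created before the template existed are not covered and must be attached to the policy explicitly or deleted by hand.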

Security Controls

Access Control

Authentication

  • OAuth2 / OIDC: Standard authentication protocols (industry standard authentication)
  • JWT Tokens: JSON Web Token support (secure and verifiable token usage)
  • Multi-factor Authentication: Support for requiring an additional factor at login
  • Session Management: Secure session management (secure management of user sessions)

Authorization

  • Role-based Access Control (RBAC): Permissions are granted through roles assigned to users rather than per user
  • API Proxy Based Access Control: Control at API Proxy level (access permissions to specific API Proxies)
  • Endpoint Based Access Control: Control at endpoint level (access permissions to specific endpoints within API Proxy)
  • ACL (Access Control List) Management: Access control list management (detailed access control lists)

IP Control

  • IP Whitelist/Blacklist: IP address based access control (allowing or blocking requests from specific IP addresses)
  • X-Forwarded-For Support: Client IP detection behind a proxy (reading the client address from the X-Forwarded-For header added by a load balancer or reverse proxy)
  • Real IP Detection: Determining the real client IP address. Any client can send an X-Forwarded-For header itself, so the header must only be honored on requests that arrive from a known proxy, and the address taken must be the rightmost entry that does not belong to a trusted proxy; otherwise IP whitelist/blacklist rules can be bypassed by spoofing the header.
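The trusted-proxy rule for X-Forwarded-For, as an added example written for this page (not Apinizer's implementation, whose internal logic this page does not describe). The proxy ranges, the whitelist and the sample requests are constructed. `naive_client_ip` shows the common mistake of taking the leftmost entry whenever the header is present, which lets a direct client spoof a whitelisted address; `real_client_ip` ignores the header unless the TCP peer is one of our proxies and then walks it from the right:

```python
import ipaddress
from typing import Iterable, List, Optional

# Hypothetical addresses of the load balancers / reverse proxies in front of the gateway.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.10/32"),
]

# Hypothetical IP whitelist for a protected API Proxy.
ALLOWED_CLIENTS = [ipaddress.ip_network("198.51.100.0/24")]


def _parse(ip: str):
    """Return an ip_address object, or None for anything that is not an IP literal."""
    try:
        return ipaddress.ip_address(ip.strip())
    except ValueError:
        return None


def is_trusted_proxy(ip: str, trusted: Iterable = TRUSTED_PROXIES) -> bool:
    addr = _parse(ip)
    return addr is not None and any(addr in net for net in trusted)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The common mistake: take the leftmost X-Forwarded-For entry whenever present."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def real_client_ip(remote_addr: str, xff: Optional[str], trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Determine the client address, trusting X-Forwarded-For only via known proxies.

    Each proxy appends the peer address it saw, so entries on the right were
    written by our own infrastructure and entries on the left by whoever sent
    the request. Walking from the right and skipping our own proxies, the first
    foreign address is the client. If the TCP peer is not a trusted proxy the
    header is ignored entirely, because the client wrote it."""
    if not is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    hops: List[str] = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop, trusted):
            continue
        if _parse(hop) is None:
            break  # malformed entry: nothing to the left of it is trustworthy either
        return hop
    # Header empty or unusable: fall back to the proxy address (fails closed for a whitelist).
    return remote_addr


def is_allowed(client_ip: str, allowed: Iterable = ALLOWED_CLIENTS) -> bool:
    addr = _parse(client_ip)
    return addr is not None and any(addr in net for net in allowed)


if __name__ == "__main__":
    # Constructed requests: a direct client spoofing the header, and a real request via the LB.
    spoof_remote, spoof_xff = "203.0.113.5", "198.51.100.7"
    print("naive allows spoof:", is_allowed(naive_client_ip(spoof_remote, spoof_xff)))    # True
    print("trusted allows spoof:", is_allowed(real_client_ip(spoof_remote, spoof_xff)))   # False
    print("via LB:", real_client_ip("10.0.0.7", "203.0.113.9, 198.51.100.7, 10.0.0.3"))   # 198.51.100.7
```

In the last call the leftmost entry `203.0.113.9` was supplied by the client and is ignored; `10.0.0.3` is our own proxy and is skipped; `198.51.100.7` is what the first trusted hop actually saw. Whichever list of trusted proxies is configured must match the real deployment exactly, since a proxy range that is too wide (for example a whole cloud VPC that also hosts other tenants' workloads) reopens the spoofing path.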

Audit Logging

  • All Access Records: Keeping access logs (API calls, administrative access)
  • Change Records: Recording configuration changes (all configuration changes in the system)
  • Operation Records: Audit record of all operations (important operations performed by users)
  • Detailed Traceability: Tracking who did what, when

Data Security

Encryption:
  • TLS/SSL Encryption (in Transit): Encryption during transmission (encryption of data during communication)
  • Database Encryption (at Rest): Encryption in database (encryption of stored data)
  • Field-level Encryption: Field-based encryption (special encryption of sensitive fields)
  • Certificate Management: Certificate management (management of SSL/TLS certificates)
Integrity:
  • Message Integrity: Message integrity check (verification that messages have not been altered)
  • Digital Signatures: Digital signature support (guaranteeing data has not been altered with digital signatures)
  • Hash Verification: Hash verification (verification of data's hash value)
Monitoring:
  • Anomaly Detection: Detection of abnormal behavior (automatic detection of unexpected or suspicious behaviors)
  • Security Events: Monitoring of security events (tracking security breaches or challenges in the system)
  • Intrusion Detection: Attack detection (detection and alerting of system attacks)
  • Security Monitoring: Security monitoring (continuous security monitoring and reporting)

Compliance Standards and Apinizer Support

GDPR Compliance

GDPR Requirements and Apinizer Support

GDPR (General Data Protection Regulation) is the European Union’s comprehensive regulation for the protection and processing of personal data. Apinizer provides the following features to meet GDPR requirements:
GDPR Requirement: Collection and processing of only necessary data.
Apinizer Support:
  • API Proxy Traffic Privacy Settings: Protection of sensitive data with masking or hashing
  • Data Filtering: Removal of certain fields from logs
  • Configurable Logging: Configuration to log only necessary data
  • PII Detection: Automatic detection and protection of personal information
How to Use: Define sensitive fields in API Proxy Traffic Privacy Settings so that these fields are masked or hashed before they reach the logs.
GDPR Requirement: Deletion of personal data upon request.
Apinizer Support:
  • Elasticsearch ILM: Automatic data deletion policies
  • Manual Data Deletion: Manual deletion of data in a specific date range
  • Data Retention Policies: Configurable retention periods
  • Data Cleanup Tasks: Automatic data cleanup tasks
How to Use: Configure Elasticsearch ILM policies to delete data automatically after the specified period. For manual deletion, delete the data in the relevant date range through the Analytics Engine. Date-range deletion removes every record in that range, not only one data subject's records, so the primary control for erasure requests is to mask or hash identifying fields at log time so that retained records never contain the personal data.
GDPR Requirement: Export of personal data in standard formats.
Apinizer Support:
  • Data Export: Export of API traffic logs
  • Standard Formats: Export in standard formats such as JSON and CSV
  • Filtering and Querying: Data export according to specific criteria
  • Analytics Engine: Data viewing and export tools
How to Use: Filter by the relevant criteria in the Analytics Engine and export the result in JSON or CSV. Masked or hashed fields are exported as stored; the original values cannot be recovered from the export.
GDPR Requirement: Protection of personal data with technical and organizational measures.
Apinizer Support:
  • Data Encryption: Encryption at Rest and in Transit
  • Data Masking: Protection of sensitive data with masking
  • PII Protection: Automatic detection and protection of personal information
  • Access Control: Access control with RBAC and ACL
How to Use: Define sensitive fields in API Proxy Traffic Privacy Settings. Protect data in transit with TLS/SSL. Configure access control with RBAC and ACL.
GDPR Requirement: Recording and traceability of data processing activities.
Apinizer Support:
  • Comprehensive Audit Logging: Recording of all system changes
  • Access Records: Recording of API calls and administrative access
  • Change Tracking: Tracking of configuration changes
  • Timestamped Records: Recording of each operation with a timestamp
How to Use: Review audit records regularly and use the change records to trace every change made on the system.
GDPR Requirement: Notification within 72 hours in case of a data breach.
Apinizer Support:
  • Security Event Monitoring: Automatic detection of security events
  • Alarms and Notifications: Automatic alarm and notification for security events
  • Anomaly Detection: Detection of abnormal behavior
  • Log Analysis: Detection of security events through log analysis
How to Use: Configure anomaly detection and alarms in the Monitoring Component, and configure alarm channels so that security events are reported automatically. The alarm starts the clock; assessing the breach and notifying the supervisory authority remain organizational processes that the alerting only supports.

KVKK Compliance

KVKK Requirements and Apinizer Support

KVKK (Personal Data Protection Law) is Turkey’s legal regulation for the processing and protection of personal data. Apinizer provides the following features to meet KVKK requirements:
KVKK Requirement: Obtaining explicit consent for processing personal data and keeping consent records.
Apinizer Support:
  • Audit Records: Recording of all user operations
  • Token Requests: Recording of authentication and authorization operations
  • API Traffic Logs: Recording of API calls (for tracking consent status)
  • Timestamped Records: Recording of the time consent was given
How to Use: Apinizer records API calls with their timestamps; if the organization's APIs carry consent operations (granting or withdrawing consent), those calls appear in the API traffic logs and can serve as evidence of when consent was given. Authentication operations are recorded under token requests and administrative operations under audit records. Maintaining the consent register itself is the organization's responsibility.
KVKK Requirement: Informing the data subject about data processing.
Apinizer Support:
  • API Documentation: Information about API usage
  • Data Processing Records: Recording of data processing activities
  • Log Viewing: Locating a data subject's records
  • Data Export: Exporting a data subject's records
How to Use: Keep API documentation up to date in the API Portal. Use the Analytics Engine to locate and export a data subject's records in response to a request; data subjects should not be given access to the Analytics Engine itself, since it exposes the traffic of all subjects.
KVKK Requirement: Protection of personal data with technical and administrative measures.
Apinizer Support:
  • Technical Measures: Encryption, masking, access control
  • Administrative Measures: RBAC, ACL, audit logging
  • Security Tests: Security tests and evaluations
  • Security Monitoring: Continuous security monitoring and reporting
How to Use: Protect sensitive data in API Proxy Traffic Privacy Settings. Configure access control with RBAC and ACL. Activate security monitoring and alarms.
KVKK Requirement: Data subject's rights to access, correct, delete, and object.
Apinizer Support:
  • Right to Access: Locating and exporting a data subject's records (Analytics Engine)
  • Right to Correction: Correction of incorrect data (manual data correction)
  • Right to Deletion: Data deletion mechanism (ILM and manual deletion)
  • Right to Object: Stopping the processing of the data subject's data
How to Use: Answer access requests by locating the data subject's records in the Analytics Engine. Use ILM policies for time-based deletion and manual deletion for deletion requests; manual deletion works by date range, so masking or hashing identifying fields at log time remains the main control.

CCPA Compliance

CCPA Requirements and Apinizer Support

CCPA (California Consumer Privacy Act) is California’s consumer privacy law. Apinizer provides the following features to meet CCPA requirements:
CCPA Requirement: Consumers' rights to access, delete, and opt out of sale.
Apinizer Support:
  • Right to Access: Locating a consumer's records (Analytics Engine)
  • Right to Deletion: Data deletion mechanism (ILM and manual deletion)
  • Right to Opt Out of Sale: Stopping the processing or sharing of the consumer's data
  • Data Export: Exporting a consumer's records
How to Use: Locate and export a consumer's records in the Analytics Engine to answer access requests. Use ILM policies for time-based deletion and manual deletion for deletion requests.
CCPA Requirement: Transparency about data collection and usage.
Apinizer Support:
  • Data Collection Descriptions: API documentation and terms of use
  • Data Usage Information: Recording of data processing activities
  • Third-party Sharing: Recording of data sharing
  • Log Viewing: Locating a consumer's records
How to Use: Publish descriptions of data collection and usage in the API Portal. Use the Analytics Engine to locate a consumer's records when they ask what has been collected about them.
CCPA Requirement: Secure protection of consumer data.
Apinizer Support:
  • Secure Data Processing: Encryption, masking, access control
  • Data Encryption: Encryption at Rest and in Transit
  • Access Control: Access control with RBAC and ACL
  • Security Monitoring: Continuous security monitoring and reporting
How to Use: Protect sensitive data in API Proxy Traffic Privacy Settings. Protect data in transit with TLS/SSL. Configure access control with RBAC and ACL.
CCPA Requirement: Recording of data processing activities.
Apinizer Support:
  • Data Processing Records: Recording of all data processing activities
  • Access Logs: Keeping access logs
  • Change Tracking: Tracking of changes
  • Timestamped Records: Recording of each operation with a timestamp
How to Use: Review audit records regularly and use the change records to trace every change made on the system.

ISO 27001 Preparation

ISO 27001 Controls and Apinizer Support

ISO 27001 is the information security management system standard. Apinizer provides the following features to meet ISO 27001 controls:
ISO 27001 Requirement: Creation and documentation of information security policies.
Apinizer Support:
  • Security Policies: Security policies at the API Proxy level
  • Access Control Policies: Access control with RBAC and ACL
  • Data Protection Policies: Data masking and encryption policies
  • Documentation: Documentation of all policies
How to Use: Define security policies on API Proxies. Configure access control policies with RBAC and ACL. Define data protection policies in API Proxy Traffic Privacy Settings. The written ISMS policy itself is an organizational document; the platform configuration is the evidence that the policy is implemented.
ISO 27001 Requirement: Control of access to information and information processing resources.
Apinizer Support:
  • Authentication: OAuth2, OIDC, JWT token support
  • Authorization: RBAC, API Proxy based, and endpoint based access control
  • ACL Management: Detailed access control lists
  • IP Control: IP whitelist/blacklist support
How to Use: Configure authentication in the Identity Manager. Define authorization policies with RBAC and ACL. Configure whitelist/blacklist rules for IP control.
ISO 27001 Requirement: Implementation of cryptographic controls.
Apinizer Support:
  • Encryption: Encryption at Rest and in Transit
  • TLS/SSL: Encryption during transmission
  • Field-level Encryption: Field-based encryption
  • Key Management: Encryption key management
How to Use: Configure TLS/SSL certificates. Activate database encryption. Use field-level encryption for sensitive fields.
ISO 27001 Requirement: Management and reporting of information security incidents.
Apinizer Support:
  • Security Event Monitoring: Automatic detection of security events
  • Alarms and Notifications: Automatic alarm and notification for security events
  • Anomaly Detection: Detection of abnormal behavior
  • Incident Reporting: Reporting of security events
How to Use: Configure anomaly detection and alarms in the Monitoring Component. Configure alarm channels to receive automatic notifications for security events.
ISO 27001 Requirement: Operations security (logging, monitoring, backup and change management of the systems that process information).
Apinizer Support:
  • Log Management: Comprehensive log management and storage
  • Security Monitoring: Continuous security monitoring
  • Backup: Data backup and recovery
  • Change Management: Management of configuration changes
How to Use: Configure log management policies. Activate security monitoring. Perform regular backups.
ISO 27001 Requirement: Compliance with legal and regulatory requirements.
Apinizer Support:
  • Audit Records: Comprehensive audit records
  • Data Protection: Data masking and encryption
  • Data Retention: Configurable data retention policies
  • Compliance Reporting: Creation of compliance reports
How to Use: Review audit records regularly. Configure data protection policies. Set data retention policies according to legal requirements.

SOC 2 Preparation

SOC 2 Trust Principles and Apinizer Support

SOC 2 (Service Organization Control 2) is an audit standard based on security, availability, processing integrity, confidentiality, and privacy principles. Apinizer provides the following features to meet SOC 2 requirements:
SOC 2 Requirement: Protection of system resources against unauthorized access.
Apinizer Support:
  • Access Control: Access control with RBAC, ACL and IP control
  • Authentication: OAuth2, OIDC, JWT token support
  • Encryption: Encryption at Rest and in Transit
  • Security Monitoring: Continuous security monitoring and alarms
How to Use: Configure authentication in the Identity Manager. Define authorization policies with RBAC and ACL. Activate security monitoring.
SOC 2 Requirement: Ensuring system availability.
Apinizer Support:
  • High Availability: Horizontal scaling and load balancing
  • Failover: Automatic failover mechanism
  • Monitoring: System performance monitoring
  • Backup and Recovery: Data backup and recovery
How to Use: Configure horizontal scaling. Activate failover mechanisms. Monitor system performance.
SOC 2 Requirement: System operations being performed correctly and completely (processing integrity).
Apinizer Support:
  • Data Accuracy: Message integrity check
  • Operation Verification: Verification of operations
  • Error Management: Error management mechanisms
  • Audit Logging: Recording of all operations
How to Use: Activate message integrity checks. Configure error management policies. Activate audit logging.
SOC 2 Requirement: Protection of confidential information.
Apinizer Support:
  • Data Encryption: Encryption at Rest and in Transit
  • Data Masking: Masking of sensitive data
  • Access Control: Access control with RBAC and ACL
  • Security Monitoring: Detection of confidentiality breaches
How to Use: Protect sensitive data in API Proxy Traffic Privacy Settings. Use TLS/SSL encryption. Configure access control.
SOC 2 Requirement: Protection of personal information and respect for privacy rights.
Apinizer Support:
  • Personal Information Protection: PII protection and masking
  • Data Retention Policies: Configurable data retention
  • Data Deletion: Automatic and manual data deletion
  • Privacy Monitoring: Detection of privacy breaches
How to Use: Define PII protection policies in API Proxy Traffic Privacy Settings. Configure data retention policies. Activate data deletion mechanisms.

Compliance Checklist

GDPR Checklist

  • Data encryption active (TLS/SSL, Encryption at Rest)
  • Data masking configured (API Proxy Traffic Privacy Settings)
  • PII protection policies defined
  • Data retention periods determined (Elasticsearch ILM)
  • Audit logging active
  • Access records being kept
  • Change records being kept
  • Log retention policies defined
  • Data access mechanism available (Analytics Engine)
  • Data deletion mechanism available (ILM, manual deletion)
  • Data correction mechanism available
  • Data portability support available (Export)

ISO 27001 Checklist

Security Controls

  • Access control configured (RBAC, ACL)
  • Encryption active (TLS/SSL, Encryption at Rest)
  • Security monitoring configured (Anomaly detection, Alarms)
  • Incident management procedures available

Documentation

  • Security policies documented
  • Procedures defined
  • Risk assessment performed

Best Practices

Data Minimization

  • Collect only necessary data
  • Limit data retention periods
  • Delete unused data
  • Clarify data collection purpose

Security

  • Use strong encryption (TLS 1.2 or later, preferably TLS 1.3, with modern cipher suites; disable SSLv3 and TLS 1.0/1.1)
  • Perform regular security updates
  • Keep access control strict (RBAC, ACL)
  • Perform security tests regularly

Audit

  • Log all operations
  • Regularly review logs
  • Perform anomaly detection
  • Store audit records

Training

  • Train personnel
  • Create security awareness
  • Organize regular training
  • Share compliance requirements

Next Steps