Does this tool produce a legally valid policy for my company?

No. The tool produces a structured starting template based on KVKK 6698, EU AI Act, GDPR, ISO/IEC 42001 and OWASP LLM Top 10 references. Before adoption it must be reviewed by a KVKK expert / Data Controller and legal counsel, and compared against sectoral regulator requirements (BDDK, SPK, MASAK, Ministry of Health, RTÜK). The output is not legal advice.

Is the information I provide stored on the server, KVKK compliant?

Document generation happens entirely in your browser. Only anonymous form inputs (sector, employee band, selected taxonomy ids) are stored server-side for internal analytics; company name is optional. No lead record is created unless you provide an email. IP address is one-way hashed; not stored directly.

Which sectors get dedicated annexes?

Sector annexes (Annex A) are generated for 9 sectors: finance/banking/insurance, healthcare/medical/pharma, public sector/government/municipality, e-commerce/retail, manufacturing/logistics, education/academia, software/SaaS, legal/consulting, media/publishing. Each sector covers high-risk areas (EU AI Act Annex III parallel), sectoral regulatory references (BDDK, MASAK, MDR, etc.) and sector-specific rules.

Which reference frameworks does the document cite?

KVKK 6698 + VERBİS regulation, EU AI Act (Regulation 2024/1689), GDPR (Regulation 2016/679), ISO/IEC 42001:2023 (AI Management System), NIST AI RMF 1.0 + GenAI Profile (2024), OECD AI Principles (rev. 2024), OWASP LLM Top 10 (2025), Code of Practice for GPAI Models. Sector-specific: BDDK IT Regulation, SPK VII-128.9, MASAK Guide, MDR 2017/745, Turkish MoH AI Strategy 2024, Law No. 5846 on IP.

How do I download the document and what are the formats?

Two formats are supported: (i) PDF A4 — print-ready, suitable for internal distribution; (ii) Markdown — for Notion, Confluence, GitHub Wiki, Google Docs (via conversion) or DOCX (via Pandoc / Word import). The document is structured with a table of contents and numbered sections; 18 main sections + 4-5 annexes.

How do we operationalise the document as our master policy?

Recommended 4 steps: (1) Line-by-line review with KVKK expert + legal counsel, (2) Integrated cross-reference to your ISO 27001/42001 documentation, (3) AI Ethics Committee approval + senior management signature, (4) Announce to all staff + mandatory training (90 min) + policy certification quiz. For tailoring to your organisation, request consulting via /yapay-zeka-danismani.

Who is responsible when AI output hallucinates or is wrong?

As the policy explicitly states: ultimate responsibility for AI output lies with the PERSON who applies / sends to customer / files it. The policy mandates hallucination control and human-in-the-loop (HITL) processes, so the employee must apply those processes. Additionally each AI system has an assigned 'owner'; system-level responsibility consolidates there.

What should be the policy update cycle?

Recommendation: periodic 6-12 month review + extraordinary triggers: KVKK/EU AI Act changes, post Sev-1/Sev-2 incidents, new AI tool integration, ISO 42001 external audit findings. The final section of the policy includes a 'Version History' table to track changes. Allow a 30-day grace period for major changes.

AI Interactive Tools

Corporate AI Policy Generator

Generates a KVKK + EU AI Act + ISO 42001 aligned corporate AI usage policy draft tailored to your company. 6-step wizard producing a sector-specific 20+ section reference document.

Definition

Corporate AI Use Policy: An internal regulation defining an organisation's rules for designing, procuring, developing, deploying and operating AI systems day-to-day; aligned with KVKK, EU AI Act and sectoral legislation; covering governance, accountability, data sharing, prompt security, copyright, human-in-the-loop and incident management.; Also known as: AI governance policy, enterprise AI use policy

1. Company Profile

Core parameters of the policy: sector, employee band and regulatory regime. These choices drive sector-specific annexes and regulatory references.

Company name (optional)Leave blank to use 'the Company'; provide your legal name to use full document headers.SectorEmployee band

Applicable regulatory regimeKVKK + GDPR if you serve EU customers; KVKK + BDDK for financial institutions; KVKK + Health for health data processing.

Frequently Asked Questions

No. The tool produces a structured starting template based on KVKK 6698, EU AI Act, GDPR, ISO/IEC 42001 and OWASP LLM Top 10 references. Before adoption it must be reviewed by a KVKK expert / Data Controller and legal counsel, and compared against sectoral regulator requirements (BDDK, SPK, MASAK, Ministry of Health, RTÜK). The output is not legal advice.

References

Kişisel Verilerin Korunması Kanunu (KVKK) — 6698 sayılı Kanun, T.C. Resmî Gazete
Regulation (EU) 2024/1689 — Artificial Intelligence Act, EUR-Lex
ISO/IEC 42001:2023 — Artificial intelligence — Management system, International Organization for Standardization
NIST AI Risk Management Framework (AI RMF 1.0) + GenAI Profile, NIST
OECD AI Principles (2019, revised 2024), OECD
OWASP Top 10 for Large Language Model Applications 2025, OWASP Foundation
Cumhurbaşkanlığı Dijital Dönüşüm Ofisi — Ulusal Yapay Zeka Stratejisi 2021-2025, T.C. Cumhurbaşkanlığı
T.C. Sağlık Bakanlığı — Yapay Zeka Strateji Belgesi 2024, T.C. Sağlık Bakanlığı
Code of Practice for General-Purpose AI Models, European Commission