Contract Archive and KVKK Architecture for Fleet-Leasing Companies

TL;DR: Contract archives, driver-data KVKK alignment, e-signature integration, and site-to-site VPN for branches in fleet and car-rental companies.
Summary: IT architecture for fleet and car-rental companies is built on a digital contract archive, KVKK-aligned processing of driver data, e-signature integration, contract-expiry and collections tracking, and site-to-site VPN connectivity between multiple branches. Rather than juggling plate-contract-collections tracking across Excel sheets, the goal is a central system that stores driver licence, ID, and address data in line with KVKK and can produce documents within 30 minutes during an audit.
Running a fleet-leasing company without colour-coded contract-expiry tracking, instant lookup of who holds which plate, and automated tallying of overdue collections is no longer sustainable. Being unable to explain to a KVKK auditor why driver-licence copies are kept, and for how long, is a direct administrative-fine risk.
In this article we cover the contract archive, driver-data KVKK alignment, and multi-branch network architecture for owners and IT leads in fleet and car-rental companies. Our target scale is 10–200-vehicle fleets and 1–10 branch operations.
Three Core Pillars of Fleet-Leasing IT
IT in this sector must answer three core needs.
1. Contract and Plate Management
Which vehicle is with whom, when does the contract expire, are insurance (kasko / traffic) policies due, have fees been paid? These questions are the daily backbone of operations.
2. Driver Data and KVKK Alignment
Driver licence, national ID, address, phone, driver-penalty points (with some corporate customers). Under KVKK, this is personal data; in some cases it crosses into special-category data. Statutory retention periods and secure-destruction rules are strict.
3. Branch Connectivity and Centralised Management
With multiple branches, a vehicle may be picked up at one branch and returned at another. Customer records, plate inventory, and financial transactions must be consistent and current across every branch.
The Digital Contract Archive
A central digital archive — instead of folders of paper contracts — pays off in several ways.
Typical Contract Data
- Customer information (TC, name, address, tax number for corporate customers)
- Driver information (if different)
- Plate, brand, model, year, mileage
- Lease start / end dates
- Rental amount, deposit, return terms
- Insurance information (kasko, IMM)
- Fuel, damage, late-return surcharges
- Contract PDF (signed scan)
Recommended Archive Architecture
| Layer | Purpose | Example |
|---|---|---|
| Database | Structured data (queryable) | PostgreSQL, MS SQL |
| File storage | PDF contracts, licence copies | NAS + cloud backup |
| Full-text search | Search old contracts by plate / name | Elasticsearch or DB built-in |
| Access layer | Web / mobile UI | Fleet-management software |
PDFs should be hashed and encrypted at rest. Document access must be role-based (RBAC): office staff can reach all contracts; depot personnel see only plate status.
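A sketch of the two controls just described, added here as an example and not taken from any fleet-management product: a SHA-256 digest recorded when the signed PDF is archived and re-checked on read, plus a deny-by-default field filter per role. The role names, field names and in-memory `archive` dict are assumptions; encryption at rest is left to the storage layer.

```python
import hashlib
import hmac

# Assumed roles and the contract fields each may read (deny by default).
ROLE_FIELDS = {
    "office": {"plate", "status", "customer_name", "national_id", "pdf_sha256"},
    "depot": {"plate", "status"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ingest(archive: dict, contract_id: str, record: dict, pdf: bytes) -> None:
    """Store the structured record together with the digest of the signed PDF."""
    archive[contract_id] = {**record, "pdf_sha256": sha256_hex(pdf)}


def verify_pdf(archive: dict, contract_id: str, pdf: bytes) -> bool:
    """True only if the PDF read back from file storage matches the digest
    recorded at ingest; a mismatch means the file changed after archiving."""
    expected = archive[contract_id]["pdf_sha256"]
    return hmac.compare_digest(expected, sha256_hex(pdf))


def read_contract(archive: dict, contract_id: str, role: str) -> dict:
    """Return only the fields the role is allowed to see."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role: {role}")
    return {k: v for k, v in archive[contract_id].items() if k in allowed}


if __name__ == "__main__":
    archive = {}
    pdf = b"%PDF-1.7 constructed sample contract"   # constructed sample bytes
    ingest(archive, "C-001", {"plate": "34 ABC 123", "status": "rented",
                              "customer_name": "Constructed Customer",
                              "national_id": "00000000000"}, pdf)
    print(read_contract(archive, "C-001", "depot"))
    print(verify_pdf(archive, "C-001", pdf + b"tampered"))
```

Keeping the digest in the database while the PDF lives on the NAS means a change to the file alone is detectable from the structured record.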
Colour-Coded Expiry Tracking
Colour-coding by days remaining to contract end:
- Green: 30+ days remaining
- Yellow: 7–30 days remaining (extension offer should go out)
- Orange: 0–7 days remaining (urgent action)
- Red: Past expiry, or return overdue
Automated SMS / email reminders should back up the colour codes (e.g. extension offer 30 days before, return reminder 3 days before).
E-Signature Integration
Classic flow: the customer comes to the office, signs the contract, a photocopy is taken, kept in a locked cabinet. Modern alternative: signing from anywhere with an e-signature.
Common E-Signature Solutions in Türkiye
- Document signing via e-Devlet (financial advisors, banks integrated)
- Mobile Signature (Turkcell, Vodafone, Türk Telekom)
- e-Yazışma with corporate customers
- Third-party SaaS: DocuSign, Adobe Sign, Onaylarım, eImza Türkiye
E-signed contracts are equivalent to wet signatures under Law 5070. If the customer doesn't have an e-signature, a hybrid flow works: the customer signs on paper, the office signs digitally, and the contract is archived as a mixed-signature PDF.
Benefits of an E-Signature Flow
- Customer doesn't have to visit the office — remote rental
- Contract PDF lands in the archive automatically (no manual scanning)
- Signatures are timestamped — strong evidence in court
- Zero paper / folder cost
- Searchable full text — historic contract lookups in seconds, not hours
KVKK and Driver Data
Fleet-leasing companies, as data controllers, handle a broad personal-data set.
Categories Processed
| Data | Category | Retention |
|---|---|---|
| National ID | Personal data | Contract end + 10 years (financial) |
| Licence info | Personal data | Contract end + a reasonable period |
| Licence copy | Personal data | Statutory + secure destruction |
| Address, phone | Personal data | Relationship duration + a reasonable period |
| Driver-penalty points | May be special-category | Explicit consent + strict limits |
| Insurance damage history | Personal data | Insurance contract period |
| Card information | Personal + financial | Never stored (PCI) |
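A retention sweep over the table above, added as an example rather than taken from any product: it flags items past their retention period and, separately, items whose category has no defined period at all. Only the 10-year national-ID figure comes from the table; the other periods, the category keys and the record layout are assumptions standing in for "a reasonable period".

```python
from datetime import date

# Retention in whole years after contract end. Only national_id (10 years)
# comes from the table; the other values are assumptions and must match
# whatever period is actually declared for that data.
RETENTION_YEARS = {
    "national_id": 10,
    "licence_copy": 1,     # assumption
    "address_phone": 2,    # assumption
}


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:     # 29 Feb lands in a non-leap year: use 28 Feb
        return d.replace(year=d.year + years, day=28)


def sweep(items: list, today: date) -> dict:
    """Sort stored items into keep / destroy / no_policy lists of ids."""
    result = {"keep": [], "destroy": [], "no_policy": []}
    for item in items:
        years = RETENTION_YEARS.get(item["category"])
        if years is None:
            # No defined period means the item would be kept indefinitely.
            result["no_policy"].append(item["id"])
        elif item["contract_end"] is None:
            result["keep"].append(item["id"])        # contract still active
        elif today > add_years(item["contract_end"], years):
            result["destroy"].append(item["id"])     # queue for secure destruction
        else:
            result["keep"].append(item["id"])
    return result


if __name__ == "__main__":
    # Constructed sample inventory.
    items = [
        {"id": "A", "category": "national_id", "contract_end": date(2012, 2, 29)},
        {"id": "B", "category": "licence_copy", "contract_end": date(2021, 6, 30)},
        {"id": "C", "category": "penalty_points", "contract_end": date(2021, 6, 30)},
    ]
    print(sweep(items, date(2022, 3, 1)))
```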
Explicit Consent and Information Notice
- An information notice must be presented before the contract is signed
- It must state which data is processed, for what purposes, and for how long
- Transfers such as corporate card processing (PCI) and licence verification (3rd-party API) must be disclosed
- Explicit written consent is required for special-category data
Card Information — Critical Note
Fleet companies often want to authorise the card for "deposit / pre-authorisation". Storing the card number or CVV in the system is a PCI-DSS violation. The right method: the payment provider's tokenisation (card number lives with the payment provider; you only have a token).
Data-Breach Notification
In case of a KVKK breach (e.g. a server is compromised, customer data leaks):
- Notify the Personal Data Protection Authority within 72 hours
- Inform affected individuals via an appropriate channel
- Activate the incident-response team immediately
Site-to-Site VPN: Branch Connectivity
In multi-branch operations, every branch needs to reach the central system.
VPN Topologies
| Topology | Suitable scenario | Pros | Cons |
|---|---|---|---|
| Hub-and-spoke | Head office + branches | Simple management | If head office drops, branches drop with it |
| Full mesh | Direct branch-to-branch traffic | Faster traffic | Complex management |
| SD-WAN | Many branches, dynamic traffic | Automatic routing | Higher cost |
At SME scale, hub-and-spoke is usually enough. A central firewall (FortiGate, Sophos, pfSense) terminates every branch tunnel.
Typical Traffic
- Branch → central DB server (contract archive)
- Branch → central file server (contract PDFs)
- Branch → central PBX (IP phones)
- Branch → Internet (usually local breakout, faster)
Backup Connectivity
With the primary VPN over fibre, every branch should have 4G / 5G backup. With automatic failover, transactions continue through a fibre outage.
Collections Tracking and Automated Alerts
Late collections are the most common cash-flow problem in leasing companies.
Automated Collections Flow
- The contract defines the payment period (monthly, daily, etc.)
- The system auto-invoices and emails / texts the customer
- Past the due date, colour-coded alerts (yellow, orange, red)
- After a defined number of days, automatic late-payment interest applies
- Collections team reviews the overdue list daily
Collections Tied to Contract
When a customer has overdue collections, the system should automatically raise an alert when a new contract is opened for that customer. That prevents scenarios where the same customer rents at another branch while a prior debt is still outstanding.
Backup Strategy
Losing the contract archive and driver data creates serious legal and operational issues.
3-2-1 Rule Adaptation
| Copy | Location | Retention |
|---|---|---|
| Production | Central server | Live |
| Local backup | Central NAS | 30-day rolling |
| Cloud backup | Türkiye / EU region | 90-day rolling + critical immutable |
| Offline | Encrypted disk in a safe | Annual snapshot |
PDFs in particular should be in the immutable backup tier — suspicion of later tampering on an old contract can become a problem in a court proceeding.
What Yamanlar Bilişim Offers
End-to-end support sized to your fleet-leasing company:
- Fleet-management software selection and rollout support
- Digital contract-archive architecture
- E-signature provider integration
- KVKK information-notice technical support
- VERBİS registration guidance
- Site-to-site VPN design and branch rollout
- Backup + immutable archive architecture
- Collections system integration
Conclusion
IT in a fleet-leasing company comes into its own through the right contract archive, KVKK-aligned processing of driver data, integrated multi-branch operation, and automated collections. Moving from paper folders to a digital archive doesn't just free physical space — it lets you produce documents within 30 minutes during an audit, opens up remote rental in the customer experience, and brings down the late-collection rate in cash flow.
Yamanlar Bilişim designs IT architectures sized to your fleet, KVKK-aligned and scalable — covering everything from your contracts through to your collections, from branch connectivity to e-signature.
Frequently Asked Questions
Do I need to keep the customer's driver-licence copy?
Keeping it for the duration of the contract is legitimate under legitimate interest (verification during rental, insurance processes after damage). After the contract ends, it should be retained for a reasonable period and then securely destroyed. Indefinite retention is a KVKK violation; the retention period must be defined in the VERBİS record.
Can I keep the customer's card on file as a guarantee?
Storing the card number and CVV is a PCI-DSS violation. The right method: the payment provider's tokenisation (Stripe, iyzico, Param). The token lives in your system; the card number stays at the provider. Pre-authorisations are made via that token.
Is e-signature investment expensive for an SME fleet?
SaaS e-signature options (DocuSign, Adobe Sign, local alternatives) sit in the $30–$200 / month range. Customers who don't have to come into the office can rent remotely, so this investment pays back quickly. Once paper-archive cost and loss risk are factored in, ROI is high.
Do I need to keep both wet and digital signed versions of the contract?
No — one is enough. In practice, some customers don't have an e-signature; in that case, a hybrid approach is used: scan of the wet-signed contract + a digitally signed cover page. Which signature type was used must be clearly noted at the end of the contract.
Where do I get driver-penalty-point information, and is that within KVKK scope?
For certain corporate rental customers this is requested; the customer shares it via e-Devlet under their own explicit consent. It may be classified as special-category personal data; written explicit consent must be obtained, strict access control applied, and it must be deleted as soon as the need ends.
Is a cloud-based solution sufficient without branch-to-branch VPN?
It may be. A full SaaS approach: contract software in the cloud, every branch accesses it from a browser, no server. In that case a VPN isn't required. But if there's a local server / file share or you're not using SaaS, the VPN is required. The SME trend leans steadily toward SaaS; but data residency should favour Türkiye / EU for KVKK alignment.
Author
Serdar
Yamanlar Bilişim Expert
Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.