How to Choose a Software Company in Şanlıurfa: A Practical 7-Criteria Guide
Seven concrete criteria to evaluate when choosing an enterprise software company in Şanlıurfa — portfolio, KVKK compliance, SLAs, team continuity, code ownership, and the failed-project question. An engineering note from eCloud Tech.
Choosing a software company in Şanlıurfa looks straightforward at first glance and turns multi-layered once you start. It looks simple because the market holds twenty to thirty firms; it turns multi-layered because half of those firms are freelance collectives, a third focuses only on web design, and the remaining third differ widely in certifications and references. What our team at the Karaköprü office has observed over the last fourteen years: the cost of choosing the wrong firm is not "paying a bit too much" — it's a project sliding six to twelve months and being rewritten from scratch.
This guide walks through seven criteria an enterprise buyer should evaluate in order. For each one, we explain what to ask, what answer to look for, and what we have learned from our own projects.
1. Continuity of the core engineering team
In enterprise software the most expensive loss is not money — it's institutional memory. Did the firm produce the three impressive references it shows you today with the same core team for the past three years, or was the team reshuffled mid-project? The answer to that question is the most reliable predictor of what you will experience over the next eighteen months.
Ask these three during the evaluation meeting:
- "Will the architect I'm seeing today stay on my project until completion?"
- "How many engineers left the firm last year?"
- "How long has the current team been with the firm on average?"
If the answer is vague, or if you hear "we'll assign the most appropriate person from our pool," stay alert. In outsource-heavy models, knowledge evaporates with each rotation; you end up re-explaining the project at the start of every sprint.
We structured our own engineering team for exactly this reason on a permanent core + external specialist model. Half of our 17-person core team has been at eCloud Tech for five or more years; that continuity is why we can still defend and explain the decisions made on BiCRM back in 2019.
2. Code-base ownership and repository access
The three most important pages of your contract are not the pricing pages — they are the intellectual-property and code-ownership pages. Most enterprise buyers underweight this section; two years later, when they try to change vendors, they realise half of the code is not actually theirs.
Three clauses to insist on:
- Full transfer of ownership — the developed code's intellectual rights transfer to you on delivery. The wording must be "transfers ownership," not "grants a licence."
- Joint access to the Git repository — from project day one your technical representative should have read access to the repository (GitHub, GitLab, or self-hosted). Receiving only final builds is not enough; the process should be transparent.
- Explicit list of third-party dependencies — every library used, its licence (GPL, MIT, commercial) and cost should be written down. Viral licences like AGPL that slip into a codebase cause serious problems later.
If a firm says "the code is our R&D asset, we don't share source — you're buying a service," that is the classic vendor lock-in play. The model makes commercial sense (for the firm) but is a strategic risk for an enterprise buyer. Go in with eyes open.
3. KVKK compliance — architecture or bolt-on?
Nearly every firm you meet in Şanlıurfa will say "we deliver KVKK-compliant services." The sentence is correct but insufficient. The real distinction is between firms that adopt KVKK compliance as a design-time decision and those that bolt it on as a final layer.
Three questions are enough to tell them apart:
Where is the data hosted? Are user data processed inside Türkiye? If the answer is "we use AWS Ireland," do you satisfy KVKK Article 9 on cross-border data transfer? What is the architectural cost of moving processing into Türkiye?
How is anonymisation defined? Do you use real user data in test environments, or an automatically anonymised dataset? Is production data ever pulled to developer machines?
Which events does the audit log cover? Which role accessing which data triggers a log entry? How long are logs retained? If the KVKK Authority requests an audit dump, how quickly can you produce one?
If all three questions don't get satisfying answers, the firm sees KVKK as a formality. That matters because when regulation changes or an audit request lands, bolt-on compliance falls apart quickly.
In our enterprise software services we treat KVKK compliance as a day-one architecture decision: we don't write code without first drafting a data-flow diagram; production data never lands on a developer's machine; an audit log is a standard module in every project.
4. Maintenance agreements (SLA) — concrete numbers
What does the phrase "24/7 support" actually mean in your contract? Often, nothing. A real maintenance SLA puts a number on every line below:
| Item | Question to Ask | Expected Structure |
|---|---|---|
| First response time | "If I send a critical bug report, how soon will I hear from a human?" | Critical: 30 min · High: 2 h · Medium: 1 business day |
| Resolution time | "How fast is a fix pushed to production?" | Critical: 4 h · High: 1 business day · Medium: 1 week |
| Uptime guarantee | "What is the monthly downtime commitment?" | 99.5% (~22 min/month) or 99.9% (~4 min/month) |
| Backup | "What is the backup retention period and the restore time?" | 30-day backwards + restore within 4 h |
| Off-hours support | "Are night and weekend critical incidents billed separately?" | A clear answer either way — included or a separate line item |
A firm answering "it depends" to every row hasn't made these decisions yet, or doesn't have a real maintenance organisation. Both are risk signals.
5. Three references and the failed-project question
Showing successful references is easy; every firm keeps its three brightest customers in the deck. A firm's real maturity shows in how it talks about projects that did not go well. At the end of your meeting, ask:
"In the last three years, has a project failed to deliver what you wanted? What went wrong, and what did you change afterwards?"
A practical breakdown of the answer categories:
- "No, all our projects have been successful." — Red flag. In software engineering every firm has failures; the opposite claim is not credible. This answer either means the firm has shipped very few projects or is closed to self-criticism.
- "We had problems on Customer X, but it was their fault." — Yellow flag. One-sided blame indicates poor introspection. If they cannot articulate what they learned, the same mistake will recur.
- "On Project X we made the architecture decision too late, so we had to rewrite Module Y twice. We later instituted a rule: complete the architecture decisions before sprint 1." — Green flag. Specific case + specific lesson + specific process change. This firm manages its institutional memory well.
Returning to past projects, naming the mistakes, and explaining the process fix is one of the strongest indicators of an engineering firm's maturity.
In the reference call itself, watch three additional points. First: the customer's satisfaction with post-launch maintenance. Projects look good on delivery day; satisfaction two years later is a separate question. Second: planning-vs-actual alignment — when the firm said "eight weeks," did they actually finish in eight, or did it stretch to fourteen? Third: whether the customer hired the firm again. Repeat business is the strongest quality signal; an enterprise running three different projects with the same firm over five years genuinely trusts them. This last point won't surface on its own — if the firm doesn't volunteer it, ask directly.
6. Technical fit — does its stack speak to yours?
Is the firm's technology stack (programming languages, frameworks, database, cloud) compatible with your existing infrastructure? This is not a preference question; it determines integration cost down the line.
Two scenarios:
Scenario A. Your infrastructure runs .NET / SQL Server / Azure. The firm you're meeting only has experience in PHP / MySQL / shared hosting. Which stack will they build the new project on? If they push their comfort stack (PHP), you will later need an API layer between two systems for enterprise integration. If they say "we do .NET too," you need to verify their .NET depth through reference projects.
Scenario B. Your infrastructure is modest (e.g. WordPress + a handful of Google Workspace seats). The firm proposes an enterprise-grade Kubernetes architecture. The maintenance cost of that architecture may exceed your internal technical capacity. A grand architecture is the wrong decision for the wrong customer.
A good firm proposes a stack that fits your long-term maintenance capacity — not the stack its team is most comfortable with. The short technical assessment a good firm runs before recommending anything is the first concrete differentiator between weak and strong vendors.
A second practical test: ask "What happens if a library we use becomes unmaintained five years from now?" The answer reveals engineering maturity. "We'll migrate when a new library appears" is insufficient; a strong answer shows the firm considered long-term support (LTS releases, community size, sponsoring companies) at framework-selection time. Mature ecosystems like React, .NET, Node.js LTS indicate sustainability-aware choices; a firm picking a "trendy" framework leaves you paying a migration debt in two to three years.
On our own approach, we ask two questions: "Which systems sit in your current software infrastructure?" and "Who maintains them in-house?" Their answers shape not the stack recommendation but the architectural approach. Heavy Microsoft ecosystem → .NET; data-heavy analytics → Python; fast API layers → Node.js. Stack choice is not ideological — it's a calculation of concrete integration cost.
7. Engineer-hour transparency and the pricing logic
Pricing is the hardest part of software projects because you're selling time, not a product. The choice between fixed price and hourly billing depends on the nature of the project:
Fixed price fits when:
- Scope is locked, requirements have settled
- PoC or MVP work
- Small integration jobs (e.g. adding a module to an existing API)
- Duration under eight weeks
Sprint / hourly fits when:
- Requirements will evolve (most enterprise projects)
- Duration three months or more
- The customer wants to be part of technical decisions
- Post-launch maintenance
A firm that pushes fixed price while keeping scope open amplifies your risk: every change request meets resistance; features you thought were included get billed as "additional development." In hourly models, uncontrolled work expands the timeline and inflates the invoice.
A healthy pricing conversation includes these four items:
- Engineer-hour estimate and distribution (e.g. 200 h backend, 80 h frontend, 40 h DevOps).
- Sprint structure — sprint length, demo + retro cadence.
- Change-request process (CR) — how new feature requests get priced.
- Post-launch pricing — what model continues for monthly maintenance after delivery.
A firm that won't talk openly about these four items can drop a surprise invoice on you.
Decision matrix
Bringing the seven criteria into one table:
| Criterion | Ideal Answer | Red Flag |
|---|---|---|
| 1. Team continuity | 3+ years average tenure, named engineer stays | Vague "we'll assign appropriate staff" |
| 2. Code ownership | Full transfer + joint repo access | "Source is our R&D, we don't share" |
| 3. KVKK compliance | TR-resident processing + anonymisation + audit log | "It's in the contract, no problem" |
| 4. SLA | Numbered response + resolution + uptime + backup + off-hours | "We provide 24/7 support" (no number) |
| 5. References + failed project | Three references + specific case + lesson + process change | "All our projects have succeeded" |
| 6. Technical fit | Stack proposal respectful of existing infrastructure | Accepting unknown stack OR unnecessary grandeur |
| 7. Pricing transparency | Hour estimate + sprint + CR process + maintenance | "All-inclusive turnkey price" |
Few firms score green on all seven; a practical heuristic from past projects: five or more green + at most two yellow is a solid candidate.
A note on the Şanlıurfa ecosystem
Şanlıurfa's software ecosystem matured significantly between 2019 and 2026. The number of Şanlıurfa Technopark registered firms grew, university-industry collaboration strengthened, and the R&D-incentive profile diversified. The remaining structural weakness — commitment to long-term enterprise projects — is still a development area for mid-sized firms. Here larger firms hold the advantage less in certifications than in team continuity and financial stability.
Our BiCRM enterprise CRM platform, built by the same core team for seven years, is a concrete answer to this structural challenge. Two years later, our customers still speak with the same engineer — a rare but defining trait in enterprise software.
Decision day
Choosing a software firm is not about "finding the best firm" — it's about finding the most appropriate firm for your organisation. In Şanlıurfa, a handful of firms meet all seven criteria at first-class level; dozens meet them at second class. What matters for you is weighting the criteria against your project's specifics: a small PoC weights pricing transparency and technical fit higher; a large enterprise project weights team continuity and SLA.
If you've started evaluating your own project against these seven criteria, we recommend writing the "questions to ask" onto a small note before the meeting. Take notes on the answers during each meeting; after three meetings, comparing answers makes the picture clear. If you want a second opinion during the process, reach out to our team — in our free preliminary call we walk through how the seven criteria apply to your specific scenario.