Single Sign-On (SSO)
Toku uses SAML 2.0 SSO to centralize client-facing authentication and reduce password-based risk. Identity provider configuration is governed through controlled setup and metadata exchange.
Toku's client-facing authentication is managed through an identity platform that handles the SSO lifecycle, including SAML assertion processing, session creation, and identity provider metadata management.
Internally, Toku uses centralized SSO for administrative access to its own systems, ensuring consistent authentication policies across internal tooling.
Multi-Factor Authentication (MFA)
MFA is enforced using TOTP-based verification (time-based one-time passwords). MFA checks run before session-level authorization, meaning a valid second factor is required before access is granted.
MFA is enforced for all Toku employees. Client users are strongly encouraged to enable MFA. MFA enrollment events are logged with timestamps and source IP addresses.
Automated User Provisioning (SCIM)
Where SCIM 2.0 is configured, user lifecycle events are automated to reduce stale access. Provisioning and deprovisioning events are tied to identity-provider updates and retained in audit logs.
Role-Based Access Control (RBAC)
Role-based access control is enforced at every level:
- Client administrators can only view and manage data for their own organization. Cross-tenant access is prevented by logical database isolation.
- Toku internal staff follow least-privilege access. Access is granted only to the systems and data required for a specific role.
- All internal access to production data is logged.
Access requests go through a centralized identity management platform with manager and system owner approval required. Provisioning is automated on approval with a full audit trail.
Access Reviews
Toku conducts systematic access reviews to ensure access remains appropriate:
- Quarterly reviews for critical systems and privileged accounts.
- Annual reviews for standard user access across all systems.
- Ad-hoc reviews triggered by role changes or security events.
Each review covers account status, permission levels, privileged access, service accounts, and third-party vendor access.
Employee compliance status is continuously monitored, including endpoint security requirements, hard drive encryption, and screen lock policies, providing automated verification that access controls are maintained.
Session Management
Session tokens are invalidated immediately upon password reset. Password reset tokens expire within 24 hours and are single-use. Old password reset tokens are automatically invalidated when a new token is generated. Rate limiting is enforced on all authentication endpoints, including password reset and MFA verification.
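The reset-token and session rules above (24-hour expiry, single use, supersession of older tokens, session invalidation on reset, rate limiting) as a small in-memory model. This is an added illustration, not Toku's code; the 5-requests-per-hour limit, the store layout and the injected clock are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

RESET_TTL = 24 * 3600                 # reset tokens expire within 24 hours
RESET_LIMIT, RESET_WINDOW = 5, 3600   # assumed limit: 5 reset requests per hour per account

@dataclass
class ResetRecord:
    user: str
    expires_at: int
    used: bool = False

@dataclass
class AuthStore:
    resets: dict = field(default_factory=dict)    # sha256(token) -> ResetRecord
    sessions: dict = field(default_factory=dict)  # session id -> user
    attempts: dict = field(default_factory=dict)  # user -> timestamps of reset requests

    def _hash(self, token):
        # Only a hash is stored; the raw token is delivered to the user once
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_reset(self, user, now):
        # Rate limit: keep only requests inside the window, refuse if it is full
        recent = [t for t in self.attempts.get(user, []) if now - t < RESET_WINDOW]
        if len(recent) >= RESET_LIMIT:
            raise PermissionError("reset requests rate limited")
        self.attempts[user] = recent + [now]
        # Issuing a new token invalidates every earlier token for this user
        for rec in self.resets.values():
            if rec.user == user:
                rec.used = True
        token = secrets.token_urlsafe(32)
        self.resets[self._hash(token)] = ResetRecord(user, now + RESET_TTL)
        return token

    def redeem_reset(self, token, now):
        rec = self.resets.get(self._hash(token))
        if rec is None or rec.used or now >= rec.expires_at:
            return None               # unknown, superseded, already used, or expired
        rec.used = True               # single use
        # A completed password reset invalidates all existing sessions of the user
        self.sessions = {sid: u for sid, u in self.sessions.items() if u != rec.user}
        return rec.user
```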
Post-Employment Access
Toku uses a deliberate post-employment access model built for payroll systems:
- Administrative and active system access is revoked immediately on separation.
- Historical read access to pay stubs, tax documents, and payment history is retained until the user requests deletion. Employees have a right to their historical compensation data.
- Personal wallet access is retained since employees may hold personal cryptocurrency funds.
This model removes active access immediately while preserving employee rights to their own records.
Authentication Event Logging
All authentication events are logged with full detail: successful and failed login attempts, password changes, MFA enrollment and verification events, account lockouts, session creation and termination, and source IP addresses with geolocation.
Authentication logs are retained for a minimum of 90 days in active storage and 1 year in archives.