No Subcontractors Policy
Toku uses only Toku-employed team members for customer service delivery and operations. Toku does not use subcontractors, offshore development teams, or third-party providers for platform development or customer data handling.
Every person who handles customer data is a vetted, background-checked Toku employee subject to Toku's security policies, training requirements, and access controls.
Background Checks
Toku runs background checks on all employees before granting access to customer data or production systems. Checks include:
- Criminal history verification
- Employment history verification
- Education credential verification
- SSN validation
- Credit history (for financial roles)
Proof of completed background checks is available under NDA.
Employee Security Requirements
Every Toku employee must meet the following security requirements:
- Endpoint detection and response installed and active on their work device.
- Zero-trust VPN installed and active for production infrastructure access.
- Device management and patch compliance enrollment for company-managed devices.
- Centralized SSO for authentication across internal systems.
- MFA enforced on all Toku accounts and critical systems (1Password for shared credentials).
- Compliance verification for hard drive encryption, screen lock, and endpoint protection status.
- Annual compliance recertification.
Compliance with these requirements is continuously monitored. Non-compliance is treated as a performance issue.
Principle of Least Privilege
All internal access follows the principle of least privilege. Employees are granted access only to the systems and data required for their specific role. Access requests go through a centralized identity management platform with manager and system owner approval. Access is automatically provisioned upon approval and revoked upon role change or separation.
Internal Access Logging
All Toku employee access to production data is logged. Authentication events, data access events, administrative actions, and configuration changes are captured with timestamps, source IPs, and user identifiers. Logs are retained for compliance and audit purposes.
Separation on Termination
When an employee leaves Toku, all administrative and system access is revoked immediately. Revocation is automated through the identity management platform and verified during offboarding.
Third-Party Vendor Assessment
Toku evaluates the security posture of third-party vendors and service providers that access customer data or integrate with Toku's platform. Assessments cover security certifications, data handling practices, and compliance posture.
Critical third-party vendors are reviewed for independent security certifications and relevant compliance evidence before use.
Vendor reviews cover the vendor role, security certifications, data handling practices, access scope, subprocessors, and evidence of control operation. Reviews are updated when vendor risk changes or when new access to customer data is introduced.