Security control area
Encryption, integration security, data minimization, and custody-specific safeguards for sensitive payroll and digital asset workflows.
All data at rest is encrypted with AES-256. All data in transit is encrypted with TLS 1.3 (minimum TLS 1.2). Encryption keys are managed through the cloud provider's key management service with automatic rotation. Toku collects data required for payroll processing and employment administration.
Toku secures external system connections with OAuth 2.0, least-privilege scoping, encrypted credential storage, and client-controlled provisioning and revocation. Custody-related API access is additionally restricted to known Toku infrastructure addresses where applicable.
Toku operates on a strict non-custody model. Client approval and execution remain outside Toku's infrastructure, and Toku never holds private keys, funds, or signing authority. This separation of duties is enforced at the infrastructure level.
