Secure Development Lifecycle
Toku follows a secure development lifecycle that integrates security checks into every phase of delivery, from design through deployment.
All code changes require peer review before merging to production. Security-focused reviews are required for changes touching authentication, authorization, payment flows, API integrations, or data handling.
Third-Party Security Audits and Penetration Testing
Toku engages third-party firms for independent security audits and penetration testing on a quarterly basis. Findings are tracked to resolution with code changes reviewed and merged. Penetration testing reports are available to clients under NDA.
Vulnerability Management
Toku maintains a multi-layered vulnerability management program:
- Automated dependency scanning runs continuously against the codebase, monitoring for known CVEs across the application stack.
- Vulnerability scan results are triaged by severity, with critical and high-severity issues addressed on an expedited timeline.
- Automated static analysis runs on all code changes to catch common vulnerability patterns before production.
- Findings are tracked in a centralized tracker with assigned ownership and resolution timelines.
Change Management
Toku's change management process ensures that all modifications to production systems are reviewed, approved, and auditable:
- Change request submitted with description and risk assessment.
- Technical and security review by engineering peers.
- Leadership approval for significant changes.
- Automated deployment through CI/CD pipeline.
- Post-deployment validation and monitoring.
For emergency changes, an expedited process is available; such changes require executive approval and a retroactive review within 24 hours.
Code Security Controls
Before any code reaches production, the following controls are enforced:
- Mandatory peer review for all code changes.
- Security-focused review for sensitive changes (auth, payments, data handling).
- Automated static analysis to detect vulnerabilities.
- Continuous dependency scanning for vulnerable libraries.
- All automated tests must pass before code can be merged.
- No secrets, credentials, or API keys are permitted in source code.
Secret Management
All application secrets, API credentials, and integration tokens are stored in encrypted secret management infrastructure. Secrets are never committed to source code, logged in application output, or included in error messages. Access to secrets is restricted by role and logged.
Security Event Logging
Toku captures security-relevant events across the application layer:
- Authentication events: logins, password changes, MFA events, account lockouts
- Authorization changes: permission changes, role assignments, privilege escalation
- Administrative actions: user account changes, configuration updates, policy changes
- Data access: sensitive data queries, file downloads, API calls
- Network activity: source IPs, geolocation, VPN connections
- System changes: software installations, configuration modifications, patches
Logs are retained per Toku's data retention policy.
Compliance Automation
Toku uses a compliance automation platform for continuous monitoring of security controls, employee compliance status, and SOC 2 evidence collection. The platform verifies that controls are operating as expected, including hard drive encryption, screen lock policies, and endpoint protection status. All employees complete annual compliance recertification.
Security Monitoring and Analytics
Application analytics and monitoring are configured to exclude PII from tracking. Monitoring covers application errors, infrastructure health, performance alerting, and anomalous behavior without storing personally identifiable information in analytics events.
Log Integrity Protection
Toku implements protections against log tampering:
- Role-based access limiting log access to the security team only.
- All log access is itself logged and monitored.
- Log retention policies enforced across all systems.