Security control area

Resilience & Compliance

Incident response, business continuity, disaster recovery, SOC 2, privacy, and audit evidence.

Incident Response & Management

Toku maintains a formal Incident Management Response Plan with severity levels SEV-1 through SEV-4, assigned roles (Incident Commander, Technical Lead, Communications Lead, Legal Advisor), defined communication protocols, and blameless postmortems. Quarterly tabletop exercises cover scenarios including payment rail failures, API outages, and security events.

Business Continuity & Disaster Recovery

Business Continuity and Disaster Recovery Plans are tested annually. Backups are encrypted with AES-256 using separate key management. Recovery procedures are validated through tabletop exercises, structured walkthroughs, and simulation tests.

Compliance & Certifications

Toku has completed a SOC 2 Type II audit, with the renewed report expected in May 2026. Continuous compliance automation supports evidence collection. GDPR compliance is maintained with Data Processing Addendums for EU/UK employees. CCPA/CPRA compliance is maintained for California residents. Quarterly penetration testing is conducted by third-party firms with reports available upon request under NDA.
