Resilience & Compliance

Compliance & Certifications

Classification: External / Client-Facing
Contact: security@toku.com

SOC 2 Type II

Toku has completed a SOC 2 Type II audit. The SOC 2 Type II report evaluates the operating effectiveness of Toku's controls over an extended audit period, covering trust service criteria including security, availability, and confidentiality.

Toku is currently in the process of renewing its SOC 2 Type II report. The updated report is expected to be available in May 2026. Contact security@toku.com to be notified when the renewed report is ready.

Toku's infrastructure provider maintains SOC 2 Type II and SOC 3 Type II certifications independently.

Compliance Automation

Toku uses a compliance automation platform for continuous monitoring of security controls, automated evidence collection for SOC 2, and employee compliance tracking. The platform verifies that controls are operating effectively in real time, including hard drive encryption, screen lock enforcement, endpoint protection status, and security training completion. All employees complete annual compliance recertification.

GDPR Compliance

Toku complies with the General Data Protection Regulation (GDPR) for employees in EU and UK jurisdictions.

Data Processing Addendum (DPA): Available for all clients with EU/UK employees.

Data Minimization: Toku collects only the data required for payroll processing and employment administration.

Right to Erasure: Supported. Deletion requests are confirmed in writing and processed per Toku's data retention policy.

Data Breach Notification: Toku notifies supervisory authorities and affected data subjects within the GDPR-required 72-hour window when a qualifying breach occurs.

GDPR Compliance Framework: Toku maintains a documented GDPR compliance framework governing data processing activities across all jurisdictions.

CCPA/CPRA Compliance

Toku complies with the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), for California-resident employees.

Service Provider Agreement: Toku operates as a service provider under CCPA/CPRA and does not sell personal information.

Deletion Rights: Toku processes consumer deletion requests in accordance with CCPA/CPRA requirements.

SOX Control Alignment

For publicly traded clients subject to the Sarbanes-Oxley Act (SOX), Toku maintains audit trail integrity and enforces separation of duties in payment workflows. The non-custody model ensures that no single party can unilaterally move funds, supporting SOX internal control requirements.

Regulatory Compliance by Jurisdiction

Toku applies the data protection requirements of each employee's jurisdiction. Where local requirements are stricter than Toku's standard policies, local requirements take precedence. Toku tracks relevant employment, payroll, data privacy, and digital asset regulations for the jurisdictions where it processes data.

Security and Privacy Policies

Toku maintains security and privacy policies that are reviewed and updated on a regular schedule:

  • Data Protection Policy
  • Incident Response Plan
  • Business Continuity Plan
  • Disaster Recovery Plan
  • Acceptable Use Policy
  • Access Control Policy
  • Change Management Policy

Policy documents are available to clients upon request under NDA.

Penetration Testing

Toku conducts penetration testing on a quarterly basis through third-party security firms. Quarterly penetration testing ensures continuous validation of Toku's security posture and rapid identification of potential vulnerabilities. All findings are tracked to resolution with clear ownership and timelines. Penetration testing reports are available to clients upon request under NDA.

Documentation Available Under NDA

The following compliance and security documentation is available to clients and prospective clients upon request:

Document                                        Availability
----------------------------------------------  ------------
SOC 2 Type II Report                            Under NDA
Security and Privacy Framework                  Available
Security and Privacy Policies                   Available
Penetration Testing Reports                     Under NDA
Data Processing Agreement (DPA)                 Available
GDPR Data Processing Agreements                 Available
Incident Response Plan (Summary)                Under NDA
Business Continuity and Disaster Recovery Plan  Under NDA

Contact security@toku.com to request any of the above.