Security Investments

2026 Security Hardening Program

Classification: External / Client-Facing
Contact: security@toku.com

Overview

In 2026, Toku ran a security hardening program across its infrastructure, endpoints, network, and application layers. This included new endpoint protection deployments, network access controls, infrastructure monitoring, credential management improvements, and independent third-party security assessments.

Third-Party Security Assessments

Toku engaged two independent firms to evaluate and improve its security posture:

  • Infrastructure and operational security assessment covering infrastructure, access controls, and operational security.
  • Application and digital asset security assessment covering platform controls and custody-related integration components.

Findings from both assessments drove the hardening actions below.

Endpoint Security Hardening

  • Endpoint detection and response deployed on all employee endpoints for threat detection and managed threat hunting. Installation is mandatory and compliance is enforced.
  • Enhanced endpoint monitoring deployed on devices with access to critical infrastructure, adding visibility into endpoint activity and investigation readiness.
  • Endpoint evidence collection procedures established for employee devices with access to critical systems.

Network and Infrastructure Hardening

  • Zero-trust VPN deployed as the required access path for all production infrastructure. No production system is reachable without authenticated network access.
  • Web application firewall deployed on all application-layer traffic for DDoS mitigation, bot detection, rate limiting, and request filtering.
  • Custody API network restrictions implemented where supported, limiting API access to known Toku infrastructure IPs.
  • Network segmentation reinforced with full isolation between production, staging, and development.

Credential and Access Management

  • Complete credential rotation across all integration services, including API keys, tokens, and secrets for every client integration.
  • Client-side credential refresh coordinated for client-managed systems where credential rotation was required.
  • Employee password rotation completed organization-wide with MFA reset and re-enrollment.
  • MFA enforced for all employees using TOTP-based verification through 1Password.
  • Scheduled credential rotation established as a standing operational practice.

Application and Database Improvements

  • Database rebuild completed with enhanced security controls and hardened configurations.
  • Enhanced database logging implemented for comprehensive audit trails on all data access and modifications.
  • API endpoint hardening to eliminate token exposure in specific endpoints and enforce stricter credential handling throughout the application layer.
  • Continuous dependency scanning with triage and remediation SLAs based on severity.

Monitoring and Detection

  • Infrastructure monitoring deployed for systematic production health monitoring, performance tracking, and alerting.
  • Enhanced security event logging across all systems, covering authentication, authorization, data access, and administrative actions.
  • Automated alerting configured for integration API failures, anomalous access patterns, and security events, with on-call rotation ensuring 24/7 coverage.

Ongoing Security Program

Beyond the 2026 hardening program, Toku runs these ongoing security practices:

  • Quarterly tabletop exercises covering breach, DDoS, ransomware, and insider threat scenarios
  • Quarterly penetration testing by third-party firms with reports available on request
  • Quarterly access reviews for critical systems and privileged accounts
  • SOC 2 Type II compliance with continuous evidence collection
  • Continuous vulnerability scanning with triage and remediation timelines by severity

Current Security Posture

The table below summarizes Toku's current security posture following the completion of the 2026 hardening program.

Layer                   | Implementation
Endpoint Protection     | Endpoint detection, response, and monitoring on employee devices
Network Access          | Zero-trust VPN mandatory for production access
WAF and DDoS            | Web application firewall on application traffic
Custody API Security    | IP whitelisting + scoped credentials + scheduled rotation
Employee Authentication | MFA enforced for all employees, TOTP via 1Password
Database Security       | AES-256 encryption at rest + enhanced audit logging
Monitoring              | Infrastructure monitoring, application error monitoring, enhanced database logs, and automated alerting
Forensic Readiness      | Continuous endpoint monitoring and evidence collection readiness
Credential Management   | Scheduled rotation + immediate rotation on any suspected compromise
Third-Party Audits      | Independent infrastructure, application, and digital asset security assessments

Questions

For any questions about Toku's security hardening program or current security posture, contact security@toku.com.