Referred customers receive a 10% discount on all core offerings and solutions - up to $5,000. Contact us now!
Book a Demo

Security Overview

Introduction to Toku Security

Classification: External / Client-FacingContact: security@toku.com

Security by Design

Toku processes sensitive employee, compensation, payroll, and digital asset data. Security is therefore treated as an architectural requirement, not an after-the-fact checklist. Controls are designed into infrastructure, application development, access management, data handling, monitoring, incident response, and compliance operations.

The Trust Center is organized around the controls that protect customer data and production systems: infrastructure and application security, data protection, access governance, resilience, compliance, and ongoing security investments.

Layered Security Model

Toku uses a layered security model so that no single control is responsible for protecting the platform. Network isolation, encryption, identity controls, endpoint requirements, secure development practices, monitoring, and audit evidence work together to reduce risk and improve detection and response.

  • Infrastructure controls restrict how production systems are reached and separate production from non-production environments.
  • Application controls require peer review, vulnerability scanning, security-focused review for sensitive changes, and controlled release practices.
  • Data controls encrypt sensitive records at rest and in transit, govern retention, and keep production data out of non-production environments.
  • Identity controls enforce centralized authentication, MFA, least privilege, access reviews, and immediate offboarding.
  • Operational controls provide alerting, incident response, business continuity planning, disaster recovery testing, and audit evidence.

Separation of Duties

Toku designs sensitive workflows so that control is separated across systems and roles. Toku does not hold customer funds, private keys, or unilateral signing authority. Payment-related workflows require client approval through systems outside Toku infrastructure, while Toku maintains the records needed for reconciliation and auditability.

Internal access follows least privilege. Employees receive only the access needed for their role, privileged access is reviewed, and production data access is logged.

Security Operations

Security operations combine continuous monitoring, endpoint and infrastructure controls, vulnerability management, access reviews, penetration testing, and compliance evidence collection. Security findings are assigned ownership, tracked to remediation, and reviewed as part of the operating program.

Toku maintains documented incident response, business continuity, and disaster recovery processes. These processes are tested through tabletop exercises, structured walkthroughs, and recovery validation.

Trust Center Topic Areas

The rest of the Trust Center provides detail across these areas:

  • Platform Security: infrastructure, endpoint, application, and secure development controls.
  • Data Security: encryption, data handling, integration security boundaries, and non-custody controls.
  • Access & Identity: authentication, MFA, RBAC, access reviews, personnel controls, and vendor review.
  • Resilience & Compliance: incident response, business continuity, disaster recovery, SOC 2, privacy, and audit evidence.
  • Security Investments: recent and ongoing hardening work across endpoint security, access, monitoring, credential management, and assessments.

Commitment to Security

Toku maintains a dedicated security operating program for protecting customer data and production systems. The program includes policy governance, employee training, background checks, endpoint compliance, vulnerability management, third-party assessments, penetration testing, incident response, and compliance monitoring.

Security documentation, audit evidence, and relevant reports are available to clients and prospective clients upon request, subject to NDA where appropriate.