What Toktra captures
Toktra is a metadata-only monitoring platform. The agent and browser extensions never read, intercept, or store the content of any AI conversation — no prompts, no responses, no file attachments. The following fields are captured for every LLM request:

| Field | Example |
|---|---|
| Token count (estimated, then reconciled) | 1,247 tokens |
| Provider hostname | api.openai.com |
| Model identifier | gpt-4o |
| Timestamp (UTC) | 2026-04-06T09:15:00Z |
| Application context | Chrome, VS Code |
| Device identifier | Device certificate fingerprint |
| User attribution | Linked to your identity provider |
| Request/response size (bytes) | 4,096 bytes |
| Estimated cost | $0.03 |
How capture works
Toktra agents detect LLM provider traffic using Server Name Indication (SNI) inspection at the TLS handshake layer. SNI is a standard field in every TLS connection that announces the destination hostname — it is readable without decrypting the connection.

The agent reads the SNI hostname (e.g., api.openai.com) to confirm an LLM provider connection is occurring. The TLS session is never decrypted. Prompt and response content remain completely private end-to-end.

- macOS — Swift Network Extension (NEFilterDataProvider) reads outbound SNI fields
- Windows — WFP (Windows Filtering Platform) callout driver observes outbound connections (ALWAYS PERMIT — never blocks traffic)
- Linux — eBPF socket probes trace outbound TCP connections on port 443
- Browser extensions — Chrome, Edge, Firefox, and Safari extensions use the webRequest API to observe HTTP metadata to known LLM provider domains
Privacy Hours
Employees can configure a Privacy Hours schedule to pause all monitoring during personal time. During a privacy hours window, the agent collects no telemetry — nothing is captured, buffered, or transmitted. To configure Privacy Hours on macOS, click the Toktra icon in the system tray and select Preferences → Privacy Hours. You can set daily start and end times, specific days, or a custom schedule per day. The existence of a privacy hours gap is logged (as a period with no telemetry), but no data from within the window is ever collected.
Personal vs. business separation
If your organization enables Token Perks — a personal AI usage allowance — that personal usage flows through a completely separate data pipeline and is never visible to admins.

Token Perks personal usage flows through a completely separate data pipeline and is never visible to corporate analytics. Even Toktra platform admins can only access aggregate-level Token Perks reports — individual personal usage records are inaccessible to all admins.
Data retention
Your organization controls how long individual-level telemetry is retained. You configure retention policies in the admin dashboard under Settings → Retention Policies. The default and configurable retention behavior:

| Data type | Default retention | Behavior after period |
|---|---|---|
| Individual usage telemetry | 90 days | Aggregated and anonymized; no individual attribution |
| Aggregated team/org data | 2 years | Retained (no individual attribution) |
| Device enrollment records | Duration of enrollment + 30 days | Anonymized after decommissioning |
| Employee account records | Duration of employment + 30 days | Anonymized |
| Audit logs | 7 years (WORM) | Retained; required for compliance |
| Legal hold data | Per hold duration | Exempt from standard retention |
mTLS device authentication
All telemetry from Toktra agents is encrypted in transit using mutual TLS (mTLS). Both the device agent and Toktra’s cloud backend authenticate each other using X.509 certificates. Device certificates are issued by the Toktra Intermediate CA, stored in the device’s secure keychain, and are valid for 90 days. Each device has a unique certificate — if a device is decommissioned or an employee is offboarded, the certificate is revoked via OCSP and enrollment records are anonymized. This means:

- All data in transit is encrypted (TLS 1.3)
- Only enrolled, authenticated devices can submit telemetry
- Compromised or decommissioned devices are immediately revocable
Data residency
You select your data residency region during onboarding or by contacting your Toktra account team. Your telemetry, analytics, and user data are stored only in your chosen region.

- United States: us-east-1 (N. Virginia) — Default region
- European Union: eu-west-1 (Ireland) — GDPR-compliant EU data storage
- Australia: ap-southeast-2 (Sydney) — Australian data sovereignty
- Canada: ca-central-1 (Canada) — Canadian data residency
Can I change my data residency region after onboarding?
Yes. Contact your Toktra account team or email support to initiate a data residency migration. Migrating between regions requires a planned maintenance window.
Does Toktra transfer data outside my chosen region?
No personal or organizational data is transferred outside your chosen region for storage or processing. Sub-processors are configured to operate within your selected region. Standard Contractual Clauses (SCCs) are in place for any EEA-adjacent transfers. Contact legal@toktra.io for a copy of the Data Processing Agreement.
What encryption is used for data at rest?
All data stores use AES-256 encryption at rest, managed by AWS KMS. Encryption keys are restricted to authorized Toktra services only.
Who can see my organization's data?
Within Toktra, your data is isolated by access controls scoped to your organization ID. Toktra platform engineers require a documented business justification to access tenant data, and all such access is audit-logged.