> ## Documentation Index
> Fetch the complete documentation index at: https://docs.toktra.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Data privacy

> How Toktra collects, protects, and isolates employee usage data.

## What Toktra captures

Toktra is a metadata-only monitoring platform. The agent and browser extensions never read, intercept, or store the content of any AI conversation — no prompts, no responses, no file attachments.

The following fields are captured for every LLM request:

| Field                                    | Example                          |
| ---------------------------------------- | -------------------------------- |
| Token count (estimated, then reconciled) | 1,247 tokens                     |
| Provider hostname                        | `api.openai.com`                 |
| Model identifier                         | `gpt-4o`                         |
| Timestamp (UTC)                          | `2026-04-06T09:15:00Z`           |
| Application context                      | Chrome, VS Code                  |
| Device identifier                        | Device certificate fingerprint   |
| User attribution                         | Linked to your identity provider |
| Request/response size (bytes)            | 4,096 bytes                      |
| Estimated cost                           | \$0.03                           |

<Warning>
  Toktra **never** captures prompt content, response text, keystroke data, screen recordings, file contents, full URLs beyond the provider domain, or any non-LLM browsing activity.
</Warning>

## How capture works

Toktra agents detect LLM provider traffic using **Server Name Indication (SNI) inspection** at the TLS handshake layer. SNI is a standard field in every TLS connection that announces the destination hostname — it is readable without decrypting the connection.

<Info>
  The agent reads the SNI hostname (e.g., `api.openai.com`) to confirm an LLM provider connection is occurring. The TLS session is **never decrypted**. Prompt and response content remain completely private end-to-end.
</Info>

This approach applies to all platforms:

* **macOS** — Swift Network Extension (`NEFilterDataProvider`) reads outbound SNI fields
* **Windows** — WFP (Windows Filtering Platform) callout driver observes outbound connections (`ALWAYS PERMIT` — never blocks traffic)
* **Linux** — eBPF socket probes trace outbound TCP connections on port 443
* **Browser extensions** — Chrome, Edge, Firefox, and Safari extensions use the `webRequest` API to observe HTTP metadata to known LLM provider domains

## Privacy Hours

Employees can configure a **Privacy Hours** schedule to pause all monitoring during personal time. During a privacy hours window, the agent collects no telemetry — nothing is captured, buffered, or transmitted.

<Tip>
  Privacy Hours is designed for BYOD (Bring Your Own Device) scenarios where personal and work use may overlap. Your organization's admin configures whether Privacy Hours is available on company-owned devices.
</Tip>

To configure Privacy Hours on macOS, click the Toktra icon in the system tray and select **Preferences → Privacy Hours**. You can set daily start and end times, specific days, or a custom schedule per day.

The existence of a privacy hours gap is logged (as a period with no telemetry), but no data from within the window is ever collected.

## Personal vs. business separation

If your organization enables **Token Perks** — a personal AI usage allowance — that personal usage flows through a completely separate data pipeline and is never visible to admins.

<Note>
  Token Perks personal usage flows through a completely separate data pipeline and is never visible to corporate analytics. Even Toktra platform admins can only access aggregate-level Token Perks reports — individual personal usage records are inaccessible to all admins.
</Note>

Personal usage data is also encrypted with per-user keys using envelope encryption, with an org-level master key (KEK). This means that even at the storage layer, personal records are cryptographically isolated.

## Data retention

Your organization controls how long individual-level telemetry is retained. You configure retention policies in the admin dashboard under **Settings → Retention Policies**.

The default and configurable retention behavior:

| Data type                  | Default retention                | Behavior after period                                |
| -------------------------- | -------------------------------- | ---------------------------------------------------- |
| Individual usage telemetry | 90 days                          | Aggregated and anonymized; no individual attribution |
| Aggregated team/org data   | 2 years                          | Retained (no individual attribution)                 |
| Device enrollment records  | Duration of enrollment + 30 days | Anonymized after decommissioning                     |
| Employee account records   | Duration of employment + 30 days | Anonymized                                           |
| Audit logs                 | 7 years (WORM)                   | Retained; required for compliance                    |
| Legal hold data            | Per hold duration                | Exempt from standard retention                       |

Toktra enforces these policies automatically. You can adjust retention periods per organization via **Settings → Retention Policies** in the dashboard.

## mTLS device authentication

All telemetry from Toktra agents is encrypted in transit using **mutual TLS (mTLS)**. Both the device agent and Toktra's cloud backend authenticate each other using X.509 certificates.

Device certificates are issued by the Toktra Intermediate CA, stored in the device's secure keychain, and are valid for 90 days. Each device has a unique certificate — if a device is decommissioned or an employee is offboarded, the certificate is revoked via OCSP and enrollment records are anonymized.

This means:

* All data in transit is encrypted (TLS 1.3)
* Only enrolled, authenticated devices can submit telemetry
* Compromised or decommissioned devices are immediately revocable

## Data residency

You select your data residency region during onboarding or by contacting your Toktra account team. Your telemetry, analytics, and user data is stored only in your chosen region.

<CardGroup cols={2}>
  <Card title="United States" icon="flag">
    `us-east-1` (N. Virginia) — Default region
  </Card>

  <Card title="European Union" icon="building">
    `eu-west-1` (Ireland) — GDPR-compliant EU data storage
  </Card>

  <Card title="Australia" icon="globe">
    `ap-southeast-2` (Sydney) — Australian data sovereignty
  </Card>

  <Card title="Canada" icon="map">
    `ca-central-1` (Canada) — Canadian data residency
  </Card>
</CardGroup>

You can view or update your organization's data residency configuration via the API:

```bash theme={null}
GET /v1/data-residency
```

<AccordionGroup>
  <Accordion title="Can I change my data residency region after onboarding?">
    Yes. Contact your Toktra account team or email support to initiate a data residency migration. Migrating between regions requires a planned maintenance window.
  </Accordion>

  <Accordion title="Does Toktra transfer data outside my chosen region?">
    No personal or organizational data is transferred outside your chosen region for storage or processing. Sub-processors are configured to operate within your selected region. Standard Contractual Clauses (SCCs) are in place for any EEA-adjacent transfers. Contact [legal@toktra.io](mailto:legal@toktra.io) for a copy of the Data Processing Agreement.
  </Accordion>

  <Accordion title="What encryption is used for data at rest?">
    All data stores use AES-256 encryption at rest, managed by AWS KMS. Encryption keys are restricted to authorized Toktra services only.
  </Accordion>

  <Accordion title="Who can see my organization's data?">
    Within Toktra, your data is isolated by access controls scoped to your organization ID. Toktra platform engineers require a documented business justification to access tenant data, and all such access is audit-logged.
  </Accordion>
</AccordionGroup>
