SOC 2 Type II readiness
Toktra has completed a SOC 2 Type I readiness assessment and is actively in the SOC 2 Type II observation period (July 2025 – June 2026). The observation period covers five Trust Services Criteria categories: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Upon completion, the SOC 2 Type II report will be available to customers and prospects under NDA. To request a copy, email security@toktra.io.

The SOC 2 Type II report covers the full Toktra SaaS platform — all hosted on AWS (us-east-1).
Security controls
Multi-tenant isolation
Every data store that holds tenant data enforces strict per-organization isolation. Organization A cannot read Organization B’s data through any API endpoint. Cross-tenant isolation is verified by an automated test suite that runs continuously in CI.

Audit logging
All administrative actions, configuration changes, and data access events are written to an append-only audit log. Audit log entries are archived to S3 with Object Lock (WORM — Write Once, Read Many) with a 7-year retention period. Entries cannot be modified or deleted during the retention window. You can query your organization’s audit log from the dashboard at Audit Log, or via the API:

Chain of custody for evidence packages
Legal evidence packages (produced by the legal hold and IP recovery features) are stored in an append-only chain-of-custody record. No entry can be modified or deleted after it is written. Each node is timestamped using RFC 3161 from a trusted timestamp authority (DigiCert TSA), providing tamper-proof non-repudiation for litigation support.

AWS WAF v2
The Toktra API load balancer is protected by an AWS WAF v2 WebACL with the following active rules:

| Rule | Description |
|---|---|
| AWSManagedRulesCommonRuleSet | Blocks SQLi, XSS, path traversal, and other OWASP Top 10 vectors |
| AWSManagedRulesKnownBadInputsRuleSet | Blocks patterns associated with known exploits (Log4j, etc.) |
| RateLimitTenantAPI | 1,000 requests per 5 minutes per IP on the public API |
| RateLimitInternalAPI | 500 requests per 5 minutes per IP on internal admin routes |
| RequireAPIKeyHeader | Blocks requests to the public API missing the X-API-Key header |
The agent telemetry endpoint (mTLS) is not behind the WAF — it uses mutual TLS certificate authentication at the network layer, which provides equivalent protection against unauthenticated requests.
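As an added illustration (not Toktra's actual configuration), the following Terraform expresses two of the rules from the table above on a regional WebACL: the AWS-managed OWASP rule group and the RateLimitTenantAPI rate-based rule. The ACL name, rule priorities and metric names are assumptions.

```hcl
resource "aws_wafv2_web_acl" "api" {
  name  = "toktra-api-acl" # assumed name, not Toktra's real ACL
  scope = "REGIONAL"       # an ACL attached to an ALB is REGIONAL
  default_action {
    allow {}
  }
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1
    override_action {
      none {} # managed groups take override_action, not action
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "CommonRuleSet"
      sampled_requests_enabled   = true
    }
  }
  # Rate-based rule: WAF counts requests per source IP over a 5-minute window
  # and blocks that IP while it exceeds the limit (1,000 per 5 minutes here).
  rule {
    name     = "RateLimitTenantAPI"
    priority = 10
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 1000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "RateLimitTenantAPI"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "toktra-api-acl"
    sampled_requests_enabled   = true
  }
}
```

Switching the managed group to `override_action { count {} }` runs it in count-only mode, which is the usual way to check a new rule group for false positives against real traffic before enforcing it.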
Encryption
| Layer | Standard |
|---|---|
| Data in transit (device → ingest) | mTLS, TLS 1.3 |
| Data in transit (dashboard/API) | TLS 1.3 |
| Data at rest (PostgreSQL/RDS) | AES-256, AWS KMS |
| Data at rest (analytics store) | AES-256, EBS encryption |
| Data at rest (S3) | SSE-KMS |
| Token Perks personal data | Per-user envelope encryption (AES-256-GCM) |
Additional controls
Logical access controls
Multi-factor authentication is enforced for all Toktra employees accessing production systems, cloud infrastructure (AWS), and administrative interfaces (GitHub). API keys rotate on a 90-day maximum lifetime. All production changes require peer-reviewed pull requests. Quarterly access reviews cover AWS IAM, RDS, and EKS.
Vulnerability management
Container images are scanned with Trivy on every CI build. Dependency vulnerabilities are tracked via Dependabot. Quarterly infrastructure vulnerability scans are conducted, and critical vulnerabilities are remediated within 72 hours.
Availability and resilience
All critical services are deployed across multiple AWS availability zones with automatic failover. A disaster recovery plan is tested annually.
Change management
All production changes require peer review before deployment. Automated tests, linting, and security scans run on every change. Infrastructure changes are managed as code and reviewed before deployment.
Penetration testing
Toktra conducts an annual penetration test by an independent external firm. The defined scope covers:

- All production API endpoints (`api.toktra.io/v1/*`)
- The device agent ingest endpoint (mTLS/HTTPS)
- The tenant dashboard
- The Chrome and Edge browser extensions
- The macOS, Windows, and Linux agents
- Cross-tenant data isolation (gray-box testing with two tenant credentials)
- Token Perks personal data isolation
Incident response
Toktra maintains a formal Incident Response Plan (IRP) aligned with SOC 2 Trust Services Criteria, GDPR Article 33/34, and NIST SP 800-61.

Severity tiers and response targets
| Severity | Examples | Containment target | IC engaged |
|---|---|---|---|
| P0 — Critical | Data breach, all services down, encryption key compromise | Within 1 hour | Immediately |
| P1 — High | Single service outage, confirmed unauthorized access | Within 4 hours | Within 30 minutes |
| P2 — Medium | Suspicious activity under investigation, non-critical degradation | Within 24 hours | Next business day |
| P3 — Low | Security advisory, policy violation | Best effort | As needed |
GDPR breach notification
If a personal data breach involves EU/EEA data subjects, Toktra notifies the lead supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33). If the breach poses a high risk to data subjects, individual notification follows under Article 34. Affected customers are notified within 72 hours of a confirmed breach. Contact security@toktra.io for security-related communications.

Requesting the SOC 2 report
To receive a copy of the SOC 2 Type II report (available upon completion of the observation period in June 2026) or the current Type I readiness assessment, contact security@toktra.io. Include your organization name and whether you are an existing customer or prospective customer. Reports are shared under mutual NDA.

Your responsibilities as a customer
Toktra operates a shared responsibility model. The following responsibilities fall on your organization:

Protect your API keys
Toktra API keys provide access to your organization’s usage data and admin functions. Store keys in a secrets manager (not source code). Rotate keys via the dashboard under Developer → API Keys or the API at `DELETE /v1/api-keys/{id}` followed by `POST /v1/api-keys`.

Configure SSO
Enable SAML 2.0 single sign-on via your identity provider (Okta, Azure AD, or Google Workspace) to enforce your organization’s authentication policies, including MFA. Configure at Settings → SSO or via `POST /v1/sso/config`.

Set up SCIM provisioning
Enable SCIM 2.0 to automatically provision and deprovision users when employees join or leave. This ensures terminated employees lose access promptly. Configure at Settings → SCIM or via `/v1/scim/v2/`.

Review access regularly
Audit which users have admin vs. standard roles in your Toktra organization. Use SCIM or the API to remove access for users who change roles or leave the organization.