> ## Documentation Index
> Fetch the complete documentation index at: https://docs.toktra.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# SOC 2

> Toktra's SOC 2 Type II readiness, security controls, and customer responsibilities.

## SOC 2 Type II readiness

Toktra has completed a SOC 2 Type I readiness assessment and is actively in the **SOC 2 Type II observation period** (July 2025 – June 2026). The observation period covers five Trust Services Criteria categories: Security, Availability, Confidentiality, Processing Integrity, and Privacy.

Upon completion, the SOC 2 Type II report will be available to customers and prospects under NDA. To request a copy, email **[security@toktra.io](mailto:security@toktra.io)**.

<Info>
  The SOC 2 Type II report covers the full Toktra SaaS platform — all hosted on AWS (us-east-1).
</Info>

## Security controls

### Multi-tenant isolation

Every data store that holds tenant data enforces strict per-organization isolation. Organization A cannot read Organization B's data through any API endpoint.

Cross-tenant isolation is verified by an automated test suite that runs continuously in CI.

### Audit logging

All administrative actions, configuration changes, and data access events are written to an append-only audit log. Audit log entries are archived to S3 with **Object Lock** (WORM — Write Once, Read Many) with a 7-year retention period. Entries cannot be modified or deleted during the retention window.

You can query your organization's audit log from the dashboard at **Audit Log**, or via the API:

```bash theme={null}
GET /v1/audit-log
```

### Chain of custody for evidence packages

Legal evidence packages (produced by the legal hold and IP recovery features) are stored in an **append-only chain-of-custody record**. No entry can be modified or deleted after it is written. Each node is timestamped using **RFC 3161** from a trusted timestamp authority (DigiCert TSA), providing tamper-proof non-repudiation for litigation support.

### AWS WAF v2

The Toktra API load balancer is protected by an **AWS WAF v2 WebACL** with the following active rules:

| Rule                                   | Description                                                      |
| -------------------------------------- | ---------------------------------------------------------------- |
| `AWSManagedRulesCommonRuleSet`         | Blocks SQLi, XSS, path traversal, and other OWASP Top 10 vectors |
| `AWSManagedRulesKnownBadInputsRuleSet` | Blocks patterns associated with known exploits (Log4j, etc.)     |
| `RateLimitTenantAPI`                   | 1,000 requests per 5 minutes per IP on the public API            |
| `RateLimitInternalAPI`                 | 500 requests per 5 minutes per IP on internal admin routes       |
| `RequireAPIKeyHeader`                  | Blocks requests to the public API missing the `X-API-Key` header |

<Note>
  The agent telemetry endpoint (mTLS) is not behind the WAF — it uses mutual TLS certificate authentication at the network layer, which provides equivalent protection against unauthenticated requests.
</Note>

### Encryption

| Layer                             | Standard                                   |
| --------------------------------- | ------------------------------------------ |
| Data in transit (device → ingest) | mTLS, TLS 1.3                              |
| Data in transit (dashboard/API)   | TLS 1.3                                    |
| Data at rest (PostgreSQL/RDS)     | AES-256, AWS KMS                           |
| Data at rest (analytics store)    | AES-256, EBS encryption                    |
| Data at rest (S3)                 | SSE-KMS                                    |
| Token Perks personal data         | Per-user envelope encryption (AES-256-GCM) |

### Additional controls

<AccordionGroup>
  <Accordion title="Logical access controls">
    Multi-factor authentication is enforced for all Toktra employees accessing production systems, cloud infrastructure (AWS), and administrative interfaces (GitHub). API keys rotate on a 90-day maximum lifetime. All production changes require peer-reviewed pull requests. Quarterly access reviews cover AWS IAM, RDS, and EKS.
  </Accordion>

  <Accordion title="Vulnerability management">
    Container images are scanned with Trivy on every CI build. Dependency vulnerabilities are tracked via Dependabot. Quarterly infrastructure vulnerability scans are conducted, and critical vulnerabilities are remediated within 72 hours.
  </Accordion>

  <Accordion title="Availability and resilience">
    All critical services are deployed across multiple AWS availability zones with automatic failover. A disaster recovery plan is tested annually.
  </Accordion>

  <Accordion title="Change management">
    All production changes require peer review before deployment. Automated tests, linting, and security scans run on every change. Infrastructure changes are managed as code and reviewed before deployment.
  </Accordion>
</AccordionGroup>

## Penetration testing

Toktra conducts an **annual penetration test** by an independent external firm. The defined scope covers:

* All production API endpoints (`api.toktra.io/v1/*`)
* The device agent ingest endpoint (mTLS/HTTPS)
* The tenant dashboard
* The Chrome and Edge browser extensions
* The macOS, Windows, and Linux agents
* Cross-tenant data isolation (gray-box testing with two tenant credentials)
* Token Perks personal data isolation

Testing methodology includes black-box external testing, gray-box authenticated testing, IDOR testing across all resource types, injection testing (SQLi, XSS, SSRF), privilege escalation scenarios, and cross-tenant isolation verification.

The penetration test report is available to customers under NDA. Email **[security@toktra.io](mailto:security@toktra.io)** to request a copy.

## Incident response

Toktra maintains a formal **Incident Response Plan (IRP)** aligned with SOC 2 Trust Services Criteria, GDPR Article 33/34, and NIST SP 800-61.

### Severity tiers and response targets

| Severity          | Examples                                                          | Containment target | IC engaged        |
| ----------------- | ----------------------------------------------------------------- | ------------------ | ----------------- |
| **P0 — Critical** | Data breach, all services down, encryption key compromise         | Within 1 hour      | Immediately       |
| **P1 — High**     | Single service outage, confirmed unauthorized access              | Within 4 hours     | Within 30 minutes |
| **P2 — Medium**   | Suspicious activity under investigation, non-critical degradation | Within 24 hours    | Next business day |
| **P3 — Low**      | Security advisory, policy violation                               | Best effort        | As needed         |

### GDPR breach notification

If a personal data breach involves EU/EEA data subjects, Toktra notifies the lead supervisory authority within **72 hours** of becoming aware of the breach (GDPR Article 33). If the breach poses a high risk to data subjects, individual notification follows under Article 34.

Affected customers are notified within 72 hours of a confirmed breach. Contact **[security@toktra.io](mailto:security@toktra.io)** for security-related communications.

### Requesting the SOC 2 report

To receive a copy of the SOC 2 Type II report (available upon completion of the observation period in June 2026) or the current Type I readiness assessment, contact:

**[security@toktra.io](mailto:security@toktra.io)**

Include your organization name and whether you are an existing customer or prospective customer. Reports are shared under mutual NDA.

## Your responsibilities as a customer

Toktra operates a shared responsibility model. The following responsibilities fall on your organization:

<Steps>
  <Step title="Protect your API keys">
    Toktra API keys provide access to your organization's usage data and admin functions. Store keys in a secrets manager (not source code). Rotate keys via the dashboard under **Developer → API Keys** or the API at `DELETE /v1/api-keys/{id}` followed by `POST /v1/api-keys`.
  </Step>

  <Step title="Configure SSO">
    Enable SAML 2.0 single sign-on via your identity provider (Okta, Azure AD, or Google Workspace) to enforce your organization's authentication policies, including MFA. Configure at **Settings → SSO** or via `POST /v1/sso/config`.
  </Step>

  <Step title="Set up SCIM provisioning">
    Enable SCIM 2.0 to automatically provision and deprovision users when employees join or leave. This ensures terminated employees lose access promptly. Configure at **Settings → SCIM** or via `/v1/scim/v2/`.
  </Step>

  <Step title="Review access regularly">
    Audit which users have admin vs. standard roles in your Toktra organization. Use SCIM or the API to remove access for users who change roles or leave the organization.
  </Step>

  <Step title="Configure data retention">
    Set your organization's data retention period to match your legal and business requirements under **Settings → Retention Policies**.
  </Step>
</Steps>
