Security

Security is not a feature we added after the fact — it's built into every layer of our infrastructure. Here's what we do to protect your data and your applications.

SOC 2 Type II

Independently audited security controls

GDPR Compliant

Full compliance with EU data protection regulation

CCPA Compliant

California Consumer Privacy Act compliance

TLS 1.3

All traffic encrypted in transit

Zero Data Retention

Prompts and completions never stored

Data in Transit

All communication between your application and our API is encrypted using TLS 1.3. We enforce HTTPS on all endpoints and do not support older, insecure protocol versions. Our API endpoints use HSTS to prevent downgrade attacks.

Data at Rest

We do not store the content of your API requests or responses. Account data and usage metadata are encrypted at rest using AES-256. Database backups are encrypted and stored in geographically separate locations.

API Key Security

API keys are stored as salted SHA-256 hashes — we cannot recover your key if you lose it. Keys are displayed only once at creation time. We recommend:

  • Storing keys in environment variables, never in source code
  • Using separate keys for development and production
  • Rotating keys immediately if you suspect compromise
  • Setting spending limits on keys to minimize blast radius
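As an added example (not the provider's own code), this shows how a gateway can store API keys as salted SHA-256 hashes and verify a presented key without ever retaining the plaintext, which is why a lost key cannot be recovered and is shown only once. The `sk_live_` prefix and the `key_id + "_" + secret` layout are assumptions made for the illustration.

```python
# Added illustration, not the provider's code: API keys stored as salted
# SHA-256 hashes. Key layout PREFIX + key_id + "_" + secret is an assumption.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

KEY_PREFIX = "sk_live_"   # assumed prefix, so a leaked key is recognisable in scans
SECRET_BYTES = 32         # 256 bits of OS randomness per key
SALT_BYTES = 16


@dataclass(frozen=True)
class StoredKey:
    """What the server persists: lookup id, per-key salt, digest. No plaintext."""
    key_id: str
    salt: bytes
    digest: bytes


def hash_key(api_key: str, salt: bytes) -> bytes:
    # Keys are long random strings, so one fast SHA-256 over salt||key is adequate;
    # low-entropy secrets such as passwords would need a slow KDF instead.
    return hashlib.sha256(salt + api_key.encode("utf-8")).digest()


def create_key(store: dict[str, StoredKey]) -> str:
    """Generate a key and persist only its hash. The plaintext is returned once."""
    key_id = secrets.token_hex(6)
    api_key = f"{KEY_PREFIX}{key_id}_{secrets.token_urlsafe(SECRET_BYTES)}"
    salt = secrets.token_bytes(SALT_BYTES)
    store[key_id] = StoredKey(key_id, salt, hash_key(api_key, salt))
    return api_key


def key_id_from(presented: str) -> Optional[str]:
    """Pull the lookup id out of a presented key; None if the shape is wrong."""
    if not presented.startswith(KEY_PREFIX):
        return None
    key_id, sep, secret = presented[len(KEY_PREFIX):].partition("_")
    return key_id if sep and key_id and secret else None


def authenticate(presented: str, store: dict[str, StoredKey]) -> bool:
    """Look up by id, recompute the salted hash, compare in constant time."""
    key_id = key_id_from(presented)
    record = store.get(key_id) if key_id else None
    if record is None:
        return False
    return hmac.compare_digest(hash_key(presented, record.salt), record.digest)
```

Because each record carries its own salt, identical secrets would still hash differently, and `hmac.compare_digest` keeps the comparison time independent of how many digest bytes match.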

Infrastructure Security

Our infrastructure runs on enterprise cloud providers with SOC 2 Type II certification. We use network segmentation, least-privilege access controls, and automated vulnerability scanning. All production access requires multi-factor authentication.

Zero Prompt Retention

We do not log, store, or analyze the content of your prompts or the AI responses. Your data flows through our gateway and is forwarded to the model provider — we do not retain a copy. This is a hard architectural guarantee, not a policy that could be changed by configuration.

Incident Response

We maintain a documented incident response plan. In the event of a security incident affecting your data, we will notify affected users within 72 hours as required by GDPR, and as promptly as possible for all other users.

Responsible Disclosure

If you discover a security vulnerability in our systems, please report it to [email protected]. We commit to:

  • Acknowledging your report within 24 hours
  • Providing a timeline for resolution within 5 business days
  • Crediting you in our security acknowledgments (if desired)
  • Not pursuing legal action against good-faith researchers

Contact

For security concerns or questions, contact our security team at [email protected].