Our security controls

Secure by design

We use least privilege when connecting to customers’ environments, scoped to only what’s needed to satisfy the control.

Access management

Tonic.ai restricts employee access using the principle of least privilege, ensuring that employees only have access to what they need to perform their specific roles.

External validation

Tonic.ai uses an independent auditor to maintain a SOC 2 report, ensuring adherence to industry standards for security and privacy.

3rd party pen testing

Tonic.ai completes annual third-party static code analysis and manual penetration tests by a qualified assessor.

Manual and automated testing

Tonic.ai uses a combination of manual testing, automated unit and integration tests, and security scanning as part of every release.


Tonic.ai uses multiple logging and monitoring tools to ensure that the software we build and deploy is free of defects and configured securely.

Security & Risk Management Team

Tonic.ai employs staff with industry knowledge and experience in secure infrastructure, application management, risk, and operations.

Device management

Tonic.ai uses centrally managed endpoint management solutions to ensure that all employee and BYOD devices are configured securely, receive proper updates, and remain compliant with Tonic requirements while in use.

Annual security training

Our annual security training covers security hygiene, phishing, data protection, new threats that employees may encounter, and general best practices.

Reporting security issues

If you believe you’ve found something in a Tonic.ai product that has security implications, please email your findings to security@tonic.ai. If you would like to report these over a secure channel, please send us an email, and we can provide a PGP key or other secure form of communication.

For more information about our security processes, please visit our Trust Center or reach out to hello@tonic.ai.