Our security controls
Secure by design
We use least privilege when connecting to customers’ environments, scoped to only what’s needed to satisfy the control.
Access management
Tonic.ai restricts employee access using the principle of least privilege, ensuring that employees only have access to what they need to perform their specific roles.
External validation
Tonic.ai uses an independent auditor to maintain a SOC 2 report, ensuring adherence to industry standards for security and privacy.
3rd party pen testing
Tonic.ai completes annual third-party static code analysis and manual penetration tests by a qualified assessor.
Manual and automated testing
Tonic.ai uses a combination of manual testing, automatic unit and integration tests, and security scanning as part of every release.
Monitoring
Tonic.ai uses multiple logging and monitoring tools to ensure that the software we build and deploy is free of defects and configured securely.
Security & Risk Management Team
Tonic.ai employs staff with industry knowledge and experience in secure infrastructure, application management, risk, and operations.
Device management
Tonic.ai uses centrally managed endpoint management solutions to ensure that all employee and BYOD devices are configured securely, receive proper updates, and remain compliant with Tonic requirements while in use.
Annual security training
Our annual security training covers security hygiene, phishing, data protection, new threats that employees may encounter, and general best practices.
Reporting security issues
If you believe you’ve found something in a Tonic.ai product that has security implications, please email your findings to security@tonic.ai. If you would like to report these over a secure channel, please send us an email, and we can provide a PGP key or other secure form of communication.
For more information about our security processes, please visit our Trust Center or reach out to hello@tonic.ai.
