Legal — Toqen

Security and Responsible Disclosure

We implement appropriate technical and organisational measures to protect personal data and maintain service security, and we welcome responsible vulnerability reports.

TL;DR

  • Secure transport and encryption where appropriate.
  • Strict access controls, environment separation, and monitoring.
  • Responsible disclosure with a safe-harbor commitment for good-faith research.

Security Measures

We maintain a security program designed to protect the confidentiality, integrity, and availability of the Toqen service and any personal data processed in connection with it. Our measures are selected and maintained using a risk-based approach, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the risks to individuals.

  • Encryption in transit using current TLS standards; encryption at rest where appropriate and supported by the relevant infrastructure.
  • Access controls based on least privilege, including restricted administrative access and separation of duties where appropriate.
  • Logical separation between development, staging, and production environments, with controls to reduce the risk of unauthorised access and data exposure.
  • Technical and organisational measures to detect and mitigate abuse and attacks, such as rate limiting, bot mitigation, and replay protection where applicable.
  • Monitoring, logging, and alerting to support security operations, incident detection, and troubleshooting, with access to logs restricted to authorised personnel and service processes.
  • Secure software development practices, including code review and automated testing aimed at identifying security and reliability issues.
  • Protection of Launch Partner participation data and related administrative data in secured systems with access limited to authorised personnel and service processes.

We regularly review and, where appropriate, update our technical and organisational measures in line with evolving risks and changes to the service.

For security reasons, we do not publicly disclose sensitive details of specific controls, configurations, or detection mechanisms.

GDPR and EU Data Protection Principles

Our service is designed with EU data protection principles in mind, including data minimisation, purpose limitation, integrity, confidentiality, and storage limitation.

Where technically feasible and appropriate to the selected functionality, the service is designed to reduce unnecessary long-term retention of personal data and to avoid reliance on identity-centric profiles as a default.

Further information about the processing of personal data, including retention, transfers, and data subject rights, is provided in our Privacy Policy. Where Toqen processes personal data on behalf of a partner, the relationship is governed by the Data Processing Addendum (DPA) and applicable data protection agreements.

Appropriate technical and organisational measures are implemented to support security of processing in accordance with Article 32 of the GDPR.

Responsible Disclosure

If you believe you have discovered a security vulnerability affecting Toqen, please report it to hi@toqen.app and include sufficient detail to allow us to reproduce and investigate the issue.

We review reports submitted in good faith under a responsible disclosure approach and aim to acknowledge valid reports within a reasonable timeframe. We may request additional information or coordination to reduce risk to users and partners.

Safe harbor: We will not initiate legal action against individuals who engage in security research in good faith, provided that they (i) comply with applicable law, (ii) avoid privacy violations, destruction of data, and service disruption, (iii) do not access, collect, retain, use, or disclose data beyond what is necessary to demonstrate the vulnerability, (iv) promptly report the vulnerability to us and give us a reasonable opportunity to remediate it, and (v) do not publicly disclose the vulnerability or related exploit details before remediation or before we agree on a coordinated disclosure timeline.

Infrastructure and Service Providers

We rely on established infrastructure and service providers to operate and secure the service. Where personal data is processed by such providers, they act as processors or subprocessors under appropriate contractual terms, including data protection and security commitments as required by applicable law.

Security controls are implemented through layered technical and organisational measures. While we do not disclose sensitive implementation details, we aim to communicate security practices in a clear, accurate, and non-misleading manner.