Our platform was designed by two former Qualified Security Assessors to reduce PCI DSS scope and to help satisfy regulatory compliance obligations.
TokenEx's GRC and security programs operate in compliance with a range of well-known standards and regulations, and our compliance reports are available to clients upon request. Additionally, TokenEx regularly performs due diligence on the security controls we have in place.
TokenEx is a PCI Certified Level 1 Service Provider, and the TokenEx Cloud Security Platform is designed to help you achieve PCI compliance.
An assessment of TokenEx’s control environment is performed by independent service auditors on a regular basis. The SOC (Service Organization Controls) 2 and 3 reports examine the controls TokenEx maintains over its infrastructure, software, networks, people, procedures, and processes. Based on the Trust Services Criteria, the reports confirm:
TokenEx is compliant with the General Data Protection Regulation (GDPR), legislation enacted by the European Union (EU) to help fortify data protection for all individuals within the EU. The goal of the regulation is to protect the personal data of all EU citizens by regulating how their data is shared, stored, and managed. It also addresses the export of personal data outside of the EU. Moreover, it is designed to standardize data privacy laws across the EU with the main goal to “protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.”
The TokenEx platform is used by clients worldwide, including clients in the vast majority of EU nations, to secure and protect both PCI and personal data sets. TokenEx’s tokenization process is a well-recognized and accepted form of pseudonymization, making compliance with the privacy requirements of GDPR more certain, less costly, and much simpler.
The HITRUST Common Security Framework (CSF) provides organizations with a comprehensive approach to compliance and risk management. The HITRUST CSF combines key regulations and standards into a single overarching framework, including those applicable to PCI, PHI, and PII.
TokenEx’s control environment is aligned with the HITRUST CSF, and TokenEx includes the HITRUST controls as part of our SOC2+HITRUST audit.
TokenEx complies with both the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information to and from the European Union, the United States, the member countries, and Switzerland, as applicable to each framework.
TokenEx has certified to the Department of Commerce that it adheres to both the Privacy Shield Principles and the Swiss-U.S. Privacy Shield.
The Cloud Security Alliance’s Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies that use STAR follow best practices and validate the security posture of their cloud offerings.
The STAR registry documents the security and privacy controls provided by popular cloud-computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions. TokenEx completes an annual Cloud Controls Matrix self-assessment.
Although TokenEx is not in scope for NACHA certification, we have reviewed the NACHA Operating Rules and NACHA Operating Guidelines and comply with the applicable security requirements. TokenEx encrypts all data in transit and at rest. We continuously monitor our platform, validate our security controls, and assess risks to the environment. Additionally, TokenEx is a member of the NACHA affiliate program.
Data is only as secure as the platform protecting it. That’s why TokenEx's cloud-based tokenization model is built for maximum security and reliability.
Keeping our customers’ data safe is our highest priority, so we exercise rigorous security measures throughout all levels of our organization and our processes. That security starts with our people. Throughout our Human Resources lifecycle, TokenEx ensures that:
Background checks are carried out on all new employees.
Nondisclosure agreements are in place with employees and critical vendors.
Security awareness training is administered to employees upon hire and regularly throughout the year.
Policies, processes, and procedures are in place throughout the organization to manage risk and to ensure the security and availability of TokenEx services.
Formal governance structures are in place to oversee the security, compliance, and privacy of the organization.
Management and technical risk assessments are performed to continuously monitor risks to the environment.
TokenEx has a vendor management program to assess vendors prior to implementation and periodically throughout the year.
TokenEx encrypts all customer data in transit and at rest using industry standards and best practices. The Advanced Encryption Standard (AES) algorithm with a key size of 256 bits is used for data at rest. TLS 1.2 protects data in transit, helping to secure network traffic.
Access to the TokenEx environment requires multifactor authentication, and the use of strict password controls is enforced. Audit logging is enabled to capture logon attempts and activity. Inactive user sessions are automatically timed out. Access is granted on the premise of least privilege. A privileged access management system is in place to provide role-based access and session recordings of all admin activity.
TokenEx has established detailed operating policies, procedures, and processes designed to help manage the overall quality and integrity of our environment. Proactive security procedures, such as perimeter defense and intrusion-detection systems, have been implemented.
Extensive monitoring and logging are in place and so are processes for detecting, reporting, and responding to any incidents. Clients can access the portal to monitor and manage their TokenEx vaults, as well as securely communicate with TokenEx client services.
System security is maintained through TokenEx’s vulnerability management program, which includes anti-malware and patch management. Assets are maintained throughout the lifecycle to ensure security of all TokenEx systems.
Vulnerability scans and penetration tests of TokenEx networks and systems are performed regularly and after significant changes. Any exploitable findings are promptly remediated and retested.
TokenEx contracts with a third-party security firm to perform application, internal network, and external network penetration testing.
Automated vulnerability management toolsets and manual processes are used to identify and verify known vulnerabilities and misconfigurations. Common attack techniques such as those listed in the SANS Top 20 and the OWASP Top 10 are verified. Any findings are reviewed, and a risk profile with impact and likelihood metrics is determined.
External vulnerability assessments scan all internet-facing assets, including firewalls, routers, and web servers for potential weaknesses that could allow unauthorized access to the network. In addition, authenticated internal vulnerability network and system scans are performed to identify potential weaknesses and inconsistencies with general system security policies.
TokenEx has formal change-management and system-development processes that document, test, and approve changes prior to implementation. Particular focus is paid to the OWASP Top 10. The SDLC process includes an in-depth security risk assessment and review. Static source code analysis is performed to help integrate security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application.
TokenEx follows a rigorous change-management process. Prior to implementation, changes are tested in the test environment, documented in our system of record with implementation and rollback plans, and then reviewed and approved. Clients are notified via the portal as well as via email of updates to the platform. Releases that might directly impact client usage of the platform are communicated directly to the affected clients by the TokenEx Client Success team.
TokenEx employs redundancy at every layer possible in our infrastructure, and our platform is designed to accommodate operating failures to ensure availability.
TokenEx replicates data offsite to geographically diverse locations. Monitoring is in place to detect issues with the replication process. Failover testing is conducted regularly.
TokenEx has a documented business-continuity and disaster-recovery plan, which is reviewed, updated, and tested regularly.
The TokenEx platform is hosted in fully redundant, high-performance data center facilities across the world. Secure access controls and monitoring, redundant power and connectivity, generators, UPS, and fire suppression are in place at all data centers used by TokenEx. All access to data centers is highly restricted and regulated.
We adhere to technical and organizational security measures to ensure compliance with applicable privacy laws and regulations.
The TokenEx Privacy Program takes a global approach to ensure that TokenEx complies with all applicable data privacy laws and regulations, including the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR) and the Cloud Security Alliance GDPR Code of Conduct. TokenEx has instituted the required technical and organizational security measures under applicable privacy laws and regulations to safeguard the protection of the rights of data subjects.
TokenEx will assist our customers to ensure compliance with legal obligations related to security of processing; notification of a personal data breach to the Supervisory Authority; communication of a personal data breach to the data subject; and data protection impact assessment, taking into account the nature of processing and the information available to the processor. As required, TokenEx will make available to our customers, agencies having jurisdiction, and Supervisory Authorities all information necessary to demonstrate compliance.
TokenEx has promulgated and has in place policies and procedures to demonstrate compliance by TokenEx and our subprocessors with applicable data privacy regulations, including GDPR, and the terms of the Cloud Security Alliance GDPR Code of Conduct. To demonstrate compliance, TokenEx is able to provide the evidence listed below, and in addition, customer audits or assessments in accordance with our standard terms (tokenex.com/legal).
STAR self-assessment available on the Cloud Security Alliance website
SOC2/3 report (requires an NDA)
Privacy Shield status
Information Security Policy and supporting Policies (requires an NDA)
Uptime status monitoring: status.tokenex.com
Privacy Notice: legal.tokenex.com
GDPR Compliance/Standard Terms of Service: tokenex.com/legal
Additional evidence may be provided upon request, subject to customer providing an NDA and an agreement on timing.
TokenEx has a designated Data Protection Officer and a Privacy Committee to manage privacy obligations, review policies and processes, and ensure alignment of those policies and processes with legal requirements and industry best practices. If a material change occurs in applicable laws or regulations, TokenEx’s privacy resources will review and ensure that our processes comply with all such revisions. Various TokenEx employees hold privacy certifications including CIPM, CIPT, and CIPP/E/US. TokenEx conducts regular security and privacy awareness training.
Any changes concerning relevant cloud services will be communicated to customers through mail, email, our Customer Portal, or our Client Success team.
Questions regarding TokenEx’s privacy policies and processes may be addressed to our DPO:
Bob Pezold, General Counsel and Data Protection Officer
PO Box 521068
Tulsa, OK 74152-1068
Our EU representative is:
The Document Warehouse
Document Park, Castle Road, Sittingbourne, Kent, ME10 3JP
+44 (0)208 092 4555
TokenEx’s subprocessors are listed in our DPA. Each subprocessor is accountable and responsible for the fulfilment of its data protection obligations. TokenEx’s sub-processors are bound by the same or substantially similar data protection duties that TokenEx owes to its customers. TokenEx only engages those sub-processors which pass its vendor review process and guarantee sufficient technical and organizational measures to comply with applicable data protection laws. TokenEx will share the agreements entered into with our sub-processors, in part, upon customer request, where needed to demonstrate compliance. TokenEx remains liable to our customers for the performance of our subprocessors’ obligations.
TokenEx will only engage another subprocessor upon full compliance with our contractual commitments to our customers. In the event of an addition or replacement of a sub-processor, customers will be notified in accordance with their respective agreements and, where appropriate, advised of their opportunity to respond, again in accordance with their respective agreements. In the event of termination by a customer, the customer will be afforded sufficient time to procure an alternative service provider or solution, subject to agreed conditions and duration. During the established transition period, an agreed-upon level of services will continue to be provided to the customer, in accordance with the provisions of their respective agreements.
TokenEx is considered a data processor under the GDPR. Data is only processed under explicit instructions from customers. Any processing of data is controlled and initiated by the customer via API or MFT.
TokenEx ensures that personnel authorized to process all personal data have signed non-disclosure agreements.
TokenEx maintains a record of processing activities carried out on behalf of a controller and will make those records available to agency regulators and/or a Supervisory Authority upon request. The records contain:
Customers are responsible for complying with any regulations or laws that require notice, disclosure, and/or obtaining consent prior to transferring data to TokenEx. Data subjects who seek access, or who seek to correct, amend, or delete inaccurate data, should direct their query to TokenEx’s customer (the data controller). Data subjects may request through the data controller that their data not be processed via the TokenEx platform. TokenEx does not interact directly with the data subjects. TokenEx will cease processing personal data when so directed by the controller.
TokenEx uses an IaaS provider for data center hosting. Hosting locations are listed in our DPA. Data is replicated between the primary and DR sites in each region that we utilize. Backup and replication process details can be found in TokenEx’s SOC2 report which is available upon request.
Customer data will reside only in agreed locations. Any changes would be communicated to customers who would be given the opportunity to object. In the event that an objection cannot be satisfactorily resolved between TokenEx and the customer, the customer will be allowed to terminate its contract and will be afforded sufficient time to procure an alternative service provider or solution. During this established transition period, an agreed-upon level of services will continue to be provided.
TokenEx will process personal data only upon documented instructions from our customers, including transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which TokenEx is subject. In those instances, TokenEx will inform the affected customer of that legal requirement before processing, unless that law prohibits such information on some legal basis.
Customers initiate all interactions with their data, including transfers to third parties and deletion. All third-party transfers, including cross-border transfers, are performed under explicit approval and instruction from the customer.
To assure interoperability and portability, TokenEx uses API and batch to allow customers to interface with other digital services and/or if needed to migrate to other providers offering similar services. TokenEx uses these methods to return customer data upon request from an approved user. Requests to return data to the data subjects will be addressed through the customer (data controller).
As the processor, TokenEx will only process data at the explicit instruction of the controller. TokenEx will address all data subject requests through our customers, who are the controllers. Taking into account the nature of the processing, TokenEx will assist our customers by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of their obligation to respond to requests for exercising the data subject's rights.
Data subject requests received by TokenEx will be assigned to our Legal team. The associated TokenEx customer will be notified of the request via their listed contact information. Customers will then have the ability to issue processing instructions through API or batch to address the request. TokenEx will process the data according to instructions given by our customers through API or batch.
To ensure data subject requests can be addressed, TokenEx API calls can be issued to delete, verify, return or modify data. Per the API section of our API docs (docs.tokenex.com), the following calls can be made:
By default, data is protected, and the rights of the data subject are respected. TokenEx encrypts all data at rest and in transit. TokenEx will only transfer data to third parties if explicitly authorized by the customer. To further reduce risk and respect privacy rights, by default customers are not given permissions to detokenize data; this permission must be explicitly requested by the customer.
As previously stated, TokenEx has implemented all technical and organizational security measures to ensure that our services are covered by an appropriate level of security, considering the potential risks to the interests, rights and freedoms of data subjects.
TokenEx adheres to the European Union Agency for Network and Information Security (ENISA) security framework. TokenEx maintains a sophistication level 3 for all controls and has implemented the associated control requirements.
While TokenEx ensures the security of the data we store and process, our customers are responsible for the content and accuracy of the data they provide to TokenEx. TokenEx conducts formal risk management exercises, which include an assessment of the impact of data privacy policies, technical advances and systems. Where required, TokenEx will prepare requests for consultation with supervisory authorities as a result of a data protection impact assessment regarding new products or supplements to existing products. TokenEx has detection, response, and reporting processes in place to promptly respond to security incidents. As TokenEx is software as a service, our customers are not required to install additional software or hardware.
Questions regarding information security can be addressed to TokenEx’s GRC Manager:
TokenEx has relevant insurance policies in place with reputable insurance providers including Commercial General Liability, Technology Errors and Omissions Liability, and Cyber Risk. Upon request and with an NDA in place, TokenEx will make available relevant insurance policies held, their scope, coverage, relevant exclusions and other applicable details.
Any storage or processing of data, including deletion, is controlled and initiated by our customers via API or MFT. Authorized users can request through the customer portal that TokenEx delete all customer records. Automatically upon receiving an authorized batch or API call or manually upon written instruction from an authorized customer representative, TokenEx will delete customer data in the database via a database delete command. Customers are responsible for implementing customer-specific data retention policies. TokenEx will only delete customer data under explicit instruction from customers or 30 days after the termination of the agreement, in accordance with our standard terms (tokenex.com/legal). TokenEx will return data in a standard format to the customer (data controller) upon request at no additional cost. TokenEx manages the systems within our environment; therefore, our subprocessors do not retain data beyond our retention processes. Once customers have triggered the deletion of their data, the data will be deleted from the production environment. As backups are immutable, the data will reside in backup format for 14 days, which is the defined backup retention period. Backup data is not immediately accessible.