- Resource Center
Our platform was designed by two former Qualified Security Assessors to reduce PCI DSS scope and to help satisfy regulatory compliance obligations.
TokenEx's GRC and security programs operate in compliance with a range of well-known standards and regulations, and our compliance reports are available to clients upon request. Additionally, TokenEx regularly performs due diligence on the security controls we have in place.
TokenEx is a PCI Certified Level 1 Service Provider, and the TokenEx Cloud Security Platform is designed to help you achieve PCI compliance.
An assessment of TokenEx’s control environment is performed by independent service auditors on a regular basis. The SOC (Service Organization Controls) 2 and 3 reports examine the controls TokenEx maintains over its infrastructure, software, networks, people, procedures, and processes. Based on the Trust Services Criteria, the reports confirm:
TokenEx is compliant with the General Data Protection Regulation (GDPR), legislation enacted by the European Union (EU) to help fortify data protection for all individuals within the EU. The goal of the regulation is to protect the personal data of all EU citizens by regulating how their data is shared, stored, and managed. It also addresses the export of personal data outside of the EU. Moreover, it is designed to standardize data privacy laws across the EU with the main goal to “protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.”
The TokenEx platform is used by clients worldwide, including clients in the vast majority of EU nations, to secure and protect both PCI and personal data sets. TokenEx’s tokenization process is a well-recognized and accepted form of pseudonymization, making compliance with the privacy requirements of GDPR more certain, less costly, and much simpler.
The HITRUST Common Security Framework (CSF) provides organizations with a comprehensive approach to compliance and risk management. The HITRUST CSF combines key regulations and standards into a single overarching framework, including those applicable to PCI, PHI, and PII.
TokenEx’s control environment is aligned with the HITRUST CSF, and TokenEx includes the HITRUST controls as part of our SOC2+HITRUST audit.
TokenEx complies with both the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information to and from the European Union, the United States, the member countries, and Switzerland, as applicable to each framework.
TokenEx has certified to the Department of Commerce that it adheres to both the Privacy Shield Principles and the Swiss-U.S. Privacy Shield.
The Cloud Security Alliance’s Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies that use STAR follow best practices and validate the security posture of their cloud offerings.
The STAR registry documents the security and privacy controls provided by popular cloud-computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions. TokenEx completes an annual Cloud Controls Matrix self-assessment.
Although TokenEx is not in scope for NACHA certification, we have reviewed the NACHA Operating Rules and NACHA Operating Guidelines and comply with the applicable security requirements. TokenEx encrypts all data in transit and at rest. We continuously monitor our platform, validate our security controls, and assess risks to the environment. Additionally, TokenEx is a member of the NACHA affiliate program.
Data is only as secure as the platform protecting it. That’s why TokenEx's cloud-based tokenization model is built for maximum security and reliability.
Keeping our customers’ data safe is our highest priority, so we exercise rigorous security measures throughout all levels of our organization and our processes. That security starts with our people. Throughout our Human Resources lifecycle, TokenEx ensures that:
Background checks are carried out on all new employees.
Nondisclosure agreements are in place with employees and critical vendors.
Security awareness training is administered to employees upon hire and regularly throughout the year.
Policies, processes, and procedures are in place throughout the organization to manage risk and to ensure the security and availability of TokenEx services.
Formal governance structures are in place to oversee the security, compliance, and privacy of the organization.
Management and technical risk assessments are performed to continuously monitor risks to the environment.
TokenEx has a vendor management program to assess vendors prior to implementation and periodically throughout the year.
TokenEx encrypts all customer data in transit and at rest using industry standards and best practices. The Advanced Encryption Standard (AES) algorithm with a key size of 256 bits is used for data at rest. TLS 1.2 protects data in transit, helping to secure network traffic.
Access to the TokenEx environment requires multifactor authentication, and the use of strict password controls is enforced. Audit logging is enabled to capture logon attempts and activity. Inactive user sessions are automatically timed out. Access is granted on the premise of least privilege. A privileged access management system is in place to provide role-based access and session recordings of all admin activity.
TokenEx has established detailed operating policies, procedures, and processes designed to help manage the overall quality and integrity of our environment. Proactive security procedures, such as perimeter defense and intrusion-detection systems, have been implemented.
Extensive monitoring and logging are in place and so are processes for detecting, reporting, and responding to any incidents. Clients can access the portal to monitor and manage their TokenEx vaults, as well as securely communicate with TokenEx client services.
System security is maintained through TokenEx’s vulnerability management program, which includes anti-malware and patch management. Assets are maintained throughout the lifecycle to ensure security of all TokenEx systems.
Vulnerability scans and penetration tests of TokenEx networks and systems are performed regularly and after significant changes. Any exploitable findings are promptly remediated and retested.
TokenEx contracts with a third-party security firm to perform application, internal network, and external network penetration testing.
Automated vulnerability management toolsets and manual processes are used to identify and verify known vulnerabilities and misconfigurations. Common attack techniques such as those listed in the SANS Top 20 and the OWASP Top 10 are verified. Any findings are reviewed, and a risk profile with impact and likelihood metrics is determined.
External vulnerability assessments scan all internet-facing assets, including firewalls, routers, and web servers for potential weaknesses that could allow unauthorized access to the network. In addition, authenticated internal vulnerability network and system scans are performed to identify potential weaknesses and inconsistencies with general system security policies.
TokenEx has formal change-management and system-development processes that document, test, and approve changes prior to implementation. Particular focus is paid to the OWASP Top 10. The SDLC process includes an in-depth security risk assessment and review. Static source code analysis is performed to help integrate security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application.
TokenEx follows a rigorous change-management process. Prior to implementation, changes are tested in the test environment, documented in our system of record with implementation and rollback plans, and then reviewed and approved. Clients are notified via the portal as well as via email of updates to the platform. Releases that might directly impact client usage of the platform are communicated directly to the affected clients by the TokenEx Client Success team.
TokenEx employs redundancy at every layer possible in our infrastructure, and our platform is designed to accommodate operating failures to ensure availability.
TokenEx replicates data offsite to geographically diverse locations. Monitoring is in place to detect issues with the replication process. Failover testing is conducted regularly.
TokenEx has a documented business-continuity and disaster-recovery plan, which is reviewed, updated, and tested regularly.
The TokenEx platform is hosted in fully redundant, high-performance data center facilities across the world. Secure access controls and monitoring, redundant power and connectivity, generators, UPS, and fire suppression are in place at all data centers used by TokenEx. All access to data centers is highly restricted and regulated.