TokenEx Security and Trust

As a tokenization provider, security is our product. Learn more about the controls we follow to ensure the protection of our clients' sensitive data.

Industry and Legislative Compliance

Our platform was designed by two former Qualified Security Assessors to reduce PCI DSS scope and to help satisfy regulatory compliance obligations.

GRC and Due Diligence

TokenEx's GRC and security programs operate in compliance with a range of well-known standards and regulations, and our compliance reports are available to clients upon request. Additionally, TokenEx regularly performs due diligence on the security controls we have in place.

Certifications and Compliances

PCI Certified Level 1 Service Provider

TokenEx is a PCI Certified Level 1 Service Provider, and the TokenEx Cloud Security Platform is designed to help you achieve PCI compliance.


SSAE 18 SOC 2 and 3

An assessment of TokenEx’s control environment is performed by independent service auditors on a regular basis. The SOC (Service Organization Controls) 2 and 3 reports examine the controls TokenEx maintains over its infrastructure, software, networks, people, procedures, and processes. Based on the Trust Services Criteria, the reports confirm:

  • Security – the system is protected against unauthorized access (both physical and logical).
  • Availability – the system is available for operation and use as committed or agreed.
  • Confidentiality – information designated as confidential is protected as committed or agreed.

General Data Protection Regulation

TokenEx is compliant with the General Data Protection Regulation (GDPR), legislation enacted by the European Union (EU) to help fortify data protection for all individuals within the EU. The goal of the regulation is to protect the personal data of all EU citizens by regulating how their data is shared, stored, and managed. It also addresses the export of personal data outside of the EU. Moreover, it is designed to standardize data privacy laws across the EU with the main goal to “protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.”

The TokenEx platform is used by clients worldwide, including clients in the vast majority of EU nations, to secure and protect both PCI and personal data sets. TokenEx’s tokenization process is a well-recognized and accepted form of pseudonymization, making compliance with the privacy requirements of GDPR more certain, less costly, and much simpler.

HITRUST Compliant

The HITRUST Common Security Framework (CSF) provides organizations with a comprehensive approach to compliance and risk management. The HITRUST CSF combines key regulations and standards into a single overarching framework, including those applicable to PCI, PHI, and PII. 

TokenEx’s control environment is aligned with the HITRUST CSF, and TokenEx includes the HITRUST controls as part of our SOC2+HITRUST audit.


Privacy Shield (EU-U.S. and Swiss-U.S.)

TokenEx complies with both the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information to and from the European Union, the United States, the member countries, and Switzerland, as applicable to each framework.

TokenEx has certified to the Department of Commerce that it adheres to both the Privacy Shield Principles and the Swiss-U.S. Privacy Shield.


Cloud Security Alliance's Security, Trust & Assurance Registry

The Cloud Security Alliance’s Security, Trust, Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies that use STAR follow best practices and validate the security posture of their cloud offerings.

The STAR registry documents the security and privacy controls provided by popular cloud-computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions. TokenEx completes an annual Cloud Controls Matrix self-assessment.

NACHA Affiliate Program



Although TokenEx is not in scope for NACHA certification, we have reviewed the NACHA Operating Rules and NACHA Operating Guidelines and comply with the applicable security requirements. TokenEx encrypts all data in transit and at rest. We continuously monitor our platform, validate our security controls, and assess risks to the environment. Additionally, TokenEx is a member of the NACHA affiliate program.

Organizational Security

Data is only as secure as the platform protecting it. That’s why TokenEx's cloud-based tokenization model is built for maximum security and reliability.

Security and Controls

Keeping our customers’ data safe is our highest priority, so we exercise rigorous security measures throughout all levels of our organization and our processes. That security starts with our people. Throughout our Human Resources lifecycle, TokenEx ensures that:

  • Background checks are carried out on all new employees.

  • Nondisclosure agreements are in place with employees and critical vendors.

  • Security awareness training is administered to employees upon hire and regularly throughout the year.

Governance, Risk, and Management

Policies, processes, and procedures are in place throughout the organization to manage risk and to ensure the security and availability of TokenEx services. 

  • Formal governance structures are in place to oversee the security, compliance, and privacy of the organization.

  • Management and technical risk assessments are performed to continuously monitor risks to the environment.

  • TokenEx has a vendor management program to assess vendors prior to implementation and periodically throughout the year.

Data Encryption

TokenEx encrypts all customer data in transit and at rest using industry standards and best practices. The Advanced Encryption Standard (AES) algorithm with a key size of 256 bits is used for data at rest. TLS 1.2 protects data in transit, helping to secure network traffic.

Logical Security

Access to the TokenEx environment requires multifactor authentication, and the use of strict password controls is enforced. Audit logging is enabled to capture logon attempts and activity. Inactive user sessions are automatically timed out. Access is granted on the premise of least privilege. A privileged access management system is in place to provide role-based access and session recordings of all admin activity. 

Network Security

TokenEx has established detailed operating policies, procedures, and processes designed to help manage the overall quality and integrity of our environment. Proactive security procedures, such as perimeter defense and intrusion-detection systems, have been implemented.

Extensive monitoring and logging are in place and so are processes for detecting, reporting, and responding to any incidents. Clients can access the portal to monitor and manage their TokenEx vaults, as well as securely communicate with TokenEx client services.

Vulnerability Management

System security is maintained through TokenEx’s vulnerability management program, which includes anti-malware and patch management. Assets are maintained throughout the lifecycle to ensure security of all TokenEx systems. 

Vulnerability scans and penetration tests of TokenEx networks and systems are performed regularly and after significant changes. Any exploitable findings are promptly remediated and retested.

Penetration Testing

TokenEx contracts with a third-party security firm to perform application, internal network, and external network penetration testing. 

Automated vulnerability management toolsets and manual processes are used to identify and verify known vulnerabilities and misconfigurations. Common attack techniques such as those listed in the SANS Top 20 and the OWASP Top 10 are verified. Any findings are reviewed, and a risk profile with impact and likelihood metrics is determined.

Vulnerability Scans

External vulnerability assessments scan all internet-facing assets, including firewalls, routers, and web servers, for potential weaknesses that could allow unauthorized access to the network. In addition, authenticated internal network and system vulnerability scans are performed to identify potential weaknesses and inconsistencies with general system security policies.

Application Security and Change Management

TokenEx has formal change-management and system-development processes that document, test, and approve changes prior to implementation. Particular attention is paid to the OWASP Top 10. The SDLC process includes an in-depth security risk assessment and review. Static source code analysis is performed to help integrate security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application.

TokenEx follows a rigorous change-management process. Prior to implementation, changes are tested in the test environment, documented in our system of record with implementation and rollback plans, and then reviewed and approved. Clients are notified via the portal as well as via email of updates to the platform. Releases that might directly impact client usage of the platform are communicated directly to the affected clients by the TokenEx Client Success team.

Business Continuity

TokenEx employs redundancy at every layer possible in our infrastructure, and our platform is designed to accommodate operating failures to ensure availability.

  • TokenEx replicates data offsite to geographically diverse locations. Monitoring is in place to detect issues with the replication process. Failover testing is conducted regularly.

  • TokenEx has a documented business-continuity and disaster-recovery plan, which is reviewed, updated, and tested regularly.

Physical Security & Environmental Controls

The TokenEx platform is hosted in fully redundant, high-performance data center facilities across the world. Secure access controls and monitoring, redundant power and connectivity, generators, UPS, and fire suppression are in place at all data centers used by TokenEx. All access to data centers is highly restricted and regulated.

Industry-Leading Tokenization Services

Users of the TokenEx Cloud Security Platform can benefit from:
  • Data-centric security
  • Resiliency and redundancy
  • Proven reliability
  • 24/7 risk management
