Cybersecurity
Policy + Procedure + People + Management + Technology
Core principles
At Tokeny, we take security and privacy very seriously. All developers work to best security practices whilst working on projects, such as access control and the security of information. We make sure passwords are protected and shared on a need-to-know basis.
Infrastructure
We rely on AWS security protocols. All our HTTP calls are done using a TLS connection, making sure data is not sent in plain text between our applications.
Our back-ends are located in separate Virtual Private Networks and therefore are not accessible from the internet.
APIs
Our APIs rely on signed JWT access control. Authentication is delegated to trusted third parties, depending on each customer's internal architecture. We restrict the HTTP verbs on each endpoint to expose only what is necessary.
Data is validated on every call to make sure the correct types are sent, and our ORM prevents SQL injections.
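The three controls named above (signed JWT access control, type validation of the request body, and parameterised queries of the kind an ORM issues) can be shown together in a small, stand-alone request handler. The code below is an added illustration, not Tokeny's own code; the secret, the investor table and the request bodies are constructed samples, and the HS256 verification is hand-written with the standard library so it runs offline. The unsafe lookup is included only to show the string-concatenation defect that parameterised queries remove.

```python
import base64
import hashlib
import hmac
import json
import sqlite3
import time
from typing import Optional

# Constructed demo secret; a real deployment loads this from a secrets store.
SECRET = b"constructed-demo-secret"
ALLOWED_METHODS = {"GET", "POST"}  # verbs the endpoint actually needs


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT (stands in for the trusted identity provider)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; never trust the token's own choice
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:  # a missing exp is treated as expired
        return None
    return claims


def validate_body(body: dict) -> bool:
    """Type check every field before it reaches the data layer."""
    return isinstance(body.get("investor_id"), int) and isinstance(body.get("wallet"), str)


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE investors (id INTEGER, wallet TEXT)")
    conn.executemany("INSERT INTO investors VALUES (?, ?)", [(1, "0xaaa"), (2, "0xbbb")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, wallet: str) -> list:
    """String concatenation: user input becomes part of the SQL text (the defect)."""
    rows = conn.execute(f"SELECT id FROM investors WHERE wallet = '{wallet}' ORDER BY id").fetchall()
    return [r[0] for r in rows]


def lookup_safe(conn: sqlite3.Connection, wallet: str) -> list:
    """Bound parameter: the driver keeps input as data, which is what an ORM does for you."""
    rows = conn.execute("SELECT id FROM investors WHERE wallet = ? ORDER BY id", (wallet,)).fetchall()
    return [r[0] for r in rows]


def handle_request(method: str, token: str, body: dict, conn: sqlite3.Connection,
                   now: Optional[float] = None) -> tuple:
    """Verb allow-list, then token, then body types, then a parameterised query."""
    if method not in ALLOWED_METHODS:
        return 405, None
    if verify_jwt(token, SECRET, now) is None:
        return 401, None
    if not validate_body(body):
        return 400, None
    return 200, lookup_safe(conn, body["wallet"])


if __name__ == "__main__":
    db = setup_db()
    tok = make_jwt({"sub": "issuer-portal", "exp": 2000}, SECRET)
    print(handle_request("POST", tok, {"investor_id": 1, "wallet": "0xaaa"}, db, now=1000))
    print("unsafe:", lookup_unsafe(db, "' OR '1'='1"), "safe:", lookup_safe(db, "' OR '1'='1"))
```

The order of checks in `handle_request` matters: an unexpected verb is rejected before any token work, an invalid or expired token before the body is parsed, and a mistyped body before any query runs, so each layer only ever sees input the previous one accepted.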
Applications
Security best practices are followed by each developer during the development process. Dependencies are checked for vulnerabilities at build time. Production deployments are regulated, and only a few developers have the ability to do so.
Private key management
Tokeny never uses the issuer's or investors' wallets. Our software helps to prepare blockchain transactions and triggers the smart contracts on behalf of its users. Transactions are signed by the relevant stakeholders involved in them. Tokeny does not act as an operator and does not sign transactions on behalf of its customers. At deployment time, ownership of the smart contracts is transferred to the issuer.
Private keys (gas tank, etc.) are stored encrypted in an SSM parameter. Only AWS administrators and the consuming services can access them. We are also currently building a centralised service to securely manage the signatures needed for transactions on the blockchain; this service enforces access control to Tokeny's private keys. Those keys are only used to perform operations on the blockchain in Tokeny's name, such as ONCHAINID issuance and claim emission. Customers remain the owners of their own private keys, allowing them to emit transactions on the blockchain by themselves.
Fiat funds and Crypto-currencies
Tokeny never touches the funds or crypto-currencies of the investors or the issuers. These are the responsibilities of our customers.
T-REX Smart Contracts
Our T-REX Smart Contracts were audited by Kaspersky (v3) and Hacken (v4) and received green marks. You can review the whole audit here.
Certifications
SOC2 Type I
Tokeny is SOC2 Type I certified as of the 31st of July 2023. You can check the whole report here.