Tonic.ai understands how important it is to protect your information, which is why we've gone above and beyond to establish a robust security posture for our cloud-based products, including Tonic Structural, Tonic Ephemeral, and Tonic Textual.
Tonic.ai exceeds both the stringent controls mandated by the AICPA SOC 2 framework and the security and privacy controls of the US Health Insurance Portability and Accountability Act (HIPAA).
Security architecture and infrastructure
The cornerstone of our secure environment is a meticulously designed security architecture and infrastructure. This section delves into the core principles that guide our infrastructure design, including:
- Secure deployment practices
- Robust data encryption at rest and in transit
- Comprehensive backup strategies
- Rigorous operational procedures
This comprehensive approach ensures the confidentiality, integrity, and availability of your data throughout its lifecycle within our system.
Three-tier architecture model
We built our cloud-based products from scratch using a three-tier architecture model.
Three-tier architecture is a well-established software application architecture that organizes applications into the following three tiers or layers:
- Presentation
- Application
- Data
Communication between tiers is strictly defined on a default-deny basis.
This makes it more difficult to reach the data layer, which creates a layered defense that significantly reduces the risk of successful attacks and data breaches.
Secure storage
We store our core application data in Amazon Relational Database Service (Amazon RDS) instances.
Amazon RDS uses the Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM) with 256-bit secret keys. This industry-standard encryption method uses a unique key to encrypt the data, which renders the data unreadable to anyone who does not hold that key.
Encrypted backups
Regular backups are critical to any data protection strategy.
We use the same AES-256 encryption standard to encrypt our backups, so a backup copy is protected to the same degree as the live data in case of unforeseen events.
We generate and rotate backups automatically to ensure that data is retained only as long as needed for disaster and business continuity.
Application-level encryption
An extra layer of security is applied through application-level encryption of files that are stored in the cloud. This adds another level of protection for sensitive documents and data that are stored in the application.
Tonic Structural and Textual encrypt any uploaded data before it is stored in the database.
With this extra layer of protection:
- Database administrators cannot view the data
- The data does not appear in other tools that might connect to the data
- The data cannot be used from manual backups
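The following Go program is an added illustration of the two encryption points above (AES-256-GCM for stored data, and encrypting an upload before it reaches the database); it is not Tonic.ai's product code. It assumes a locally generated key standing in for a key management service, a constructed sample upload, and a record identifier bound as additional authenticated data so that a ciphertext moved to another record cannot be decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newStorageKey returns a random 256-bit key. In a real deployment the key
// would come from a key management service and never sit next to the data;
// generating it here is an assumption so that the example runs offline.
func newStorageKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptForStorage seals plaintext with AES-256-GCM and returns the bytes to
// store: nonce || ciphertext || 16-byte authentication tag. recordID is bound
// as additional authenticated data (AAD), so a ciphertext copied into a
// different record fails to decrypt even though the key is the same.
func encryptForStorage(key, plaintext []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per record: reusing a nonce under one key
	// would break GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// decryptFromStorage reverses encryptForStorage. Any modification of the
// stored bytes, a wrong key, or a wrong recordID makes Open return an error
// rather than garbage plaintext.
func decryptFromStorage(key, stored []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored record too short to contain nonce and tag")
	}
	nonce, ciphertext := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(recordID))
}

func main() {
	key, err := newStorageKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample upload; not real data.
	stored, err := encryptForStorage(key, []byte("patient=Jane Doe;mrn=000123"), "upload-42")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes, first 8 as hex: %x\n", len(stored), stored[:8])
	plain, err := decryptFromStorage(key, stored, "upload-42")
	fmt.Printf("decrypted: %q (err=%v)\n", plain, err)
	_, err = decryptFromStorage(key, stored, "upload-43")
	fmt.Printf("same bytes under another record id: err=%v\n", err)
}
```

Because the stored bytes are only nonce, ciphertext and tag, a database administrator, a reporting tool connected to the same database, or someone restoring a manual backup sees nothing but random-looking data; the key, not the database, is what has to be protected.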
Next-generation anti-malware and behavioral analysis
Tonic.ai uses next-generation anti-malware software on all of its cloud servers. The software uses both:
- Signature-based scanning to identify known malware
- Behavioral analysis to detect unusual processes and zero-day exploits
Tonic.ai uses regular scheduled scans of instances to catch malware that might be hidden deep in inactive files or archives, and real-time protection to monitor system activity and analyze files, programs, and network traffic as they are used.
Communications and network security
A robust network infrastructure is the foundation of our secure communication architecture.
This section details the key components that safeguard data transmission, including:
- Firewalls for access control
- TLS encryption for data confidentiality
- Load balancing for optimal performance
- Comprehensive network monitoring for continuous vigilance
This combination ensures secure and reliable communication channels for all data transfers within our system.
Transport Layer Security
Our cloud applications use TLS 1.3 and 1.2 to enforce the encryption of ingress traffic. Tonic Structural uses AWS Application Load Balancing security policy ELBSecurityPolicy-TLS13-1-2-2021-06. For details about the supported ciphers, go to https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
By default, egress traffic from our cloud applications also uses TLS encryption to communicate between the application and customer resources.
To maintain compatibility with different database vendors and versions, our cloud offerings are more permissive on the protocols and ciphers that are allowed for egress traffic.
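To make the ingress policy concrete, here is an added Go example (not Tonic.ai's code, and not a reproduction of the AWS policy's cipher list) that builds a server configuration refusing anything below TLS 1.2 and runs in-memory handshakes against clients offering TLS 1.3, TLS 1.2, and only TLS 1.0/1.1. The self-signed "localhost" certificate and the in-process pipe are assumptions so that the exchange runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ingressTLSConfig captures the intent of a "TLS 1.3 and 1.2 only" listener:
// TLS 1.0 and 1.1 are refused. It is a constructed stand-in for the load
// balancer policy named above and does not reproduce that policy's cipher list.
func ingressTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	}
}

// selfSignedCert makes a throwaway certificate for "localhost" so the
// handshake below runs offline; it stands in for the real server certificate.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// clientConfig trusts only the example certificate and offers exactly the
// protocol versions in [minVersion, maxVersion].
func clientConfig(leaf *x509.Certificate, minVersion, maxVersion uint16) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return &tls.Config{RootCAs: pool, ServerName: "localhost",
		MinVersion: minVersion, MaxVersion: maxVersion}
}

// handshake runs a complete TLS handshake between an in-memory client and
// server (no sockets) and returns the negotiated version or the client's error.
func handshake(serverCfg, clientCfg *tls.Config) (uint16, error) {
	clientSide, serverSide := net.Pipe()
	defer clientSide.Close()
	// net.Pipe is synchronous, so session tickets (written after Finished and
	// only read by the client later) are disabled to keep the exchange simple.
	srvCfg := serverCfg.Clone()
	srvCfg.SessionTicketsDisabled = true
	go func() {
		// A refused ClientHello makes the server send a protocol_version
		// alert, which the client sees as its handshake error.
		_ = tls.Server(serverSide, srvCfg).Handshake()
		serverSide.Close()
	}()
	cli := tls.Client(clientSide, clientCfg)
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	server := ingressTLSConfig(cert)
	for _, c := range []struct {
		name     string
		min, max uint16
	}{
		{"TLS 1.3 client", tls.VersionTLS13, tls.VersionTLS13},
		{"TLS 1.2 client", tls.VersionTLS12, tls.VersionTLS12},
		{"TLS 1.0/1.1 client", tls.VersionTLS10, tls.VersionTLS11},
	} {
		v, err := handshake(server, clientConfig(leaf, c.min, c.max))
		fmt.Printf("%-18s negotiated=%#x err=%v\n", c.name, v, err)
	}
}
```

The first two clients negotiate 0x0304 (TLS 1.3) and 0x0303 (TLS 1.2); the third is refused before any application data flows, which is the behaviour an ingress policy of this kind is meant to guarantee. An egress configuration that is deliberately more permissive for older database servers would be a separate tls.Config with a lower MinVersion, kept apart from the ingress one.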
Firewalls
Our cloud applications use both stateful and stateless firewalls that are configured to default-deny all traffic other than traffic that is explicitly expected between different systems on specific ports.
These firewalls also track the state of active network connections and analyze incoming traffic for potential threats to the network and to the data it carries.
We use web application firewalls to block request patterns that are associated with discovery and exploitation of vulnerabilities. The firewalls also use up-to-date commercial threat intelligence to block sources that are associated with botnets or other known threat actors.
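The following Go program is an added example of the default-deny model described above and in the three-tier architecture section; it is not Tonic.ai's firewall configuration. It assumes three constructed private ranges for the presentation, application and data tiers and two constructed ports, and it shows why the stateful part matters: replies from the database are admitted only because the firewall saw the application tier open the connection, so no rule ever has to permit unsolicited traffic out of the data tier.

```go
package main

import (
	"fmt"
	"net/netip"
)

// flow is one packet's 5-tuple.
type flow struct {
	proto   string
	src     netip.Addr
	srcPort uint16
	dst     netip.Addr
	dstPort uint16
}

// rule explicitly permits new connections from src to dst on one port.
type rule struct {
	proto   string
	src     netip.Prefix
	dst     netip.Prefix
	dstPort uint16
}

// firewall is default-deny: a packet passes only when an explicit rule
// permits it, or when it is the reply half of a connection the firewall has
// already seen a permitted packet open (the stateful part).
type firewall struct {
	rules       []rule
	established map[flow]bool
}

func newFirewall(rules []rule) *firewall {
	return &firewall{rules: rules, established: map[flow]bool{}}
}

func (r rule) matches(f flow) bool {
	return r.proto == f.proto && r.src.Contains(f.src) &&
		r.dst.Contains(f.dst) && r.dstPort == f.dstPort
}

func (f flow) reverse() flow {
	return flow{f.proto, f.dst, f.dstPort, f.src, f.srcPort}
}

// allow decides one packet. Because replies are admitted through connection
// state, no rule ever has to say "allow anything from the data tier".
func (fw *firewall) allow(f flow) bool {
	if fw.established[f] {
		return true
	}
	for _, r := range fw.rules {
		if r.matches(f) {
			fw.established[f.reverse()] = true
			return true
		}
	}
	return false // nothing matched: default deny
}

// tierRules models three tiers on constructed private ranges: only the
// presentation tier may open the application port, and only the application
// tier may open the database port. Addresses and ports are assumptions for
// this example, not Tonic.ai's.
func tierRules() []rule {
	presentation := netip.MustParsePrefix("10.0.1.0/24")
	application := netip.MustParsePrefix("10.0.2.0/24")
	data := netip.MustParsePrefix("10.0.3.0/24")
	return []rule{
		{"tcp", presentation, application, 8443},
		{"tcp", application, data, 5432},
	}
}

// tcp builds a TCP flow from string addresses.
func tcp(src string, srcPort uint16, dst string, dstPort uint16) flow {
	return flow{"tcp", netip.MustParseAddr(src), srcPort, netip.MustParseAddr(dst), dstPort}
}

func main() {
	fw := newFirewall(tierRules())
	for _, f := range []flow{
		tcp("10.0.3.10", 5432, "10.0.2.10", 51000), // unsolicited "reply" from the DB
		tcp("10.0.1.10", 51001, "10.0.3.10", 5432), // presentation tier straight to the DB
		tcp("10.0.2.10", 51000, "10.0.3.10", 5432), // app tier opens a DB connection
		tcp("10.0.3.10", 5432, "10.0.2.10", 51000), // the DB's reply to that connection
	} {
		fmt.Printf("%s:%d -> %s:%d allowed=%v\n", f.src, f.srcPort, f.dst, f.dstPort, fw.allow(f))
	}
}
```

The four packets print false, false, true, true: the same reply packet is denied before the application tier opens the connection and allowed afterwards, and the presentation tier can never reach the database port directly, which is the layered defense the three-tier section describes.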
Load balancing
Our cloud applications use high-availability load balancers to balance traffic over multiple instances. This ensures that our service is available even if a single piece of hardware fails.
Intrusion detection
To continuously monitor our services, our cloud applications use intrusion detection software that incorporates:
- Anomaly detection
- Machine learning
- Behavioral modeling
- Commercial threat intelligence
Identity and access management
A robust Identity and Access Management (IAM) system lies at the core of our secure environment.
This section delves into the processes that govern how users are:
- Identified (authentication)
- Authorized to perform specific actions (authorization)
- Managed throughout their time with our system (user lifecycle)
- Monitored for activity (auditing)
These practices ensure that only authorized users have access to the appropriate resources, and that all actions are traceable for enhanced security and accountability.
Centrally managed identity
Tonic.ai uses a centrally managed Identity Provider to provision and manage authentication and authorization to cloud resources. This allows Tonic.ai to enforce authentication policies that include:
- Strong passwords
- Multi-factor authentication
- Geographic and risk-based access
Tonic.ai staff whose roles grant them access to our cloud infrastructure must authenticate through our identity provider before they can access administrative resources (user interfaces and dashboards) and network resources.
Audit logging
Tonic.ai maintains detailed audit logs of our administrators’ access to cloud resources. This includes:
- Their sign-ins
- Type of access (for example, console or VPN)
- The type of device used
- The IP address of the connection
These logs are immediately transferred to a separate AWS account that only security and auditing staff can access.
Security assessment and testing
The security of your data is paramount.
This section dives into the comprehensive security assessments that we conduct throughout the development lifecycle and ongoing operation of our application. We use a multi-layered testing approach to identify and address vulnerabilities before they can be exploited.
Static application security testing
During the Tonic.ai software development lifecycle (SDLC), the pull request process includes static application security testing (SAST). This ensures that changes to our codebase do not introduce potential vulnerabilities.
Vulnerability and dependency scanning
As part of the Tonic.ai SDLC, we use commercial and open-source container scanning of our finished builds. This ensures that Tonic.ai does not release code with known vulnerabilities into our cloud environments.
Runtime scanning
Within our cloud environment, to identify suspicious network activity and prevent leaks of sensitive data, Tonic.ai uses:
- Network threat detection
- Next-generation anti-malware scanning
- Data loss prevention software
External testing
To proactively discover security weaknesses in our applications and networks, we use external manual penetration testing, in which ethical hackers simulate real-world attacks so that we can identify and remediate vulnerabilities.
Compliance and privacy
In our commitment to safeguard your data and to maintain the highest security standards, we undergo regular audits and adhere to recognized certifications.
This section details our compliance framework, outlining the independent assessments and certifications that verify the security and privacy controls that we use to protect your information.
SOC 2 Type II
Tonic.ai undergoes an annual SOC 2 audit that is performed through an independent auditing firm. The audit verifies our adherence to industry-standard security controls that safeguard customer data.
SOC 2 audits focus on a set of criteria that include security, availability, processing integrity, confidentiality, and privacy.
AWS Qualified Software
Our cloud infrastructure has gone through the AWS Foundational Technical Review to ensure that our solution:
- Is well-architected
- Follows industry best practices
- Follows Amazon’s guidance for using their cloud infrastructure securely
GDPR
Tonic.ai is committed to meeting and upholding the principles of the GDPR.
Our cloud applications use industry standard contractual and technical controls to meet GDPR's strict privacy requirements.
Tonic.ai monitors and ensures that our sub-processors meet the same legal and technical standards that we employ.
HIPAA
Tonic Structural uses industry-standard administrative and technical controls to meet HIPAA's strict security and privacy requirements.