private beta · limited accessSign inStart free →
LegalSOC 2
← Back

SOC 2

Certification: SOC 2 Type IIAudit period: Jan–Dec 2025Auditor: Prescient Assurance
Core Privacy Principle

Tokenistt's SOC 2 Type II certification covers the cloud analytics backend only. The local MCP server — which processes all prompt content — runs entirely on your machine and is outside the audit scope by design, because your data never reaches our infrastructure in the first place.

Trust Service Criteria

CriteriaStatusNotes
Security (CC)✓ CertifiedAccess controls, encryption, vulnerability management
Availability (A)✓ Certified99.9% uptime SLA, incident response procedures
Confidentiality (C)✓ CertifiedData classification, DLP controls, NDA with staff
Processing Integrity (PI)✓ CertifiedInput validation, anomaly detection, audit trails
Privacy (P)In scopeGDPR, CCPA alignment; covered in Privacy Policy

What is in scope

  • Cloud analytics ingestion pipeline (receives token count metadata)
  • Dashboard API and web application
  • Authentication and authorization systems (via Clerk)
  • Cloud database storing performance metadata
  • Internal access controls and employee provisioning
  • Encryption at rest and in transit for all stored metadata
  • Incident detection, response, and notification procedures

What is explicitly out of scope

  • The local Tokenistt MCP server process running on your machine — it never sends data to our infrastructure except anonymized metadata
  • Your prompt content, source code, LLM inputs and outputs — these never reach our servers
  • Third-party LLM provider infrastructure (Anthropic, OpenAI, etc.)

Key controls implemented

Encryption

  • TLS 1.3 for all data in transit between MCP server and analytics endpoint
  • AES-256 encryption for all metadata at rest
  • Column-level encryption for workspace and email data

Access controls

  • Zero-trust network access to production infrastructure
  • MFA required for all internal engineer access
  • Least-privilege IAM roles; access reviewed quarterly
  • Production database accessible only via short-lived credentials with full audit trail

Vulnerability management

  • Annual third-party penetration test (most recent: March 2026)
  • Automated dependency scanning on every deployment
  • Bug bounty program at security@tokenistt.com
  • Critical CVEs patched within 24 hours; high within 7 days

Requesting the full report

The complete SOC 2 Type II report is available to Enterprise customers and prospective Enterprise customers under NDA. Contact security@tokenistt.com to request access.