# Security you can trust

Here at Tonic.ai, we utilize the principle of least privilege to protect data. Tonic.ai employees will never access your customer data—and the Tonic platform doesn’t store that data either.

Rest assured that we take security seriously.

Our security controls include the following.

## Secure by design

When we connect to customers' environments, we use least privilege, with access scoped only to what is needed to satisfy the control.

## Access management

To restrict employee access, Tonic.ai applies the principle of least privilege, so that employees have access only to what they need to perform their specific roles.

## External validation

Tonic.ai uses an independent auditor to maintain a SOC 2 report, to ensure adherence to industry standards for security and privacy.


## 3rd-party pen testing

Tonic.ai engages a qualified assessor to complete an annual third-party static code analysis and manual penetration tests.

## Manual and automated testing

As part of every release, Tonic.ai uses a combination of:

* Manual testing
* Automated unit and integration tests
* Security scanning

## Monitoring

Tonic.ai uses multiple logging and monitoring tools to ensure that the software we build and deploy is:

* Free of defects
* Configured securely

## Security and risk management team

Tonic.ai employs staff who have industry knowledge and experience in:

* Secure infrastructure
* Application management
* Risk
* Operations

## Device management

Tonic.ai uses centrally managed endpoint management solutions to ensure that all employee and BYOD devices:

* Are configured securely
* Receive proper updates
* Remain compliant with Tonic.ai requirements while in use

## Annual security training

Our annual security training covers:

* Security hygiene
* Phishing
* Data protection
* New threats that employees might encounter
* General best practices

