Infrastructure Security
| Control | Detail | Status |
|---|---|---|
| Cloud Provider | DigitalOcean (SOC 2 Type II, ISO 27001 certified) | Active (DO) |
| Data Center Region | US-based data centers (NYC / SFO regions) | Active (DO) |
| Physical Security | DigitalOcean-managed; biometric access controls, 24/7 on-site security, CCTV monitoring | Active (DO) |
| Network Firewall | DigitalOcean Cloud Firewall with allowlist-only ingress rules | Active (DO) |
| DDoS Protection | Volumetric DDoS mitigation included with DigitalOcean infrastructure | Active (DO) |
| Infrastructure Redundancy | Redundant networking and power within DigitalOcean data centers | Active (DO) |
| Automated Backups | Daily database snapshots retained for 30 days | Active (Torgix) |
| Backup Encryption | Backups encrypted at rest using AES-256 | Active (Torgix) |
| Disaster Recovery | RTO target < 4 hours; RPO target < 24 hours; annual DR test | Active (Torgix) |
Data Encryption
| Control | Detail | Status |
|---|---|---|
| Encryption at Rest | AES-256 encryption for all stored data including database volumes and backups | Active (DO) |
| Encryption in Transit | TLS 1.2 minimum, TLS 1.3 preferred, for all client-server communication | Active (Torgix) |
| SSL / TLS Certificates | Let's Encrypt certificates with auto-renewal; A+ rating target on SSL Labs | Active (Torgix) |
| Key Management | Encryption keys managed by DigitalOcean; application secrets managed via environment variables | Active (DO) |
| Password Hashing | User passwords hashed using bcrypt with salt (minimum cost factor 12) | Active (Torgix) |
Access Controls
| Control | Detail | Status |
|---|---|---|
| Role-Based Access Control (RBAC) | Granular roles (Admin, Manager, Technician, Viewer) enforced at API and UI layer | Active (Torgix) |
| Multi-Tenant Data Isolation | Each customer's data is logically isolated; cross-tenant queries are architecturally prevented | Active (Torgix) |
| Session Management | Secure, time-limited session tokens; automatic timeout after inactivity | Active (Torgix) |
| API Key Management | Scoped API keys with per-key permissions, expiration, and revocation | Active (Torgix) |
Product & Application Security
| Control | Detail | Status |
|---|---|---|
| Input Validation | All API inputs validated and sanitized; parameterized queries to prevent SQL injection | Active (Torgix) |
| OWASP Top 10 Mitigation | Development practices and code review aligned to OWASP Top 10 risks | Active (Torgix) |
| Dependency Scanning | Automated scanning of third-party libraries for known CVEs (GitHub Dependabot) | Active (Torgix) |
| Secure SDLC | Security review integrated into sprint planning and pull request process | Active (Torgix) |
| Rate Limiting & Throttling | API rate limiting to prevent abuse; per-key and per-IP throttling | Active (Torgix) |
Monitoring & Incident Response
| Control | Detail | Status |
|---|---|---|
| Infrastructure Monitoring | 24/7 uptime and performance monitoring with automated alerting | Active (DO) |
| Application Error Monitoring | Real-time error tracking and alerting for application exceptions | Active (Torgix) |
| Audit Logging | All user actions and API calls logged with timestamp, user ID, and IP; retained 90 days | Active (Torgix) |
| Incident Response Plan | Documented IRP with defined severity levels, escalation paths, and communication templates | Active (Torgix) |
| Breach Notification | Affected customers notified within 72 hours of confirmed breach detection | Active (Torgix) |
Organizational Security
| Control | Detail | Status |
|---|---|---|
| Security Policies | Documented information security policies reviewed and approved annually | Active (Torgix) |
| Acceptable Use Policy | AUP covering company systems, data handling, and customer data access restrictions | Active (Torgix) |
Data Handling & Privacy
| Control | Detail | Status |
|---|---|---|
| Data Classification Policy | Four-tier classification (Public, Internal, Confidential, Restricted) with handling requirements defined per tier | Active (Torgix) |
| Customer Data Ownership | Customers retain full ownership of their data; Torgix uses it only for service delivery | Active (Torgix) |
| Data Retention | Customer data retained for the contract term plus 30 days post-termination, then securely purged | Active (Torgix) |
| Right to Deletion | Customers may request full data deletion; fulfilled within 30 days of verified request | Active (Torgix) |
| Data Portability | Customers can export all their data in standard formats (CSV, JSON) at any time | Active (Torgix) |
| Privacy Policy | Published privacy policy covering data collection, use, retention, rights, and third-party sharing | Active (Torgix) |
| Sub-Processor Disclosure | List of sub-processors maintained and disclosed to customers upon request | Active (Torgix) |
Compliance & Certifications
| Certification | Detail | Status |
|---|---|---|
| SOC 2 Type II | DigitalOcean infrastructure is SOC 2 Type II certified, covering the security, availability, and confidentiality trust service criteria | Active (DO) |
| ISO 27001 | DigitalOcean holds ISO 27001 certification for its information security management system | Active (DO) |
| PCI DSS | DigitalOcean infrastructure is PCI DSS compliant for payment card data environments | Active (DO) |
| GDPR | DigitalOcean is GDPR compliant, with data processing agreements and EU Standard Contractual Clauses available | Active (DO) |
Report a Security Issue
We take security reports seriously. If you discover a potential vulnerability in Torgix, please contact us at security@torgix.ai.
- Acknowledgement within 48 hours
- Status update within 5 business days
- We do not pursue legal action against good-faith researchers
Security & Privacy Contacts
Security issues: security@torgix.ai
Privacy requests: privacy@torgix.ai
Infrastructure trust: DigitalOcean Trust Center
This document is reviewed quarterly or upon material change.
Last reviewed: June 2026 • Torgix, Inc.