Infrastructure Security
| Control | Detail | Status |
|---|---|---|
| Cloud Provider | DigitalOcean (SOC 2 Type II, ISO 27001 certified) | Active (DO) |
| Data Center Region | US-based data centers (NYC / SFO regions) | Active (DO) |
| Physical Security | DigitalOcean-managed; biometric access controls, 24/7 on-site security, CCTV monitoring | Active (DO) |
| Network Firewall | DigitalOcean Cloud Firewall with allowlist-only ingress rules | Active (DO) |
| DDoS Protection | Volumetric DDoS mitigation included with DigitalOcean infrastructure | Active (DO) |
| Infrastructure Redundancy | Redundant networking and power within DigitalOcean data centers | Active (DO) |
| Automated Backups | Daily database snapshots retained for 30 days | Active (Torgix) |
| Backup Encryption | Backups encrypted at rest using AES-256 | Active (Torgix) |
| Disaster Recovery | RTO target < 4 hours; RPO target < 24 hours; annual DR test | Active (Torgix) |
| Vulnerability Scanning | Automated infrastructure vulnerability scanning (quarterly) | Planned |
| Penetration Testing | Third-party penetration test (annual) | Planned |
Data Encryption
| Control | Detail | Status |
|---|---|---|
| Encryption at Rest | AES-256 encryption for all stored data including database volumes and backups | Active (DO) |
| Encryption in Transit | TLS 1.2 minimum, TLS 1.3 preferred, for all client-server communication | Active (Torgix) |
| SSL / TLS Certificates | Let's Encrypt certificates with auto-renewal; A+ rating target on SSL Labs | Active (Torgix) |
| Key Management | Encryption keys managed by DigitalOcean; application secrets managed via environment variables | Active (DO) |
| Password Hashing | User passwords hashed with bcrypt (per-password random salt embedded in the hash; minimum cost factor 12) | Active (Torgix) |
| Customer-Managed Keys (CMK) | Option for enterprise customers to supply their own encryption keys | Planned |
| Field-Level Encryption | Selective field-level encryption for highly sensitive data fields | Planned |
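The bcrypt row above sets a minimum cost factor, which only holds if hashes created before the policy (or imported from a legacy system) are found and upgraded. The following is an added example, not Torgix's code, of auditing stored hashes against that policy and rehashing at login; it assumes hashes are stored in bcrypt's modular-crypt string format, and the sample records, user names and the `MIN_COST` constant are constructed for illustration.

```python
"""Audit stored password hashes against the bcrypt cost-factor policy above.

Added example (not Torgix's code). Assumes hashes are stored in bcrypt's
modular-crypt format and that MIN_COST is the policy value from the table.
"""
import re
from typing import Optional

MIN_COST = 12                      # policy: bcrypt cost factor >= 12
BCRYPT_COST_RANGE = range(4, 32)   # bcrypt accepts cost 4..31

# $2<variant>$<cost>$<22-char salt><31-char digest>, salt/digest in bcrypt's
# own base64 alphabet (./A-Za-z0-9). The salt is embedded in the hash, which is
# why bcrypt needs no separate salt column.
_BCRYPT_RE = re.compile(r"^\$2([abxy])\$(\d{2})\$([./A-Za-z0-9]{53})$")


def parse_bcrypt(stored: str) -> Optional[tuple[str, int]]:
    """Return (variant, cost) for a well-formed bcrypt hash, else None."""
    m = _BCRYPT_RE.match(stored)
    if m is None:
        return None
    cost = int(m.group(2))
    if cost not in BCRYPT_COST_RANGE:
        return None
    return m.group(1), cost


def needs_rehash(stored: str, min_cost: int = MIN_COST) -> bool:
    """True if the hash is not bcrypt at all or was computed below policy cost."""
    parsed = parse_bcrypt(stored)
    return parsed is None or parsed[1] < min_cost


def audit(records: dict[str, str], min_cost: int = MIN_COST) -> dict[str, str]:
    """Map each user whose stored hash violates the policy to a short reason."""
    findings: dict[str, str] = {}
    for user, stored in records.items():
        parsed = parse_bcrypt(stored)
        if parsed is None:
            findings[user] = "not a well-formed bcrypt hash (legacy or corrupted)"
        elif parsed[1] < min_cost:
            findings[user] = f"bcrypt cost {parsed[1]} below minimum {min_cost}"
    return findings


try:
    import bcrypt  # PyPI package 'bcrypt'; needed only to verify or create hashes
except ImportError:  # the audit functions above work without it
    bcrypt = None


def verify_and_upgrade(stored: str, password: str) -> tuple[bool, Optional[str]]:
    """Check a login; on success return a replacement hash when the stored one is
    below policy. Login is the only moment the plaintext is available to rehash."""
    if bcrypt is None:
        raise RuntimeError("pip install bcrypt")
    if parse_bcrypt(stored) is None:
        return False, None  # non-bcrypt legacy formats need their own migration path
    ok = bcrypt.checkpw(password.encode(), stored.encode())
    if ok and needs_rehash(stored):
        new = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=MIN_COST))
        return True, new.decode()
    return ok, None


# Constructed sample rows: syntactically valid bcrypt strings that were not
# derived from any real password, plus one legacy unsalted MD5 and one corrupt row.
_SALT22, _DIGEST31 = "abcdefghijklmnopqrstuv", "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_RECORDS = {
    "alice": "$2b$12$" + _SALT22 + _DIGEST31,     # meets policy
    "bob":   "$2b$10$" + _SALT22 + _DIGEST31,     # hashed before the cost was raised
    "carol": "$2a$12$" + _SALT22 + _DIGEST31,     # older variant prefix, still bcrypt
    "dave":  "5f4dcc3b5aa765d61d8327deb882cf99",  # unsalted MD5 from a legacy import
    "erin":  "$2b$12$truncated",                  # corrupted row
}

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_RECORDS).items():
        print(f"{user}: {reason}")
```

Run the audit as a scheduled job rather than once: a cost raise only takes effect for a given account when that user next logs in, so the findings list is also the list of accounts still exposed to the cheaper hash.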
Access Controls
| Control | Detail | Status |
|---|---|---|
| Role-Based Access Control (RBAC) | Granular roles (Admin, Manager, Technician, Viewer) enforced at API and UI layer | Active (Torgix) |
| Multi-Tenant Data Isolation | Each customer's data is logically isolated; cross-tenant queries are architecturally prevented | Active (Torgix) |
| Session Management | Secure, time-limited session tokens; automatic timeout after inactivity | Active (Torgix) |
| API Key Management | Scoped API keys with per-key permissions, expiration, and revocation | Active (Torgix) |
| Multi-Factor Authentication (MFA) | TOTP-based MFA available for all user accounts | Planned |
| SSO / SAML Integration | Enterprise SSO via SAML 2.0 / OIDC (Okta, Azure AD, Google Workspace) | Planned |
| Privileged Access Management | Just-in-time access for production infrastructure; access logged and time-limited | Planned |
| IP Allowlisting | Enterprise option to restrict platform access to approved IP ranges | Planned |
Product & Application Security
| Control | Detail | Status |
|---|---|---|
| Input Validation | All API inputs validated and sanitized; parameterized queries to prevent SQL injection | Active (Torgix) |
| OWASP Top 10 Mitigation | Development practices and code review aligned to OWASP Top 10 risks | Active (Torgix) |
| Dependency Scanning | Automated scanning of third-party libraries for known CVEs (GitHub Dependabot) | Active (Torgix) |
| Secure SDLC | Security review integrated into sprint planning and pull request process | Active (Torgix) |
| Rate Limiting & Throttling | API rate limiting to prevent abuse; per-key and per-IP throttling | Active (Torgix) |
| Static Application Security Testing (SAST) | Automated SAST scanning integrated into CI/CD pipeline | Planned |
| Bug Bounty Program | Managed bug bounty program for responsible disclosure of security vulnerabilities | Planned |
| WAF (Web Application Firewall) | WAF deployment to filter malicious HTTP traffic | Planned |
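The RBAC and Multi-Tenant Data Isolation rows in the Access Controls table and the Input Validation row above describe the same data-access discipline from two sides: a caller's tenant and role are fixed when the repository is created, and every statement binds them as parameters rather than splicing them into SQL text. The block below is an added example, not Torgix's code, showing a deliberately injectable query beside its tenant-scoped, parameterized form; the `work_orders` schema, the tenant names, the seed rows and the assumption that only Admin and Manager may write are constructed for illustration.

```python
"""Tenant-scoped data access with RBAC and parameterized queries.

Added example (not Torgix's code). The schema, tenant names, and the four
roles' read/write split are assumptions for illustration.
"""
import sqlite3

READ_ROLES = {"Admin", "Manager", "Technician", "Viewer"}   # roles from the RBAC row
WRITE_ROLES = {"Admin", "Manager"}                          # assumed write subset


def make_db() -> sqlite3.Connection:
    """In-memory table seeded with constructed rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE work_orders ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
        " title TEXT NOT NULL, status TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO work_orders (tenant_id, title, status) VALUES (?, ?, ?)",
        [("acme", "Replace HVAC filter", "open"),
         ("acme", "Inspect boiler", "closed"),
         ("globex", "Calibrate scale", "open")],
    )
    return conn


def find_orders_unsafe(conn: sqlite3.Connection, tenant_id: str, status: str) -> list:
    """DELIBERATELY VULNERABLE: the filter is built by string interpolation, so a
    crafted status value rewrites the WHERE clause and crosses the tenant boundary."""
    sql = (f"SELECT tenant_id, title FROM work_orders "
           f"WHERE tenant_id = '{tenant_id}' AND status = '{status}'")
    return conn.execute(sql).fetchall()


class TenantScopedRepo:
    """Every query binds the caller's tenant_id as a parameter; callers cannot
    supply it per query, so a cross-tenant read or write cannot be expressed."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str, role: str):
        if role not in READ_ROLES:
            raise PermissionError(f"unknown role {role!r}")
        self.conn, self.tenant_id, self.role = conn, tenant_id, role

    def find_orders(self, status: str) -> list:
        # Hardened form: '?' placeholders send status as data, never as SQL text.
        return self.conn.execute(
            "SELECT tenant_id, title FROM work_orders WHERE tenant_id = ? AND status = ?",
            (self.tenant_id, status),
        ).fetchall()

    def close_order(self, order_id: int) -> int:
        """Return rows changed: 0 means the id is absent or belongs to another tenant."""
        if self.role not in WRITE_ROLES:
            raise PermissionError(f"role {self.role} may not modify work orders")
        cur = self.conn.execute(
            "UPDATE work_orders SET status = 'closed' WHERE id = ? AND tenant_id = ?",
            (order_id, self.tenant_id),
        )
        self.conn.commit()
        return cur.rowcount


INJECTION = "x' OR '1'='1"   # constructed payload for the demonstration

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_orders_unsafe(db, "acme", INJECTION))   # leaks globex rows
    viewer = TenantScopedRepo(db, "acme", "Viewer")
    print("scoped:", viewer.find_orders(INJECTION))               # []
    admin = TenantScopedRepo(db, "acme", "Admin")
    print("cross-tenant update rows:", admin.close_order(3))      # 0
```

The check worth keeping from this pattern is the `rowcount` on writes: an UPDATE or DELETE that binds `tenant_id` alongside the row id silently affects zero rows when the id belongs to another tenant, which is the behaviour an IDOR probe should see.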
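The Rate Limiting & Throttling row names two dimensions, per key and per IP, and the usual trap is consuming quota from one before discovering the other is exhausted. Below is an added example, not Torgix's code, of a token-bucket limiter that checks both buckets before charging either; the bucket sizes, refill rates, the `203.0.113.7` address and the replayed request sequence are constructed assumptions, and the clock is injectable so the run is reproducible.

```python
"""Per-key and per-IP token-bucket throttling for an API gateway.

Added example (not Torgix's code). Bucket sizes and refill rates are
illustrative assumptions; the clock is injectable so the behaviour is testable.
"""
import time
from typing import Callable


class TokenBucket:
    """Capacity tokens, refilled continuously at refill_per_sec; one token per request."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = float(capacity)
        self.refill = refill_per_sec
        self.tokens = float(capacity)
        self.updated = now

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.updated)   # tolerate a clock that steps backwards
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        self.updated = now

    def has_token(self, now: float) -> bool:
        self._refill(now)
        return self.tokens >= 1.0

    def take(self) -> None:
        self.tokens -= 1.0

    def retry_after(self) -> float:
        """Seconds until one token is available (0 if one already is)."""
        return max(0.0, (1.0 - self.tokens) / self.refill)


class RateLimiter:
    """Allow a request only if both the API key's and the client IP's buckets
    hold a token; check both before consuming so a denial never burns a token."""

    def __init__(self, per_key=(100, 100 / 60), per_ip=(300, 300 / 60),
                 clock: Callable[[], float] = time.monotonic):
        self.per_key, self.per_ip, self.clock = per_key, per_ip, clock
        self.keys: dict[str, TokenBucket] = {}
        self.ips: dict[str, TokenBucket] = {}

    def check(self, api_key: str, ip: str) -> tuple[bool, str, float]:
        """Return (allowed, limiting dimension or 'ok', retry-after seconds)."""
        now = self.clock()
        if api_key not in self.keys:
            self.keys[api_key] = TokenBucket(*self.per_key, now)
        if ip not in self.ips:
            self.ips[ip] = TokenBucket(*self.per_ip, now)
        kb, ib = self.keys[api_key], self.ips[ip]
        if not kb.has_token(now):
            return False, "key", kb.retry_after()
        if not ib.has_token(now):
            return False, "ip", ib.retry_after()
        kb.take()
        ib.take()
        return True, "ok", 0.0


class FakeClock:
    """Constructed manual clock so a sequence of requests is reproducible."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> list[tuple[bool, str, float]]:
    """Replay a constructed burst: 4 calls from key A, then 3 from key B on the
    same IP, then one more from B after a one-second pause."""
    clock = FakeClock()
    limiter = RateLimiter(per_key=(3, 1.0), per_ip=(5, 1.0), clock=clock)
    results = [limiter.check("key-A", "203.0.113.7") for _ in range(4)]
    results += [limiter.check("key-B", "203.0.113.7") for _ in range(3)]
    clock.t = 1.0
    results.append(limiter.check("key-B", "203.0.113.7"))
    return results


if __name__ == "__main__":
    for allowed, why, wait in demo():
        print("allow" if allowed else f"deny ({why}, retry after {wait:.1f}s)")
```

The third element of each result maps directly onto an HTTP `Retry-After` header, and reporting which dimension tripped (key or IP) is what lets a key holder behind a shared NAT tell their own overuse apart from a neighbour's.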
Monitoring & Incident Response
| Control | Detail | Status |
|---|---|---|
| Infrastructure Monitoring | 24/7 uptime and performance monitoring with automated alerting | Active (DO) |
| Application Error Monitoring | Real-time error tracking and alerting for application exceptions | Active (Torgix) |
| Audit Logging | All user actions and API calls logged with timestamp, user ID, and IP; retained 90 days | Active (Torgix) |
| Incident Response Plan | Documented IRP with defined severity levels, escalation paths, and communication templates | Active (Torgix) |
| Breach Notification | Affected customers notified within 72 hours of a breach being confirmed | Active (Torgix) |
| SIEM Integration | Security Information and Event Management platform for correlated threat detection | Planned |
| Security Operations Center (SOC) | 24/7 SOC monitoring for enterprise tier customers | Planned |
| Tabletop Exercises | Annual incident response tabletop exercise with cross-functional team | Planned |
Organizational Security
| Control | Detail | Status |
|---|---|---|
| Security Policies | Documented information security policies reviewed and approved annually | Active (Torgix) |
| Acceptable Use Policy | AUP covering company systems, data handling, and customer data access restrictions | Active (Torgix) |
| Security Awareness Training | Annual mandatory security training for all employees; phishing simulation training | Planned |
| Background Checks | Background screening for all new employees prior to access provisioning | Planned |
| NDAs & Confidentiality | All employees and contractors sign confidentiality agreements upon engagement | Planned |
| Vendor Risk Management | Security review of third-party vendors and sub-processors with access to customer data | Planned |
| Offboarding Procedures | Automated deprovisioning of access within 24 hours of employee departure | Planned |
| Security Committee | Cross-functional security committee with quarterly review cadence | Planned |
| Cyber Insurance | Cyber liability insurance policy in force | N/A |
Data Handling & Privacy
| Control | Detail | Status |
|---|---|---|
| Data Classification Policy | Four-tier classification: Public, Internal, Confidential, Restricted, with handling requirements per tier | Active (Torgix) |
| Customer Data Ownership | Customers retain full ownership of their data; Torgix uses it only for service delivery | Active (Torgix) |
| Data Retention | Customer data retained for the contract term plus 30 days post-termination, then securely purged | Active (Torgix) |
| Right to Deletion | Customers may request full data deletion; fulfilled within 30 days of verified request | Active (Torgix) |
| Data Portability | Customers can export all their data in standard formats (CSV, JSON) at any time | Active (Torgix) |
| Privacy Policy | Published privacy policy covering data collection, use, retention, rights, and third-party sharing | Active (Torgix) |
| Sub-Processor Disclosure | List of sub-processors maintained and disclosed to customers upon request | Active (Torgix) |
| CCPA Compliance | Processes to honor CCPA rights requests (access, deletion, opt-out of sale) | Planned |
| GDPR / Data Processing Agreement (DPA) | DPA available for EU customers; standard contractual clauses for international data transfers | Planned |
Compliance & Certifications
| Certification / Framework | Scope | Status |
|---|---|---|
| SOC 2 Type II (DigitalOcean) | DigitalOcean infrastructure is SOC 2 Type II certified, covering the security, availability, and confidentiality trust service criteria | Active (DO) |
| ISO 27001 (DigitalOcean) | DigitalOcean holds ISO 27001 certification for its information security management system | Active (DO) |
| PCI DSS (DigitalOcean) | DigitalOcean infrastructure is PCI DSS compliant for payment card data environments | Active (DO) |
| GDPR (DigitalOcean) | DigitalOcean is GDPR compliant, with data processing agreements and EU Standard Contractual Clauses available | Active (DO) |
| SOC 2 Type II (Torgix) | Torgix platform-level SOC 2 audit covering security and availability trust service criteria | Planned |
| HIPAA | Business Associate Agreements and HIPAA-required safeguards for healthcare customers | Planned |
| FedRAMP | FedRAMP authorization for US federal government customers | Planned |
| NIST CSF Alignment | Internal controls mapped to NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) | Planned |
Items marked Active (DO) are the provider's own attestations and cover DigitalOcean's infrastructure controls; under the shared-responsibility model they do not attest the controls Torgix operates on top of that infrastructure, which is the scope of the Planned Torgix-level SOC 2 audit.
📩 Report a Security Issue
We take security reports seriously. If you discover a potential vulnerability in Torgix, please contact us at security@torgix.ai.
- Acknowledgement within 48 hours
- Status update within 5 business days
- We do not pursue legal action against good-faith researchers
📞 Security & Privacy Contacts
Security issues: security@torgix.ai
Privacy requests: privacy@torgix.ai
Infrastructure trust: DigitalOcean Trust Center
This document is reviewed quarterly or upon material change.
Last reviewed: May 2026 • Torgix, Inc. • Privacy Policy • Terms of Service