Security

Security practices, compliance certifications, and data protection at Tork.

Security Overview

Tork is built with security as a foundational principle. We implement industry-leading security practices to protect your data and help meet compliance requirements.

  • SOC 2 Type II: Security controls (in progress)
  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Privacy: GDPR and CCPA compliant

API Key Security

Best practices for managing your API keys:

  • Use Environment Variables: Never hardcode API keys in source code
  • Rotate Keys Regularly: Rotate production keys every 90 days
  • Scope Permissions: Use the minimum permissions required
  • Monitor Usage: Set up alerts for unusual API activity
  • Separate Environments: Use different keys for dev, staging, and production

python
import os
from tork_governance import TorkClient

# Good: Load from environment
client = TorkClient(api_key=os.environ["TORK_API_KEY"])

# Bad: Hardcoded key
# client = TorkClient(api_key="tork_sk_...")  # Never do this!

Data Handling

How we handle your data:

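| Data Type           | Retention              | Encryption |
|---------------------|------------------------|------------|
| Audit Logs          | 90 days (configurable) | AES-256    |
| Policy Configs      | Until deleted          | AES-256    |
| Agent Metadata      | Until deleted          | AES-256    |
| Content (if stored) | 24 hours               | AES-256    |
| PII (detected)      | Not stored             | N/A        |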

Content passing through Tork is processed in memory and not persisted unless explicitly configured for audit purposes.

Network Security

Infrastructure security measures:

Infrastructure

  • AWS/GCP with SOC 2 certified infrastructure
  • VPC isolation for all services
  • Regular penetration testing
  • WAF and DDoS protection

Compliance

  • SOC 2 Type II (in progress)
  • GDPR compliant
  • CCPA compliant
  • Annual third-party audits

IP Allowlisting

Restrict API access to specific IP addresses:

python
# Configure IP allowlist via API
client.security.set_ip_allowlist(
    ips=[
        "203.0.113.0/24",    # Office network
        "198.51.100.42/32",  # Production server
    ],
    enabled=True
)

# Or configure in dashboard:
# Settings > Security > IP Allowlist

Webhook Security

Secure your webhook endpoints:

python
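import hmac
import hashlib
from datetime import datetime, timedelta, timezone

def verify_webhook(payload: bytes, signature: str, timestamp: str, secret: str) -> bool:
    # Check timestamp to prevent replay attacks
    try:
        webhook_time = datetime.fromisoformat(timestamp)
    except ValueError:
        return False  # Malformed timestamp
    if webhook_time.tzinfo is None:
        # Naive timestamps are treated as UTC so the subtraction below cannot raise
        webhook_time = webhook_time.replace(tzinfo=timezone.utc)
    if datetime.now(timezone.utc) - webhook_time > timedelta(minutes=5):
        return False

    # Verify HMAC signature over "<timestamp>.<payload>", built from raw bytes
    # so a payload that is not valid UTF-8 cannot raise during decoding
    expected = hmac.new(
        secret.encode(),
        timestamp.encode() + b"." + payload,
        hashlib.sha256
    ).hexdigest()

    # Constant-time comparison; encoding both sides avoids a TypeError
    # when the received signature contains non-ASCII characters
    return hmac.compare_digest(signature.encode(), f"sha256={expected}".encode())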

Security Incidents

If you discover a security vulnerability:

Responsible Disclosure

Please report security vulnerabilities to:

security@tork.network

We respond to all reports within 24 hours and aim to resolve critical issues within 72 hours.

Request Audit Reports: Enterprise customers can request SOC 2 reports and security questionnaires from security@tork.network.
