
Standard Contractual Clauses (SCCs)

EU-Approved Safeguards for International Data Transfers

Last updated: January 17, 2026

What are Standard Contractual Clauses?

Standard Contractual Clauses (SCCs) are pre-approved legal contracts published by the European Commission. They provide a lawful mechanism for transferring personal data from the European Union (EU) or European Economic Area (EEA) to countries that don't have an "adequacy decision" from the EU, including the United States.

Think of SCCs as a standardized "promise" that ensures your data receives GDPR-level protection, even when it crosses borders. Both the data exporter (you) and the data importer (Tork) sign these clauses, creating binding legal obligations.

When Do SCCs Apply?

SCCs are required when personal data is transferred from the EU/EEA to a "third country" without an adequacy decision. In the context of Tork:

SCCs Apply When:
  • You are established in the EU/EEA (or subject to GDPR)
  • You send personal data to Tork for processing
  • That data is processed in Tork's US-based infrastructure

SCCs May Not Be Needed When:
  • You are not subject to GDPR (e.g., US-only operations)
  • No personal data is being transferred (anonymized data only)
  • Future: Using Tork's EU-region deployment (coming 2026)

Tork's SCC Implementation

Tork uses the June 2021 SCCs adopted by the European Commission, which are specifically designed to address post-Schrems II requirements. We implement two modules depending on the transfer scenario:

Module 2: Controller to Processor

For most Tork customers

This module applies when you (the customer) are the data controller and Tork is the data processor. This is the standard relationship for most customers using Tork to evaluate their AI outputs.

Your Company (Controller) → Tork (Processor)

Module 3: Processor to Processor

For sub-processor transfers

This module applies when Tork transfers data to our sub-processors (Vercel, Supabase, Resend). We have Module 3 SCCs in place with each of our sub-processors.

Tork (Processor) → Sub-processors (Sub-processor)

How to Execute SCCs with Tork

Enterprise

Included in DPA Annex

For Enterprise customers, SCCs are automatically included as Annex 3 to your Data Processing Agreement. When you sign the DPA, you're also executing the SCCs. Your Customer Success Manager will provide the pre-signed documents.

Self-Service

Request via Email

For Starter and Professional plan customers, you can request our DPA with SCCs by emailing legal@tork.network. We'll send you the documents for electronic signature within 2 business days.


Download SCC Template: You can download a template of our SCCs for review before signing.

Supplementary Measures

Following the Schrems II decision and EDPB recommendations, SCCs alone may not be sufficient. Tork implements the following supplementary measures to ensure EU personal data is adequately protected:

Technical Measures

Encryption in Transit

All data transmitted to and from Tork is protected using TLS 1.3, the latest transport layer security protocol.

Perfect forward secrecy enabled, strong cipher suites only

Encryption at Rest

All persistent data is encrypted using AES-256, a military-grade encryption standard.

Keys managed via cloud provider KMS with automatic rotation

Data Minimization

API request content is processed in-memory only and never written to persistent storage.

Only metadata required for audit logs is retained

Pseudonymization

Where possible, personal identifiers are replaced with pseudonymous identifiers.

Audit logs use hashed request IDs, not user identifiers

Organizational Measures

Access Controls

Strict role-based access controls limit who can access customer data.

Principle of least privilege enforced, MFA required

Audit Logging

All access to customer data is logged and monitored.

Logs retained for security review, anomaly detection enabled

Staff Training

All staff with data access receive GDPR and security training.

Annual recertification required

Vendor Assessment

Sub-processors undergo security and privacy assessments before engagement.

Annual reviews and contractual protections required

Contractual Measures

Sub-processor SCCs

All sub-processors have executed SCCs or equivalent safeguards.

Vercel, Supabase, and Resend all maintain SCCs

Data Processing Agreements

Binding DPAs in place with all sub-processors.

GDPR Article 28 compliant terms

Incident Notification

Contractual commitment to notify of breaches within required timeframes.

72-hour notification for personal data breaches

Audit Rights

Customers have contractual rights to audit our compliance.

Annual third-party audits available upon request

Transfer Impact Assessment

Tork has conducted a Transfer Impact Assessment (TIA) as required by the new SCCs. Our assessment evaluated US law and its application to the personal data we process. Key findings:

Minimal Data Exposure

API request content is processed in-memory only and never persisted. This means even in the event of a government request, Tork has no substantive content to produce. Only account metadata and audit log metadata are stored.

Strong Encryption

All stored data is encrypted with AES-256. Even if data were accessed, it would be unreadable without the encryption keys, which are managed by cloud provider KMS with strict access controls.

Legal Protections

Tork commits to challenging any government request we believe is unlawful or overly broad. We will notify affected customers unless legally prohibited, and we will exhaust all available appeals before complying with requests we disagree with.

Our full TIA is available to Enterprise customers upon request under NDA.

Sub-processors Covered by SCCs

All of Tork's sub-processors have executed SCCs (or equivalent transfer mechanisms) and implement their own supplementary measures:

Sub-processor | Location | Purpose | SCC Status
Vercel Inc. | United States | Application hosting and edge delivery | SCCs in place
  SOC 2 Type II, ISO 27001, encryption at rest and in transit
Supabase Inc. | United States | Database hosting and authentication | SCCs in place
  SOC 2 Type II, HIPAA BAA available, AES-256 encryption
Resend Inc. | United States | Transactional email delivery | SCCs in place
  SOC 2 Type II, TLS encryption, minimal data retention

Frequently Asked Questions

SCC & Legal Inquiries

For questions about SCCs, to request a copy of our DPA with SCCs, or for any legal inquiries related to data transfers, contact our legal team.

legal@tork.network