Privacy Policy
This Privacy Policy describes how JCorp Australia Pty Ltd, trading as Tork ("Tork", "we", "us", or "our"), collects, uses, and protects your personal information when you use our AI governance platform and related services.
1. What We Collect
Account Information:
- Email address, name, and company details when you register for an account
- Billing information (processed securely by Stripe; we do not store full payment card details)
- Account preferences and configuration settings
Technical Data:
- IP addresses (for rate limiting and security; not used for tracking)
- Browser type, operating system, and device information
- Referral URLs and pages visited on our marketing website
Usage & Governance Data:
- API call counts, timestamps, and error rates for billing and performance monitoring
- Audit log metadata (timestamps, decisions, rule matches) per your plan — content is processed in memory only
- Policy configurations and governance rule definitions you create
2. What We DON'T Store
- Content of API evaluations: The raw text or data you send for evaluation is processed in real-time in memory and is NOT retained after the evaluation is complete.
- Personal data from your end users: We do not collect or store persistent profiles of your end users.
- PII detected during scans: Any PII identified during processing is flagged/redacted in-memory and not persisted.
3. How We Use Data
- To provide and maintain our services
- To communicate with you about service updates, billing, and security alerts
- To improve our detection algorithms (using aggregated, anonymized metadata only)
- To comply with legal obligations and enforce our terms
- To prevent fraud, abuse, and unauthorized access to the service
4. Data Security
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256.
- Access Control: Strict internal access controls ensure only authorized personnel can access account metadata.
- API Key Security: API keys are stored using one-way cryptographic hashes (SHA-256). We cannot retrieve your raw key after creation.
- Audits: We perform regular security audits and vulnerability scans.
- Incident Response: We maintain an incident response plan and will notify affected users of security incidents as required by law (see Section 12).
5. Your Rights by Jurisdiction
Depending on your location, you have the following rights regarding your personal data:
GDPR (EU/EEA Residents):
- Lawful Basis: We process personal data under legitimate interests (service provision), contract performance, and consent where applicable.
- Right of access, rectification, erasure ("right to be forgotten"), restriction, and data portability
- Right to object to processing and right to withdraw consent at any time
- Right to lodge a complaint with your local Data Protection Authority
- Right not to be subject to automated individual decision-making, including profiling
- International Transfers: Data is transferred to the US under Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
- Data Protection Impact Assessments: We conduct DPIAs for high-risk processing activities as required under Article 35 of the GDPR.
UK GDPR (United Kingdom Residents):
- UK residents have equivalent rights to those listed above under UK GDPR and the Data Protection Act 2018
- International transfers rely on the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
- Complaints may be lodged with the Information Commissioner's Office (ICO): ico.org.uk
Australian Privacy Act 1988:
- We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth)
- You may access and correct your personal information by contacting us
- You may complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs: oaic.gov.au
- We will take reasonable steps to notify you if a data breach is likely to result in serious harm (Notifiable Data Breaches scheme)
United States Privacy Laws:
CCPA/CPRA (California):
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information held by us
- Right to opt-out of the sale of personal information. We do not sell personal information.
- Right to non-discrimination for exercising your privacy rights
- Right to correct inaccurate personal information
- Right to limit use and disclosure of sensitive personal information
Additional US State Laws: We also respect the rights of residents under the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), Texas Data Privacy and Security Act (TDPSA), Oregon Consumer Privacy Act (OCPA), and Montana Consumer Data Privacy Act (MCDPA). Residents of these states may exercise their applicable rights by contacting us at privacy@tork.network.
Canada — PIPEDA:
- We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation (e.g., Alberta PIPA, British Columbia PIPA, Quebec Law 25)
- You have the right to access and challenge the accuracy of your personal information
- We obtain meaningful consent for the collection, use, and disclosure of personal information
- Complaints may be filed with the Office of the Privacy Commissioner of Canada
Brazil — LGPD (Lei Geral de Proteção de Dados):
- Brazilian residents have rights to: confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, and the right to revoke consent
- Our legal basis for processing includes contract performance, legitimate interests, and consent where applicable
- Complaints may be filed with the Autoridade Nacional de Proteção de Dados (ANPD)
South Africa — POPIA:
- We comply with the Protection of Personal Information Act (POPIA)
- You have the right to access, correct, and delete your personal information
- You have the right to object to processing and to lodge a complaint with the Information Regulator
- We will notify the Information Regulator and affected data subjects of any security compromise as required by Section 22 of POPIA
Japan — APPI (Act on Protection of Personal Information):
- We comply with the APPI including the 2022 amendments
- You have the right to request disclosure, correction, cessation of use, and deletion of your personal information
- Cross-border transfers are made under consent or to countries recognized by the Personal Information Protection Commission (PPC) as having adequate protections, or under appropriate safeguards
Singapore — PDPA (Personal Data Protection Act):
- We comply with the PDPA including the 2021 amendments
- You have the right to access and correct your personal data
- You may withdraw consent for the collection, use, or disclosure of your personal data
- We will notify the Personal Data Protection Commission (PDPC) and affected individuals of significant data breaches as required under the Notification Obligation
India — Digital Personal Data Protection Act 2023:
- We comply with the Digital Personal Data Protection (DPDP) Act 2023
- You have the right to access, correct, and erase your personal data
- You have the right to nominate another person to exercise your rights
- We process data based on consent or legitimate uses as defined under the DPDP Act
- Grievances may be directed to the Data Protection Board of India
6. International Data Transfers
Tork's primary data processing infrastructure is located in the United States. If you access our services from outside the US, your personal data will be transferred to the US for processing. We implement the following safeguards for international transfers:
- EU/EEA: Standard Contractual Clauses (SCCs) per European Commission Decision 2021/914. See our SCCs page.
- UK: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
- Australia: Compliance with APP 8 (cross-border disclosure of personal information)
- Brazil: Transfer under SCCs or adequate safeguards as recognized by the ANPD
- Other jurisdictions: We rely on applicable adequacy decisions, standard contractual protections, or consent as required by local law
7. Sub-Processors
We use the following third-party sub-processors to deliver our services:
- Supabase (Database & authentication) — US
- Vercel (Hosting & edge compute) — Global edge network
- Upstash (Redis / rate limiting) — US
- Resend (Transactional email) — US
- Better Stack (Logging & monitoring) — EU
- Stripe (Payment processing) — US, PCI DSS Level 1 certified
We will notify customers of any changes to sub-processors at least 30 days in advance. Enterprise customers may object to new sub-processors under their DPA terms.
8. Data Retention
- Account data: Retained while your account is active and for 30 days after deletion request
- Audit logs: Retained per your plan settings (7 days free, 30 days starter, 90 days pro, up to 7 years enterprise)
- API evaluation content: Not retained — processed in memory only
- Usage analytics: Aggregated, anonymized data retained for up to 2 years for service improvement
- Billing records: Retained for 7 years to comply with tax and financial reporting obligations
- Security logs: Retained for 12 months for security monitoring and incident investigation
9. Cookies & Tracking
We use essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies.
- Essential cookies: Required for authentication and session management. Cannot be disabled.
- Analytics: Collected via Vercel Web Analytics, which does not use cookies and is privacy-compliant. No personally identifiable data is collected.
- No advertising cookies: We do not use any advertising, retargeting, or cross-site tracking technologies.
10. Children's Privacy
Tork is a B2B service designed for use by businesses and developers. Our service is not directed at children.
- COPPA (US): We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will promptly delete it.
- GDPR (EU): We do not knowingly process data of individuals under 16 (or the applicable age of consent in their member state). Parental consent is required for processing personal data of children under the applicable age.
- General: If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@tork.network.
11. Automated Decision-Making
Tork's governance evaluations (PII detection, policy enforcement, content filtering) are automated processes that operate on content you submit via the API. These evaluations do not constitute automated individual decision-making about natural persons within the meaning of GDPR Article 22. If you use Tork in a context where automated decisions significantly affect individuals, you are responsible for ensuring appropriate human oversight and providing a mechanism for affected individuals to challenge such decisions.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:
- GDPR: Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33). Notify affected individuals without undue delay where the breach is likely to result in a high risk (Article 34).
- Australian NDB Scheme: Notify the OAIC and affected individuals as soon as practicable after becoming aware of an eligible data breach under the Notifiable Data Breaches scheme.
- US State Laws: Notify affected individuals and relevant state attorneys general as required by applicable state breach notification laws (including California, New York, and other state requirements).
- PIPEDA (Canada): Report breaches to the Office of the Privacy Commissioner and notify affected individuals where the breach creates a real risk of significant harm.
- POPIA (South Africa): Notify the Information Regulator and affected data subjects as soon as reasonably possible.
- All Jurisdictions: We will notify affected customers via email to the account contact on file and, where appropriate, via our status page.
13. EU & UK Representatives
As required by GDPR Article 27 and UK GDPR, we are in the process of appointing representatives in the EU and UK for data protection matters:
- EU Representative: Appointment in progress. In the meantime, EU data subjects may contact our DPO at privacy@tork.network
- UK Representative: Appointment in progress. In the meantime, UK data subjects may contact our DPO at privacy@tork.network
This section will be updated once representatives are formally appointed.
14. Contact & DPO
For privacy-related questions, data subject requests, or to contact our Data Protection Officer, email us at privacy@tork.network
We aim to respond to all data subject requests within 30 days (or within the timeframe required by applicable law). For complex requests, we may extend the response time by up to 60 additional days with prior notification to you.
JCorp Australia Pty Ltd, registered in New South Wales, Australia. Data Protection Officer: privacy@tork.network