Tork is AI agent governance middleware that sits between AI agents and the tools they call. It scans every interaction for PII, enforces configurable policies, and generates cryptographic compliance receipts.

Does Tork work with MCP?

Yes. Tork provides 48 MCP governance tools and a published MCP server that works with Claude, Cursor, Windsurf, and any MCP-compatible client.

What AI frameworks does Tork support?

Tork supports 116+ framework adapters including LangChain, CrewAI, AutoGen, OpenAI Agents, LlamaIndex, Semantic Kernel, Haystack, and more across 11 programming languages.

How much latency does Tork add?

Tork adds approximately 20ms per governance check via the cloud API. PII detection runs locally at sub-millisecond speeds via the Gravity Field engine.

How does Tork detect PII?

Tork detects 50+ PII types including emails, phone numbers, SSNs, credit cards, Medicare numbers, and regional formats across 13 countries. Detection uses a hybrid regex + NER approach running locally with sub-millisecond latency. Detected PII is redacted before reaching AI models.

Yes. Tork's core SDK is MIT licensed and available on GitHub. The open source core includes policy enforcement, PII detection, and local audit logs. Tork Cloud adds centralised dashboards, team management, SSO, and enterprise features.

How do I install Tork?

Install via your language's package manager: pip install tork (Python), npm install @tork-network/tork-js (JavaScript), go get github.com/torkjacobs/tork-go-sdk (Go), gem install tork-ruby (Ruby), cargo add tork-rust (Rust). Add 3 lines of code to start governing your AI agents.

NIST G-5.1

Security Policy & Responsible Disclosure

Tork Network takes security seriously. We welcome responsible disclosure of vulnerabilities and are committed to working with the security community to protect our users.

Reporting a Vulnerability

Report vulnerabilities to

security@tork.network

Please encrypt sensitive reports using our PGP key available at tork.network/.well-known/security.txt

What to Include in Your Report

Detailed description of the vulnerability

Steps to reproduce the issue

Impact assessment and potential severity

Your contact information for follow-up

Proof of concept (if available)

Affected components or endpoints

Response SLAs

Severity	Initial Response	Triage	Resolution
Critical	24 hours	72 hours	7 days
High	24 hours	72 hours	7 days
Medium	24 hours	72 hours	30 days
Low	24 hours	72 hours	90 days

Scope

In Scope

tork.network

Main website and web application

api.tork.network

Governance API endpoints

Admin Dashboard

Organization management console

SDKs

Python, JavaScript, Go, Ruby, Rust, .NET, Java, Kotlin, PHP, Swift, Elixir

MCP Server

@torknetwork/mcp-server package

Guardian

@torknetwork/guardian package

Out of Scope

Third-party services (Supabase, Vercel, Stripe)

Social engineering attacks against employees or users

Denial-of-service (DoS/DDoS) attacks

Physical security of offices or data centers

Attacks requiring physical access to user devices

Spam or phishing campaigns

Safe Harbor

We will not pursue legal action

Tork Network will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, following the guidelines outlined in this policy.

We ask researchers to:

Avoid accessing, modifying, or deleting user data

Avoid disrupting or degrading Tork services

Do not disclose the vulnerability publicly before a fix is released

Provide sufficient detail for us to reproduce and verify the issue

Act in good faith to avoid privacy violations and data destruction

Recognition

We believe in recognizing the valuable contributions of security researchers. For valid vulnerability reports:

Researchers are credited on our security acknowledgments page (with permission)

We provide public recognition for significant findings

Detailed feedback on the vulnerability and remediation steps taken

Security Practices

Encryption

TLS 1.3 for all data in transit
AES-256 encryption at rest
API keys hashed with SHA-256 (never stored in plaintext)

Compliance

SOC 2 Type II controls implemented
GDPR and CCPA compliant data handling
Regular third-party penetration testing

Monitoring

A+ security headers rating (Mozilla Observatory)
Real-time anomaly detection
Governance DNA fingerprinting for audit trails

CI/CD Security

Gitleaks secret scanning on every commit
CodeQL static analysis
SBOM generation for supply chain transparency
Dependency vulnerability scanning

Contact

For security vulnerabilities and responsible disclosure, contact our security team directly.

security@tork.network General inquiries

For a comprehensive overview of our security architecture, visit the Security and Trust Center pages.