Security you can audit
Financial data deserves financial-grade protection. Here is how TOOX safeguards your workspace, end to end.
Data protection
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Daily encrypted backups with restore drills
- Separate database schemas per environment
Account security
- Passwords hashed with bcrypt (cost factor 12)
- Session hardening with rotation on privilege change
- Rate limiting on authentication endpoints
- Two-factor authentication (TOTP) on Growth and Enterprise plans
Application security
- Server-side authorisation checks on every route
- Input sanitisation and output escaping on all user content
- Prepared statements on every database query
- Database-level double-entry integrity triggers — unbalanced journals are rejected before storage
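The last point is the one most specific to a ledger, so here is an added illustration of how a database can refuse an unbalanced journal before it is stored. This is example code written for this page, not TOOX's schema; it assumes SQLite via Python's sqlite3, integer amounts in minor units, and the table and trigger names are invented.

```python
import sqlite3

SCHEMA = """
CREATE TABLE journals (
    id INTEGER PRIMARY KEY,
    memo TEXT NOT NULL,
    posted INTEGER NOT NULL DEFAULT 0 CHECK (posted IN (0, 1))
);
CREATE TABLE journal_lines (
    id INTEGER PRIMARY KEY,
    journal_id INTEGER NOT NULL REFERENCES journals(id),
    account TEXT NOT NULL,
    -- amounts are integer minor units (cents): no floating-point drift
    debit INTEGER NOT NULL DEFAULT 0 CHECK (debit >= 0),
    credit INTEGER NOT NULL DEFAULT 0 CHECK (credit >= 0),
    CHECK (debit = 0 OR credit = 0)
);
-- Posting is where the double-entry invariant is enforced: a journal may only
-- be marked posted when it has lines and its debits equal its credits.
CREATE TRIGGER reject_unbalanced_journal
BEFORE UPDATE OF posted ON journals
WHEN NEW.posted = 1 AND (
    (SELECT COUNT(*) FROM journal_lines WHERE journal_id = NEW.id) = 0
    OR (SELECT SUM(debit) - SUM(credit) FROM journal_lines
        WHERE journal_id = NEW.id) <> 0)
BEGIN
    SELECT RAISE(ABORT, 'unbalanced journal rejected');
END;
"""

def open_ledger():
    conn = sqlite3.connect(":memory:")  # constructed in-memory ledger
    conn.executescript(SCHEMA)
    return conn

def post_journal(conn, memo, lines):
    """lines: (account, debit_cents, credit_cents). True if stored, False if rejected."""
    try:
        with conn:  # commits on success; rolls back journal and lines on error
            jid = conn.execute("INSERT INTO journals (memo) VALUES (?)", (memo,)).lastrowid
            conn.executemany(
                "INSERT INTO journal_lines (journal_id, account, debit, credit) VALUES (?, ?, ?, ?)",
                [(jid, acct, dr, cr) for acct, dr, cr in lines])
            conn.execute("UPDATE journals SET posted = 1 WHERE id = ?", (jid,))
        return True
    except sqlite3.IntegrityError:  # RAISE(ABORT) and CHECK failures land here
        return False

def posted_count(conn):
    return conn.execute("SELECT COUNT(*) FROM journals WHERE posted = 1").fetchone()[0]
```

Because the check runs inside the database transaction, an application bug or a crafted request that skips the server-side validation still cannot leave an unbalanced journal behind; the whole transaction rolls back.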
Operational security
- Principle of least privilege for internal access
- Audit logs for sensitive operator actions
- Incident response runbook with 24-hour disclosure commitment
Reporting a vulnerability
If you believe you have found a security issue, email security@toox.app. We respond within one business day and offer coordinated disclosure for verified reports.