Frequently Asked Questions (FAQs)

Privacy

Do you have a data processing agreement (DPA)?

Yes, customers using Structural Cloud, Ephemeral Cloud or Textual Cloud have a DPA included as part of our standard terms of service.

For a copy of our standard DPA, our sub-processor list, and our technical organizational measures (TOMs), go to www.tonic.ai/terms/dpa.

Do you use sub-processors to provide your Cloud services?

Tonic uses a variety of sub-processors to deliver Tonic Cloud services. These include organizations, such as Amazon Web Services, that provide the underlying infrastructure of our applications, and other vendors for:

  • Account management

  • Customer support

  • Application development

  • User research

  • Credit card processing

Our DPA includes a list of Tonic's sub-processors for Tonic Cloud applications. To view the DPA, go to www.tonic.ai/terms/dpa.

How can I be notified of new sub-processors?

To sign up for notifications of new, changed, or removed sub-processors for any Tonic product (Structural, Ephemeral, Textual), complete the form at https://forms.gle/sYCTVGJiVJdHAQDA6.

Identity and Access Management

Who has access to Tonic Cloud infrastructure?

Tonic.ai uses the principle of least privilege to grant access to infrastructure.

Tonic.ai has defined roles that grant employees access to Tonic Cloud infrastructure and applications. These roles are based on pre-defined need.

Staff that can access Tonic Cloud infrastructure and data stores include:

  • Solutions architects

  • Platform engineers

  • Security staff

Other staff who have incidental access include:

  • Engineering staff who have specific expertise in specific components

Tonic.ai does not use contractors to manage infrastructure.

How do your employees access Tonic Cloud infrastructure?

Tonic.ai employees access Tonic Cloud infrastructure through the AWS Console or through a VPN connection.

Both AWS and the VPN require users to authenticate through our Identity Provider, which enforces multi-factor authentication.

What data can your employees see?

Some Tonic.ai staff are granted access to the infrastructure that hosts Tonic.ai applications, or to the application management consoles.

However, in the course of their regular job duties, Tonic.ai staff never see data that is processed or stored by Tonic.ai applications.

Tonic.ai staff can see data related to the customer organization, end-user accounts, and the configuration of the application.

How are access permissions granted, reviewed, and revoked?

Tonic.ai uses an Identity Provider that automatically grants, updates, and revokes access to:

  • Business applications

  • Infrastructure

  • Software development resources

  • Other internal tooling

Tonic.ai uses the principle of least privilege to grant access to infrastructure.

Tonic.ai uses defined roles to grant employees access to Tonic Cloud infrastructure and applications based on pre-defined need.

At least once a year, Tonic also manually reviews access for vital resources.

Do your employees complete annual training on privacy and security?

All Tonic.ai staff, both employees and contractors, complete initial and annual training in:

  • Security

  • Compliance

  • Privacy awareness

To complete this training, they use an online LMS platform that verifies completion and comprehension.

This training includes:

  • Information security best practices (passwords, MFA, phishing, social engineering)

  • Incident response information (what to look for, who to contact)

  • Data handling and privacy (relevant privacy laws, data classification and handling, disposal)

  • New and relevant security advisories (new threats that employees should be extra vigilant about)

How does the company monitor and audit its employees' compliance with privacy and security policies?

Tonic.ai uses a variety of administrative, technological, and physical controls to monitor our employees' compliance with our privacy and security policies.

These include:

  • Network monitoring

  • Video surveillance

  • Data loss prevention (DLP)

  • Regular security awareness training

  • Access controls

  • Incident reporting

  • Internal and external auditing

Security and Risk Management

Do you conduct risk assessments at planned intervals?

Tonic.ai performs annual risk assessments of our security and privacy programs.

Testing and Assessment

Do you perform penetration tests?

Tonic.ai conducts annual application penetration tests on each of our products.

Application penetration testing proactively identifies and addresses vulnerabilities in each application, which benefits both Tonic Cloud customers and customers who self-host (on-premises).

Do you perform vulnerability scanning?

Our development process incorporates security testing at every stage.

To identify potential security weaknesses early in the development cycle, we automatically run both static application security testing (SAST) and container vulnerability scanning on every pull request and build.

Do Tonic staff receive security and privacy training?

Tonic staff are required to complete security and privacy training, including specific training related to HIPAA, as part of onboarding. This training includes:

  • Security best practices (includes passwords, multi-factor authentication, and other operational security practices)

  • Privacy regulations that affect Tonic (for example, GDPR and HIPAA)

  • Data classification and handling

  • Advisories on new security threats that staff should be aware of

  • Incident procedures (includes what to report, who to report it to, how quickly to report it)

Communications and Network Security

Do you encrypt data in transit?

Tonic.ai applications can either be deployed as a service (Tonic Cloud) or self-hosted by the customer. The following applies to hosted applications on Tonic Cloud.

Ingress web traffic

End-users interact with Tonic.ai applications primarily through web interfaces and consoles. Tonic Cloud applications receive this traffic through high-availability load balancers that terminate TLS for all ingress traffic. These load balancers enforce the use of specific protocol versions and selected strong cipher suites. Specifically, Tonic.ai supports the following TLS protocol versions:

  • TLS 1.3

  • TLS 1.2

Tonic Cloud supports the following cipher suites:

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

These protocol versions and cipher suites currently receive an A or higher rating in Qualys SSL Labs testing (view the results: Structural, Textual, Ephemeral, Validate).

These are the versions and cipher suites that AWS defines in its load balancer security policies ELBSecurityPolicy-TLS13-1-2-Res-2021-06 and ELBSecurityPolicy-TLS13-1-3-2021-06. For more information about these policies, go to the AWS documentation.
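A way to verify the policy above from the client side, as an added example that is not Tonic.ai's own code: the script below builds a Python ssl context restricted to the versions and suites listed above, reports which suites the local OpenSSL actually offers under that restriction, and then probes a host, first offering TLS 1.0 and TLS 1.1 alone (which a conforming endpoint must refuse) and then a normal handshake, checking that the negotiated suite is on the list. The host to probe is supplied by the caller; nothing about the Tonic endpoints is hard-coded, and the audit() call at the bottom is only run when the file is executed directly.

```python
"""Client-side check of the TLS policy listed above. Added example, not
Tonic.ai's own code; the host to probe is supplied by the caller."""
import socket
import ssl

# Protocol versions and cipher suites from the FAQ, in the OpenSSL names that
# Python's ssl module reports.
ALLOWED_VERSIONS = frozenset({"TLSv1.2", "TLSv1.3"})
ALLOWED_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
})


def meets_policy(negotiated):
    """negotiated is the (cipher, protocol, bits) tuple from SSLSocket.cipher()."""
    name, version, _bits = negotiated
    return version in ALLOWED_VERSIONS and name in ALLOWED_SUITES


def build_client_context():
    """A client context limited to the FAQ's list. set_ciphers() governs only
    TLS 1.2 suites; with OpenSSL's stock defaults the TLS 1.3 suites are exactly
    the three TLS_* entries above, so they need no extra configuration."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(s for s in sorted(ALLOWED_SUITES) if not s.startswith("TLS_")))
    return ctx


def enabled_suites(ctx):
    """Suites the local OpenSSL will actually offer under that context."""
    return {c["name"] for c in ctx.get_ciphers()}


def negotiate(host, port=443, version=None, timeout=5.0):
    """Handshake and return SSLSocket.cipher(), or None if the server refused.
    Passing version pins both minimum and maximum, to test one version alone."""
    ctx = build_client_context()
    if version is not None:
        ctx.minimum_version = version   # lower the floor first so max >= min holds
        ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()
    except OSError:                      # ssl.SSLError, timeouts and resets all derive from it
        return None


def audit(host, port=443):
    """Legacy versions must be refused; the default handshake must land on
    an allowed suite."""
    legacy = {}
    for label, ver in (("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1)):
        try:
            legacy[label] = negotiate(host, port, version=ver)
        except ValueError:               # local OpenSSL cannot even offer this version
            legacy[label] = None
    best = negotiate(host, port)
    return {
        "legacy_versions_rejected": all(v is None for v in legacy.values()),
        "negotiated": best,
        "negotiated_allowed": best is not None and meets_policy(best),
    }


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1]))
```

SSLSocket.cipher() returns OpenSSL's names, so TLS 1.3 handshakes come back as TLS_AES_128_GCM_SHA256 and so on, the same spelling the FAQ uses; a "legacy_versions_rejected": False result means the endpoint completed a TLS 1.0 or 1.1 handshake and does not match the policy stated above.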

Ingress SSH traffic

Some Tonic.ai applications, such as Ephemeral, might create ingress SSH tunnels that allow end-users and customer applications to reach Tonic Cloud resources that require other protocols, for example a database connection.

For ingress SSH connections, Tonic.ai supports the following SSH ciphers:

  • chacha20-poly1305@openssh.com

  • aes128-ctr

  • aes192-ctr

  • aes256-ctr

  • aes128-gcm@openssh.com

  • aes256-gcm@openssh.com
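To check what an SSH endpoint actually advertises, as an added example that is not Tonic.ai's own code: the script below performs only the RFC 4253 version-string exchange, reads the server's first binary packet, parses its SSH_MSG_KEXINIT name-lists, and reports any encryption algorithm outside the list above, separately for each direction. It never proceeds to key exchange, so it learns nothing but the server's advertised algorithms. The sample KEXINIT in the block is constructed for illustration, not captured from a Tonic host; the host and port are whatever the caller passes to probe().

```python
"""Read the encryption algorithms an SSH server advertises in SSH_MSG_KEXINIT
and compare them with the list above. Added example, not Tonic.ai's own code."""
import socket
import struct

# Ciphers the FAQ lists for ingress SSH.
ALLOWED_CIPHERS = frozenset({
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
})
SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)
ENCRYPTION_FIELDS = KEXINIT_FIELDS[2:4]

def parse_kexinit(payload):
    """byte 20, 16-byte cookie, ten name-lists (uint32 length + comma-separated
    names), boolean first_kex_packet_follows, uint32 reserved."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, fields = 17, {}
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[name] = raw.split(",") if raw else []
    fields["first_kex_packet_follows"] = bool(payload[pos])
    return fields

def build_kexinit(**lists):
    """Inverse of parse_kexinit. The zero cookie is fine for test input only;
    a real client must send 16 random bytes."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in KEXINIT_FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)

def frame_packet(payload):
    """Pre-encryption binary packet: uint32 packet_length, byte padding_length,
    payload, padding (at least 4 bytes, total a multiple of 8); no MAC yet."""
    padding = 8 - (5 + len(payload)) % 8
    if padding < 4:
        padding += 8
    body = bytes([padding]) + payload + bytes(padding)
    return struct.pack(">I", len(body)) + body

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def read_packet(sock):
    """Return the payload of one unencrypted binary packet (any object with recv())."""
    (length,) = struct.unpack(">I", _recv_exact(sock, 4))
    body = _recv_exact(sock, length)
    return body[1:length - body[0]]

def probe(host, port=22, timeout=5.0):
    """Version exchange only, then parse the server's KEXINIT; no key exchange."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        line = b""
        while not line.startswith(b"SSH-"):      # servers may send banner text first
            line = b""
            while not line.endswith(b"\n"):
                line += _recv_exact(sock, 1)
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")
        fields = parse_kexinit(read_packet(sock))
        fields["server_version"] = line.decode("ascii", "replace").strip()
        return fields

def unexpected_ciphers(fields):
    """Advertised encryption algorithms outside ALLOWED_CIPHERS, per direction."""
    return {d: sorted(set(fields[d]) - ALLOWED_CIPHERS) for d in ENCRYPTION_FIELDS}

# Constructed sample, not captured from a Tonic host: one legacy CBC cipher slipped in.
SAMPLE_KEXINIT = build_kexinit(
    kex_algorithms=["curve25519-sha256"],
    server_host_key_algorithms=["ssh-ed25519"],
    encryption_algorithms_client_to_server=["aes256-gcm@openssh.com", "aes128-cbc"],
    encryption_algorithms_server_to_client=["chacha20-poly1305@openssh.com"],
    mac_algorithms_client_to_server=["hmac-sha2-256"],
    mac_algorithms_server_to_client=["hmac-sha2-256"],
    compression_algorithms_client_to_server=["none"],
    compression_algorithms_server_to_client=["none"],
)
```

Run against a live endpoint with unexpected_ciphers(probe(host, port)); an empty list in both directions means the server advertises nothing beyond the six ciphers listed above. Because read_packet() only needs an object with recv(), a captured KEXINIT can be replayed offline through a small bytes-backed stand-in, which is how frame_packet() and parse_kexinit() are exercised without a network.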

Egress traffic

To retrieve the data needed to process and to load data into other systems, as configured by customers, Tonic.ai applications connect to:

  • Databases

  • Applications

  • Data warehouses

  • File storage systems

  • Other external resources

Tonic.ai applications support a wide variety of databases, applications, and data connectors, and many versions of each. To maintain compatibility with older connector drivers and varied customer configurations, Tonic Cloud does not disable older, broken, or less secure ciphers and modes on these egress connections, including some that are not recommended for use. The protocol version and cipher actually negotiated on an egress connection are therefore governed by what the customer's system accepts.

Customers should ensure that the systems Tonic Cloud applications connect to have encryption policies in place that enforce the protocol versions and ciphers required by their organization's security policies.
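As an added example of such a customer-side policy (not Tonic.ai's configuration, and assuming the connected system is PostgreSQL 12 or later with OpenSSL), the fragment below shows the permissive settings next to ones that refuse anything below TLS 1.2 and, for TLS 1.2, offer only the same ECDHE AES-GCM suites the ingress load balancers use. The role name and the source address range are placeholders.

```ini
# postgresql.conf on the customer's database server (assumed PostgreSQL 12+;
# example settings, not Tonic.ai's configuration)
ssl = on

# Permissive: PostgreSQL releases before 12 accepted TLS 1.0 and 1.1, and the
# default cipher string still admits CBC and 3DES suites.
#ssl_min_protocol_version = 'TLSv1'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'

# Enforced: refuse anything below TLS 1.2 and offer only ECDHE + AES-GCM.
# ssl_ciphers governs TLS 1.2 suites only; TLS 1.3 suites are OpenSSL's
# defaults, which with a stock build are the three TLS_* suites listed above.
ssl_min_protocol_version = 'TLSv1.2'
ssl_ciphers = 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'
ssl_prefer_server_ciphers = on

# pg_hba.conf: accept the role used by the Tonic connection only over TLS
# (hostssl, never host) and only from the expected source range.
# 203.0.113.0/24 is documentation address space; substitute the real egress range.
hostssl  all  tonic_svc  203.0.113.0/24  scram-sha-256
```

With these settings a connection that offers only legacy ciphers fails at the handshake on the database side, so the weak ciphers that remain enabled in the Tonic egress client can never be selected.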

Do you use firewalls / web application firewalls?

Tonic applications can either be deployed as a service (Tonic Cloud) or self-hosted by the customer. The following applies to applications that are hosted on Tonic Cloud.

Tonic Cloud applications are deployed behind high-availability load balancers. The load balancers are configured with both network and web application firewalls.

Tonic Cloud uses both stateful and stateless network firewalls. To minimize the network attack risk, they are configured with "default deny". Traffic is allowed only on pre-defined ports from specified locations.

Tonic.ai also uses web application firewalls to:

  • Protect against common web exploits

  • Reduce bot traffic

  • Filter out traffic from known malicious resources

Tonic.ai updates its web application firewalls regularly using rulesets and threat intelligence from both commercial vendors and open source threat intelligence.

Security Architecture

Where are your data centers located?

Tonic Cloud uses Amazon Web Services (AWS) global infrastructure to host all Tonic Cloud services. Currently, Tonic Cloud is deployed in two regional tenancies.

United States tenancy

Tonic Cloud uses AWS US East (N. Virginia) as its primary region in the US. It uses US West (Oregon) for out-of-region backups and disaster recovery.

Tonic Cloud hosts the following services in the United States:

  • Structural

  • Ephemeral

  • Textual

  • Validate

European tenancy

Tonic Cloud uses AWS Europe (Frankfurt) as its primary region in Europe. It uses Europe (Stockholm) for out-of-region backups and disaster recovery.

Tonic Cloud hosts the following services in Europe:

  • Structural

Do you back up your data? If so, how often?

Tonic Cloud services are backed up automatically every 24 hours.

We store a copy of these daily backups in the primary region.

For disaster recovery situations, we send another copy to a geographically different region.

How does Tonic.ai dispose of data at the end of the contract?

Tonic Cloud stores customer data in AWS-managed resources during the lifetime of the contract.

At the end of the contract, Tonic.ai deletes the data from those AWS resources. When a storage device is removed from service, AWS handles the destruction of the physical media.

For information about the AWS security and compliance posture, go to the AWS Compliance site.
