Torq Security and Compliance

Built and operated by enterprise cyber security professionals, Torq complies with industry-leading security, privacy and reliability standards and practices.

SOC 2 Type II Compliant

  • Built with a security mindset from the foundation up, the Torq platform and its operations comply with industry-leading standards. Our operations are monitored continuously to ensure that all controls are enforced at all times
  • SOC 2 Type 2 compliance covers the AICPA’s Trust Services Principles and Criteria for Security, Availability, Confidentiality, and Privacy
  • Compliance reports produced periodically by external auditors are available upon request

ISO 27001 Certified

  • ISO/IEC 27001 is an international standard on managing information security. The standard was published and revised jointly by the International Organization for Standardization and the International Electrotechnical Commission
  • Torq’s architecture and operations fully comply with the requirements of the standard, demonstrating strict adherence to information security management best practices
  • Information on Torq’s ISO 27001 certification is available upon request

HIPAA Compliant

  • Torq’s infrastructure and operations are externally and internally audited and were found compliant with the privacy management requirements of the Health Insurance Portability and Accountability Act
  • When engaging with HIPAA covered entities, while Torq never requires access to PHI, we are happy to provide and sign a HIPAA Business Associate Agreement (BAA) to assure the highest level of care for information that is being provided to us

GDPR Compliant

  • Torq’s information handling procedures and privacy operations are compliant with the EU General Data Protection Regulation (GDPR)
  • Torq performs strict due-diligence with its subcontractors and can provide an up-to-date Data Processing Addendum (DPA) for counter signing
  • Our GDPR-compliant and HIPAA-compliant operations model identifies, segregates and encrypts customer data at each stage of the data funnel
  • All privacy-related requests should be addressed to privacy@torq.io

Enterprise-Grade Security Service

  • Enterprise Single Sign-On: Torq integrates with leading Enterprise Single Sign-On and Multi-Factor Authentication providers, including, but not limited to, Microsoft Azure AD, Okta, OneLogin, Ping Identity, Google Identity and Duo Security.
  • Role-Based Access Control: Our granular Role-based Access Control (RBAC) allows managing permissions inside the automation and orchestration environments on a least-privilege basis, ensuring operational processes that adhere to industry standards in terms of security and privacy.
  • Secure Immutable Infrastructure: The Torq service is operated with immutable cloud-based compute components that are continuously aligned to the latest and most secure releases of relevant software packages.
  • Zero Trust Access to Distributed Environments: Torq uses a Zero Trust approach for orchestrating processes that take place in distributed environments, allowing organizations to adopt very strict security requirements while running efficient operations.

Complete Accountability and Transparency

The technical and operations teams at Torq firmly believe in making sure that multiple layers of security awareness exist throughout our software development cycle.

Network and Access Security

The Torq solution architecture is built on network isolation of production environments and Zero Trust access under the least-privilege principle for all services and operators. All activity is audited and historical records are maintained.

Datacenter Security

Torq relies on leading infrastructure providers, such as GCP and AWS, for the hosting of its application infrastructure. GCP and AWS data centers are subject to very strict physical access control and industrial compliance standards.

Application Security

Our engineering organization has adopted an uncompromising security-first methodology, beginning with application security reviews at all design and development stages and following through with security tests executed as part of the CI/CD pipeline.

External Audits & Tests

Our platform and infrastructure are periodically audited and tested to ensure the highest levels of security. Penetration test reports from industry-leading application and infrastructure security specialists are available upon request.