Security FAQ

What platform is used to store PII, HIPA, Financial, or Proprietary data?

We don’t manage PII data. No specific controls for HIPA, Financial or Proprietary. We use Stripe to store PCI data.

Is multifactor authentication required for your employees to access various platforms and services?

Yes, MFA is required for accessing Toric accounts and systems.Username and password (password standard implemented) or SSO required to authenticate into the Toric application, and MFA required for external services. In accordance with the Password Policy, Toric employees should use MFA for any and all systems (external) that provide the option for Multi-Factor Authentication (MFA). MFA Requirements: MFA must be enabled for any and all key Toric systems that provide the option for Multi-Factor Authentication (MFA) - Google, AWS, Github and Slack. MFA is recommended for other systems used by Toric employees.

Data Targets - Physical data products used (Azure/AWS/Google databases-Azure SQL/RDS or data lake?, Snowflake?, other?)

We have an internal Data Table (built on top of SQL) or we can push data to external databases like Azure, Amazon RDS, Redshift, Aurora, GCP (Big Query, MySQL, PostgreSQL, SQL server), Databricks, Snowflake, Maria DB, MySQL, MS SQL, PostgreSQL

Does the application provide the ability for customers to export their data on demand?

Toric supports exports to CSV, XLSX, JSON and Parquet. In addition to export format choice, we support a number of export destinations such as S3, Azure, Dropbox etc. When exporting at the row level we support automated exports to external databases, including BigQuery, MS SQL, MySQL, RDS, and more

Does the provider or applicant maintain multifactor authentication audit processes?

Yes. We’ve undergone SOC2 Type 1 & Type 2 assessment. Toric employs automated tools (Drata) auditing compliance with policy.

Does the provider maintain and enforce disk encryption policies?

Yes, checked daily. Data is persisted in AWS S3. S3 is configured for Advanced Encryption Standard (“AES”) 256 encrypted disks for all data stored at rest. Toric ensures that company-issued laptops have encrypted hard-disks.

Do you supply prebuilt content in one (or more of these tools)?

Yes we have pre-built template workflows and dashboards/reports around BIM (design comparison, 4D - 7D), PM, Cost analysis, etc.

How and where is the technology or service hosted?

Toric stores customer data in a secure production account in Amazon Web Services (AWS), using RDS and S3. Toric hosts on AWS in the us-east-1 (N. Virginia) region by default. Data is replicated across multiple regions for redundancy and disaster recovery

Is the solution multi-tenanted? If so, what (if any) restrictions are there on usage (ex. Limits on number of API calls etc.)?

Toric is a multi-tenanted solution. API usage is limited to 3000 requests/hour, but can be increased if/as needed.

Does the application require the download of any software to users’ PCs (ex. Browser plug-ins)? If so, what are the minimum hardware and/or software requirements?

Toric is a cloud-hosted solution. As such, it does not require any software to be downloaded to the users’ PCs.Integrations against desktop applications may require the installation of a plugin to the integration target. For example, integrating data from Revit, Navisworks, etc. (desktop tools) is accelerated via the installation of Toric provided plugins for these tools.

What are the minimum browser requirements for using the application?

Toric is optimized for the latest Google Chrome, Microsoft Edge & Safari browsers.

Does the application provide the ability to recover and restore accidentally deleted data?

While Toric does not expose a “trash can” at the moment, items in Toric are “soft-deleted” allowing for recovery. Additionally through the connected integrations Toric supports the re-ingestion of delete data if needed.

Does the application (or the applications partner ecosystem) store credit card data? If so, are those applications PCI compliant?

At the product level Toric does not store credit card information. When necessary to accept CC info, (eg. for billing purposes), Toric uses a PCI compliant partner, Stripe.

Are application integrations secured using credentials (ID/Pwd or keys) managed by a customer designated administrator?

Integration credentials are managed via the customer designated administrator. Toric stores credentials encrypted with the passkey managed via AWS secret manager. Encrypted credentials never leave the server environment.

Does the application support the ability to create security groups and roles for controlling access to various application features?

Toric provides role based access control where users are grouped as “Owners”, “Members”, and “Collaborators”; each group maintains their own set of permissions.

Does the service undergo 3^rd party security assessment (vulnerability assessment, pen test, NIST assessment) on a regular basis?

Yes, we are GDPR, SOC 2 Type I & II compliant. In addition, Toric undergoes a yearly penetration test and quarterly vulnerability scans.

Describe your encryption protocols and how they apply to transacted data?

Data at rest - Data at rest in Toric’s production network is encrypted using industry-standard 256-bit Advanced Encryption Standard (AES256), which applies to all types of data at rest within Toric’s systems—relational databases, file stores, database backups, etc. Data in transit - To protect data in transit between our app and our servers, Toric supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, whenever supported by the clients.

Does the service require a minimum complexity for passwords? (If SSO is not supported or required)

Yes, Toric requires a minimum complexity for passwords. Additionally, Toric supports SSO.

Does the service log user activity (customer and vendor)?

Yes. Activity is logged via AWS Cloudwatch.

Does the provider utilize Next Generation Fire Wall (NGFW) or Unified Threat Management (UTM)

We use AWS tools, like Guardduty, for our production environment. In addition, Google also has tools for our accounts. Observed through Drata's automated test that Global WAF ACLs have been created on the AWS infrastructure to determine that web application firewalls protect the application from external threats. Web Application Firewall (WAF): Provide metrics regarding attempted and successful requests to the application.

Does the provider test its incident response and disaster preparedness

Yes, yearly.The incident response plan is tested annually via either tabletop review or an incident simulation.

Does the provider have an RTO (recovery time objective) and RPO (recovery point objective) for specific applications, products or systems?

Yes. For Toric’s product & engineering systems, the RTO & RPO is 24 hours.

Is data segmentation and separation capability between clients provided?

Yes, customer data is logically separated at the database/datastore level using a unique identifier for the customer. The separation is enforced at the API layer where the client must authenticate with a chosen account and then the customer unique identifier is included in the access token and used by the API to restrict access to data to the account. All database/datastore queries then include the account identifier.

Is there a formal process to ensure clients are notified prior to changes being made which may impact their service?

If there are any product updates that may impact the clients' workflows, the customer success team communicates that to the clients and helps maintain the workflow prior and post the updates.

Is there a scheduled maintenance window?

Major updates are released on a monthly schedule with point releases over the same time interval. When needed, Toric published maintenance windows. Typically maintenance and updates are performed with no downtime.

Is standards based federated ID capability available to clients (e.g., SAML, OpenID)?

Currently, Toric supports SSO (Google, Microsoft & Okta). Any other type of federated ID can be scoped and supported if needed.

Are specific response and recovery strategies defined for the prioritized activities?

Yes, while backups are performed daily, recovery is tested on a weekly basis to ensure recoveries are performing to plan.

Are Intrusion Detection/Prevention Systems employed in all sensitive network zones and wherever firewalls are enabled?

Yes, Toric is hosted on AWS and so utilizes AWS Guardduty and Cloudwatch.

Are there controls to prevent one client attempting to compromise another client in a resource pooled environment?

Yes, each client's data is segmented into separate containers in AWS. Each client's API calls in their Toric account are unaffected by another client's API call to the same resource. An example of such a resource is Procore.