Security Policy
Last Updated: 21st January 2025
How we protect your data at Tofi.Ai
Privacy Practices
At Tofi Technologies Pvt. Ltd., we are committed to safeguarding your personal information and data.
- No Renting or Selling of Data: We will never rent or sell your information or data to anyone.
- No Use for Advertising: We never use or transfer your data for serving ads, including retargeting, personalized, or interest-based advertising.
- Data Sharing: We will never provide any part of your information to anyone unless explicitly agreed by you.
For more detailed information, please refer to our Privacy Policy.
Cloud Infrastructure
Tofi.Ai is hosted on a Virtual Private Cloud on Amazon Web Services (AWS), providing a secure and scalable technology platform to ensure we can deliver our services securely and reliably.
Our infrastructure is deployed in line with the AWS Well-Architected Framework and incorporates the security best practices of the AWS Cloud Adoption Framework.
Secure Communication
We use the HTTPS protocol for our website and mobile applications (collectively referred to as the "Platform").
All communication between the Platform and our servers is protected by HTTPS with 256-bit encryption. This protects the connection between our users and us against Man-in-the-Middle (MITM) attacks.
Network Security
We have strict network segmentation and isolation of environments and services in place to enhance security.
Host Security
We utilize industry-leading solutions for:
- Anti-Virus and Anti-Malware: Protection against viruses and malware threats.
- Intrusion Prevention and Detection Systems: Continuous monitoring to prevent and detect unauthorized access.
- File Integrity Monitoring and Application Control: Ensuring that all applications and files remain secure and unaltered.
- Audit Log Aggregation and Automated Patching: Regular auditing and timely updates to maintain security integrity.
All our servers are launched using the Center for Internet Security (CIS) Benchmarks for Amazon Linux, ensuring compliance with industry-recognized security standards.
Data Security
User Authentication
User login is based on One-Time Password (OTP) authentication on the Tofi.Ai website and mobile application.
Data Encryption
All user data and internal stored data are protected by encryption at rest, with sensitive data further protected by application-level encryption.
Access Control
We employ separation of environments and segregation of duties, with strict role-based access control on a documented, authorized, and need-to-use basis.
Key Management
We use key management services to limit access to data, with access restricted to authorized personnel only.
Data Resilience and Reliability
We use data replication for data resiliency and disaster recovery, snapshotting for data durability, and backup/restore testing for data reliability.
Analytics and Business Intelligence
We only use anonymized and aggregated data for internal analytics and business intelligence purposes.
Incident and Change Management
Change Management Process
We have implemented mature Change Management processes that enable us to release thoroughly tested features reliably and securely, so that you can use Tofi.Ai with confidence.
Incident Management System
We maintain an aggressive stance on Incident Management for both system downtime and security. Our Network and Security Operations Center and Information Security Management System are in place to quickly react, remediate, or escalate any incidents arising from planned or unplanned changes.
- Quick Reaction Time
- Continuous Monitoring
- Rapid Response
- Proactive Security
Vulnerability Assessment and Penetration Testing
Comprehensive Security Testing
We collaborate with a network security team that uses industry-leading products to conduct manual and automated Vulnerability Assessment and Penetration Testing (VA/PT) activities, including penetration testing of all applications and endpoints.
Static Application Security Testing
SAST is integrated into our continuous integration and deployment pipeline for thorough code analysis.
Dynamic Application Security Testing
DAST is performed during deployment to identify security vulnerabilities in running applications.
External Auditing
We engage CERT-IN certified auditors to perform periodic external testing and audits, including regular security assessments and compliance checks.
Annual Security Assessment
Third Party Assessment
We undergo an annual security assessment from a designated third party to ensure compliance with industry standards and best practices.
- Industry Standard Compliance
- Best Practice Implementation
- Regular Updates
Regular Updates
We keep our security assessments updated regularly or as per instructions from relevant authorities and will publish the "Letter of Assessment" on the Tofi.Ai website and mobile applications when applicable.
- Regular Updates
- Published Assessment Letters
Responsible Disclosure
At Tofi Technologies Pvt. Ltd., we are committed to our users' data security and privacy.
Security Commitment
We integrate security at multiple steps within our products using state-of-the-art technology to ensure our systems maintain strong security measures.
Defensive Design
Our overall data and privacy security design allows us to defend our systems from various attacks.
Reporting Vulnerabilities
If you are a security enthusiast or researcher and have found a possible security vulnerability on Tofi.Ai, we encourage you to report the issue to us responsibly.
How to Report
You can submit a bug report to us at security@tofi.ai with detailed steps required to reproduce the vulnerability.
Our Commitment
We will make our best efforts to investigate and fix legitimate issues within a reasonable timeframe, and we ask that you not publicly disclose the vulnerability until it is resolved.
We take your trust seriously and are dedicated to continually improving our security measures to protect your data.
Related Policies
Please also review our Privacy Policy and Terms of Service.