Security · Toutmark

Platform-level protections

Built on Cloudflare Workers, KV, D1, and R2. Every layer encrypted, every access scoped, every change logged.

🔒

Encryption at rest

All customer data — KV, D1, R2 — encrypted at rest using AES-256 (Cloudflare-managed keys). Sensitive fields (OAuth tokens, API keys) get a second envelope encryption with our application-level KV_CRYPTO_KEY stored as a Cloudflare Secret.

🔐

Encryption in transit

TLS 1.3 on every public endpoint. HSTS preloaded on toutmark.com. Internal worker-to-worker calls happen over Cloudflare's encrypted backbone. No customer data ever crosses an unencrypted hop.

🪪

Scoped access tokens

OAuth tokens for customer CMS connections (WordPress, Shopify, Webflow, etc.) are stored encrypted, scoped to the minimum permissions needed, and never logged. We never see or store passwords or 2FA codes.

🪐

Edge-only key handling

API keys for AI engines (Claude, GPT, Gemini, Perplexity) and integrations are injected into requests at the edge by our gateway and stripped from memory on response. Agents never receive raw keys.

📜

Tamper-evident audit log

Every action — agent draft, customer approval, configuration change, settings update — is recorded with timestamp, actor, and change diff. Hash-chained for tamper evidence. Exportable as JSON or CSV. Retained 90 days for all customers, 7 years for regulated.

↩️

Snapshotted everything

Every customer-facing change snapshotted before publish. Per-row revert + global revert from one button. CDN cache invalidates within ~5 minutes; full revert lands within 24 hours.

Access control

Who sees what, why, and what they can do with it.

Customer data

Visible to: customer's own team (per-seat permissions), Toutmark's Owner during incident response only. No agent has direct read access to customer PII.

OAuth tokens

Stored encrypted. Worker injects them at request time, drops from memory on response. Never logged. Never visible in any UI.

API keys (AI engines, integrations)

Visible only to Owner (River). Agents see balance + usage metadata, never raw keys. Spend Manager monitors balances; gateway injects keys per request.

Customer passwords

We never store passwords in plaintext. Bcrypt-hashed at signup. Magic-link login is the recommended path. Toutmark agents are explicitly prohibited from requesting, accepting, or reading customer passwords.

Audit log access

Customers see their own audit log in their dashboard at any time. Owner has read-only access for support and incident response. Auditors get read access on regulated accounts on request.

Operational protections

Safeguards baked into how we work, not just what we build.

🚦

Approval-gated by default

Nothing publishes to your site, your social, your reviews, or any external surface without your explicit approval. Per-feature auto-publish is opt-in. Editor's compliance gate runs on every draft regardless.

🛡️

Off-menu-ask review gate

If a review on G2, Capterra, or Google asks for anything not on your site (refund, custom feature, scope expansion), the response always queues for your approval — regardless of any auto-publish setting.

🚫

Banned-action enforcement

Agents can't delete files, modify security permissions, share documents, or initiate financial transactions on your behalf. Hard-coded in the worker. Even with a misbehaving agent, those actions structurally cannot fire.

⚖️

Regulated-mode hard rules

For financial services, legal, healthcare customers: two-layer compliance review, 7-year audit retention, CCO approval queue, custom disclaimers, no cold solicitation. See regulated-firm details →

🔁

Daily backups

D1 (CRM) snapshotted daily to R2, retained 30 days. Hot recovery <1 hour. Cross-region replication for the production database.

📡

Incident response

Owner is paged on any worker error rate spike, sub-processor outage, or unauthorized-access alert. Customers notified within 72 hours of any confirmed breach affecting their data, per our security policy.

Compliance posture

Where we stand on the major frameworks. We're transparent about what we do and don't have today.

SOC 2

Type II in progress · target 2026 Q4

GDPR

Compliant · DPA available →

CCPA

Compliant · privacy controls in dashboard

HIPAA

Available on Scale for healthcare customers · BAA on request

FINRA / SEC

Regulated-mode features support recordkeeping rules · Scale tier

FTC §5

AI disclosure baked into every published surface

Honest framing: Toutmark is early. We're a small US-based company in California, founder-led, working toward SOC 2 Type II in 2026. We don't claim certifications we don't have. If you need a specific framework attestation we don't yet offer, email hello@toutmark.com with your requirement and we'll tell you straight whether we can meet it today, plan to meet it, or recommend you wait until we ship that posture.

Sub-processors

The third-party services that touch any customer data, what they do, and where they sit.

Cloudflare

Hosting, edge compute, KV/D1/R2 storage. US + global edge. Primary infrastructure.

Anthropic (Claude)

LLM provider for content drafting + compliance review. US. Customer data sent for processing only; no training opt-in.

OpenAI (GPT)

LLM measurement only — never sees customer drafts. US.

Google (Gemini)

LLM measurement + image generation. US.

Perplexity

Citation search + measurement. US.

Stripe

Payments. PCI-DSS Level 1. Customer card data never touches our servers.

Mailrelay

Transactional email. Customer email content stored 30 days for delivery troubleshooting.

Composio

Third-party OAuth + integration broker. Holds refresh tokens for customer CMS / social connections.

Full list with addresses + DPA references: /legal/subprocessors.

How we protect your data and brand.