Tobin Square’s Security Framework
Security is not an optional feature — it’s the foundation of our architecture. Every system at Tobin Square is built with Security by Design, combining technology, governance, and compliance to deliver verifiable trust.
01. Information Security Management System (ISMS)
Tobin Square operates under an ISO/IEC 27001:2013-based ISMS, automating risk assessments across access, storage, processing, and destruction.
Regular External Audits
Independent audits twice per year with remediation tracked to closure.
Internal Governance
CISO-led Security Committee that owns the risk register and change control.
Policy Lifecycle Updates
Continuous updates aligned with regulatory and technical changes.
02. Access Control Architecture
All access is governed by RBAC with MFA and least-privilege permissions. Every action is captured in an immutable audit trail.
Policy-Driven Permissions
Granular roles, approval workflows, and just-in-time elevation.
Session Integrity
Session identifier rotation at login (anti-fixation), automatic timeout, and reauthentication policies.
Anomaly Detection
Real-time signals for unauthorized or unusual access attempts.
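The access model above (deny by default, MFA as a gate, granular roles, approved just-in-time elevation that expires, and an audit record for every decision) can be shown in a few dozen lines. The following is an added illustration and not Tobin Square's code; the role names, permission strings, and the helper names are assumptions made for the example.

```python
"""Deny-by-default RBAC with MFA gating and time-bounded JIT elevation.

Illustrative example only; role-to-permission map and all names are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample role map. Permissions are "resource:verb" strings;
# anything not listed here is denied.
ROLES: Dict[str, Set[str]] = {
    "viewer": {"asset:read"},
    "operator": {"asset:read", "asset:write"},
    "admin": {"asset:read", "asset:write", "key:rotate", "user:manage"},
}


@dataclass
class Elevation:
    role: str          # role temporarily added to the principal
    expires_at: float  # absolute time (epoch seconds) after which it is void
    approved_by: str   # approver identity, recorded for the audit trail


@dataclass
class Principal:
    name: str
    roles: Set[str]
    mfa_verified: bool = False
    elevations: List[Elevation] = field(default_factory=list)


def effective_permissions(p: Principal, now: float) -> Set[str]:
    """Union of standing role permissions and any unexpired JIT elevations."""
    perms: Set[str] = set()
    for r in p.roles:
        perms |= ROLES.get(r, set())
    for e in p.elevations:
        if e.expires_at > now:          # expired elevations contribute nothing
            perms |= ROLES.get(e.role, set())
    return perms


def grant_jit(p: Principal, role: str, approver: str, now: float, ttl_s: float) -> Elevation:
    """Approval workflow: a second party grants a role for a bounded TTL."""
    if approver == p.name:
        raise ValueError("self-approval is not allowed")
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    e = Elevation(role=role, expires_at=now + ttl_s, approved_by=approver)
    p.elevations.append(e)
    return e


def authorize(p: Principal, permission: str, now: float, audit: List[dict]) -> bool:
    """Deny by default: MFA must be verified and the permission must be held.

    Every decision, allowed or denied, is appended to `audit`.
    """
    allowed = p.mfa_verified and permission in effective_permissions(p, now)
    audit.append({
        "ts": now,
        "actor": p.name,
        "permission": permission,
        "decision": "allow" if allowed else "deny",
        "mfa": p.mfa_verified,
    })
    return allowed


if __name__ == "__main__":
    log: List[dict] = []
    alice = Principal("alice", {"viewer"})
    print(authorize(alice, "asset:read", 1000.0, log))   # False: no MFA
    alice.mfa_verified = True
    print(authorize(alice, "asset:read", 1000.0, log))   # True
    print(authorize(alice, "key:rotate", 1000.0, log))   # False: not in role
    grant_jit(alice, "admin", approver="bob", now=1000.0, ttl_s=900)
    print(authorize(alice, "key:rotate", 1010.0, log))   # True: within TTL
    print(authorize(alice, "key:rotate", 2000.0, log))   # False: expired
    print(len(log), "audit records")
```

The elevation is never written back into the principal's standing roles, so expiry needs no revocation step: once `now` passes `expires_at` the permission simply stops being computed.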
03. Data Encryption & Protection
Encryption across the entire data lifecycle, at rest and in transit, with HSM-backed key management.
At Rest (AES-256)
Server-side encryption for assets and credentials.
In Transit (TLS 1.3)
All communications secured with the latest TLS.
HSM Key Management
Hardware-isolated key generation, storage, and rotation.
04. Audit Trail & Integrity
All activity is recorded as immutable, append-only events whose cryptographic hashes are verified so that any alteration is detectable.
Real-Time Hash Validation
Continuous hash verification detects tampering or unauthorized modification.
Behavioral Analytics
Real-time anomaly detection for users and systems.
Retention Governance
Periodic internal audits and lifecycle-based retention.
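To make concrete what "immutable events verified by cryptographic hashing" buys you, here is an added example (not Tobin Square's implementation) of an append-only log in which each record carries the SHA-256 of the previous one. The record fields, the genesis value, and the function names are assumptions for the illustration.

```python
"""Hash-chained audit log with tamper detection (illustrative, not vendor code)."""
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64  # assumed prev_hash for the first record


def canonical(event: dict) -> bytes:
    """Deterministic serialization: sorted keys, no whitespace, hash excluded."""
    body = {k: v for k, v in event.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def compute_hash(event: dict) -> str:
    return hashlib.sha256(canonical(event)).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.events: List[dict] = []

    def append(self, ts: str, actor: str, action: str) -> dict:
        """Link the new record to the current head before hashing it."""
        prev = self.events[-1]["hash"] if self.events else GENESIS
        ev = {"seq": len(self.events), "ts": ts, "actor": actor,
              "action": action, "prev_hash": prev}
        ev["hash"] = compute_hash(ev)
        self.events.append(ev)
        return ev

    def head(self) -> str:
        """Hash of the latest record; anchoring this externally (e.g. in a
        signed checkpoint) is what makes a full rewrite of the chain detectable."""
        return self.events[-1]["hash"] if self.events else GENESIS


def verify_chain(events: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record.

    Checks sequence numbers, back-links, and each record's own hash; if an
    externally anchored head hash is supplied, the final hash must match it.
    """
    prev = GENESIS
    for i, ev in enumerate(events):
        if ev.get("seq") != i or ev.get("prev_hash") != prev:
            return i
        if not hmac.compare_digest(ev.get("hash", ""), compute_hash(ev)):
            return i
        prev = ev["hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(events)  # chain self-consistent but not the one we anchored
    return None


def build_sample_log() -> AuditLog:
    """Constructed sample events for the demonstration."""
    log = AuditLog()
    log.append("2024-01-01T00:00:00Z", "alice", "login")
    log.append("2024-01-01T00:01:00Z", "alice", "asset:read id=42")
    log.append("2024-01-01T00:02:00Z", "bob", "key:rotate")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchored = log.head()
    print("intact:", verify_chain(log.events, anchored))          # None
    log.events[1]["action"] = "asset:delete id=42"                # edit record 1
    print("edited:", verify_chain(log.events, anchored))          # 1
    log.events[1]["hash"] = compute_hash(log.events[1])           # re-hash it
    print("re-hashed:", verify_chain(log.events, anchored))       # 2 (back-link broken)
```

Rewriting one record forces rewriting every later record, and the anchored head still exposes the rewrite; that is why the head hash should be stored somewhere the log writer cannot alter.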
05. Infrastructure Security
Distributed architecture eliminates single points of failure and integrates automated recovery for resilience.
Global Redundancy
Multi-region failover for continuous availability.
DDoS & API Protection
Edge WAF and adaptive rate limiting at the perimeter.
Zero-Trust Network
Identity-based segmentation across internal services.
06. Risk Engine 2.0
Predictive analysis, real-time detection, and autonomous recovery form a self-healing security core.
Predictive Risk Modeling
Early indicators identified before impact.
Real-Time Anomaly Response
Automatic isolation and mitigation of abnormal activity.
Self-Healing Mechanisms
Automatic rollback and restoration to maintain uptime.
07. Privacy & Compliance
Personal data is handled in accordance with GDPR and PIPA with explicit consent and encrypted, segregated storage.
GDPR & PIPA Compliance
Global privacy standards governing processing.
Explicit Consent Framework
Purpose limitation, minimal collection, and controlled retention.
Data Sovereignty
Encrypted, region-specific storage with restricted access paths.