Security
Latest revision: April 21, 2026
Security is built into the fabric of Toyon Associates, Inc. and the healthcare organizations we serve. We take our commitments seriously and have established policies and controls that follow industry best practices in order to meet — and exceed — the needs of our clients.
Toyon maintains an independently audited SOC 2 Type 2 attestation against the AICPA Trust Services Criteria and handles Protected Health Information (PHI) in accordance with HIPAA and the HITECH Act.
SOC 2 Type 2 — Toyon maintains an annual SOC 2 Type 2 attestation issued by an independent CPA firm, covering the AICPA's Trust Services Criteria for Security. Our most recent SOC 2 report is available under NDA through the Toyon Trust Center.
HIPAA & HITECH — Toyon handles Protected Health Information (PHI) in accordance with the HIPAA Privacy and Security Rules and the HITECH Act, and implements administrative, physical, and technical safeguards to protect PHI.
Continuous compliance monitoring — Security and compliance posture is continuously monitored through our governance platform, with automated evidence collection and SLA tracking against our control framework.
Data is encrypted in transit using TLS 1.2 or higher.
Data is encrypted at rest using AES-256.
Encryption keys are managed through a centralized key management service with documented lifecycle controls (creation, rotation, expiration, and retirement).
Encryption keys are rotated on a defined schedule, and access to key management functions is restricted to designated key custodians.
Sensitive data is classified, handled, and retained in accordance with Toyon's Information Classification, Handling and Exchange Policy and Data Retention Policy.
Media and data are securely sanitized or destroyed at end of life in accordance with Toyon's Data Disposal and Sanitization Policy.
Independent penetration testing — Annual application and network penetration tests are conducted by a qualified third-party security firm. Summary reports are available to customers under NDA.
Continuous vulnerability scanning — Internal and external vulnerability scans run on a recurring basis against production infrastructure and web applications.
Static and dynamic code analysis — Application code is scanned using SAST and DAST tooling, and third-party libraries are evaluated for known vulnerabilities through software composition analysis before deployment.
Defined remediation SLAs — Critical vulnerabilities are remediated within 15 days, high within 30 days, medium within 45 days, and low within 90 days.
Secure development lifecycle — Toyon follows documented secure-by-design and privacy-by-design principles, with separated development, test, and production environments and formal change management.
Cloud & hosting — Toyon's production applications are hosted on Amazon Web Services (AWS), with supporting infrastructure at a SOC 2–audited colocation facility. Physical security at these facilities includes CCTV monitoring, electronic access control, 24/7 on-site personnel, fire detection and suppression, redundant power, and environmental controls.
Identity & access — Access to production systems is role-based and enforces least-privilege principles. Multi-factor authentication is required for administrative and remote access, and user access is reviewed on a recurring basis.
Network security — Production networks are segmented, protected by high-availability firewalls, and monitored by intrusion detection and prevention systems (IDS/IPS).
Logging & monitoring — Security and system events are aggregated into a centralized SIEM with 24/7 monitoring, alerting, and log retention aligned to regulatory requirements.
Endpoint protection — Company endpoints run managed anti-malware and endpoint detection and response (EDR) tooling with centralized monitoring.
Patch management — Operating systems, applications, and infrastructure components are patched within defined SLAs based on severity.
Backup & recovery — Production data is backed up on a defined schedule, and restoration capabilities are tested at least annually. Toyon maintains documented Business Continuity and Disaster Recovery plans.
Toyon is committed to treating information of employees, customers, stakeholders, and other interested parties with the utmost care and confidentiality. We collect personal information transparently, use it only for lawful business purposes, and protect it against unauthorized access.
Service providers and sub-processors
Toyon engages third-party service providers and sub-processors to deliver our services and operate our business. Categories of vendors include cloud hosting, analytics, email and communications, customer and IT support, and similar operational functions. Vendors that handle Toyon information are bound by written agreements that require them to maintain security and privacy controls equivalent to Toyon's own, to use information only for the purposes for which it was disclosed, and — where applicable — to enter into Business Associate Agreements covering Protected Health Information. Vendor selection, onboarding, and ongoing oversight are governed by Toyon's Third-Party Risk Management Policy.
Healthcare information and HIPAA
Toyon provides services to healthcare-provider and health-plan clients and processes Protected Health Information (PHI) on their behalf as a Business Associate under HIPAA. Any PHI that Toyon processes on behalf of a covered-entity client is governed by the applicable Business Associate Agreement and the HIPAA Privacy and Security Rules — not by the consumer-facing notice in this section. Individuals seeking to exercise rights with respect to PHI (such as access, amendment, or accounting of disclosures) should contact the covered entity that is the controller of the data; Toyon will work with that client to respond. See also the note below regarding information held on behalf of our clients.
California residents — your rights under the CCPA/CPRA
The rights and intake methods in this section apply to personal information that Toyon collects directly from you, for example, when you fill out a form on our website, create an App account, apply for a position, sign up for our communications, or otherwise contact us. They do not apply to Protected Health Information that Toyon processes on behalf of a healthcare-provider or health-plan client as a Business Associate; for those requests, see Section 5, above.
If you are a California resident, California law grants you the following rights regarding personal information Toyon holds about you:
Right to Know / Access — You may request confirmation of whether Toyon processes your personal information, and request a copy of that information along with the categories of sources, the purposes for collection, and the categories of third parties with whom it has been shared.
Right to Delete — You may request that Toyon delete personal information we have collected from you, subject to certain exceptions required or permitted by law (for example, information we are required to retain to comply with HIPAA, tax, audit, or other legal obligations).
Right to Correct — You may request that Toyon correct inaccurate personal information we maintain about you.
Right to Data Portability — You may request a copy of your personal information in a portable and, to the extent technically feasible, readily usable format.
Right to Opt Out of Sale or Sharing — Toyon does not sell personal information and does not share personal information for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information — You may request that Toyon limit the use of sensitive personal information to purposes permitted under the CCPA/CPRA.
Right to Non-Discrimination — Toyon will not discriminate against you for exercising any of these rights.
How to submit a request
To exercise any of the rights above, please contact us using one of the methods below:
Email: privacy@toyonassociates.com
Phone: 1-888-514-9312 (toll-free)
Mail: Toyon Associates, Inc., Attn: HR, 1800 Sutter Street, Suite 600, Concord, CA 94520
You may also designate an authorized agent to submit a request on your behalf. Authorized agent requests must include written permission signed by you.
How we verify your identity
To protect your information and prevent fraudulent requests, Toyon will take reasonable steps to verify your identity before processing a rights request. Depending on the nature and sensitivity of the request, verification may include:
Matching information you provide with information Toyon already holds about you (for example, your name, email address, and the nature of your relationship with Toyon or a Toyon client);
For clients and workforce members, verification through your existing authenticated account or through your organization's designated point of contact;
For more sensitive requests (such as deletion or access to specific records), additional information or a signed declaration under penalty of perjury may be required.
We will not use information collected for verification for any other purpose.
Response timing
Toyon will acknowledge verifiable requests within 10 business days and respond substantively within 45 calendar days, with the possibility of a single 45-day extension where permitted by law. If we cannot verify your identity or are otherwise unable to act on your request, we will notify you and explain why.
A note about information held on behalf of our clients
Much of the personal information and Protected Health Information Toyon processes is handled on behalf of our healthcare-provider clients as a service provider or Business Associate. If your request concerns information Toyon holds on behalf of a provider or health plan, we will work with that client to respond, and we may direct you to that client to submit your request to the controller of the data.
Toyon maintains a documented Incident Response Plan covering preparation, detection, containment, eradication, recovery, and post-incident review.
Security events are monitored 24/7 through our SIEM and endpoint tooling.
In the event of a confirmed security incident affecting customer data or PHI, Toyon will notify affected clients in accordance with contractual, HIPAA Breach Notification, and applicable state-law timelines.
Security concerns, suspected vulnerabilities, or suspected incidents involving Toyon can be reported to security@toyonassociates.com.
If you have any questions about Toyon's Security or Privacy policies and controls, you can contact Toyon Associates, Inc. by telephone at 1-888-514-9312 (toll-free), by e-mail at info@toyonassociates.com, or for privacy-specific matters at privacy@toyonassociates.com.