Security Grade

Netanel Hugi
Torii Identity

Introduction

Torii's Security Grade gives IT and security teams a standardized way to understand the security and compliance posture of SaaS applications in their environment. By aggregating publicly available vendor security signals using AI agents and translating them into a single, easy-to-compare grade, the Security Grade helps teams quickly assess risk, prioritize reviews, and make informed governance decisions across their SaaS stack.

Note
Available for customers on the IGA Enterprise plan.

How is data collected?

Torii uses specialized AI agents to research and extract evidence-backed security and compliance signals from publicly available vendor sources.

  • The collected information is reviewed and updated continuously to reflect changes in vendor disclosures.
  • When supporting evidence is identified, Torii provides a direct reference to the original source for transparency and verification.

What data can Torii provide me?

Data Security

This group focuses on how an application protects customer data and supports secure access, including:

  • Single Sign-On (SSO)
  • Multi-Factor Authentication (MFA)
  • Encryption in transit
  • Encryption at rest
  • AI privacy: Specific detection of whether customer data is used to train AI/LLM models.

These signals represent foundational security controls and are used in the Security Grade calculation.

Note
We assess whether the application supports these features, not whether they are actively enabled for the customer.

Certifications & Compliance

This group includes widely recognized compliance and legal indicators, such as:

  • SOC 2
  • ISO 27001
  • GDPR
  • HIPAA
  • CSA STAR
  • CSA STAR for AI
  • Privacy Policy
  • User Terms
  • Data Processing Agreement (DPA)

These signals reflect the vendor's alignment with regulatory and compliance standards and are used in the Security Grade calculation.

Vendor Profile

This group provides additional context about the application vendor, including:

  • Company description and category
  • Company location
  • Number of employees
  • Data center locations
  • AI features

Vendor Profile data is intended to support broader vendor evaluation and governance discussions.

This information is not used in the Security Grade calculation.

How is the Grade calculated?

The Security Grade is a standardized score between 0 and 100, which translates into a letter grade from A to D.

  • A (80–100): Great security posture with robust certifications and data protection.
  • B (60–79): Good; meets most standard compliance requirements.
  • C (40–59): Fair; may lack specific certifications or detailed data security disclosures.
  • D (0–39): Poor; significant gaps in public security documentation.

The score is a weighted calculation in which:

  • Critical Security Controls (like Encryption and AI Training policies) have the highest impact on the score.
  • Core Identity Features (SSO and MFA) provide significant boosts to the grade.
  • Compliance Certifications (SOC 2, ISO, etc.) add further layers of trust to the final result.

This ensures that the grade is objective, consistent, and reflective of the actual security evidence found for that vendor.

Where can I see this information?

Security fields can be found in several areas in Torii:

  • Applications Table: The security-related fields can be found in columns in the Applications table.

    • Each security signal consists of two separate components:
      • Status field: Indicates whether the specific security standard is met.
      • Reference Link field: Links to the source evidence, providing transparency for the assessment.
  • Security Grade Tab: Inside any specific application page, a dedicated tab displays the full breakdown of signals, checkmarks for met requirements, and clickable links to the source evidence.

  • Overview & Info: High-level security grade and score are visible on the main app overview.


  • Application Certifications & Compliance report: This report includes all compliance and certifications fields.
  • Workflows: Security-related fields are available both as conditions and personalization tokens within the App Meets Criteria workflow trigger.
  • Settings: Security-related fields and groups are managed under Settings → Application Details.

  • Dashboards: The Security & Compliance Dashboard has been updated with metrics for ongoing visibility into SaaS risk, and the security and compliance fields can be used to build custom dashboard widgets.

What can I use this data for?

Centralized security and compliance data in Torii enables IT and security teams to gain consistent visibility into the security posture of their SaaS environment, differentiate between applications, and focus governance and review efforts where they are most needed.

Here are some examples of how to get the most value from this information:

  • Application security visibility: View security and compliance signals for every SaaS application in Torii to understand each application's overall security posture across the organization.
  • Security-driven prioritization: Use the standardized Security Grade to differentiate between applications and prioritize which ones require deeper security review or follow-up.
  • Shadow IT exposure identification: Identify discovered applications with weaker security posture and focus investigation and mitigation efforts on high-exposure shadow IT.

Some best-practice recommendations for getting the most from this data:

  1. Security posture filtering: Filter your application list to identify sanctioned applications with lower Security Grades (for example, C or D) and review whether mitigation or follow-up is required.
  2. Automated governance workflows: Create workflows that trigger when an application's Security Grade falls below your organization's threshold, such as notifying the security team or opening a Jira ticket for review.
  3. Clear security communication: Use security fields as personalization tokens in automated emails or messages to clearly explain why an application requires review or approval.
  4. Ongoing visibility and reporting: Export the Certifications & Compliance Report or use the Security Dashboard to maintain ongoing visibility into your organization's overall security posture.

Q&A

Q: Does Torii calculate a Security Grade for all applications?

A: No. The Security Grade is not calculated for applications that were added manually to the catalog.

Q: Does a "Yes" for SSO or MFA mean my organization is secure?

A: Not necessarily. This signal indicates only that the application supports these features, not that they are actively enabled for your organization.



 

For any further questions, please contact Torii Support.
