Softdocs Blog

What Those Security Logos Actually Mean (and Why They Matter)

It’s Cybersecurity Awareness Month—a fitting time to take a step back and reflect on your organization’s security posture. 

 At Softdocs, data security is our top priority all year long. In fact, we’ve achieved several security certifications that confirm our dedication to keeping your data safe. 

If your eyes are glazing over at the sight of those acronyms, we don’t blame you. What do they mean? How do they overlap? Who are they for? Do they even matter? Is this something I need to worry about? 

Spoiler alert: they matter.

To help you and your team stay up to speed, here is a jargon-free breakdown of each certification and its impact on your daily work. 

What Are Security Certifications? 

Security certifications are formal validations and verifications that prove an organization follows strict standards on data and system protection.  

Security certifications are awarded by independent third parties after a detailed audit. They confirm that the company has the right controls, policies, and processes in place to prevent data breaches, maintain privacy, and manage risk. They also assure customers that the company is not taking shortcuts. Compromised security is no security. 

Certifications, along with the effort of going through the certification process (which is complicated in itself), are proof and a proclamation that an organization takes security seriously.

Why Do Security Certifications Matter for You? 

At Softdocs, certification requirements become guideposts for our overarching security philosophy. Working in the public sector, we are entrusted with the data of students, citizens, staff, and the organizations themselves. Evidence of a strong security-first mentality gives every Softdocs customer peace of mind that we don’t just talk the talk but walk the walk. 

For example, within the SOC 2 audit, the five Trust Services Criteria (TSC) measured are Security, Availability, Processing Integrity, Confidentiality, and Privacy. They directly evaluate our controls for managing customer data. In more detail: 

  • Security: This ensures systems are protected from unauthorized access, disclosure, or damage. This includes using firewalls, intrusion detection, and access controls.  
  • Availability: This ensures that the system, product, or service is available for use and operation as agreed upon. For example, the Softdocs cloud systems boast an uptime of 99.9995%. 
  • Processing Integrity: This means that the system’s processing of information is complete, valid, accurate, timely, and authorized to meet the organization’s objectives.
  • Confidentiality: This criterion focuses on protecting confidential information from unauthorized disclosure throughout its lifecycle.  
  • Privacy: This specifically applies to personal information, verifying it is collected, used, retained, disclosed, and disposed of in accordance with pre-stated policies and Generally Accepted Privacy Principles (GAPP).  

 The SOC 2 framework enables Softdocs to manage risk proactively. We conduct risk assessments throughout the year to stay ahead of threats. We also focus on continuous improvement, whether it’s testing new spam filtering tools or updating staff training. 

While security certifications are nice window dressing, we’re focused on practical, proactive security that actually keeps our clients safe. 

What Each Security Logo Means

Understanding the nuts and bolts of each security certification gives you a better grasp of the standards we’ve met and maintained. So, let’s take a look at each in detail. 

NIST 800-53 

NIST 800-53 (National Institute of Standards and Technology Special Publication 800-53) is a comprehensive framework of cybersecurity controls, guidelines, and requirements. There are more than 1,000 criteria. Think of it as a big cybersecurity rulebook.  

It was developed to help organizations manage risk and protect sensitive information across a wide range of systems. NIST 800-53 guides our security decisions, giving us confidence that our systems and processes not only meet some of the most rigorous cybersecurity standards in the industry, but actively protect customer data. 

SOC 2 Type II 

SOC 2 Type II (short for Service Organization Control 2 Type II) is a comprehensive, roughly year-long observation and audit of how we manage customer data.  

The “2” distinguishes it from SOC 1, which focuses on financial controls, while Type II means the audit verifies that our controls are designed correctly and that we consistently follow them over time. 

As noted above, SOC 2 is based on the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. It reviews every policy and procedure we’ve put in place over the year, everything from our disaster recovery plan to access controls, antivirus, and antimalware protocols. Our auditor doesn’t just check that the policies exist; they verify that we actually followed them in practice.

 SOC 2 Type II aligns with the NIST cybersecurity framework. To achieve a SOC 2 Type II certification, Softdocs needed to implement over 80 specific controls from the NIST publication. 

 We worked with a third-party auditor who conducted a thorough gap analysis and helped us identify opportunities to strengthen our program. After a full year of preparation and review, we successfully completed the SOC 2 Type II audit and received a formal letter of attestation from our auditor, KirkpatrickPrice. 

 In the last seven years of audits, Softdocs has never had an exception.

Our commitment is clear: we’ve passed with flying colors without ever being downgraded for an error or oversight. 

SOC 3 

SOC 3 (Service Organization Control 3) is a public-facing summary of SOC 2 Type II. 

Because the full SOC 2 Type II report contains detailed and sensitive information about our policies, procedures, and internal controls, it’s only shared with clients or partners under a signed NDA. SOC 3, on the other hand, provides a high-level overview of our compliance and security practices without revealing confidential details, making it safe to share publicly. 

 This allows organizations like yours to see that Softdocs meets rigorous security standards without exposing the inner workings of our security program.  

TX-RAMP Level 2 

TX-RAMP (Texas Risk and Authorization Management Program) is a state-level framework designed to ensure that cloud services used by Texas government agencies meet strict security standards. It’s similar in structure to federal programs like FedRAMP and GovRAMP, which are also built on the NIST 800-53 cybersecurity framework. 

Softdocs has achieved TX-RAMP Level 2, which means our systems and processes meet the state’s requirements for confidential and high-impact data—information that, if compromised, could have a significant effect on operations, assets, or individuals.  

Softdocs’ platform is hosted on Microsoft Azure Government Cloud, which is GovRAMP and FedRAMP certified, giving additional assurance that our infrastructure aligns with federal standards. 

Security Beyond Symbols 

Security certifications aren’t just symbols on a website—they’re evidence of the processes, controls, and ongoing vigilance that keep your data secure.

Each logo reflects Softdocs’ proactive, year-round commitment to security.

Whether you’re a college or university, K-12 district, or government organization, you can have full confidence that our security philosophy isn’t just about compliance and certifications—it’s about doing the right thing for your data, your systems, and the people who rely on them every day. 

 
