BetaJoin our early access program — 1 year free for founding members.Apply Now →
Technical
7 min read

MonitorWorkspace Receives TX-RAMP Provisional Certification from Texas DIR

MonitorWorkspace has been granted TX-RAMP provisional certification by the Texas Department of Information Resources, allowing Texas state agencies to contract for Google Workspace governance and monitoring tooling immediately.

announcementsecuritycompliancegovernmenttexastx-rampit-admin

MonitorWorkspace has been granted provisional certification under Texas Risk and Authorization Management Program (TX-RAMP) Level 2 by the Texas Department of Information Resources (DIR).

This certification permits Texas state agencies to contract for MonitorWorkspace immediately — without waiting for the full certification cycle to complete. It is a meaningful milestone for any government IT team evaluating Google Workspace™ governance tooling, and we want to explain clearly what it means, what it covers, and what comes next.

What TX-RAMP Is

TX-RAMP is Texas's state-level cloud security authorization framework, established under Texas Government Code Chapter 2054, Subchapter L. It requires that cloud service providers seeking contracts with Texas state agencies demonstrate compliance with a defined set of security controls before those agencies can use the service.

The program operates at two levels:

TX-RAMP Level 1 covers lower-risk cloud services — typically Software as a Service tools that do not process sensitive or regulated data. The security requirements are based on a subset of NIST SP 800-53 controls.

TX-RAMP Level 2 applies to cloud services that process sensitive data — which the program defines broadly to include any data that is regulated, personally identifiable, or critical to agency operations. Google Workspace administration tooling — which involves domain-wide delegation and access to employee email, chat, group membership, and user directory data — falls squarely into Level 2 scope.

The Texas DIR maintains a public list of TX-RAMP certified cloud products. MonitorWorkspace is listed on that registry as of May 2026.

What Provisional Certification Means

Provisional certification is a defined TX-RAMP pathway that allows agencies to begin contracting with a cloud provider while the provider completes the full assessment process. The Texas DIR grants provisional status after reviewing the vendor's initial security posture and determining that the product is eligible for the full Level 2 assessment.

A provisional certification:

  • Is valid for up to 12 months from the date of issuance
  • Appears on the official TX-RAMP Certified Cloud Products list, enabling contracts
  • Does not expire if the full assessment is completed within the 12-month window
  • Requires the vendor to complete the Acknowledgement and Inventory (A&I) questionnaire delivered through the Archer Engage assessment platform

For a Texas state agency evaluating MonitorWorkspace, this means: you can contract today. The certification is not a promise — it is an active authorization.

Why TX-RAMP Level 2

MonitorWorkspace operates using domain-wide delegation (DWD). When you connect your Google Workspace™ to MonitorWorkspace, you authorize a service account to impersonate domain users for the purpose of reading directory data, monitoring Gmail™ activity, auditing Google Chat™ spaces, managing group membership, and offboarding employees.

That is a broad level of access — intentionally so, because it is the access required to govern a domain effectively. It also means that any state agency using MonitorWorkspace is entrusting the platform with sensitive employee and organizational data.

TX-RAMP Level 2 is the appropriate certification tier for this access profile. It is not a lesser version of the standard — it is the tier designed for exactly this category of cloud service.

What the Assessment Covers

TX-RAMP Level 2 is based on NIST SP 800-53 Revision 5 moderate-baseline controls. The assessment evaluates security practices across:

Access Management. How users are authenticated, how permissions are provisioned and deprovisioned, and how administrative access is separated from end-user access. For MonitorWorkspace, this includes the Google OAuth 2.0 authentication model, role-based feature gating, and the strict separation between platform admin and customer-tenant operations.

Configuration Management. How software changes are controlled, tested, and deployed. MonitorWorkspace uses a gated CI/CD pipeline — every production deployment requires passing lint, type checks, and a 25-gate security verification script before a deploy tag is issued.

Incident Response. Whether the provider has a documented plan for detecting, containing, and recovering from security incidents. MonitorWorkspace's Incident Response Plan (POL-004) defines severity classifications, containment playbooks, external notification timelines, and post-incident review processes.

Audit and Accountability. Whether access to sensitive data is logged and whether those logs are available to customers. MonitorWorkspace records 72+ distinct audit event types — every user-facing action, from inbox views to group membership changes to license modifications — in an append-only audit log.

System and Communications Protection. Encryption in transit (TLS 1.2+, HSTS preload), encryption at rest (AES-256 via GCP Cloud SQL GMEK), and network controls for the production environment running on Google Cloud Run gen2.

Identification and Authentication. Service account management, credential storage, and the keyless domain-wide delegation architecture — MonitorWorkspace uses IAM Credentials API signJwt to sign DWD tokens server-side, eliminating stored private keys from the architecture.

How MonitorWorkspace Prepared

The path to TX-RAMP began with CASA Tier 2 certification, completed in April 2026 through TAC Security — an App Defence Alliance authorized lab.

CASA evaluates applications against OWASP ASVS Level 1 across all 14 security categories. Because both assessments trace back to the same foundational controls — NIST, OWASP, and ISO 27001 — the CASA certification provided strong evidence for the TX-RAMP Level 2 provisional review.

In addition, MonitorWorkspace maintained a formal security policy suite (8 policies covering access control, change management, incident response, vendor management, data classification, business continuity, and acceptable use), a risk register with 10 documented risks and mitigations, and evidence logs for quarterly access reviews and compliance verification runs.

None of this was theatre for the certification. These controls were built because MonitorWorkspace operates with delegated access to employer-owned Workspace data, and the organizations trusting us with that access deserve to be able to evaluate our controls rigorously.

What This Means If You Work for a Texas State Agency

If you are an IT administrator or compliance officer at a Texas state agency evaluating Google Workspace™ management tooling, the TX-RAMP provisional certification changes your procurement equation in a meaningful way.

The contract pathway is open. You are not waiting for certification to complete. MonitorWorkspace is on the DIR-approved list.

The security posture is documented. Between the CASA Tier 2 evidence package, the SOC 2 policy suite, and the TX-RAMP assessment artifacts, there is substantive documentation behind every security claim. These are available to procurement teams under NDA upon request.

The access model is transparent. The exact OAuth scopes MonitorWorkspace requests, why each scope exists, and how they are separated by feature phase are published on our security page. There are no hidden permissions, no background syncs you did not authorize, and no use of customer data for any purpose other than the explicit operations you initiate.

Keyless DWD eliminates private key risk. Many IT security teams are rightly concerned about third-party tools holding service account private keys. MonitorWorkspace does not store private keys in production. The DWD architecture uses GCP IAM Credentials API to sign tokens server-side — the key never leaves Google's infrastructure.

What Comes Next

The provisional certification pathway requires completing a full Acknowledgement and Inventory (A&I) questionnaire through the Archer Engage platform. This questionnaire documents the system boundary, data flows, and control implementations in the format required for the full Level 2 authorization.

The target is to complete full TX-RAMP Level 2 certification well within the 12-month provisional window. Once full certification is achieved, MonitorWorkspace will remain on the DIR registry without a time limit on the certification status.

We will publish an update when the full certification is complete.

For Procurement Teams

If you are completing a vendor security questionnaire or procurement review for MonitorWorkspace, the following documents are available:

  • CASA Tier 2 certificate — Cert ID 57dbae42, issued by TAC Security / App Defence Alliance
  • TX-RAMP provisional certification — Texas DIR, May 2026
  • CASA evidence package — 25-gate automated verification + deep code analysis artifacts
  • Security policy suite — 8 policies (POL-001 through POL-008), effective March 2026
  • Architecture documentation — Keyless DWD architecture, data flow diagrams, scope disclosure
  • SOC 2 readiness documentation — TSC gap analysis, risk register, access review records

All security documentation is available upon request at [email protected]. Reference the TX-RAMP certification in your subject line and we will respond within one business day.


MonitorWorkspace is built by Lokentra and supported by BuzzClan, Platinum Partner. For enterprise deployments or custom procurement timelines, contact us through the support page.

Google Workspace™, Gmail™, Google Chat™, and Google Admin™ are trademarks of Google LLC. MonitorWorkspace is not affiliated with or endorsed by Google LLC.

Google Workspace™, Gmail™, Google Chat™, Google Drive™, Google Groups™, and Google Vault™ are trademarks of Google LLC. MonitorWorkspace is not affiliated with or endorsed by Google LLC.

Ready to simplify Google Workspace management?

Free for up to 50 users. Setup in 10 minutes. No credit card required.

Google Workspace™, Gmail™, Google Chat™, Google Drive™, Google Groups™, and Google Vault™ are trademarks of Google LLC. MonitorWorkspace is not affiliated with or endorsed by Google LLC.