BetaJoin our early access program — 1 year free for founding members.Apply Now →

MonitorWorkspace

Security

Our commitment to protecting your organization's data.

Certifications & Compliance

TX-RAMP Level 2 — Texas Department of Information Resources

TX-RAMP Level 2 — Texas Risk and Authorization Management Program

Provisionally Certified

Provisional certification granted by the Texas Department of Information Resources (DIR), listing MonitorWorkspace on the official DIR certified cloud products registry. Texas state agencies, K–12 districts, and higher education institutions can contract for MonitorWorkspace immediately — no waiting for the full assessment cycle. Assessed against NIST SP 800-53 Rev 5 Moderate baseline (125 controls documented).

Issued May 2026  ·  Issuing authority: Texas DIR  ·  Level 2 (Moderate baseline)  ·  Full A&I assessment in progress

CASA Tier 2 Certified — App Defence Alliance

CASA Tier 2 — Cloud Application Security Assessment

Certified

Lab-tested and verified by TAC Security, an App Defence Alliance authorized lab. All 14 OWASP ASVS Level 1 categories passed — input validation, authentication, session management, access control, cryptography, error handling, and data protection.

Cert ID: 57dbae42  ·  Issued April 2026  ·  Valid through April 2027  ·  TAC Security / App Defence Alliance

Google Workspace Marketplace — Listed Application

Google Workspace™ Marketplace — Verified Application

Listed

MonitorWorkspace is listed on the Google Workspace™ Marketplace and has passed Google's review process for OAuth scope justification, data handling practices, branding compliance, and security requirements.

Listed on Google Workspace™ Marketplace  ·  Verified by Google  ·  OAuth 2.0 compliant

Security Assessment

  • DOC

    Timestamped evidence and control documentation maintained. Assessment artifacts are available upon request for procurement and due diligence reviews.

Infrastructure Security

  • GCP

    Cloud Run (gen 2). Serverless container runtime on Google Cloud Platform. No persistent servers — each request runs in an isolated execution environment.

  • DB

    Cloud SQL PostgreSQL. Encrypted storage at rest (AES-256). Automated backups, IAM-controlled access, private VPC networking.

  • TLS

    Encryption in transit. All data transmitted over TLS 1.2 or higher. No unencrypted connections accepted.

  • SM

    GCP Secret Manager. All credentials and API keys are stored in Secret Manager. No hardcoded secrets in source code or container images.

  • DWD

    Keyless domain-wide delegation. Service account authentication uses workload identity federation. No private key files are stored or distributed.

Access & Authentication

  • OAuth

    Google OAuth 2.0. Authentication is handled entirely through Google's OAuth 2.0 consent flow. MonitorWorkspace never stores user passwords.

  • JWT

    Session management. Sessions are managed using industry-standard JSON Web Tokens (JWT) with server-side validation on every request.

  • RBAC

    Role-based access control. Feature access is gated by subscription tier and role. Admin routes are isolated and require separate authorization checks.

  • MT

    Multi-tenant isolation. Each organization's data is logically isolated by tenant ID. All queries enforce tenant-scoped row-level filtering.

Policies in Place

  • Information Security Policy
  • Access Control Policy
  • Change Management Policy
  • Incident Response Plan
  • Vendor Management Policy
  • Data Classification Policy
  • Acceptable Use Policy
  • Business Continuity Plan

Audit & Monitoring

  • 72+

    Auditable event types. Every user-initiated action — page views, configuration changes, data exports, and offboarding operations — is recorded in an append-only audit log.

  • GCL

    GCP Cloud Logging. Structured, machine-readable log output routed to GCP Cloud Logging. Logs are queryable, filterable, and retained per GCP policy.

  • CI

    Dependency scanning in CI/CD. Vulnerability monitoring and dependency scanning run as part of the Cloud Build pipeline on every deployment.

Security Contact

Security documentation available upon request

For procurement reviews, vendor questionnaires, penetration test reports, or TX-RAMP evidence packages, contact our security team directly.

[email protected]

Last reviewed: May 2026