Security & Compliance

TheRecordXchange® is SOC 2 Type II certified. Court records require the highest standard of data protection — TRX was built and independently audited to meet it.

What Is SOC 2 Type II Certification?

SOC 2 Type II certification means an independent, accredited auditor examined a service organization's security controls over a sustained period — typically six to twelve months — and confirmed those controls operated effectively throughout that period. It is not a self-assessment.

The American Institute of Certified Public Accountants (AICPA) defines the SOC 2 framework around five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. A Type II audit tests not only whether controls exist but whether they functioned as designed over the full audit window.

For courts evaluating software vendors, SOC 2 Type II is the meaningful benchmark. A vendor claiming SOC 2 compliance without specifying Type II has completed only a point-in-time assessment — not a sustained operational audit. TheRecordXchange holds SOC 2 Type II certification and can provide the report to courts undergoing procurement review.

What SOC 2 Type II Means for Your Court

Certification translates to four concrete protections for court records held within TRX.

Data Encrypted at Rest and in Transit

Court records stored in TRX are encrypted at rest using industry-standard AES-256 encryption. All data in transit is protected by TLS. Records are never exposed in plaintext outside the audited environment.

Strict Access Controls

TRX enforces role-based access controls. Only authorized court personnel can view, manage, or export records. Every access event is logged and attributable to a specific user — meeting the audit trail requirements courts need.

Comprehensive Audit Logs

Every action taken within TRX — record access, download, status change, or user modification — is written to an immutable audit log. Courts can produce complete access histories for compliance reviews or legal proceedings.

Availability Guarantees

SOC 2 Type II certification includes the Availability Trust Service Criterion, meaning TRX's uptime and recovery processes were independently verified. Courts can request uptime SLA terms as part of the procurement process.

How Browser-Based Access Protects Court Data

Because TRX is browser-based, there is no software installed on court staff workstations — and no local attack surface for those workstations to introduce. Court records never touch a local hard drive.

Every TRX session runs entirely within the browser. When a user closes the tab, no residual data remains on the device. This eliminates an entire category of vulnerability common to installed software: local file exposure, unpatched client-side applications, and unauthorized local copies of court records.

How the Browser-Based Security Model Works

  1. Authentication: Users authenticate through TRX's access-controlled login. Multi-factor authentication is available. Every login attempt is logged with timestamp, IP address, and outcome.

  2. Encrypted transmission: All data between the browser and TRX servers travels over TLS-encrypted connections. No record content is transmitted in plaintext.

  3. Centralized access control: Administrators manage permissions from a single location. Revoking access for a departed employee takes effect immediately across all devices — there is no installed software to de-authorize separately.

  4. Full session audit trail: TRX logs every action taken during a session. Record views, downloads, edits, and status changes are attributed to the authenticated user with a precise timestamp.

Compliance FAQ

What does SOC 2 Type II certification cover?

SOC 2 Type II certification means an independent auditor examined TheRecordXchange's security controls over a sustained period — typically six to twelve months — and confirmed they operated effectively. The audit covers five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. For courts, the most critical criteria are security (access controls, encryption, intrusion detection) and confidentiality (how sensitive records are handled and stored).

Is TRX approved for government use?

TheRecordXchange is used by courts across Indiana, Louisiana, Georgia, and Minnesota, among others. TRX's SOC 2 Type II certification and browser-based architecture are designed to meet the security and procurement requirements common to government environments. Courts evaluating TRX for procurement may request a copy of the SOC 2 Type II report and security documentation through the contact page.

How is court data protected in transit?

All data transmitted between a user's browser and TRX is encrypted using TLS 1.2 or higher. No court record content travels over unencrypted connections. Because TRX is browser-based, there is no client-side software that stores data locally — records exist only within the audited TRX platform, and all access is logged.

Request Our Security Documentation

Courts undergoing procurement review can request TRX's SOC 2 Type II report, security questionnaire responses, and supporting compliance documentation.

Request Security Documentation