Government Third Party Authorization & Compliance Explained

The GovQA Security Triangle

All Security Controls Documented & Tested (Audit Required)
Criminal Justice Controls Documented & Tested (Audit Required)
Health Information Controls Documented (Audit Required)
Controls Tested, Voluntary (Audit Required)
Controls Documented, Voluntary
Financial Controls, Voluntary


Several key government organizations set the standards for properly executing software solutions in the best interest of the public. When a software solution complies with these standards, the purchasing group can have confidence that the product has been vetted.

But GovQA goes further.

Our compliance is not a one-time event and certification. We don’t “map” our software to the standards and call it a day. We are committed to strict, ongoing compliance day to day, month to month, and year to year, and we prove this with annual (and more frequent) third-party audits of our platform.

…And we go further still.

GovQA’s employees, building, and company systems and procedures are also compliant. We have extensive SETA (Security Education, Training, and Awareness) programs in place and state-of-the-art building security, and we strictly enforce CJIS and HIPAA staff training, certification, and annual recertification.

Security at GovQA is not just a box to check; it is truly ingrained in our culture. GovQA can provide Letters of Attestation to confirm we have met all compliance requirements.

Learn More About Security


Compliance with the Criminal Justice Information Services (CJIS) Security Policy is ongoing. This includes GovQA data infrastructure and maintenance, product development, and relevant employee background checks. GovQA is audited and attested annually by a third-party auditor as fully compliant.


The HIPAA Security Rule establishes national standards requiring appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. GovQA’s compliance means we adhere to all HIPAA rules relevant to our business, including privacy, security, enforcement, and breach notification. We are audited and attested annually by a third-party auditor as fully compliant.


FISMA (the Federal Information Systems Act) requires government agencies to effectively manage risk, and NIST (National Institute of Standards and Technology) issues specific guidance for complying with FISMA. The goal is to protect information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to ensure the integrity, confidentiality, and availability of sensitive information. FISMA requirements include categorization according to risk level, maintenance of a system security plan, security controls implementation, risk assessments, certification and accreditation, and continuous monitoring.


SOC (Service and Organizational Controls) audits are based on CPA requirements and are performed by accounting firms. SOC 1 audits are primarily financial audits; SOC 2 audits are also largely financial, with some data security controls relating to Security, Availability, Processing, Confidentiality, and Privacy. These audits focus on how client data is stored and protected.

  • SOC 1: financial audit for potential investors
  • SOC 2 Type 1: controls verified to be in place at a single point in time
  • SOC 2 Type 2: mature, comprehensive auditing over time

GovQA engages only with fully SOC-compliant, audited, and attested data centers and hosting providers that have compliance and gap letters on file.
