Security FAQs

FAQs—security, privacy, and compliance.

Our platform, FTR Justice Cloud, meets or exceeds multiple government-grade and industry-recognized frameworks that safeguard justice data:

  • NIST 800-53 Rev. 5 — A U.S. federal cybersecurity framework with more than 1,200 controls across encryption, identity management, logging, incident response, and zero-trust architecture. Federal compliance programs such as FedRAMP use NIST 800-53 Rev. 5 as the baseline for their security control guidance.
  • SOC 2 Type 2 — An independent, time-bound audit verifying that For The Record maintains secure, reliable operations over an extended period—covering security, availability, confidentiality, processing integrity, and privacy.
  • CJIS Security Policy — FBI-level requirements for handling criminal justice information, including encryption, access controls, audit logs, background checks, and signed security addenda.
  • Cloud Security Alliance Cloud Controls Matrix (CCM) — A comprehensive cloud security framework with 197 controls across 17 domains, providing guidance on governance, risk management, data protection, and security responsibilities for cloud service providers and customers.
  • UK Cyber Essentials — A UK government-backed certification ensuring basic cyber hygiene, covering access controls, firewalls, patch management, malware protection, and secure configuration of devices and software.

Together, these certifications demonstrate layered protection across business, technical, and justice environments.

Courts and justice agencies operate under different standards. Each framework plays a distinct role:

  • CJIS ensures compliance for agencies handling criminal justice information.
  • SOC 2 Type 2 validates that our security practices operate effectively over time.
  • NIST 800-53 Rev. 5 establishes the most comprehensive federal-level baseline for cyber resilience.

By maintaining compliance with all three, For The Record provides verifiable, end-to-end assurance across justice and public-sector domains.

Security is enforced at every layer:

  • Encryption: All recordings and transcripts are encrypted both in transit (TLS 1.2+) and at rest (AES-256).
  • Zero-Trust Architecture: No device, user, or network segment is inherently trusted. Every access request is verified.
  • Role-Based and Least-Privilege Access: Only authorized users can view or manage data, limited strictly to their court roles.
  • Segregated Tenancy: Each customer’s data is logically isolated to prevent cross-access.
  • Continuous Monitoring: Systems are monitored 24/7 for unauthorized activity, anomalies, or attempted intrusions.
  • Penetration Testing & Vulnerability Scanning: Independent security specialists conduct regular penetration tests and code reviews. Internal vulnerability scanning occurs continuously.

Access to customer data is strictly limited and tightly controlled, with the court ultimately able to control access to their environments. For The Record staff may access customer environments for implementation, onboarding and training purposes, as well as to provide support and maintenance services. All access is recorded, auditable, and subject to strict internal policy and background check requirements.

Absolutely not.

Customer data—including recordings, transcripts, and metadata—is never used to train generative-AI systems or shared externally for model development. Data is processed exclusively to deliver court-related functionality, consistent with contractual and compliance obligations.

FTR Justice Cloud is hosted within Amazon Web Services and Microsoft Azure Commercial cloud environments, depending on customer requirements. These data centers are:

  • Located in the United States (for U.S. courts) or region-specific for other jurisdictions.
  • Certified for FedRAMP Moderate, ISO 27001, and CJIS compliance.
  • Protected by Azure’s built-in redundancy, encryption, and continuous monitoring.

Data residency and sovereignty options are available to meet local regulations.

We believe transparency strengthens trust. Through our Trust Center, customers can:

  • Review our SOC 2 Type 2 attestation report
  • Access summary documentation on NIST and CJIS compliance
  • View security policies, incident-response frameworks, and audit details

Independent validation, continuous monitoring, and annual audits ensure accountability.

If a potential incident is detected:

  1. Immediate containment procedures isolate affected systems.
  2. Investigation and forensic analysis determine scope and impact.
  3. Notification follows all applicable legal and contractual obligations.
  4. Remediation actions are documented, reviewed, and incorporated into system hardening.

We operate with the principle of defense in depth—minimizing the likelihood and impact of any single event.

Courts increasingly face risks from synthetic or altered digital media. For court records specifically, For The Record invests in preventative and forensic capabilities, including:

  • Cryptographic digital signatures and provenance metadata to verify authenticity
  • Chain-of-custody logging to detect tampering
  • Anomaly detection and behavioral monitoring to flag suspicious access or uploads
  • Ongoing collaboration with cybersecurity experts to anticipate new threats

  • Annual independent audits for SOC 2 and NIST compliance
  • Continuous monitoring for intrusion and performance anomalies
  • Quarterly vulnerability scans and patch management
  • Penetration testing by third-party specialists
  • Mandatory security training for all employees
  • Governance reviews aligning to NIST 800-53 Rev. 5 control families

Security isn’t static—it’s a continuous process of validation, refinement, and resilience.
