Redrock Software Corporation’s Security Philosophy

Your Data Is Not Our Product

There’s a version of this page that every software company writes. It usually says something about “taking security seriously” and leaves it at that. We’d rather show you what we actually do.

Redrock Software Corporation was founded as a family business, and TracCloud was built to serve one purpose: helping educational institutions support student success. That’s it. We have never monetized customer data, and we never will. We don’t sell it, rent it, trade it, or use it for advertising. We don’t train AI models on it. We don’t treat the information your students and staff trust you with as a commodity, and we never will. That’s not a policy footnote; it’s the reason we exist.

We Do the Compliance Work Ourselves

TracCloud serves several hundred universities, which means we operate in one of the most heavily regulated spaces in software. Student data is governed by FERPA at the federal level, student privacy statutes across 38 states, and international frameworks including UK GDPR, Canada’s PIPEDA, and Quebec’s Law 25, among many others. Our customers span jurisdictions from Texas to Kuwait, and we maintain documented compliance requirements for every one of them.

We don’t outsource this to a consultant who shows up once a year. Our security program is built and maintained internally, aligned to NIST SP 800-53 Rev 5 (High Baseline), and mapped across multiple frameworks: CMMC, CIS Controls v8.1, FedRAMP, TX-RAMP, CSA CAIQ, and HECVAT. We maintain a comprehensive library of security policies and procedures covering access control, incident response, physical and environmental protection, personnel security, and many other areas, and we review and update them on a defined cycle. Every document has a revision history, an owner, and a reason for existing. When a university sends us a HECVAT or security questionnaire, we’re not scrambling to figure out the answers. We already know.

Security Architecture, Not Security Theater

TracCloud is a multi-tenant SaaS platform hosted on AWS. We implement tenant isolation at the database, network, and application layers, not just logically but with purpose-built controls that ensure one institution’s data never crosses paths with another’s.

Access to our systems follows the principle of least privilege. Every account is justified, reviewed, and auditable. Privileged access is tightly controlled, monitored, and restricted to defined personnel. We enforce strong authentication, role-based access controls, and session management policies that include automatic lockout and termination. Failed login attempts are limited and tracked. Remote access is encrypted, routed through managed access points, and logged.

Data is encrypted in transit using TLS and at rest using AES-256. We use cryptographic integrity verification and maintain a key management program through AWS KMS. We’re also keeping an eye on post-quantum cryptographic developments, not because it’s trendy, but because our obligation to protect student records doesn’t have an expiration date.

We Plan for Things Going Wrong

No security program is worth much if it only works on a good day. We maintain documented incident response plans covering security breaches, data loss, ransomware, and system failures. These aren’t theoretical either. They include specific detection indicators, containment procedures, evidence preservation steps, notification requirements, and post-incident review processes.

Our infrastructure is built for resilience: automated scaling, defined failover regions, backup plans with regular validation, source code mirroring, and continuous monitoring through AWS CloudWatch and SNS alerting. We conduct regular security audits, including annual independent assessments, and remediate findings in accordance with auditor recommendations.

Security and Privacy Are a Responsibility, Not a Checkbox

When we operate as a school official under FERPA, we take that designation seriously. It means we use education records solely for the purposes the institution authorized. We don’t re-disclose personally identifiable information. We implement and maintain the administrative, technical, and physical safeguards that FERPA requires. And when a service agreement ends, we return or securely destroy the records.

This goes beyond contractual language; it reflects how we actually handle data, every day, for every institution we serve.

Built by People Who Care About Getting It Right

We’re not a large enterprise with a sprawling security department. We’re a focused team that takes ownership of every layer of our security posture, from the code we write to the infrastructure we manage to the policies we enforce. Our security documentation isn’t generated by a template mill; it’s written by the people who build and operate the platform, because those are the people who understand where the real risks are.

We believe the best security comes from people who treat it as an engineering discipline, not a compliance exercise. Frameworks and certifications matter. We pursue them rigorously, but they’re the floor, not the ceiling. The ceiling is doing right by the institutions and students who depend on us, in every way we can.