Government & Public Sector Compliance
Cloud-only certifications (FedRAMP, ATO) are not applicable to on-premises desktop software — RecordIQ runs on the customer workstation, not in a cloud environment. The architecture is designed to minimize data exfiltration risk, and RecordIQ can be deployed on any workstation, including air-gapped and classified environments.
Why Government Agencies Choose RecordIQ
RecordIQ Enterprise Edition is uniquely suited for government and public sector environments because of one fundamental architectural decision: all document processing runs entirely offline on the workstation.
- Minimal cloud dependency — internet required only for license activation (30-day offline grace period). All document processing runs entirely offline.
- Cloud-only certifications not applicable — FedRAMP and Authority to Operate (ATO) processes apply to cloud services; RecordIQ runs on the customer workstation, not in a cloud environment
- Significantly reduced data exfiltration risk — offline-first document processing minimizes network-based attack vectors for data leakage
- FIPS-aligned cryptography — AES-256-GCM (FIPS 197), PBKDF2-SHA256 (NIST SP 800-132), Windows DPAPI (FIPS 140-2 Level 1)
- Automatic FIPS mode detection — when deployed on a FIPS-enforced Windows system, RecordIQ detects and logs FIPS mode automatically
Protecting Controlled Unclassified Information
RecordIQ has been mapped against all 110 controls in NIST SP 800-171 Rev 2, the standard for protecting CUI in nonfederal systems. Relevant for organizations handling CUI under contract with the U.S. Department of Defense (DFARS 252.204-7012).
| Control Family | Implemented | Partial | N/A |
|---|---|---|---|
| 3.1 Access Control | 5 | 2 | 15 |
| 3.2 Awareness & Training | 0 | 1 | 2 |
| 3.3 Audit & Accountability | 7 | 2 | 0 |
| 3.4 Configuration Management | 4 | 2 | 3 |
| 3.5 Identification & Authentication | 6 | 1 | 4 |
| 3.6 Incident Response | 1 | 2 | 0 |
| 3.7 Maintenance | 0 | 1 | 5 |
| 3.8 Media Protection | 5 | 0 | 4 |
| 3.9 Personnel Security | 0 | 0 | 2 |
| 3.10 Physical Protection | 0 | 0 | 6 |
| 3.11 Risk Assessment | 1 | 2 | 0 |
| 3.12 Security Assessment | 2 | 2 | 0 |
| 3.13 System & Communications Protection | 6 | 1 | 9 |
| 3.14 System & Information Integrity | 5 | 2 | 0 |
| Total (110 controls) | 42 | 21 | 47 |
47 controls are Not Applicable because RecordIQ is a standalone desktop application with no network, remote access, personnel management, or physical infrastructure components. These controls are the responsibility of the deploying organization.
The full control-by-control mapping is available upon request. Contact sales@recordiq.app for procurement documentation.
FIPS-Aligned Cryptography
RecordIQ's cryptographic implementation aligns with federal requirements:
| Component | Standard | Implementation |
|---|---|---|
| Symmetric encryption | FIPS 197 (AES) | AES-256-GCM via cryptography library |
| GCM mode | NIST SP 800-38D | 96-bit nonces (NIST recommended length) |
| Key generation | NIST SP 800-133 | 256-bit keys via secrets.token_bytes() |
| Key wrapping | FIPS 140-2 Level 1 | Windows DPAPI (CryptProtectData) |
| Password hashing | NIST SP 800-132 | PBKDF2-SHA256, 600,000 iterations |
| Media sanitization | NIST SP 800-88 | 3-pass random overwrite before deletion |
When deployed on a FIPS-enforced Windows system (Group Policy enabled), RecordIQ automatically detects and logs FIPS mode at startup.
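The table above names the primitives but not how they fit together. The following is an added illustration (not RecordIQ's own code) of the pattern those rows describe: a PIN verifier derived with PBKDF2-SHA256 at 600,000 iterations, a 256-bit data key from `secrets.token_bytes()`, and AES-256-GCM with a fresh 96-bit nonce per record. The function names, the `nonce || ciphertext` storage layout and the sample record are assumptions made here; the DPAPI wrapping of the data key is a Windows-only step and is not shown, so the key is simply held in memory.

```python
import hashlib
import hmac
import secrets

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PBKDF2_ITERATIONS = 600_000  # PBKDF2-SHA256 iteration count from the table above (NIST SP 800-132)
NONCE_BYTES = 12             # 96-bit GCM nonce, the length NIST SP 800-38D recommends
KEY_BYTES = 32               # AES-256


def pin_verifier(pin: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a 32-byte PBKDF2-SHA256 verifier for a PIN; only salt + verifier are stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def check_pin(pin: str, salt: bytes, stored: bytes, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Constant-time comparison so a wrong PIN does not leak how many bytes matched."""
    return hmac.compare_digest(pin_verifier(pin, salt, iterations), stored)


def new_data_key() -> bytes:
    """256-bit data-encryption key from the OS CSPRNG (NIST SP 800-133 key generation)."""
    return secrets.token_bytes(KEY_BYTES)


def encrypt_record(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """AES-256-GCM with a random 96-bit nonce; the nonce is stored in front of the ciphertext+tag."""
    nonce = secrets.token_bytes(NONCE_BYTES)  # never reuse a nonce under the same key
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def decrypt_record(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Split nonce and ciphertext; AESGCM.decrypt raises InvalidTag if either was modified."""
    nonce, ciphertext = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    return AESGCM(key).decrypt(nonce, ciphertext, aad)


def tamper_detected(key: bytes, blob: bytes, aad: bytes = b"") -> bool:
    """True when GCM authentication rejects the blob (modified bytes or wrong associated data)."""
    try:
        decrypt_record(key, blob, aad)
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a per-user salt, a PIN, and one record tagged with its record id as AAD.
    salt = secrets.token_bytes(16)
    verifier = pin_verifier("4821", salt)
    print("PIN ok:", check_pin("4821", salt, verifier), "wrong PIN ok:", check_pin("0000", salt, verifier))

    dek = new_data_key()
    blob = encrypt_record(dek, b"constructed record contents", b"record-0001")
    print("roundtrip:", decrypt_record(dek, blob, b"record-0001"))
    flipped = bytearray(blob)
    flipped[-1] ^= 0x01  # flip one bit of the authentication tag
    print("tamper detected:", tamper_detected(dek, bytes(flipped), b"record-0001"))
```

The associated data binds the ciphertext to a record identifier, so a blob copied from one record into another fails authentication even though the key and nonce are valid; the 600,000-iteration count makes each PIN check take a noticeable fraction of a second, which is the intended cost for the lockout-protected PIN path but should not be applied to per-record data keys.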
Section 508 Accessibility
RecordIQ maintains a Voluntary Product Accessibility Template (VPAT) 2.4 covering WCAG 2.1 Level A/AA and Revised Section 508 (2017). Key accessibility features:
- Keyboard navigation — all core functionality accessible via keyboard (Tab, Enter, Space, Arrow keys)
- Screen reader compatible — PyQt6 widgets expose roles, states, and names to Windows UI Automation API
- Light and dark themes — user-selectable themes; respects Windows display scaling
- No audio dependency — all information conveyed visually through text
- Configurable timeouts — session timeout adjustable (5 to 90 minutes)
- Confirmation dialogs — destructive operations require explicit user confirmation
The full VPAT document is available upon request. Contact sales@recordiq.app.
Security Boundary Model
RecordIQ is a desktop application. The following clarifies the security boundary between RecordIQ and the deploying organization:
RecordIQ Provides
Access Control: PIN authentication, session lock, 5-attempt lockout
Audit: Tamper-evident HMAC-chained trail, 6-year retention
Encryption: AES-256-GCM at rest, DPAPI key protection
Incident Response: Security event logging, DR drills, breach notification
Media: NIST SP 800-88 secure deletion, encrypted backups
Organization Provides
Network: Network access control, firewalls, VPN
Physical: Facility security, workstation placement, clean desk policy
Personnel: Background checks, security training, termination procedures
Disk Encryption: BitLocker, TLS/VPN for network transfers
IR Plan: Incident response team, notification procedures
Regulatory Coverage
RecordIQ maintains compliance documentation for the following frameworks:
HIPAA
Business Associate Agreement and full Security Rule safeguard mapping (see Security Whitepaper)
NIST SP 800-171
110-control mapping to support CUI/DFARS compliance efforts (available upon request)
FIPS 197 / 140-2
AES-256-GCM encryption with DPAPI key wrapping
Section 508
VPAT 2.4 covering WCAG 2.1 Level A/AA (available upon request)
PIPEDA
Data Processing Agreement and Privacy Policy with full PIPEDA principles mapping
Quebec Law 25
CCPA/CPRA
California consumer privacy rights documented in Privacy Policy and Data Processing Addendum
SOC 2 Type I (not yet certified)
Control documentation (CC5, CC8, A1) covering trust service criteria
Government Procurement
RecordIQ is available for government procurement through standard channels:
- Micro-purchases — available for direct purchase under the simplified acquisition threshold
- Volume licensing — enterprise pricing available for 10+ seats
- Deployment — standard Windows installer (.exe); no cloud infrastructure required; no internet connection needed for document processing; license activation requires internet (30-day offline grace)
- Documentation — full NIST 800-171 mapping, VPAT, security whitepaper, and BAA available upon request
Ready for Procurement?
Contact us for volume licensing, compliance documentation, or procurement support.