Compliance & auditing

Where to find what you need when an auditor, insurer, or board member asks "show me how you're handling cybersecurity training."

What TSNC tracks for you

  • Training completion: every staff member, every assigned module, with timestamps
  • Phishing simulation results: campaign-by-campaign catch rates, click rates, report rates
  • Vault access events: every recovery, every wipe, with reasons and notifications
  • Admin activity log: every modifying action by every admin, peer-reviewable
  • Audit log: every login, every API call, retained for the lifetime of the account

Pre-built compliance reports

Annual compliance attestation

A one-page summary suitable for a board meeting or insurance review. Lists what TSNC features are enabled, what training has been completed, what controls are in place. Aligned with common frameworks: CISA cybersecurity awareness recommendations, NIST core functions, and the USCCB's 2024 cybersecurity guidance for Catholic institutions.

FERPA alignment statement

Documents how TSNC handles student-related data. Useful when you need to demonstrate FERPA compliance for vendor reviews. We're not a primary student-data system, but we touch staff communications about students, so we maintain a clear statement of practices.

Per-staff training transcript

For HR purposes: when a teacher needs to demonstrate completed cybersecurity training (often required for state professional development hours), TSNC generates a transcript with module names, completion dates, and certificate numbers.

Audit log access

The full audit log is available to org admins under Reports → Audit Log. It captures every login, every admin action, every API call by every user. Filterable by user, action, time range. Export as CSV.

Retention policy

Audit logs are retained for the life of your account. We do not auto-purge after 90 days like some products. The trade-off is storage cost (small) for the benefit of being able to investigate incidents from years ago, which matters in education and legal contexts.

What we're aligned with vs. certified for

We're honest about this distinction because vendor questionnaires often blur it.

  • SOC 2: Planned. We're building toward Type II. Not yet certified; don't claim it on a security questionnaire.
  • FERPA: Aligned. We design with FERPA in mind. We're not a school of record so we don't hold "education records" in FERPA's technical sense.
  • GDPR: Aligned. We support data subject access requests, deletion, and minimal collection.
  • HIPAA: Not covered. We are not a Business Associate. Don't store ePHI in TSNC.
  • Penetration testing: We've started running scans (currently via Intruder.io). Independent third-party pentest is planned.

FAQ

How do I respond to a vendor security questionnaire that asks about TSNC?

Email security@thoushaltnotclick.com with the questionnaire and we'll fill it out within 48 hours. We've answered SIG-Lite, CAIQ, and most common state-level questionnaires before. We'd rather respond honestly to one ourselves than have you guess.

Can I delete an old user's training records?

Yes. Under GDPR and similar "right to be forgotten" laws, you can request deletion of a former user's training records. Email support with the request. We'll deactivate the user in the audit log but retain a hash for compliance integrity, and remove their personally identifiable training data.

What happens to compliance records if my school cancels?

You can export everything as CSV and PDF before cancelling. After cancellation, data is retained for 90 days then permanently deleted. If you need an extended retention, email us before cancelling; we can hold for up to 7 years for legal hold reasons.