First SOC 2 audit in three years with zero LMS findings
Pacific Institute is a professional language certification body. They had accumulated three consecutive SOC 2 audits with LMS-layer findings — a pattern their board was unwilling to continue through a fourth.
The problem
Their prior LMS enforced tenant boundaries through application-layer WHERE clauses and emitted audit events to a mutable internal table. Auditors could not verify that cross-tenant access paths were physically blocked, which had produced three cycles of repeat findings.
Why Cognaxa
Cognaxa enforces tenant isolation at the PostgreSQL query planner through Row-Level Security policies. Pacific Institute's compliance team could sign off on isolation by reading one policy, not auditing every service. The activity audit log captures key tenant actions with a server-enforced timestamp.
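The contrast described above, as an added PostgreSQL example that is not Cognaxa's schema or code. The table, role and setting names (`enrollments`, `audit_log`, `app_role`, `app.tenant_id`) are hypothetical, and the UUID is a constructed value.

```sql
-- Added illustration; all object names are hypothetical.
CREATE ROLE app_role NOLOGIN;

CREATE TABLE enrollments (
    tenant_id uuid NOT NULL,
    learner   text NOT NULL
);
GRANT SELECT, INSERT ON enrollments TO app_role;

-- Application-layer pattern: isolation holds only if every query in
-- every service remembers the predicate.
--   SELECT * FROM enrollments WHERE tenant_id = $1;

-- RLS pattern: one policy, applied by the database to every query.
ALTER TABLE enrollments ENABLE ROW LEVEL SECURITY;
ALTER TABLE enrollments FORCE ROW LEVEL SECURITY;  -- table owner is subject to it too

-- current_setting() raises an error when app.tenant_id is unset,
-- so a request that forgot to pin its tenant fails closed.
CREATE POLICY tenant_isolation ON enrollments
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

-- Per request, the service pins the tenant for one transaction.
BEGIN;
SET LOCAL ROLE app_role;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';  -- constructed
SELECT * FROM enrollments;  -- returns only that tenant's rows
COMMIT;

-- Audit log: insert-only for the application role, with the timestamp
-- supplied by the server rather than the caller.
CREATE TABLE audit_log (
    tenant_id   uuid        NOT NULL,
    action      text        NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT clock_timestamp()
);
REVOKE ALL ON audit_log FROM app_role;
-- Column-level grant: the role cannot set occurred_at, and has no
-- UPDATE or DELETE, so existing entries are immutable to it.
GRANT INSERT (tenant_id, action) ON audit_log TO app_role;

-- Reviewer checks: which tables have RLS forced, and which roles bypass it.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class WHERE relname IN ('enrollments', 'audit_log');
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

Superusers and roles with `BYPASSRLS` are not subject to the policy, so the last query belongs in the review alongside the policy itself.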
How it changed the audit
The auditor's assessment of the tenant-isolation control moved from "partially effective with repeat finding" to "effective, cleanly designed." The query-planner-level RLS architecture was specifically cited in the audit report as an example of a well-designed preventive control.
The outcome
Zero LMS-layer findings for the first time in four audit cycles. The security team's recovered attention moved to application-layer controls in the institution's two other critical systems — a win the CISO cited as the year's highest-leverage technology swap.
"We passed our annual SOC 2 audit with zero findings related to the LMS layer — the first time that has ever happened. The auditor specifically called out Cognaxa's row-level tenancy as the cleanest tenant-isolation control they had reviewed that year."
Prof. James Chen, Head of Languages, Pacific Institute