Formal declaration of platform scope, capabilities, and explicit limitations for audit review contexts.

This section is intended for: Auditor. Unauthorised access is restricted.

System Governance Artefact

GOV-ASL-001

Version1.0.0

Last Approved2026-02-10

ClassificationAssurance / Auditor Scope

This document is immutable. Changes require formal governance approval and versioned re-issuance.

1. Purpose

This document provides a formal declaration of what the Govula platform does and does not assert, claim, or guarantee. It is intended as a primary reference for auditors, regulators, and compliance reviewers evaluating artefacts produced by the platform.

All responses generated by the platform's Auditor Interrogation Mode, all audit reports, and all compliance artefacts are governed by the declarations in this document. Auditors should treat this document as the authoritative scope statement for any platform-generated output they review.

2. What Govula Asserts

The following assertions describe the platform's implemented and enforced capabilities:

All governance events are recorded in an append-only, hash-chained audit stream that cannot be retroactively modified.

Evidence submitted to the platform is integrity-verified at submission and carries traceable ownership attribution.

Compliance reports are generated from the current governance state at the time of generation and include content hash verification.

Role-based access control and audience-governed disclosure are enforced at the application layer for all platform operations.

Pre-flight validation prevents the creation of artefacts that do not meet defined governance prerequisites.

Governance decisions are versioned, immutable once finalised, and carry separation of duties enforcement.

Tenant isolation is enforced at the data layer, ensuring no cross-tenant data exposure in multi-tenant deployments.

Contract entitlements govern the scope of operations available to each organisation, with enforcement at the middleware layer.

3. What Govula Does Not Assert

The following explicit non-assertions define the boundaries of the platform's scope. These are not limitations to be addressed in future releases — they are deliberate design boundaries that preserve the integrity of the platform's governance model.

Govula does not certify compliance.

The platform provides governance infrastructure for maintaining and demonstrating compliance posture. Certification is the prerogative of accredited certification bodies.

Govula does not validate the accuracy of submitted evidence.

The platform verifies evidence integrity (hash, format, ownership) but does not assess whether the evidence accurately represents the control it supports. That assessment remains a human judgement.

Govula does not replace auditor judgement.

The platform provides structured data, traceable records, and governance context. The interpretation of that data and the determination of compliance status remain the auditor's responsibility.

Govula does not guarantee regulatory acceptance.

Regulatory bodies may have specific requirements beyond what the platform enforces. The platform provides governance infrastructure that supports regulatory compliance, but does not guarantee acceptance by any specific regulatory body.

Govula does not perform penetration testing or vulnerability assessment.

The platform governs compliance posture, not technical security posture. Security testing, vulnerability scanning, and penetration testing are outside the platform's scope.

Govula does not provide legal advice.

The platform's governance model, documentation, and outputs are not legal counsel. Organisations should seek independent legal advice regarding their compliance obligations.

Govula does not assert completeness of control coverage.

The platform supports the frameworks configured within it. The determination of which controls are applicable to an organisation is a governance decision made by the organisation, not by the platform.

4. Assurance Layer Cross-Reference

The following platform assurance guarantees are referenced as supporting evidence for the assertions in Section 2. Each guarantee is documented and enforceable:

RBAC Enforcement

Documented in Assurance Layer — Section 2: RBAC Guarantees

Audit Stream Integrity

Documented in Assurance Layer — Section 5: Audit Logging

Evidence Integrity Verification

Documented in Evidence Semantics — Integrity and Lifecycle

Governance Decision Immutability

Documented in Governance Constitution — Decision Versioning

Pre-flight Validation

Documented in System Boundaries — Guardrail Enforcement

5. Scope of Platform-Generated Reports

All reports generated by Govula are subject to the following scope constraints:

Temporal Scope

Reports reflect the governance state at the time of generation. They are point-in-time artefacts, not continuous representations.

Framework Scope

Reports cover only the frameworks configured within the generating workspace. Controls from unconfigured frameworks are not included.

Evidence Scope

Reports include evidence that has been submitted, verified, and associated with controls within the workspace. Evidence not submitted to the platform is not reflected.

Integrity Verification

Each report includes a SHA-256 content hash. Any modification to the report after generation invalidates this hash and renders the report non-authoritative.

6. Auditor Guidance

When reviewing artefacts produced by the Govula platform, auditors should:

1.Verify the content hash of any report presented as authoritative.
2.Confirm that the report was generated within the workspace and framework scope relevant to the audit.
3.Review the governance decision history for any controls under examination using the platform's point-in-time replay.
4.Note that the platform does not certify compliance — it provides the governance record from which compliance can be assessed.
5.Refer to the Auditor Interrogation Q&A for structured responses to common audit questions.

7. Version History

Version	Date	Change Description
1.0.0	2026-02-10	Initial release. Establishes formal scope and limitations declaration for audit review contexts.

Auditor Scope & Limitations