Enterprise Security Questionnaire
Pre-prepared responses to standard enterprise security and operations questionnaire sections.
This section is intended for: Technical Team, Auditor, Management. Access is restricted to these audiences.
1. Purpose
This document provides structured responses to common enterprise security questionnaire sections. It is designed for procurement teams, CISOs, and security reviewers evaluating Govula for enterprise deployment.
These responses describe the current state of the platform. They are not marketing claims or roadmap items. All statements are verifiable through the platform documentation and API.
2. Identity & Access Management
IAM Controls
- Authentication: Enterprise SSO (SAML 2.0, OpenID Connect), local authentication with bcrypt password hashing, MFA support
- Authorization: Role-based access control (RBAC) with role hierarchy, enforced at middleware level on every API endpoint
- Session Management: JWT-based tokens with configurable expiry, session invalidation on role change
- Privileged Access: Admin role required for workspace binding, entitlement management, user provisioning; platform operator role for cross-tenant operations
- Identity Audit: All authentication events logged, identity changes tracked with full provenance
3. Data Protection
Data Security Controls
- Encryption at Rest: Database-level encryption via PostgreSQL
- Encryption in Transit: TLS for all communications
- Data Classification: Compliance data classified by governance context and audience binding
- Tenant Isolation: Strict multi-tenant isolation with tenant_id enforcement on all queries
- Data Integrity: SHA-256 content hashing, cryptographic report signing, blockchain-style audit chain
4. Change Management
Change Controls
- Decision Versioning: All governance decisions versioned with supersedes chain
- Configuration Changes: Logged with before/after state and actor attribution
- Immutability: Approved decisions and locked bindings cannot be retroactively modified
- Report Integrity: Reports locked to decision versions at generation time
- Governance Guardrails: Govula enforces governance correctness through deterministic pre-flight validation. Before a workspace can be activated or an authoritative report generated, the platform verifies that minimum governance conditions are satisfied — including framework applicability, control mapping, and ownership assignment. These checks exist to prevent the creation or publication of incomplete, misleading, or non-defensible compliance artefacts. They do not introduce interpretation, scoring, or automated judgement. If a pre-flight validation fails, no existing artefacts are altered.
- Rollback: Platform does not support rollback of governance decisions; new versions are created instead
5. Business Continuity
Continuity Controls
- Deployment Options: SaaS (multi-tenant), single-tenant Docker, on-premises Docker
- Data Export: Full data export available in JSON, PDF, CSV formats
- Backup: Database-level backup with configurable retention
- Recovery: Standard PostgreSQL recovery procedures; compliance data integrity verified via hash chains
6. Compliance & Governance
Governance Controls
- Framework Support: ISO 27001, SOC 2, Cyber Essentials, DSPT, PCI DSS, NIST CSF
- Audit Trail: Immutable, append-only audit stream with hash chaining
- Separation of Duties: Enforced at service layer; preparers cannot approve own decisions
- Evidence Management: Lifecycle tracking with quality indexing and freshness monitoring
- Reporting: Governed reports with cryptographic signing and decision version locking
7. Third-Party Risk
Third-Party Controls
- AI Usage: OpenAI GPT-4o-mini for analysis and recommendations only; AI cannot approve, sign, or publish
- Data Sharing: No compliance data shared with third parties without explicit tenant consent
- Subprocessors: OpenAI (AI analysis), PostgreSQL (database)
- AI Authority Boundary: AI operates in advisory capacity only; all AI outputs require human review
8. Incident Response
Incident Response Controls
- Detection: Anomaly detection in audit stream, violation logging for capability overreach
- Response: Structured incident response via governance decision system
- Notification: Automated alerting for expiring evidence, compliance gaps, entitlement expiry
- Post-Incident: Immutable audit trail ensures complete incident reconstruction
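The hash-chained audit stream referenced under Data Integrity, Recovery, Audit Trail and Post-Incident above works on the principle illustrated here. This is an added example written for this page, not Govula's own code: entry fields, the genesis anchor and the sample events are assumptions, and the verifier returns the first sequence number at which the chain no longer holds, which is what an incident reconstruction relies on.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # constructed anchor for the first entry's prev_hash


@dataclass(frozen=True)  # frozen: entries are never edited in place
class AuditEntry:
    seq: int
    tenant_id: str
    actor: str
    event: str
    prev_hash: str
    entry_hash: str


def entry_digest(seq, tenant_id, actor, event, prev_hash):
    # Canonical JSON (sorted keys, no whitespace) so the SHA-256 value
    # does not depend on serialisation details.
    payload = json.dumps(
        {"seq": seq, "tenant_id": tenant_id, "actor": actor,
         "event": event, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(chain, tenant_id, actor, event):
    """Append an entry whose hash commits to the previous entry's hash."""
    prev = chain[-1].entry_hash if chain else GENESIS
    seq = len(chain)
    digest = entry_digest(seq, tenant_id, actor, event, prev)
    chain.append(AuditEntry(seq, tenant_id, actor, event, prev, digest))
    return chain[-1]


def verify_chain(chain):
    """Return (ok, first_bad_seq), recomputing every hash and every link."""
    expected_prev = GENESIS
    for i, e in enumerate(chain):
        if e.seq != i or e.prev_hash != expected_prev:
            return False, e.seq  # gap, reorder or broken link
        if entry_digest(e.seq, e.tenant_id, e.actor, e.event, e.prev_hash) != e.entry_hash:
            return False, e.seq  # content changed after the fact
        expected_prev = e.entry_hash
    return True, None


def tamper_demo():
    """Constructed events: an edit to the actor of entry 1 is detected at seq 1."""
    chain = []
    append_entry(chain, "tenant-a", "alice", "login")
    append_entry(chain, "tenant-a", "alice", "decision.approve:D-1")
    append_entry(chain, "tenant-a", "bob", "report.sign:R-7")
    e = chain[1]
    chain[1] = AuditEntry(e.seq, e.tenant_id, "mallory", e.event, e.prev_hash, e.entry_hash)
    return verify_chain(chain)  # → (False, 1)
```

Recomputing the tampered entry's own hash does not help an attacker either: the next entry's prev_hash still points at the original value, so verification fails one step later.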
9. Document Control
This document is a governed artefact. Changes require BINDING_GOVERNANCE_DECISION class approval and are subject to the change and amendment rules defined in the Governance Constitution.