Governance Constitution

Formal declaration of Govula's governance authority, decision-making principles, and institutional rules.

This section is intended for: Technical Team, Auditor, Management. Unauthorised access is restricted.

Document Purpose: This constitution defines the foundational rules governing all compliance operations within Govula. It is versioned, immutable once approved, and referenced by all governance documentation.

1. Platform Purpose & Authority

Govula exists as a Living Statement of Applicability (SoA) engine for regulated environments. It provides structured compliance management, evidence lifecycle tracking, and audit-grade document generation for organisations operating under formal compliance frameworks.

The platform's authority derives from governed workspace operations, not from external mandate. Govula does not issue compliance certifications, regulatory approvals, or audit opinions. It is a compliance management tool, not a compliance authority.

Authority Boundaries

  • Derived fromGoverned workspace operations, decision workflows, and evidence management
  • NOT derived fromExternal regulatory mandate, certification body delegation, or legal authority
  • Platform roleCompliance management tool that supports human decision-making

2. Decision-Making Principles

All compliance decisions within Govula follow a five-class hierarchy. Each class has defined approval requirements, escalation paths, and truth levels that determine how the decision is treated within the governance framework.

1

INFORMATIONAL

Data collection and status reporting. No approval required. Used for logging observations, recording evidence metadata, and tracking system state. Does not alter compliance posture.

2

ADVISORY

Recommendations generated by AI analysis or system heuristics. Requires human acknowledgement before action. Advisory outputs inform but do not constrain decision-making.

3

RECOMMENDATORY

Formal recommendations with supporting evidence and rationale. Requires review by a qualified role. Rejection must include documented justification. Creates a decision record in the audit trail.

4

CONSTRAINED_DECISION

Decisions that affect compliance status, control assessments, or evidence quality. Requires approval from an authorised role with separation of duties enforced. The preparer cannot approve their own constrained decision.

5

BINDING_GOVERNANCE_DECISION

Decisions that alter governance rules, constitutional provisions, workspace bindings, or disclosure policies. Requires multi-party approval with full separation of duties. Creates an immutable governance record with hash-chain integrity.

Truth Levels

Each decision class produces outputs with defined truth levels that determine how the output may be used within the compliance framework:

AUTHORITATIVEBinding compliance determinations. May be cited in audit reports and regulatory submissions. Produced by CONSTRAINED_DECISION and BINDING_GOVERNANCE_DECISION classes.
SUPPORTINGEvidence and analysis that substantiates authoritative decisions. Produced by RECOMMENDATORY and CONSTRAINED_DECISION classes.
CONTEXTUALBackground information and system observations. Produced by INFORMATIONAL and ADVISORY classes. Cannot be cited as compliance evidence without elevation.

3. Source of Truth Rules

The workspace is the single source of truth for each compliance framework within Govula. These rules are fundamental to the platform's governance integrity and cannot be overridden by configuration.

  • One workspace per framework per audience — each compliance framework operates within a dedicated workspace, and each audience is bound to exactly one workspace at any time
  • Living SoA — the Statement of Applicability is a living document that reflects point-in-time assessments, not a static snapshot
  • No overwrites — each assessment creates a new versioned record; previous assessments are never modified or deleted
  • Workspace isolation — workspace data cannot be merged, copied, or aggregated across framework boundaries without explicit governance approval
  • Deterministic resolution — all reports and compliance outputs are generated from the bound workspace, resolved automatically from the authenticated user's audience binding

4. Change & Amendment Rules

Changes to this constitution and to governance rules within the platform are subject to strict procedural controls. These rules ensure that governance changes are deliberate, traceable, and resistant to unilateral modification.

Approval Requirements

Constitutional changes require BINDING_GOVERNANCE_DECISION class approval. This is the highest decision class and requires multi-party approval with full separation of duties. No single actor may both propose and approve a constitutional amendment.

Version Integrity

All changes are versioned with hash-chain integrity. Each version includes a cryptographic hash of its content and a reference to the previous version's hash, creating an immutable chain of governance history. Tampering with any version invalidates all subsequent versions.

Historical Access

Previous versions of all governance documents remain accessible and auditable. No version may be deleted, archived, or hidden. The complete governance history is available to administrators and auditors at all times.

Separation of Duties

Amendment requires strict separation of duties. The proposer of a constitutional change cannot be the approver. This is enforced at the application level and cannot be bypassed by administrative privilege.

5. Accountability Philosophy

Govula's governance model is built on the principle that every action within the platform must be attributable to an authenticated identity. This accountability framework ensures that governance operations are transparent, traceable, and defensible under audit.

  • Authenticated identity — every governance action is attributable to an authenticated user identity; system-generated actions are attributed to the triggering user or scheduled process
  • No anonymous governance — anonymous or unauthenticated governance actions are prohibited; the platform rejects governance operations from unidentified actors
  • Immutable audit trail — the audit trail is append-only and immutable; entries cannot be modified, deleted, or backdated after creation
  • Separation of duties — preparers cannot approve their own decisions; this is enforced at the application level for all CONSTRAINED_DECISION and BINDING_GOVERNANCE_DECISION classes

Governance Guarantee

The combination of authenticated identity, immutable audit trails, and enforced separation of duties ensures that all governance operations within Govula are transparent, traceable, and defensible under formal audit. No governance action can be taken without attribution, and no actor can unilaterally alter governance state.

6. Document Control

This constitution is a governed document subject to the change and amendment rules defined in Section 4. All modifications require BINDING_GOVERNANCE_DECISION class approval with separation of duties.

Document IDGOV-CONST-001
Version1.0
ClassificationGovernance — Constitutional
Last Updated2/10/2026
Review CycleAnnual or upon material change
Governance & DisclosureSystem Boundaries