Operational Governance
Standard operating procedures for onboarding, offboarding, data lifecycle, access revocation, and data retention.
This section is intended for: Technical Team, Auditor, Management. Unauthorised access is restricted.
1. Purpose
This document codifies operational governance procedures for the Govula platform. It exists to ensure consistent, auditable operations across all tenant lifecycles — from initial onboarding through active use to offboarding and data retention.
2. Standard Onboarding Sequence
Every new organisation follows a governed onboarding sequence. Each step is logged and must complete before the next can begin:
- Tenant isolation provisioning with dedicated data boundaries
- Trial, pilot, or active status with corresponding feature access
- Primary administrator account creation with MFA enrollment
- Framework selection and workspace provisioning
- Initial control mapping and evidence assignment
- Audience workspace binding configuration
- DRAFT → IN_PROGRESS → READY_FOR_DISCLOSURE → AUTHORISED
- Pre-flight governance checks before workspace activation
No workspace can reach AUTHORISED status without passing automated pre-flight governance checks.
3. Offboarding & Data Lifecycle
Offboarding follows a governed process that prioritises data integrity and auditability over immediate deletion:
- Offboarding triggered by entitlement expiry or explicit administrator action
- Expired organisations transition to read-only mode (no data deletion)
- All compliance artefacts remain accessible in read-only mode
- Data export is available during suspension/expiry window
- Permanent data removal requires explicit written request and governance approval
- Offboarding actions are logged in the institutional audit stream
4. Access Revocation Rules
Access revocation is immediate and comprehensive. The following rules govern how access is removed:
- Immediate revocation on role change or user deactivation
- Session tokens invalidated on revocation
- Access revocation logged with actor identity and timestamp
- Workspace bindings reviewed on administrator role changes
- Auditor bindings require re-lock after any workspace rebinding
5. Data Retention & Export Guarantees
The platform enforces the following data retention and export guarantees:
- All compliance decisions retained for minimum retention period
- Evidence versions are append-only; historical versions never deleted
- Reports locked to decision versions at generation time
- Export bundles include cryptographic signatures for integrity verification
- Tenant data isolation maintained throughout retention period
| Data Type | Retention | Export Format |
|---|---|---|
| Governance Decisions | Indefinite (append-only) | JSON, PDF |
| Evidence Artefacts | Minimum 7 years | Original format + metadata |
| Audit Stream | Indefinite (immutable) | JSON with hash chain |
| Generated Reports | Indefinite (locked to version) | PDF, HTML, CSV |
| Workspace Configurations | Tenant lifecycle | JSON |
6. Decision Freshness Indicators
All generated outputs include freshness indicators to ensure stakeholders can assess the currency and reliability of compliance data:
- Decision timestamp (when the governance decision was made)
- Evidence freshness score (how current the supporting evidence is)
- Report generation timestamp (when the report was produced)
- Framework version at time of assessment
- Staleness warnings when evidence exceeds freshness thresholds