Platform Overview

Understanding the core architecture and operational philosophy of Govula.

This section is intended for: Technical Team, Auditor, Management, End User. Unauthorised access is restricted.

Core Philosophy

"Compliance is a continuously evaluated system, not a document."

Traditional compliance tools treat compliance as a documentation exercise. You create documents, store them, and review them periodically. The gap between documentation and reality grows immediately after each review cycle.

Govula treats compliance as a system state that is continuously evaluated. Evidence changes, controls are updated, organizational context evolves. The compliance state reflects these changes in near real-time, ensuring that what you report matches what you practice.

Core System Components

Organization Registry

The foundation of the platform. Each organization is configured with its industry, regulatory context, size, and operational characteristics. This context informs all downstream compliance decisions and ensures that applicability determinations are relevant to your specific situation.

Framework Library

A curated library of compliance frameworks including ISO 27001, SOC 2, NIST CSF, PCI DSS, DSPT, and others. Each framework is structured with its complete control set, organized by domain. Controls include metadata, implementation guidance, and cross-references to related controls in other frameworks.

Control Management Engine

The engine that tracks the status of each control for each organization. Controls can be marked as applicable or not applicable, with justifications. Implementation status, evidence associations, and risk ratings are maintained at the control level.

Evidence Repository

A managed repository for compliance evidence. Evidence is associated with controls, tagged with metadata, and tracked for freshness. Stale evidence triggers alerts. Evidence can be documents, attestations, screenshots, configuration exports, or links to external systems.

Compliance Evaluation Engine

The continuous evaluation system that calculates compliance state based on control status, evidence freshness, and organizational context. Produces compliance snapshots, detects drift, and generates recommendations for remediation.

Reporting Engine

Generates stakeholder-specific reports and exports. Executive summaries, technical detail reports, and auditor-ready evidence packages are produced on demand or on schedule. Reports are cryptographically signed for integrity verification.

How Components Interact

Organization   -> selects        -> Framework(s)
Framework      -> contains       -> Controls
Controls       -> evaluated for  -> Applicability
Applicability  -> supported by   -> Evidence
Evidence       -> tracked for    -> Freshness
All above      -> produces       -> Compliance State

This relationship model ensures that changes at any level propagate appropriately. When evidence expires, the affected control's status reflects this. When a control's status changes, the organization's overall compliance score updates. When a framework is updated, all organizations using it are notified of the impact.

Continuous Evaluation

The compliance evaluation engine runs continuously, not on a schedule. Whenever data changes, the affected compliance state is recalculated. This includes:

  • Evidence added, updated, or marked as expired
  • Control status changes (implemented, partial, not implemented)
  • Applicability decisions modified
  • Organizational context updated
  • Framework updates received

Compliance snapshots are captured at regular intervals for historical analysis and trend tracking. Drift detection compares current state against previous snapshots to identify changes that may require attention.
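The evaluation, snapshot and drift-detection logic described above, as an added illustration in Python; this is not Govula's code, and the state labels, the per-evidence freshness window and the control identifiers are assumptions made for the example:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Evidence:
    collected: date
    max_age_days: int  # freshness window; an assumed per-evidence policy

@dataclass
class OrgControl:
    control_id: str
    applicable: bool
    status: str              # "implemented" | "partial" | "not implemented"
    justification: str = ""  # expected whenever a control is marked not applicable
    evidence: list = field(default_factory=list)

def evaluate_control(oc: OrgControl, today: date) -> str:
    """Evaluated state of one organization control as of `today`."""
    if not oc.applicable:
        return "not applicable" if oc.justification else "not applicable (unjustified)"
    if oc.status != "implemented":
        return oc.status
    if not oc.evidence:
        return "implemented (no evidence)"
    stale = all(today - e.collected > timedelta(days=e.max_age_days) for e in oc.evidence)
    return "implemented (evidence stale)" if stale else "implemented"

def snapshot(controls: list, today: date) -> dict:
    return {oc.control_id: evaluate_control(oc, today) for oc in controls}

def compliance_score(snap: dict) -> float:
    # Percent of in-scope controls implemented with fresh evidence.
    in_scope = [s for s in snap.values() if not s.startswith("not applicable")]
    done = sum(s == "implemented" for s in in_scope)
    return round(100 * done / len(in_scope), 1) if in_scope else 100.0

def detect_drift(previous: dict, current: dict) -> dict:
    # Controls whose evaluated state changed: id -> (old state, new state).
    return {cid: (previous.get(cid), new)
            for cid, new in current.items() if previous.get(cid) != new}

# Constructed sample data; control ids are placeholders, not a real framework's.
CONTROLS = [
    OrgControl("ACC-01", True, "implemented", evidence=[Evidence(date(2024, 1, 10), 90)]),
    OrgControl("LOG-02", True, "partial"),
    OrgControl("PHY-03", False, "not implemented", justification="no physical office"),
]
BEFORE = snapshot(CONTROLS, date(2024, 3, 1))  # evidence still inside its 90-day window
AFTER = snapshot(CONTROLS, date(2024, 6, 1))   # same records; the evidence has aged out
```

Nothing in the control records changes between the two snapshots; only time passes, which is exactly the drift that a document-based review would miss until the next cycle.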

How This Differs from Static GRC Tools

Aspect              | Traditional GRC         | Govula
--------------------|-------------------------|------------------------------------
Compliance State    | Point-in-time document  | Continuously evaluated
SoA Updates         | Manual, periodic        | Automatic, continuous
Evidence Tracking   | File storage            | Lifecycle managed with freshness
Drift Detection     | Manual review           | Automated with alerts
Justifications      | Static text             | Context-aware, continuously refined
Cross-Framework     | Separate management     | Unified with control mapping

Data Model Summary

The platform maintains a relational data model designed for compliance traceability:

  • Organizations: Entities being assessed for compliance
  • Frameworks: Compliance standards (ISO 27001, SOC 2, etc.)
  • Controls: Individual requirements within frameworks
  • Organization Controls: The relationship between an org and a control (applicability, status)
  • Evidence: Supporting documentation for control implementation
  • Compliance Snapshots: Point-in-time captures of compliance state
  • Audit Log: Immutable record of all system activity