Platform Overview

Understanding the core architecture and operational philosophy of Govula.

This section is intended for: Technical Team, Auditor, Management, End User. Unauthorised access is restricted.

Governance OS Overview

A Governance Operating System (Governance OS) is an enterprise infrastructure layer that enforces structured decision authority, lifecycle integrity, and immutable governance traceability — transforming compliance from an administrative task into a structurally governed outcome.

Governance first. Compliance is a structurally enforced outcome.

Core Philosophy

"Governance is a continuously enforced system, not a document."

Traditional governance tools treat governance as a documentation exercise. You create documents, store them, and review them periodically. The gap between documentation and reality grows immediately after each review cycle. Govula treats governance as a continuous lifecycle that is actively enforced and monitored.

Govula treats governance as a continuously enforced system state, where compliance is a measured outcome. Evidence changes, controls are updated, organizational context evolves. The governance state reflects these changes in near real-time, ensuring that what you report matches what you practice.

Core System Components

Organization Registry

The foundation of the platform. Each organization is configured with its industry, regulatory context, size, and operational characteristics. This context informs all downstream governance decisions and ensures that applicability determinations are relevant to your specific situation.

Framework Library

A curated library of governance frameworks including ISO 27001, SOC 2, NIST CSF, PCI DSS, DSPT, and others. Each framework is structured with its complete control set, organized by domain. Controls include metadata, implementation guidance, and cross-references to related controls in other frameworks.

Control Management Engine

The engine that tracks the status of each control for each organization. Controls can be marked as applicable or not applicable, with justifications. Implementation status, evidence associations, and risk ratings are maintained at the control level.

Evidence Repository

A managed repository for governance evidence. Evidence is associated with controls, tagged with metadata, and tracked for freshness. Stale evidence triggers alerts. Evidence can be documents, attestations, screenshots, configuration exports, or links to external systems.

Governance Evaluation Engine

The continuous evaluation system that calculates governance and compliance state based on control status, evidence freshness, and organizational context. Produces compliance snapshots, detects drift, and generates recommendations for remediation.

Reporting Engine

Generates stakeholder-specific reports and exports. Executive summaries, technical detail reports, and auditor-ready evidence packages are produced on demand or on schedule. Reports are cryptographically signed for integrity verification.

How Components Interact

Organization → selects → Framework(s)
Framework → contains → Controls
Controls → evaluated for → Applicability
Applicability → supported by → Evidence
Evidence → tracked for → Freshness
All above → produces → Compliance State

This relationship model ensures that changes at any level propagate appropriately. When evidence expires, the affected control's status reflects this. When a control's status changes, the organization's overall compliance score updates. When a framework is updated, all organizations using it are notified of the impact.

Continuous Evaluation

The governance evaluation engine runs continuously, not on a schedule. Whenever data changes, the affected compliance state is recalculated. This includes:

  • Evidence added, updated, or marked as expired
  • Control status changes (implemented, partial, not implemented)
  • Applicability decisions modified
  • Organizational context updated
  • Framework updates received

Compliance snapshots are captured at regular intervals for historical analysis and trend tracking. Drift detection compares current state against previous snapshots to identify changes that may require attention.

How This Differs from Static GRC Tools

Aspect | Traditional GRC | Govula
Compliance State | Point-in-time document | Continuously evaluated
SoA Updates | Manual, periodic | Automatic, continuous
Evidence Tracking | File storage | Lifecycle managed with freshness
Drift Detection | Manual review | Automated with alerts
Justifications | Static text | Context-aware, continuously refined
Cross-Framework | Separate management | Unified with control mapping

Data Model Summary

The platform maintains a relational data model designed for governance traceability:

  • Organizations: Entities being assessed for governance and compliance
  • Frameworks: Compliance standards (ISO 27001, SOC 2, etc.)
  • Controls: Individual requirements within frameworks
  • Organization Controls: The relationship between an org and a control (applicability, status)
  • Evidence: Supporting documentation for control implementation
  • Compliance Snapshots: Point-in-time captures of compliance state
  • Audit Log: Immutable record of all governance activity