External Trust Statements

Formal declarations of Govula's security posture, data handling principles, availability expectations, and support model.

This section is intended for: Technical Team, Auditor, Management. Unauthorised access is restricted.

Trust Declaration

These trust statements describe the current implemented behaviour of the Govula platform. They are not marketing claims, SLA commitments, or contractual guarantees. Enterprise agreements may include additional specific commitments.

1. Purpose

This document provides formal trust statements for external stakeholders evaluating Govula for enterprise deployment. These statements describe implemented behaviour, not aspirational goals.

2. Security Posture

  • Multi-tenant architecture with strict data isolation at database, application, and API levels
  • Role-based access control (RBAC) with platform-native authentication
  • JWT-based session management with configurable expiry
  • Immutable audit logging of all governance actions
  • Input validation and sanitisation on all API endpoints
  • Security headers enforced on all responses (HSTS, CSP, X-Frame-Options)
  • No cross-tenant data visibility by design

3. Data Handling Principles

  • All compliance data is tenant-scoped — no shared data pools
  • Evidence and governance artefacts are immutable once sealed
  • Data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Backup and recovery procedures with point-in-time capability
  • Data retention follows tenant entitlement lifecycle
  • Expired or suspended tenants retain read-only access to historical data — no deletion on entitlement expiry

4. Availability Expectations

  • Cloud-native architecture designed for horizontal scaling
  • Health check endpoints for infrastructure monitoring
  • Graceful shutdown with in-flight request completion
  • Database connection pooling and retry mechanisms
  • Scheduled maintenance windows communicated in advance
Govula does not publish SLA targets in this document. Availability commitments are defined in individual customer agreements.

5. Support Model

  • Platform documentation available at all times
  • API documentation with OpenAPI 3.1 specification
  • Operator console for platform administration
  • Entitlement lifecycle management with renewal alerting
  • Structured logging for diagnostic support
Support response times and escalation paths are defined in individual customer agreements and are not covered by this document.

6. Limitations & Disclaimers

  • Govula is a compliance management tool, not a compliance authority
  • The platform does not certify compliance — it helps organisations document and demonstrate compliance
  • AI-generated content is advisory only and requires human review
  • Sandbox/demo environments are explicitly marked and are not suitable for audit purposes
  • System boundaries are defined in the System Boundaries & Non-Goals document

7. Document Control

This trust statement document is a governed artefact. Changes require BINDING_GOVERNANCE_DECISION class approval and are subject to the change and amendment rules defined in the Governance Constitution.

Document IDGOV-TRUST-001
Version1.0
ClassificationGovernance — External Trust Statement
Last Updated2/10/2026
Review CycleAnnual or upon material change
Accountability ModelAssurance Layer