Frequently Asked Questions
Answers to common questions about Govula and continuous compliance. For technical details, see our documentation.
Certification & Auditors
Govula generates documentation structured to the requirements of major compliance frameworks, including ISO/IEC 27001, SOC 2, NIST (CSF and SP 800-53), and PCI DSS, in an output format designed to satisfy auditor expectations.
However, certification decisions remain with accredited certification bodies. Govula does not certify compliance; it provides the evidence and documentation that auditors need to make informed assessments. Many organizations have successfully used Govula outputs in certification audits.
AI-generated justifications are a starting point, not a final product. Each justification is drafted from your organizational context and the control's requirements, and every one is subject to human review before it becomes part of the official Statement of Applicability.
Auditors can trace each justification to its inputs: the organizational context, the control definition, and the evidence that informed the decision. They can also see whether a justification was approved as-is, modified, or overridden by a human reviewer.
The key is traceability. Auditors don't need to trust the AI; they need to verify the decision-making process. Govula provides that traceability.
Every Statement of Applicability includes full decision history, evidence links, and audit trails. Auditors can:
- Trace any control decision back to its supporting evidence
- See exactly when and why decisions changed
- Verify report integrity via cryptographic signatures
- Access historical snapshots to assess continuous compliance
- Review the audit trail of all changes and approvals
We provide auditor-specific views that present information in the format auditors expect, optimized for verification rather than management.
AI & Automation
AI does not make compliance decisions on its own. It assists with evaluation and justification generation, but every AI-generated output enters a review queue where authorized humans review, approve, modify, or reject it.
The platform is clear about what is automated (scoring, evaluation, draft generation) and what remains human-controlled (final decisions, risk acceptance, evidence attestation). Accountability stays with people, not algorithms.
Automated suggestions can always be overridden by authorized users. When you override a decision, you provide a reason that becomes part of the audit trail, and the system retains both the original suggestion and the override for complete transparency.
Overrides are not discouraged; they are expected. The AI provides recommendations based on available data, but human judgment is often necessary to account for context the system cannot see.
AI outputs are treated as suggestions, not facts. Several safeguards address potential errors:
- Confidence scoring highlights low-confidence outputs for closer review
- Review queues ensure human approval before anything becomes official
- Feedback loops incorporate corrections to improve future suggestions
- Audit trails keep the full history, so the source of an error can be traced if issues are discovered later
The platform is designed with the assumption that AI will sometimes be wrong. Human oversight is the safety net.
Platform & Features
Govula can complement or replace traditional GRC tools depending on your needs. Key differences:
- GRC tools are designed for manual workflows; Govula continuously evaluates compliance automatically
- GRC tools track tasks and documents; Govula maintains a living compliance state
- GRC tools require periodic manual updates; Govula updates as evidence and controls change
Many organizations use Govula alongside existing GRC tools, with API integration synchronizing data between systems. Others replace legacy GRC tools entirely with Govula.
Compliance is evaluated continuously, not on a schedule. Whenever data changes (evidence is uploaded, a control's status is updated, organizational context changes), the affected compliance state is recalculated immediately.
Additionally, scheduled jobs run daily to:
- Capture compliance snapshots for historical analysis
- Check evidence freshness and flag expirations
- Generate and distribute stakeholder reports
- Detect drift from previous assessments
The result is a compliance state that reflects current reality, not a months-old assessment.
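As an added illustration of what the daily freshness and drift jobs compute (example code written for this page, not Govula's implementation; the `Evidence` and `Snapshot` types, the control identifiers and the freshness windows are assumptions), the following Go program flags evidence that has outlived its allowed age or is missing entirely, then diffs two compliance snapshots to list the controls that drifted:

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Evidence is one item of supporting evidence attached to a control.
// The structure is hypothetical, not Govula's data model.
type Evidence struct {
	ControlID   string
	CollectedAt time.Time
	MaxAge      time.Duration // how long this evidence counts as fresh
}

// Snapshot maps a control ID to its evaluated status at one point in time.
type Snapshot map[string]string

// StaleEvidence returns the controls whose most recent evidence is older
// than its allowed age as of now, and the controls with no evidence at all.
func StaleEvidence(controls []string, evidence []Evidence, now time.Time) (stale, missing []string) {
	latest := map[string]Evidence{}
	for _, e := range evidence {
		if cur, ok := latest[e.ControlID]; !ok || e.CollectedAt.After(cur.CollectedAt) {
			latest[e.ControlID] = e
		}
	}
	for _, c := range controls {
		e, ok := latest[c]
		switch {
		case !ok:
			missing = append(missing, c)
		case now.Sub(e.CollectedAt) > e.MaxAge:
			stale = append(stale, c)
		}
	}
	sort.Strings(stale)
	sort.Strings(missing)
	return stale, missing
}

// Drift lists every control whose status differs between two snapshots,
// including controls present in only one of them, as "id: old -> new".
func Drift(prev, cur Snapshot) []string {
	var out []string
	for id, status := range cur {
		old, ok := prev[id]
		switch {
		case !ok:
			out = append(out, fmt.Sprintf("%s: (new) -> %s", id, status))
		case old != status:
			out = append(out, fmt.Sprintf("%s: %s -> %s", id, old, status))
		}
	}
	for id, old := range prev {
		if _, ok := cur[id]; !ok {
			out = append(out, fmt.Sprintf("%s: %s -> (removed)", id, old))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	controls := []string{"A.5.1", "A.8.8", "A.8.24"}
	// Constructed sample evidence: a policy reviewed two months ago with a
	// 90-day freshness window, and a vulnerability scan from four months ago
	// that must be no older than 30 days. A.8.24 has no evidence at all.
	evidence := []Evidence{
		{ControlID: "A.5.1", CollectedAt: now.AddDate(0, -2, 0), MaxAge: 90 * 24 * time.Hour},
		{ControlID: "A.8.8", CollectedAt: now.AddDate(0, -4, 0), MaxAge: 30 * 24 * time.Hour},
	}
	stale, missing := StaleEvidence(controls, evidence, now)
	fmt.Println("stale evidence:", stale)
	fmt.Println("missing evidence:", missing)

	// Yesterday's snapshot versus today's: the stale scan has flipped A.8.8.
	prev := Snapshot{"A.5.1": "compliant", "A.8.8": "compliant", "A.8.24": "partial"}
	cur := Snapshot{"A.5.1": "compliant", "A.8.8": "non-compliant", "A.8.24": "partial"}
	for _, d := range Drift(prev, cur) {
		fmt.Println("drift:", d)
	}
}
```

Two design points carry over to any real implementation: freshness is judged on the newest evidence item per control, so uploading a new artefact clears a stale flag without deleting history, and drift is reported symmetrically, so a control that silently disappears from the current snapshot is surfaced rather than lost.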
Govula supports major compliance frameworks including:
- ISO/IEC 27001:2022
- SOC 2 (Type I and Type II)
- NIST Cybersecurity Framework 2.0
- NIST SP 800-53
- PCI DSS 4.0
- DSPT (NHS Data Security and Protection Toolkit)
- Cyber Essentials / Cyber Essentials Plus
- GDPR
- HIPAA
We continuously add new frameworks based on customer requirements. The platform handles multi-framework compliance, mapping overlapping controls across frameworks.
Evidence can be collected through multiple channels:
- API integrations with security tools, cloud providers, and IT systems
- Manual uploads for documents, policies, and screenshots
- Automated collection from connected systems
- Attestations for controls verified by human observation
The platform tracks evidence freshness and alerts you when evidence becomes stale or when controls lack supporting documentation. Evidence is organized by control and framework for easy auditor access.
Accountability & Governance
Your organization owns accountability for compliance. Govula is a tool that supports your compliance program; it does not assume responsibility for compliance outcomes.
Specifically:
- Your team makes final applicability decisions
- Your team implements controls
- Your team attests to evidence validity
- Your team accepts or addresses risks
- Certification bodies assess your compliance
Govula provides the documentation, analysis, and traceability that demonstrates your compliance. But demonstrating compliance and being compliant are different things. You implement controls; we help you document and track them.
Govula implements enterprise-grade security:
- Strict multi-tenant isolation at database, application, and storage levels
- No cross-tenant visibility or data leakage
- AES-256 encryption for data at rest
- TLS 1.3 for data in transit
- Role-based access control with five default roles
- Immutable audit logging of all actions
- API key authentication with scoping and revocation
We maintain the same security posture we help you achieve. Details are available in our Security Model documentation.
Practical Questions
Reports and Statements of Applicability can be exported in:
- PDF: Formatted for direct auditor consumption with signatures
- Excel: For analysis and integration with spreadsheet workflows
- CSV: For data import into other systems
- JSON: For programmatic integration via API
PDF exports include cryptographic signatures for integrity verification. All exports maintain traceability to the underlying data.
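The page does not say which signature scheme the exports use. As an added example (written for this page, not Govula's code), the Go program below shows how detached signature verification of an export works, using Ed25519 as an assumed scheme, and exercises the failure cases a verifier must handle: a tampered file, a wrong key, and a malformed signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// SignExport returns a detached, hex-encoded Ed25519 signature over the
// exact bytes of an export. Ed25519 hashes the message internally, so the
// whole file is covered, not a caller-supplied digest.
func SignExport(priv ed25519.PrivateKey, export []byte) string {
	return hex.EncodeToString(ed25519.Sign(priv, export))
}

// VerifyExport checks a detached hex signature against the export bytes.
// It returns false (and never panics) for a malformed signature, a public
// key of the wrong size, any change to the bytes, or a signature made
// under a different key.
func VerifyExport(pub ed25519.PublicKey, export []byte, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, export, sig)
}

func main() {
	// In practice the public key is published by the signer and pinned by
	// the auditor; a fresh pair is generated here only for the demo.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for an exported Statement of Applicability.
	report := []byte("Statement of Applicability, revision 12\nA.8.8: applicable, implemented\n")
	sig := SignExport(priv, report)

	fmt.Println("original verifies:", VerifyExport(pub, report, sig))

	// Flip one bit in the export: the signature must no longer verify.
	tampered := append([]byte(nil), report...)
	tampered[len(tampered)-2] ^= 0x01
	fmt.Println("tampered verifies:", VerifyExport(pub, tampered, sig))

	// A signature checked against someone else's key must also fail.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key verifies:", VerifyExport(otherPub, report, sig))
}
```

Two practical consequences: the signature covers the bytes as exported, so an auditor should verify the file they received before opening it, since re-saving a PDF from a viewer changes the bytes and invalidates the signature; and the check is only as strong as the auditor's confidence in the public key, which must be obtained through a channel independent of the export itself.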
Pricing is based on organization size, number of frameworks, and deployment requirements. Contact our team for detailed pricing information tailored to your specific situation.
We offer demonstrations and pilot programs for qualified organizations. Contact our team to discuss your requirements and schedule a demonstration of the platform against your specific use case.
Still have questions? Contact support