Frequently Asked Questions

Answers to common questions about Govula's governance operating system and lifecycle enforcement infrastructure. For technical details, see our documentation.

Governance Architecture

No. Govula enforces governance authority and structured decision lifecycles. Compliance becomes a byproduct of disciplined governance enforcement, not the core mission. The platform governs how decisions move through authorized states — compliance documentation is an output of that process.
No. Govula operates as a governance authority layer that enforces lifecycle integrity across existing systems. Traditional GRC platforms manage tasks and documents. Govula governs how decisions are authorized, validated, and transitioned. The two can coexist — Govula enforces the governance discipline that GRC tools track.
Risk tools track risk posture. Govula governs how decisions move through authorized states. Risk management identifies what could go wrong. Governance enforcement ensures that organizational actions follow structured, auditable lifecycles with explicit authority boundaries.
Yes. Govula uses SHA-256 hash-chained event logging to preserve decision lineage integrity. Each event references the hash of the previous event, creating a tamper-evident chain. Any modification to historical records is detectable.
Yes — but compliance is a governed outcome, not the core engine. Govula produces defensible compliance through structured lifecycle enforcement, immutable decision lineage, and authority-bounded state transitions. Compliance documentation is an output of disciplined governance, not the starting point.
No. Govula governs the integrity of decisions and lifecycle transitions across existing systems. Compliance automation tools focus on evidence collection and control monitoring. Govula governs how decisions are authorized, validated, and transitioned through structured governance lifecycles. The two serve different architectural layers.
No. Govula is not a Cloud Security Posture Management (CSPM) tool. It does not scan cloud infrastructure for misconfigurations. Govula governs decision authority and lifecycle integrity at the governance layer. Evidence from cloud scanners and CSPM tools can be ingested into Govula as part of the governed evidence lifecycle, but scanning is not a platform function.
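The SHA-256 hash-chained event log described in this section, sketched as an added example (not Govula's code; the event fields, the genesis value and all function names are assumptions). It also shows the practical caveat that a chain proves integrity only when checked against a head hash kept outside the log.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first event

def event_hash(prev_hash, payload):
    # Canonical JSON so the same payload always serialises to the same bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_event(log, payload):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "payload": payload, "hash": event_hash(prev, payload)})

def verify_chain(log, anchored_head=None):
    """Return (status, index): ok, broken at index, or head_mismatch."""
    prev = GENESIS
    for i, ev in enumerate(log):
        if ev["prev"] != prev or ev["hash"] != event_hash(prev, ev["payload"]):
            return ("broken", i)
        prev = ev["hash"]
    # Internal links are consistent; now compare with the externally stored head.
    if anchored_head is not None and prev != anchored_head:
        return ("head_mismatch", None)
    return ("ok", None)

def build_sample_log():
    # Constructed sample events: lifecycle transitions for one governance object.
    steps = [("preparer-1", "Draft"), ("preparer-1", "Under Review"),
             ("approver-7", "Approved"), ("approver-7", "Active")]
    log = []
    for actor, state in steps:
        append_event(log, {"object": "policy-42", "actor": actor, "to": state})
    return log

def demo():
    log = build_sample_log()
    head = log[-1]["hash"]                 # anchored copy, held outside the log store
    tampered = copy.deepcopy(log)
    tampered[2]["payload"]["actor"] = "preparer-1"   # history edited in place
    rebuilt = []                           # same edit, with every hash recomputed
    for ev in tampered:
        append_event(rebuilt, ev["payload"])
    return (verify_chain(log, head), verify_chain(tampered, head),
            verify_chain(rebuilt), verify_chain(rebuilt, head))

if __name__ == "__main__":
    print(demo())
```

When evaluating any hash-chained audit log, ask where the head hash is anchored and who can write to that location.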

Decision Authority & Lifecycle

Governance objects in Govula move through enforced states: Draft, Under Review, Approved, Active, Pre-Expiry, Grace, Expired, and Archived. Each transition requires validation checkpoints to be satisfied. No state change occurs silently — every transition is attributed, timestamped, and recorded in the immutable audit stream.
Authority is enforced through role-based boundaries. Preparers, approvers, and auditors operate in distinct authority domains. No single role can both create and certify a governance artefact. Authority matrices are configured at the organizational level and enforced by the platform.
The platform monitors authority windows and enforces pre-expiry warnings and grace period states. When an authority approaches expiry, stakeholders are notified. Grace periods provide structured time for renewal. Expired authorities are archived with full lineage preserved.

Audit & Interrogation

A formal audit question-response engine that provides structured, interrogation-ready output. Auditors can ask structured questions about governance decisions, and the platform responds with traceable answers linked to the immutable audit stream. It includes ten-question formal review structures with role-aware reporting.
Every governance decision includes full lineage: who authorized it, when it transitioned, what validation checkpoints were satisfied, and the hash-chain evidence of integrity. Auditors access read-only views designed for verification, not management. Nine-section structured audit reports are generated on demand.
AI-generated justifications are a starting point, not a final product. Every justification is subject to human review before becoming part of the official governance record. Auditors can trace each justification to its inputs and see whether it was approved, modified, or overridden. Traceability, not trust, is the operative principle.

Enterprise & Security

Govula implements enterprise-grade security: strict multi-tenant isolation, AES-256 encryption at rest, TLS 1.3 in transit, role-based access control with authority boundaries, and immutable audit logging of all actions. The platform maintains the same governance discipline it helps organizations achieve.
Govula supports major governance frameworks including ISO/IEC 27001:2022, SOC 2 (Type I and Type II), NIST Cybersecurity Framework 2.0, NIST 800-53, PCI DSS 4.0, Cyber Essentials, GDPR, and HIPAA. The platform handles multi-framework governance, mapping overlapping controls across frameworks.
Pricing is based on organization size, number of frameworks, and deployment requirements. Contact our team for detailed pricing information tailored to your specific governance requirements.
