Security & Trust

How Govula protects your data, maintains trust, and supports your security requirements.

Security Philosophy

Govula is designed with security as a foundational principle, not a feature added afterward. Our approach is built on four core tenets:

Security-First Design

Security considerations are incorporated from the earliest design stages. Architecture decisions are evaluated for their security implications before implementation. Defense in depth is applied at every layer.

Evidence-First Compliance

We believe compliance should be demonstrable, not asserted. Every claim the platform makes about your compliance state is traceable to underlying evidence. This supports, rather than bypasses, the audit process.

Least Privilege by Default

Users, systems, and processes are granted only the minimum access required to perform their functions. Privileges are explicitly granted, not implicitly assumed.

No Silent Automation

Automated processes do not make consequential decisions without human awareness. Actions that affect compliance state are logged, auditable, and subject to review.

Govula is designed to support audits, not bypass them. We help you demonstrate compliance; we do not certify it.

Data Isolation & Tenancy

Each organization's data is strictly isolated from other organizations. This isolation is enforced at multiple architectural layers to prevent unauthorized cross-tenant access.

  • Logical Isolation: Tenant identifiers are enforced on all data access operations. Every database query includes tenant context.
  • No Cross-Tenant Access: Application middleware validates tenant context on every request. Attempts to access resources belonging to other organizations result in authorization failures.
  • Strong Tenant Boundaries: API keys, sessions, and tokens are scoped to specific tenants. There is no mechanism to escalate access across tenant boundaries.
  • Data Ownership: Your organization retains ownership of all data you provide. We process data on your behalf to deliver services; we do not claim ownership or use your data for purposes beyond service delivery.

Organizations cannot see, access, or infer information about other organizations using the platform. This is a fundamental design constraint, not a configuration option.
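The following is an added illustration of the two mechanisms described above, tenant-scoped API keys and a tenant predicate on every query; it is example code written for this page, not Govula's own implementation. The key format, the table layout, and the name of the error class are assumptions.

```python
"""Tenant-scoped API keys and tenant-bound data access (illustrative, not Govula's code).

Assumptions (hypothetical): API keys are stored as hashes next to the tenant they
belong to, and every data-access method takes a TenantContext derived from the
authenticated key, never a tenant id supplied by the client.
"""
import hashlib
import hmac
import secrets
import sqlite3
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a request cannot be tied to a tenant or reaches outside it."""


@dataclass(frozen=True)
class TenantContext:
    tenant_id: str
    key_id: str


def _hash_key(raw_key: str) -> str:
    # Only the hash is stored, so a database leak does not yield usable keys.
    return hashlib.sha256(raw_key.encode()).hexdigest()


class Platform:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            """
            CREATE TABLE api_keys (key_id TEXT PRIMARY KEY, key_hash TEXT NOT NULL,
                                   tenant_id TEXT NOT NULL);
            CREATE TABLE evidence (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,
                                   title TEXT NOT NULL);
            """
        )

    def issue_api_key(self, tenant_id: str) -> str:
        """Mint a key bound to exactly one tenant. Assumed format: gk_<key_id>_<secret>."""
        key_id = secrets.token_hex(4)
        raw = f"gk_{key_id}_{secrets.token_urlsafe(24)}"
        self.db.execute("INSERT INTO api_keys VALUES (?, ?, ?)",
                        (key_id, _hash_key(raw), tenant_id))
        return raw

    def authenticate(self, raw_key: str) -> TenantContext:
        """Middleware step: the tenant is looked up from the key, not taken from the request."""
        parts = raw_key.split("_")
        if len(parts) < 3:
            raise AuthorizationError("malformed key")
        key_id = parts[1]
        row = self.db.execute("SELECT key_hash, tenant_id FROM api_keys WHERE key_id = ?",
                              (key_id,)).fetchone()
        # Constant-time comparison avoids leaking how much of the hash matched.
        if row is None or not hmac.compare_digest(row[0], _hash_key(raw_key)):
            raise AuthorizationError("unknown key")
        return TenantContext(tenant_id=row[1], key_id=key_id)

    def add_evidence(self, ctx: TenantContext, title: str) -> int:
        cur = self.db.execute("INSERT INTO evidence (tenant_id, title) VALUES (?, ?)",
                              (ctx.tenant_id, title))
        return cur.lastrowid

    def get_evidence(self, ctx: TenantContext, evidence_id: int) -> str:
        """Every query carries the tenant predicate; a foreign id simply does not match."""
        row = self.db.execute(
            "SELECT title FROM evidence WHERE id = ? AND tenant_id = ?",
            (evidence_id, ctx.tenant_id),
        ).fetchone()
        if row is None:
            # Same error whether the row is missing or belongs to another tenant,
            # so the response does not reveal that the id exists elsewhere.
            raise AuthorizationError("evidence not found in this tenant")
        return row[0]


def demo() -> dict:
    """Two constructed tenants: org-a stores evidence, org-b tries to read it by id."""
    p = Platform()
    ctx_a = p.authenticate(p.issue_api_key("org-a"))
    ctx_b = p.authenticate(p.issue_api_key("org-b"))
    eid = p.add_evidence(ctx_a, "Firewall change ticket")
    result = {"own": p.get_evidence(ctx_a, eid)}
    try:
        p.get_evidence(ctx_b, eid)
        result["cross_tenant"] = "leaked"
    except AuthorizationError:
        result["cross_tenant"] = "denied"
    return result
```

The point of the pattern is that the tenant predicate is not something a request handler can forget: the only way to obtain a TenantContext is through authenticate(), and the repository methods refuse to run without one.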

Access Control

Access to the platform is controlled through a combination of authentication and role-based authorization.

Authentication

  • API key authentication for programmatic access, with keys scoped to specific tenants
  • Session-based authentication for web interface access
  • Short-lived JWTs for external access scenarios (e.g., regulator access)
  • Support for SSO integration where required

Role-Based Access Control

The platform implements RBAC with five default roles. Each role has specific permissions that follow the principle of least privilege:

Role               | Access Level                           | Typical Use
Administrator      | Full access, including user management | System administration
Compliance Manager | Read/write for controls and evidence   | Day-to-day compliance operations
Security Analyst   | Read/write for technical controls      | Control implementation tracking
Executive          | Read-only dashboards and reports       | Oversight and governance
Auditor            | Read-only SoA and evidence             | External verification

Separation of Duties

Roles are designed to support separation of duties. Users who implement controls are distinct from users who approve compliance status. External auditors have read-only access separate from operational users.
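The following is an added example, not Govula's code, of how the five roles above and the separation-of-duties rule can be enforced in one authorization layer. The permission names and the shape of the control record are assumptions made for the example.

```python
"""Role-based permissions plus a separation-of-duties check (illustrative, not Govula's code).

The permission vocabulary (controls:write, status:approve, ...) is hypothetical;
the five roles mirror the table on this page.
"""
from dataclasses import dataclass
from typing import Optional

PERMISSIONS = {
    "Administrator": {"users:manage", "controls:write", "evidence:write",
                      "status:approve", "reports:read", "soa:read"},
    "Compliance Manager": {"controls:write", "evidence:write", "status:approve",
                           "reports:read", "soa:read"},
    "Security Analyst": {"controls:write", "reports:read"},
    "Executive": {"reports:read", "soa:read"},
    "Auditor": {"soa:read", "evidence:read"},
}


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass
class Control:
    control_id: str
    implemented_by: Optional[str] = None
    approved_by: Optional[str] = None


def require(user: User, permission: str) -> None:
    """Deny by default: an unknown role has no permissions at all."""
    if permission not in PERMISSIONS.get(user.role, set()):
        raise AccessDenied(f"{user.name} ({user.role}) lacks {permission}")


def record_implementation(user: User, control: Control) -> None:
    require(user, "controls:write")
    control.implemented_by = user.name


def approve_status(user: User, control: Control) -> None:
    require(user, "status:approve")
    if control.implemented_by is None:
        raise ValueError("nothing to approve")
    # Separation of duties: holding the approve permission is not enough;
    # the approver must be a different person from the implementer.
    if control.implemented_by == user.name:
        raise AccessDenied("separation of duties: implementer cannot approve own control")
    control.approved_by = user.name


def demo() -> dict:
    """Constructed users: an analyst implements, a manager approves, an auditor only reads."""
    analyst = User("dana", "Security Analyst")
    manager = User("maria", "Compliance Manager")
    auditor = User("otto", "Auditor")
    out = {}

    ctrl = Control("A.8.9")
    record_implementation(analyst, ctrl)
    approve_status(manager, ctrl)          # different person: allowed
    out["approved_by"] = ctrl.approved_by

    own = Control("A.8.10")
    record_implementation(manager, own)    # manager may write controls...
    try:
        approve_status(manager, own)       # ...but not approve her own work
        out["self_approval"] = "allowed"
    except AccessDenied:
        out["self_approval"] = "denied"

    try:
        record_implementation(auditor, Control("A.8.11"))
        out["auditor_write"] = "allowed"
    except AccessDenied:
        out["auditor_write"] = "denied"
    return out
```

Note that the separation-of-duties check is a property of the data (who implemented this control), not only of the role; a role matrix on its own cannot express it.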

Encryption

Data in Transit

  • TLS 1.3 for all external communications
  • HTTPS enforced with HSTS
  • TLS for database connections
  • Encrypted internal service communication

Data at Rest

  • AES-256 encryption for database storage
  • Encrypted object storage for evidence files
  • Encrypted backups
  • Encrypted log archives

Secret Handling

Secrets such as API keys, credentials, and encryption keys are managed through secure secret management practices. Secrets are not stored in code repositories, configuration files, or logs. Access to secrets is restricted and audited.

Key Management

Encryption keys are managed according to industry best practices. Keys are rotated periodically. Key access is logged. Separation exists between data processing and key management functions.

Audit Logging & Traceability

Comprehensive audit logging ensures that all significant actions are recorded and traceable. This is essential for both operational security and compliance verification.

Immutable Audit Logs

Audit log entries are append-only. Once written, entries cannot be modified or deleted. This is enforced at the database level through triggers that prevent UPDATE and DELETE operations on audit tables.

Action Traceability

Every logged action includes: the actor (who performed the action), the target (what was affected), the action type (what was done), the timestamp (when it occurred), and relevant metadata (additional context).

Timestamped Decisions

All compliance decisions — applicability determinations, evidence associations, approvals, overrides — are timestamped with server-side UTC timestamps. This creates an unambiguous timeline of when decisions were made.
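The following added example, not Govula's code, shows the three properties above together: an audit table whose UPDATE and DELETE are blocked by triggers, entries that always carry actor, action, target, timestamp and metadata, and timestamps taken from the server clock in UTC rather than from the caller. It uses SQLite so it runs offline; table and column names are assumptions. One caveat worth keeping in mind with this approach: a trigger protects the rows only as long as the application's database role cannot drop or disable the trigger, so that privilege must be withheld too.

```python
"""Append-only audit log with trigger-enforced immutability (illustrative, not Govula's code).

SQLite is used so the example runs stand-alone; the same shape works in PostgreSQL
with a BEFORE UPDATE OR DELETE trigger that raises an exception. The schema is an
assumption for this page.
"""
import json
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE audit_log (
    id          INTEGER PRIMARY KEY,
    occurred_at TEXT NOT NULL,   -- server-side UTC, never client-supplied
    actor       TEXT NOT NULL,
    action      TEXT NOT NULL,
    target      TEXT NOT NULL,
    metadata    TEXT NOT NULL    -- JSON object with extra context
);
-- The application role must not be able to drop these triggers,
-- otherwise the immutability guarantee is only cosmetic.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_audit_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def record(db, actor: str, action: str, target: str, metadata=None, *, clock=None) -> int:
    """Write one entry. `clock` is injectable for tests; production callers leave it None
    so the timestamp always comes from the server, in UTC."""
    now = (clock or (lambda: datetime.now(timezone.utc)))()
    if now.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    stamp = now.astimezone(timezone.utc).isoformat(timespec="seconds")
    cur = db.execute(
        "INSERT INTO audit_log (occurred_at, actor, action, target, metadata) VALUES (?, ?, ?, ?, ?)",
        (stamp, actor, action, target, json.dumps(metadata or {}, sort_keys=True)),
    )
    db.commit()
    return cur.lastrowid


def attempt_tamper(db, entry_id: int) -> dict:
    """Try to rewrite and then delete an entry; report whether each was blocked."""
    outcome = {}
    for name, sql in (("update", "UPDATE audit_log SET actor = 'nobody' WHERE id = ?"),
                      ("delete", "DELETE FROM audit_log WHERE id = ?")):
        try:
            db.execute(sql, (entry_id,))
            db.commit()
            outcome[name] = "allowed"
        except sqlite3.DatabaseError as exc:   # RAISE(ABORT) surfaces here
            db.rollback()
            outcome[name] = f"blocked: {exc}"
    return outcome


def entries(db) -> list:
    cols = ("id", "occurred_at", "actor", "action", "target", "metadata")
    rows = db.execute(f"SELECT {', '.join(cols)} FROM audit_log ORDER BY id").fetchall()
    return [dict(zip(cols, r)) for r in rows]


def demo() -> dict:
    """Constructed scenario with a fixed clock so the timestamp is reproducible."""
    db = open_audit_db()
    fixed = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    eid = record(db, "maria", "control.approve", "A.5.1",
                 {"previous_status": "draft"}, clock=lambda: fixed)
    tamper = attempt_tamper(db, eid)
    after = entries(db)[0]
    return {"occurred_at": after["occurred_at"], "actor": after["actor"],
            "update_blocked": tamper["update"].startswith("blocked"),
            "delete_blocked": tamper["delete"].startswith("blocked")}
```

Reading the row back after the tamper attempts is the check that matters: the entry still names the original actor and the original timestamp, which is what lets an auditor trace a decision back to who made it and when.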

Historical State Preservation

Compliance snapshots capture point-in-time state. Auditors can view exactly what your compliance posture looked like at any given moment, not just the current state.

Why This Matters: Auditors need to verify not just your current state, but your continuous compliance over time. Complete, immutable audit trails allow auditors to trace any claim back to its origin and verify the decision-making process.

AI Safety & Governance

Govula uses AI to assist with compliance tasks. This section explains where AI is used, where it is explicitly not used, and the safeguards in place.

Where AI Is Used

  • Generating draft justifications for applicability decisions
  • Suggesting remediation actions for control gaps
  • Assisting with evidence analysis and categorization
  • Generating report summaries

What AI Is NOT Allowed to Do

  • Make final applicability decisions without human review
  • Accept or reject risk on behalf of users
  • Attest to evidence validity
  • Implement security controls
  • Certify compliance
  • Make user management decisions

Human Accountability

All AI-generated outputs enter review queues. Authorized humans review, approve, modify, or reject AI suggestions. Final decisions are attributed to human users, not the AI system.

Deterministic Safeguards

Core compliance calculations (scores, drift detection, evidence freshness) are deterministic functions, not AI-generated. Given the same inputs, these always produce the same outputs.

AI does NOT replace auditors or risk owners. Accountability for compliance decisions remains with your organization.

Compliance Alignment

Govula is designed with awareness of major compliance frameworks. Our security controls and practices align with recognized standards.

ISO 27001 Principles

Our security management approach aligns with ISO 27001 principles including risk-based thinking, continuous improvement, and comprehensive security controls across people, processes, and technology.

SOC 2 Concepts

Our controls address SOC 2 trust service criteria including security, availability, and confidentiality. We implement appropriate administrative, physical, and technical safeguards.

Public Sector Expectations

For organizations operating in healthcare and public sector environments, our approach addresses data protection requirements, access controls, and audit trail expectations common to these sectors.

Note: Alignment with framework principles does not constitute certification. Certification requires formal assessment by accredited bodies.

Incident Response

We maintain incident response capabilities to detect, respond to, and recover from security events.

Detection

We monitor systems for anomalous activity, security events, and potential threats. Logging and alerting are designed to surface security-relevant events for investigation.

Response

We maintain documented incident response procedures. Response includes containment, investigation, remediation, and post-incident review. Severity is assessed to prioritize response efforts.

Notification

If an incident affects your organization's data, we will notify affected customers promptly and provide relevant details about the nature and scope of the incident.

Transparency

We communicate honestly about security events. We do not hide incidents or minimize their significance. Post-incident, we share lessons learned where appropriate.

Responsible Disclosure

We welcome reports from security researchers and the broader community about potential security vulnerabilities in our systems.

Reporting Security Issues

If you believe you have discovered a security vulnerability, please report it to:

security@govula.com

Please include a clear description of the vulnerability, steps to reproduce, and any supporting evidence. We will acknowledge receipt within 48 hours.

Our Commitment

  • We will respond promptly to validate reported vulnerabilities
  • We will work to remediate confirmed vulnerabilities in a timely manner
  • We will not take legal action against researchers acting in good faith
  • We will credit researchers who wish to be acknowledged

Expectations

  • Do not access, modify, or delete data belonging to other users
  • Do not disrupt service for other users
  • Allow reasonable time for remediation before public disclosure

Third-Party & Dependencies

Like all modern software, Govula relies on third-party components and services. We manage these dependencies with security in mind.

Dependency Management

We maintain an inventory of dependencies and track known vulnerabilities. Dependencies are updated regularly, with security patches prioritized.

Upstream Risk Monitoring

We monitor security advisories for our dependencies. When vulnerabilities are disclosed, we assess impact and apply fixes according to severity.

Regular Review

We periodically review our dependency footprint to identify unnecessary dependencies, outdated components, and opportunities to reduce attack surface.

Third-Party Services

Third-party services we rely on are selected with security considerations. We review their security posture and contractual commitments.

Security Questions

If you have questions about our security practices or need additional information for your security review, contact our team.