AI Safety & Transparency Statement
We practice what we preach. Read our formal transparency disclosures, database isolation configurations, and model hosting rules.
Zero Model Training
Your inputs, files, and approved questionnaire responses are never used to train third-party foundation models.
Tenant Isolation
Postgres Row-Level Security (RLS) guarantees that data retrieved for RAG context cannot bleed between organizations.
Transient Caching
Integrations with model APIs utilize developer contracts configured with transient abuse caching or zero-retention rules.
1. Model Architecture & Data Pipeline
Govarna utilizes Large Language Models (specifically Claude 3.5 Sonnet and Gemini 1.5 Pro) to parse uploaded buyer security questionnaires and draft responses.
Our system uses a closed-loop Retrieval-Augmented Generation (RAG) pattern. When a user uploads a new questionnaire, Govarna queries the customer's isolated Postgres database (containing approved answers, policy documents, and system descriptions) to compile context. This context is sent to the LLM API alongside the question. The model drafts a response based solely on this provided context, without drawing from outside knowledge.
2. Supabase Database Row-Level Security (RLS)
Our Supabase backend enforces Postgres Row-Level Security policies at the database tier on all tables.
ALTER TABLE questionnaire_answers ENABLE ROW LEVEL SECURITY;  -- required: a policy on a table without RLS enabled is never applied
CREATE POLICY tenant_isolation_policy ON questionnaire_answers
FOR ALL USING (organization_id = auth.jwt() ->> 'org_id');    -- the claim is text; cast it if organization_id is a uuid column
This ensures that even if an application bug occurs, a tenant's compliance data cannot be searched or accessed by another tenant during RAG vector operations or standard table queries.
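The following is an added, self-contained reproduction of this tenant-isolation setup in plain PostgreSQL, not Govarna's own schema: it shows the steps the policy statement by itself does not cover (enabling and forcing RLS, casting the claim) and exercises the policy with two constructed tenants. The table layout, the placeholder UUIDs and the `jwt_claims()` stand-in for Supabase's `auth.jwt()` are assumptions.

```sql
-- Assumed table; organization_id is a uuid, so the text claim must be cast.
CREATE TABLE questionnaire_answers (
  id              bigserial PRIMARY KEY,
  organization_id uuid NOT NULL,
  question        text NOT NULL,
  answer          text NOT NULL
);

-- Constructed sample rows for two tenants (placeholder UUIDs), loaded before
-- RLS is forced so the table owner can seed them without a tenant claim.
INSERT INTO questionnaire_answers (organization_id, question, answer) VALUES
  ('11111111-1111-1111-1111-111111111111', 'Do you encrypt data at rest?', 'Yes, AES-256.'),
  ('22222222-2222-2222-2222-222222222222', 'Do you encrypt data at rest?', 'Yes, via KMS.');

-- A policy is inert until RLS is enabled on the table.
ALTER TABLE questionnaire_answers ENABLE ROW LEVEL SECURITY;
-- Apply it to the table owner too; only superusers and BYPASSRLS roles skip it.
ALTER TABLE questionnaire_answers FORCE ROW LEVEL SECURITY;

-- Stand-in for Supabase's auth.jwt(): reads the claims that PostgREST stores
-- in the request.jwt.claims setting for the current transaction.
CREATE OR REPLACE FUNCTION jwt_claims() RETURNS jsonb
  LANGUAGE sql STABLE AS $$
    SELECT coalesce(nullif(current_setting('request.jwt.claims', true), ''), '{}')::jsonb
  $$;

-- Same shape as the policy above. With WITH CHECK omitted, the USING predicate
-- is also applied to INSERT/UPDATE, so writes into another tenant are rejected.
CREATE POLICY tenant_isolation_policy ON questionnaire_answers
  FOR ALL USING (organization_id = (jwt_claims() ->> 'org_id')::uuid);

-- Simulate a request carrying tenant 1's token: only tenant 1's row qualifies.
BEGIN;
SELECT set_config('request.jwt.claims',
                  '{"org_id":"11111111-1111-1111-1111-111111111111"}', true);
SELECT question, answer FROM questionnaire_answers;
-- A write aimed at tenant 2 fails the same predicate and aborts the transaction.
INSERT INTO questionnaire_answers (organization_id, question, answer)
  VALUES ('22222222-2222-2222-2222-222222222222', 'Leaked?', 'No.');
ROLLBACK;

-- With no claim at all (e.g. an unauthenticated request) the predicate is NULL
-- for every row, so the query returns nothing rather than everything.
SELECT count(*) FROM questionnaire_answers;
```

Run it in a scratch database as the table owner to see the owner-bypass point: drop the FORCE statement and the final query returns both rows.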
3. EU AI Act Article 50 Transparency Compliance
To support trust and comply with upcoming Article 50 transparency requirements under the EU AI Act:
- Direct Disclosures: The dashboard explicitly flags all draft responses generated or assisted by LLM models with a dedicated badge.
- Human Oversight: Responses require approval from a security or compliance contributor before they can be exported to standard compliance packages.
- Policy Enforcement: System logs record the identity of the human reviewer who validated each response.
4. Data Encryption & Security Compliance
All data transmission between our clients, servers, and model API subprocessors is secured using TLS 1.3. Databases and document attachments stored in Supabase Buckets are encrypted at rest using AES-256 with key rotation.