Security & Trust

Security controls designed around isolation and auditability.

Govarna stores AI inventories, governance evidence, and questionnaire content. This page describes controls visible in the current architecture without claiming a certification or absolute security.

Managed transport and storage

Govarna is served over HTTPS. Customer records and uploads use managed Supabase database and object-storage services, with provider-managed protection for stored data.

Row-level isolation

Customer records use Postgres Row Level Security policies tied to organization membership and role. Application queries also scope customer content by organization where the workflow requires it.

Append-only audit-log privileges

State-change paths write audit entries through a server-only service role. Database grants give authenticated users read access only when an organization-admin policy allows it; application roles have no update or delete grant on audit rows.

Server-side privileged credentials

Supabase service-role, Stripe, and Anthropic credentials are read only in server-side code and deployment configuration. Browser code uses public client configuration and authenticated sessions instead of service credentials.

Private file buckets

Evidence and source-questionnaire uploads are stored in non-public buckets. Storage policies use an organization identifier in each object path and restrict writes or deletion by membership role.

Responsible disclosure

Report a suspected vulnerability to security@govarna.com with reproduction steps and potential impact. Please avoid accessing, changing, or retaining data that is not yours.

Fictional sample — format preview only

Review a sample audit package

This PDF uses fictional data to demonstrate a possible export format. It is not a Govarna certification, audit opinion, customer report, or evidence of regulatory compliance.

Open sample PDF

Compliance posture

Privacy operations

Privacy questions and individual-rights requests can be sent to privacy@govarna.com. Scope, identity, authority, and applicable requirements are reviewed before action is taken.

Compliance tooling, not an attestation

Govarna uses deterministic rules for its core EU AI Act risk-tier workflow and organizes related evidence. Outputs support human review; they do not establish a customer's legal status or compliance.

Certification status

Govarna does not claim SOC 2 or ISO certification on this page. Any assurance reports or certifications held by infrastructure providers belong to those providers and are not Govarna attestations.

Sub-processor list

Current code paths reference Vercel, Supabase, Anthropic, Stripe, Resend, Loops, Google Analytics, PostHog, Sentry, Axiom, and Upstash. The services active for a customer depend on feature and deployment configuration. Ask security@govarna.com for the current operational list.

Need our security questionnaire response?

Email security@govarna.com with your security-review questions.

To ask whether DPA or service-level materials are available for a purchase, contact us directly. This public page does not create contractual commitments.

Start 14-day free trial