Security controls designed around isolation and auditability.
Govarna stores AI inventories, governance evidence, and questionnaire content. This page describes controls visible in the current architecture without claiming a certification or absolute security.
Managed transport and storage
Govarna is served over HTTPS. Customer records and uploads use managed Supabase database and object-storage services, with provider-managed protection for stored data.
Row-level isolation
Customer records use Postgres Row Level Security policies tied to organization membership and role. Application queries also scope customer content by organization where the workflow requires it.
Append-only audit-log privileges
State-change paths write audit entries through a server-only service role. Database grants give authenticated users read access only when an organization-admin policy allows it; application roles have no update or delete grant on audit rows.
Server-side privileged credentials
Supabase service-role, Stripe, and Anthropic credentials are read only in server-side code and deployment configuration. Browser code uses public client configuration and authenticated sessions instead of service credentials.
Private file buckets
Evidence and source-questionnaire uploads are stored in non-public buckets. Storage policies use an organization identifier in each object path and restrict writes or deletion by membership role.
Responsible disclosure
Report a suspected vulnerability to security@govarna.com with reproduction steps and potential impact. Please avoid accessing, changing, or retaining data that is not yours.
Fictional sample — format preview only
Review a sample audit package
This PDF uses fictional data to demonstrate a possible export format. It is not a Govarna certification, audit opinion, customer report, or evidence of regulatory compliance.
Compliance posture
Privacy operations
Privacy questions and individual-rights requests can be sent to privacy@govarna.com. Scope, identity, authority, and applicable requirements are reviewed before action is taken.
Compliance tooling, not an attestation
Govarna uses deterministic rules for its core EU AI Act risk-tier workflow and organizes related evidence. Outputs support human review; they do not establish a customer's legal status or compliance.
Certification status
Govarna does not claim SOC 2 or ISO certification on this page. Any assurance reports or certifications held by infrastructure providers belong to those providers and are not Govarna attestations.
Sub-processor list
Current code paths reference Vercel, Supabase, Anthropic, Stripe, Resend, Loops, Google Analytics, PostHog, Sentry, Axiom, and Upstash. The services active for a customer depend on feature and deployment configuration. Ask security@govarna.com for the current operational list.
Need our security questionnaire response?
Email security@govarna.com with your security-review questions.
To ask whether DPA or service-level materials are available for a purchase, contact us directly. This public page does not create contractual commitments.
Start 14-day free trial