Security & Trust

Built to meet the highest standards of enterprise security.

Govarna stores the most sensitive parts of your AI governance programme — your risk register, your evidence library, your customers' questionnaires. We hold ourselves to the same standard we help you demonstrate to buyers.

Encryption everywhere

All data is encrypted at rest with AES-256 and in transit with TLS 1.2 or later. Encrypted backups are taken daily and managed by our hosting provider, which also holds the encryption keys and rotates them automatically.

Row-level isolation

Every database table that holds customer data is gated by Postgres Row Level Security. Authorisation is enforced at the database tier, not just in application code.

Insert-only audit log

Every state change to a compliance artefact — risk classifications, control status, evidence uploads, exports — writes an audit log row. The application has no code path that can update or delete audit rows once written.
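As an added illustration of the two controls above (not Govarna's own schema, and not code from the page), the following Postgres DDL shows what "authorisation enforced at the database tier" and "no code path can update or delete audit rows" look like when the database itself enforces them. Table, column and role names (risk_register, audit_log, app_user, the app.tenant_id setting) are assumptions for the example. The audit table goes one step further than the text describes: the application role is not granted UPDATE or DELETE at all, and a trigger refuses rewrites from anyone, so immutability does not rest on the absence of application code alone.

```sql
-- Added example, not Govarna's schema. Names below are illustrative assumptions.

-- The application connects as a role that neither owns the tables nor has
-- BYPASSRLS; a superuser or BYPASSRLS role skips every policy silently.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;

CREATE TABLE risk_register (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL,
    risk_class text NOT NULL
);

-- ENABLE turns RLS on; FORCE makes it apply to the table owner as well.
ALTER TABLE risk_register ENABLE ROW LEVEL SECURITY;
ALTER TABLE risk_register FORCE ROW LEVEL SECURITY;

-- The app sets app.tenant_id once per request, after authenticating the user.
-- current_setting() raises if the value is unset, so a request that forgets
-- to set the tenant fails closed instead of seeing every tenant's rows.
CREATE POLICY tenant_isolation ON risk_register
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON risk_register TO app_user;

-- Append-only audit log: same tenant policy, but the role gets no UPDATE or
-- DELETE privilege, and a trigger blocks rewrites from any role that has one.
CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    actor       text NOT NULL,
    artefact    text NOT NULL,   -- e.g. 'risk', 'control', 'evidence', 'export'
    action      text NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;
CREATE POLICY audit_tenant ON audit_log
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

GRANT SELECT, INSERT ON audit_log TO app_user;        -- deliberately no UPDATE/DELETE
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO app_user;  -- bigserial needs nextval()

CREATE FUNCTION audit_log_immutable() RETURNS trigger AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% refused)', TG_OP;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();
CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Per-request usage as app_user (the UUID is a made-up tenant id).
-- SET LOCAL scopes the setting to this transaction, so a pooled connection
-- cannot leak one tenant's id into the next request.
BEGIN;
SET LOCAL app.tenant_id = '0f6b1d6e-6d0e-4c4a-9c7a-0d8a5f1c2b3e';
INSERT INTO risk_register (tenant_id, title, risk_class)
    VALUES ('0f6b1d6e-6d0e-4c4a-9c7a-0d8a5f1c2b3e', 'CV screening model', 'high');
INSERT INTO audit_log (tenant_id, actor, artefact, action)
    VALUES ('0f6b1d6e-6d0e-4c4a-9c7a-0d8a5f1c2b3e', 'alice@example.test',
            'risk', 'classified:high');
SELECT id, title, risk_class FROM risk_register;   -- only this tenant's rows
COMMIT;

-- Checks a reviewer would run against such a schema:
--   UPDATE audit_log SET action = 'x' WHERE id = 1;   -- must raise the exception
--   INSERT INTO risk_register (tenant_id, title, risk_class)
--       VALUES ('11111111-1111-1111-1111-111111111111', 'other', 'low');
--                                                      -- must fail WITH CHECK
--   SELECT rolsuper, rolbypassrls FROM pg_roles WHERE rolname = 'app_user';
--                                                      -- both must be false
--   SELECT relname, relrowsecurity, relforcerowsecurity FROM pg_class
--       WHERE relname IN ('risk_register', 'audit_log');   -- all true
```

Two caveats worth stating next to any RLS claim: policies are bypassed by superusers and by roles with BYPASSRLS, so the role the application actually connects as is the thing to audit, and a trigger-based append-only table can still be altered by whoever can drop the trigger, which is why the DDL itself should be logged and why provider-managed backups (the page's "daily encrypted backups") remain part of the integrity story.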

Least privilege

Production access is restricted to the founding team and protected by SSO and MFA. Every administrative action is logged. There are no shared standing production credentials.

Hosted on certified infrastructure

Govarna runs on cloud infrastructure that holds SOC 2 Type II, ISO 27001, and ISO 27018 certifications. A dedicated EU-region deployment is available for Assured-tier customers on request.

Responsible disclosure

Security researchers are welcome. Report vulnerabilities to security@govarna.com — we do not pursue legal action against good-faith research that follows our disclosure policy.

Compliance posture

GDPR

Lawful basis is tracked per processing activity, the privacy contact is privacy@govarna.com, data-subject requests are handled within the one-month statutory window, and we commit to investigating any confirmed breach and notifying affected customers without undue delay, as GDPR Article 33 requires of a processor.

EU AI Act

We classify our own AI systems against Annex III and track the Article 9–15 obligations for any high-risk system, ahead of 2 August 2026, the date from which those obligations apply.

SOC 2

SOC 2 Type II is on our roadmap, with the audit window targeted before broad enterprise rollout. Once issued, the report will be available to customers under NDA.

Sub-processor list

Hosting (cloud provider), transactional email, AI API providers, error tracking, analytics. The full list with country and purpose is available on request to security@govarna.com.

Need our security questionnaire response?

Email security@govarna.com and we'll send a current SIG-Lite response within one business day.

Start 14-day free trial