Security

Effective 21 May 2026

govn.ai is built to be the system of record for a regulated firm’s AI governance. The same security posture you would expect from any tool sitting inside a Compliance function applies here — and we are explicit about what we have today, and about what is on the roadmap.

Questions or a request for our security questionnaire response? Email security@govn.ai.

Access controls

Multi-factor authentication enforced
Every user is required to enrol a second factor (TOTP or platform authenticator) before reaching the application. There is no opt-out; the requirement is enforced at the identity-provider level via Clerk.
Role-based access control
Five built-in roles (Owner, Admin, Reviewer, Business Owner, Read-only) with a sixth derived AIGC Member role for committee participation. Every server action runs a permission check at the top — no client-trusted authorisation.
Tenant isolation by organisation
Every operational record carries an organisation_id. All queries are scoped at the application layer; cross-tenant reads are not possible through the application. Tested by attempting cross-org reads in the Drizzle query test suite.
Comprehensive audit log
Every state-changing action writes an immutable audit event in the same database transaction as the state change. Audit events are append-only and cannot be edited or deleted. Available to Admin / Owner roles via the in-app audit log surface and the CSV export.
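
As an added illustration (not govn.ai's code), the sketch below shows the pattern described under "Tenant isolation by organisation" and "Comprehensive audit log": every query is scoped by organisation_id, the audit event is written in the same transaction as the state change, and triggers make the audit table append-only. It assumes SQLite in place of Postgres and Drizzle so that it runs offline; the table, column and function names and the sample rows are hypothetical.

```python
import sqlite3

# Hypothetical schema; SQLite stands in for Postgres so the example runs offline.
SCHEMA = """
CREATE TABLE records (id INTEGER PRIMARY KEY, organisation_id TEXT NOT NULL,
                      title TEXT NOT NULL);
CREATE TABLE audit_events (
    id INTEGER PRIMARY KEY, organisation_id TEXT NOT NULL, actor TEXT NOT NULL,
    action TEXT NOT NULL, entity_id INTEGER NOT NULL,
    before_state TEXT, after_state TEXT,
    created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP);
-- Append-only: any UPDATE or DELETE on audit_events aborts the statement.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_events
BEGIN SELECT RAISE(ABORT, 'audit_events is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_events
BEGIN SELECT RAISE(ABORT, 'audit_events is append-only'); END;
"""

def open_db():
    """In-memory database seeded with constructed rows for two tenants."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    with db:
        db.executemany("INSERT INTO records VALUES (?, ?, ?)",
                       [(1, "org_a", "Model inventory"), (2, "org_b", "Vendor review")])
    return db

def get_title(db, org_id, record_id):
    """Tenant-scoped read: a row owned by another organisation is simply absent."""
    row = db.execute("SELECT title FROM records WHERE id = ? AND organisation_id = ?",
                     (record_id, org_id)).fetchone()
    return row[0] if row else None

def rename_record(db, org_id, actor, record_id, new_title):
    """State change and audit event commit together, or neither does."""
    with db:  # one transaction: commit on success, rollback on any exception
        before = get_title(db, org_id, record_id)
        if before is None:  # wrong tenant is indistinguishable from "not found"
            raise LookupError("record not found")
        db.execute("UPDATE records SET title = ? WHERE id = ? AND organisation_id = ?",
                   (new_title, record_id, org_id))
        db.execute("INSERT INTO audit_events (organisation_id, actor, action,"
                   " entity_id, before_state, after_state)"
                   " VALUES (?, ?, 'record.rename', ?, ?, ?)",
                   (org_id, actor, record_id, before, new_title))

def audit_count(db, org_id):
    return db.execute("SELECT COUNT(*) FROM audit_events WHERE organisation_id = ?",
                      (org_id,)).fetchone()[0]
```

A cross-organisation test in this style asserts three things: a foreign organisation_id sees no row, a failed audit insert rolls the state change back, and UPDATE or DELETE on the audit table is rejected.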

Data protection

Encryption in transit
TLS 1.3 enforced for all application traffic via Vercel. Certificates issued by Let’s Encrypt and rotated automatically.
Encryption at rest
All customer data is encrypted at rest by the managed services that store it — Neon (AES-256 on Postgres tables and snapshots), Vercel Blob (AES-256 on uploaded files), Clerk (managed encryption on user identity and authentication factors).
EU data residency where supported
The primary Postgres database (Neon) is hosted in the EU (Frankfurt region). Sentry uses the EU region. PostHog is configured to use the EU cloud option. Hosting (Vercel) and identity (Clerk) currently use US-resident services with UK IDTA / SCCs for the international transfer mechanism — this is disclosed in the DPA and is on the roadmap to migrate to UK/EU regions where supported.
Soft deletion with audit history
Operational records are soft-deleted (marked, not destroyed) so an erroneous deletion can be recovered and the audit trail remains complete. Hard-delete on request is available for personal data subject to UK GDPR Article 17.

Infrastructure and operations

Hardened infrastructure
Hosted on Vercel (Next.js application), Neon (Postgres), Clerk (identity), Resend (email), Inngest (background jobs). Each is a managed SOC 2-attested service; we inherit their hosting-layer security controls. The full list of sub-processors is published and version-tracked.
No production secrets on local machines
Production secrets live in Vercel’s encrypted environment variables and are never committed to source control. Drizzle migrations against production are deployed via GitHub Actions or the Vercel build hook — never from a developer’s laptop.
Dependency vulnerability scanning
GitHub Dependabot enabled at the repository level; critical advisories trigger an alert and are patched on a same-week target. Production builds fail when the application bundle ships a known critical vulnerability in a runtime dependency.
Application error monitoring
Sentry captures unhandled errors in production with PII scrubbing on the transmission path; we treat error volume as a security signal alongside the platform reliability signal.

Controls in the customer’s hands

Security is a shared responsibility. The platform gives the customer admin the controls below; using them is part of the customer’s own ISMS.

Per-user role assignment
Customer admins set each user’s role at invitation time and can change it from Settings → Team. Role changes are audit-logged.
Audit log export
Admins can export the full audit log as CSV at any time. The export carries actor, action, entity, before/after state, and timestamp for every event.
Soft-delete recovery
Soft-deleted operational records remain recoverable for 30 days; a hard-delete request via support extends the right to erasure under UK GDPR.
Data export on request
Customers can request a full export of their tenant data at any time. Standard format is CSV per entity table plus an attachments archive.

Compliance and certifications

govn.ai does not currently hold a SOC 2, ISO 27001, or equivalent third-party attestation. The architecture is built to make achieving them a question of evidence collection rather than re-engineering. Specific milestones are on the roadmap below.

Sub-processors

We publish the full list of third-party services that process customer data on our behalf at /sub-processors. Each sub-processor is bound by our DPA; customers are notified at least 14 days before any change to the list.

Vulnerability disclosure

We welcome reports from security researchers and customers. If you believe you have found a security issue, please email security@govn.ai with a description of the issue and steps to reproduce. We will acknowledge receipt within two working days and aim to triage within five working days. We do not currently operate a public bounty programme; good-faith reports made under coordinated disclosure are welcome.

Incident response

If we become aware of a security incident affecting customer data, we will notify affected customers without undue delay and in any event within the timelines required by the DPA and applicable law (including UK GDPR Article 33 where applicable). Incident communications include a summary of what happened, the data and customers affected, the steps we are taking to contain and remediate, and the steps we recommend you take.

Roadmap

The items below are on the platform roadmap. Targets are good-faith estimates; we will update this page when each milestone lands and bump the effective date above.

Enterprise SSO (Entra / Okta / Google Workspace)
IdP federation with JIT user provisioning. SCIM de-provisioning for the Enterprise tier. Required before Standard-tier launch.
SOC 2 Type 1
Target window: H2 2026. Evidence collection tooling (Drata or Vanta) hooks up to the GitHub, Vercel, Neon, and Clerk integrations and back-fills historical evidence on connection.
SOC 2 Type 2
Twelve-month observation window after Type 1 attestation. Target: H2 2027.
ISO 27001
Under evaluation. SOC 2 Type 2 is the prioritised attestation for UK FS buyers; ISO 27001 follows if customer demand justifies the duplication.
Row-level security (Postgres RLS)
Current isolation is application-layer (every query scoped by organisation_id). Defence-in-depth via Postgres RLS is on the roadmap; the trigger is the first customer that asks for it on a SOC 2 readiness checklist.
Penetration test
Annual third-party penetration test starting at the SOC 2 Type 1 milestone. Independent provider; report available to customers under NDA.

Questions

Email security@govn.ai for security-specific questions or a security questionnaire response, or privacy@govn.ai for data-protection questions.
