Security & Data Handling
Designed for regulated enterprise environments.
A full security and data-handling overview is provided during design partner evaluation. The summary below describes our current posture honestly, distinguishing what is implemented from what is planned.
Data Handling
Organization-scoped data isolation
All data (issues, action steps, evidence, and validation records) is scoped to your organization. Application-layer isolation ensures no cross-organization data access is possible.
Validation methodology
Validation analysis is conducted using Govalta's Structured Remediation Validation Methodology. Evidence submitted for validation is used solely for the purpose of producing your organization's validation records and is not used to improve or train any underlying model, shared across organizations, or retained beyond your organization's data lifecycle.
Audit logging
All significant actions (validations run, evidence uploaded, verdicts overridden, reviewer decisions made) are logged with user identity, timestamp, and IP address. The audit log is append-only and cannot be modified or deleted.
Change traceability
Issue and action step records maintain an immutable, field-level change log. Every modification is captured with the field changed, prior value, new value, user, and timestamp.
Access Controls
Authentication
All application access requires authenticated sessions. Unauthenticated access to any data or validation functionality is not possible.
Role-based access
User permissions are managed through role-based access control. Administrators control user provisioning and role assignment within their organization.
Security Posture
Implemented
- ·Organization-scoped data isolation
- ·Append-only audit logging
- ·Field-level change traceability
- ·Role-based access control
- ·Enterprise SSO (SAML 2.0 / OIDC)
- ·Authenticated sessions
- ·No cross-organization data access
- ·Formal data retention and deletion policy
- ·Data Processing Addendum (DPA) available
- ·Sub-processor disclosure published
Planned
- ·Penetration testing
- ·SOC 2 Type II (sequenced with pilot volume)
- ·In-tenant deployment option
Design Partner Security Review
The following data governance documentation is available to design partners and enterprise reviewers:
- ·Sub-processor Disclosure
- ·Data Processing Addendum (DPA)
- ·Data Retention Policy
- ·Data Deletion Policy
- ·Privacy Policy
We do not publish a completed SIG-lite or CAIQ publicly at this stage. If your information security team requires specific documentation before evaluation, contact us directly and we will respond.
Contact
For security questions, data handling inquiries, or vendor questionnaire requests:
contact@govalta.com