Security & Data Handling

Designed for regulated enterprise environments.

A full security and data-handling overview is provided during design partner evaluation. The summary below describes our current posture honestly, distinguishing what is implemented from what is planned.

Data Handling

Organization-scoped data isolation

All data — issues, action steps, evidence, and validation records — is scoped to your organization. Application-layer isolation ensures no cross-organization data access is possible.

Validation methodology

Validation analysis is conducted using Govalta's Structured Remediation Validation Methodology. Evidence submitted for validation is used solely for the purpose of producing your organization's validation records. It is not used to improve or train any underlying model, is not shared across organizations, and is not retained beyond your organization's data lifecycle.

Audit logging

All significant actions — validations run, evidence uploaded, verdicts overridden, reviewer decisions made — are logged with user identity, timestamp, and IP address. The audit log is append-only and cannot be modified or deleted.

Change traceability

Issue and action step records maintain an immutable, field-level change log. Every modification is captured with the field changed, prior value, new value, user, and timestamp.

Access Controls

Authentication

All application access requires authenticated sessions. Unauthenticated access to any data or validation functionality is not possible.

Role-based access

User permissions are managed through role-based access control. Administrators control user provisioning and role assignment within their organization.

Security Posture

Implemented

  • Organization-scoped data isolation
  • Append-only audit logging
  • Field-level change traceability
  • Role-based access control
  • Authenticated sessions
  • No cross-organization data access

In Progress

  • Formal data retention and deletion policy
  • Security documentation package for vendor review

Planned

  • SSO / SAML 2.0 integration
  • Penetration testing
  • SOC 2 Type II (sequenced with pilot volume)
  • In-tenant deployment option

Design Partner Security Review

Detailed security documentation — including data flow diagrams, sub-processor list, data retention and deletion terms, and responses to vendor security questionnaires — is prepared and provided during the design partner evaluation process.

We do not publish a completed SIG-lite or CAIQ publicly at this stage. If your information security team requires specific documentation before evaluation, contact us directly and we will respond.

Contact

For security questions, data handling inquiries, or vendor questionnaire requests:

contact@govalta.com