Security is the
foundation.
Governance professionals trust Governa with their most sensitive decisions. That trust is earned through architecture, not promises.
Compliance certifications and frameworks
ISO 27001
Information Security
SOC 2 Type II
Service Organisation Controls
Kenya DPA
Data Protection Act 2019
GDPR
EU Data Protection
POPIA
SA Protection of Personal Info
How we protect your data.
Encryption Everywhere
AES-256 encryption at rest. TLS 1.3 in transit. Per-tenant encryption keys derived from a tenant-specific master key. Your data is encrypted at every layer.
BYOK Support
Enterprise and Sovereign plans support Bring Your Own Key. Use your own AWS KMS keys for encryption. Revoke access at any time by rotating your keys.
Tenant Isolation
Schema-per-tenant database isolation. No shared tables between organisations. Separate encryption keys, separate storage prefixes, separate search indices.
Data Sovereignty
Choose your data region at provisioning. No cross-region data transfers. Africa-only options available. Sovereign plans include dedicated infrastructure.
Consent-Based Access
Governa support staff cannot access your data without explicit, time-limited consent from your tenant administrator. Every access is logged and auditable.
AI Safety
No cross-tenant AI training. All AI outputs are explainable with source citations. Kill switch available. AI features can be disabled per-workspace.
The Support Access Protocol.
Unlike most SaaS platforms, Governa staff cannot see your data by default. Access requires explicit consent.
Support request created
Your team raises a support ticket. Our team investigates using only non-tenant metadata.
Access requested
If data access is needed, a formal request is sent to your tenant administrator with scope and duration.
Consent granted (or denied)
Your administrator grants time-limited access — 1 hour, 24 hours, or a custom window. Or they deny it.
Auditable access
Every action taken during the access window is logged in your tenant audit trail. Full transparency.
Access expires
When the window closes, access is automatically revoked. No lingering permissions.
Penetration Testing
Annual third-party penetration testing by accredited firms. Results shared with Enterprise and Sovereign customers upon request.
Data Processing Agreement
A comprehensive DPA is available for all customers. Enterprise and Sovereign plans include custom DPA terms as needed.
Security questions?
Our security team is available to discuss architecture, compliance, or custom requirements.