Security
Last updated: April 19, 2026
Security is foundational to Governer. As a platform that helps organisations achieve AI governance compliance, we hold ourselves to high security standards. This page describes how we protect your data and our approach to security.
1. Encryption
In Transit
- All connections to Governer use TLS 1.3.
- HTTPS is enforced on all endpoints with HSTS headers.
- API communications between our services are encrypted end-to-end.
At Rest
- Database storage uses AES-256 encryption at rest (provided by Supabase/AWS).
- Passwords are hashed using bcrypt with a minimum cost factor of 10.
- API keys are stored as irreversible hashes; only the prefix is displayed to users.
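The two storage controls above (API keys kept only as irreversible hashes with a displayable prefix, and a bcrypt minimum cost of 10) can be illustrated in code. The following Python is an added example and is not Governer's own implementation; the key format (a "gov_" prefix, an 8-character displayed prefix), the function names, and the sample password-hash rows are all constructed for this illustration.

```python
import hashlib
import hmac
import re
import secrets

# Added example, not Governer's code. Names and the key format are
# this example's own assumptions.
KEY_PREFIX_LEN = 8        # assumption: the first 8 characters are shown to users
MIN_BCRYPT_COST = 10      # policy stated on the page


def make_api_key():
    """Generate a random API key and the record to persist.

    The full key is returned exactly once to the caller. The store keeps only
    the display prefix and a SHA-256 digest, so a database leak does not
    expose usable keys. A fast hash is appropriate here because the key
    carries ~256 bits of entropy; bcrypt is reserved for low-entropy passwords.
    """
    key = "gov_" + secrets.token_urlsafe(32)
    record = {
        "prefix": key[:KEY_PREFIX_LEN],
        "digest": hashlib.sha256(key.encode()).hexdigest(),
    }
    return key, record


def verify_api_key(presented, record):
    """Hash the presented key and compare in constant time to the stored digest."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, record["digest"])


def display_key(record):
    """What a user sees after creation: the prefix plus a fixed mask."""
    return record["prefix"] + "****"


# bcrypt hashes are "$2<variant>$<cost>$<22-char salt><31-char hash>".
_BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost(stored_hash):
    """Return the cost factor encoded in a bcrypt hash string, or None if it is not bcrypt."""
    m = _BCRYPT_RE.match(stored_hash)
    return int(m.group(1)) if m else None


def weak_password_hashes(rows):
    """Return usernames whose stored hash is below MIN_BCRYPT_COST or is not bcrypt at all.

    This is the kind of periodic audit that enforces a 'minimum cost factor'
    policy on rows that were hashed before the policy existed.
    """
    return [user for user, h in rows if (bcrypt_cost(h) or 0) < MIN_BCRYPT_COST]


# Constructed sample rows: the 53-character body is a placeholder, not a real hash.
SAMPLE_BODY = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_ROWS = [
    ("alice", "$2b$12$" + SAMPLE_BODY),                 # above policy
    ("bob", "$2b$10$" + SAMPLE_BODY),                   # exactly at policy
    ("carol", "$2b$08$" + SAMPLE_BODY),                 # below policy: needs rehash
    ("dave", "5f4dcc3b5aa765d61d8327deb882cf99"),       # legacy unsalted MD5: not bcrypt
]


if __name__ == "__main__":
    key, rec = make_api_key()
    print("show user once:", key)
    print("stored record:", rec)
    print("shown later:", display_key(rec))
    print("verify:", verify_api_key(key, rec))
    print("rows needing rehash:", weak_password_hashes(SAMPLE_ROWS))
```

Two design points are worth noting. First, the API key and the password paths deliberately use different hash functions: a random 256-bit key cannot be brute-forced, so SHA-256 plus a constant-time compare is sufficient, while passwords need a deliberately slow hash such as bcrypt. Second, the cost audit reads only the cost field out of the stored hash string, so it can run over a user table without the bcrypt library or any plaintext passwords, and it flags both sub-policy bcrypt rows and rows that were never bcrypt.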
2. Data Handling
- Source code uploads: Processed in-memory during scans. Code is not persisted to disk or database after scan completion.
- Website compliance scans: Only publicly accessible page content is fetched. No authentication credentials are required. Crawled HTML is processed and discarded.
- Scan results: Stored encrypted in our database. Retained for up to 12 months, then automatically purged.
- Personal data: Minimised by design. See our Privacy Policy for details.
3. Infrastructure
- Hosting: Netlify (global CDN, DDoS protection).
- Database: Supabase (PostgreSQL, hosted on AWS with SOC 2 compliance).
- AI Processing: Groq (inference-only, no training on user data).
- Authentication: Supabase Auth with Row Level Security (RLS) policies on all database tables.
4. Access Controls
- Role-based access control (RBAC) for team plans.
- Row Level Security (RLS) ensures users can only access their own data.
- Admin access to production infrastructure requires multi-factor authentication.
- Third-party integrations use least-privilege OAuth scopes.
5. Vulnerability Disclosure Policy
We take security reports seriously. If you discover a vulnerability, please report it responsibly:
- Email: security@governer.dev
- Scope: All Governer web properties, APIs, and the governer CLI tool.
- Response time: We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.
- Disclosure: We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it (90 days).
We are grateful for responsible disclosures and will credit researchers (with permission) in our security advisories.
6. Incident Response
In the event of a data breach, we will:
- Notify affected users within 72 hours (as required by GDPR Article 33).
- Notify the relevant supervisory authority where required.
- Provide a detailed incident report including scope, impact, and remediation steps.
- Conduct a post-incident review to prevent recurrence.
7. Security Contact
For security questions or concerns: security@governer.dev