Security
Last updated: 15 June 2026 · Practices we follow today; certifications listed where applicable.
Tenant isolation
Every customer is a separate tenant. Reads and writes are scoped to the signed-in user’s tenant at the application layer; cross-tenant access attempts are rejected as “not found.” The isolation boundary is enforced in code and verified against two-tenant test scenarios.
Authentication
Passwords are hashed with bcrypt (cost 10). Sessions use signed JWTs in httpOnly, Secure, SameSite=Lax cookies with a 7-day expiry. Password reset links are single-use, expire in 1 hour, and only the hash is stored.
Encryption
- In transit: TLS for all network connections.
- At rest (database): provider-level encryption (Neon).
- At rest (third-party secrets): credentials you plug in for connectors (e.g. DocuSign access tokens, Dropbox Sign API keys) are encrypted with AES-256-GCM before storage and decrypted only when dispatching.
Data residency & sub-processors
See the Privacy Policy for the full list of sub-processors and how international transfers are handled.
Audit trail
Every governance action and connector dispatch writes an immutable audit-log entry with the actor, the event id, the matched rules and a tamper-evidence hash. This is what makes “prove who approved what, when” possible.
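One way a tamper-evidence hash can work, shown as an added example and not the vendor's own code: each entry's SHA-256 covers its fields plus the previous entry's hash, so an edited or deleted row fails verification from that point on. The chaining scheme, the field names, the `GENESIS` value and the sample entries are assumptions; the page does not say how its hash is computed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry

def entry_hash(prev_hash, actor, event_id, matched_rules):
    # Canonical JSON so identical fields always hash to identical bytes.
    body = json.dumps(
        {"prev": prev_hash, "actor": actor, "event_id": event_id,
         "matched_rules": list(matched_rules)},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append_entry(log, actor, event_id, matched_rules):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"actor": actor, "event_id": event_id,
                "matched_rules": list(matched_rules), "prev_hash": prev,
                "hash": entry_hash(prev, actor, event_id, matched_rules)})

def verify_log(log, expected_head=None):
    """Return None if intact, else the index of the first bad entry.

    len(log) is returned when every entry checks out but the last hash
    differs from expected_head (entries were dropped from the end).
    """
    prev = GENESIS
    for i, e in enumerate(log):
        good = entry_hash(prev, e["actor"], e["event_id"], e["matched_rules"])
        if e["prev_hash"] != prev or e["hash"] != good:
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None

def build_sample_log():
    # Constructed sample entries, not real data.
    log = []
    append_entry(log, "alice@example.test", "evt-0001", ["rule-spend-limit"])
    append_entry(log, "bob@example.test", "evt-0002", ["rule-dual-approval"])
    append_entry(log, "alice@example.test", "evt-0003", [])
    return log

if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]                    # kept outside the database
    log[1]["actor"] = "mallory@example.test"  # simulated edit to one row
    print("first bad entry:", verify_log(log, head))
```

A chain on its own can be recomputed by anyone able to rewrite the whole table, so the latest hash has to be kept somewhere the database writer cannot change; `expected_head` models that check.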
Backups
Database backups are managed by our hosting provider; point-in-time recovery is available within retention windows.
Responsible disclosure
If you believe you have found a security issue, please report it to security@governos.co. We aim to acknowledge within two business days and to keep researchers informed throughout remediation.
What we don’t do
- We do not sell or share customer data with advertisers.
- We do not enter customer credentials on third-party sites on the user’s behalf — clients connect their own provider licences in Settings.
- We do not run third-party tracking cookies.