Security, privacy, and transparency are at the core of everything we build. Here's how we protect your code and data.
Your code never leaves your control. GovNu processes code analysis in ephemeral sandboxes that are destroyed immediately after each scan.
We do not store, train on, or share your source code. Analysis results and governance metrics are stored only as long as you need them, with full deletion control in your hands.
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Database access is protected by row-level security policies that enforce strict tenant isolation.
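The row-level security claim above is the one a practitioner would want to see concretely, since RLS is only as strong as the role the application connects with. The following is an added PostgreSQL illustration and is not GovNu's schema or code; the table, column, role and setting names (scan_results, tenant_id, app_user, app.current_tenant) are hypothetical. It shows the weak configuration (RLS enabled but the table owner bypasses it) beside the corrected one, and the check an auditor would run.

```sql
-- Added illustration, not GovNu's code. All names are hypothetical.
CREATE TABLE scan_results (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    repo       text NOT NULL,
    finding    text NOT NULL
);

-- Weak setting: ENABLE alone leaves the table owner (and superusers) exempt
-- from every policy, so an app that connects as the owner sees all tenants.
ALTER TABLE scan_results ENABLE ROW LEVEL SECURITY;

-- Corrected setting: FORCE applies the policies to the owner as well, and the
-- application connects as a separate non-owner, non-superuser role.
ALTER TABLE scan_results FORCE ROW LEVEL SECURITY;
CREATE ROLE app_user NOLOGIN;   -- the app's login role is made a member of this
GRANT SELECT, INSERT, UPDATE, DELETE ON scan_results TO app_user;

-- Tenant context comes from a per-transaction setting the application sets
-- after authenticating the request. NULLIF guards against the empty string
-- that an unset custom GUC can return; a NULL comparison yields no rows,
-- so a request with no tenant context reads nothing rather than everything.
CREATE POLICY tenant_isolation ON scan_results
    FOR ALL
    TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid);

-- Per request, inside the transaction; SET LOCAL is discarded at COMMIT or
-- ROLLBACK, so a pooled connection cannot leak one tenant's context to the next.
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';  -- constructed value
SELECT id, repo, finding FROM scan_results;   -- returns only that tenant's rows
COMMIT;

-- Audit check: the application role must be neither superuser nor BYPASSRLS,
-- otherwise every policy above is silently skipped.
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles
WHERE rolname = 'app_user';   -- expect rolsuper = f, rolbypassrls = f
```

The design point is that isolation must hold even when the application code forgets to set the tenant context: with the NULL comparison the failure mode is an empty result, not a cross-tenant read. Verifying `rolsuper` and `rolbypassrls` on the connecting role is the single cheapest check that the policies are actually in force.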
GovNu is built with security-first architecture: principle of least privilege, defense in depth, and zero-trust networking.
We are committed to annual third-party security audits and quarterly penetration testing by independent firms.
Vulnerability disclosure: We maintain a responsible disclosure policy. Security issues are triaged within 24 hours and resolved according to severity tiers (Critical: 48h, High: 7d, Medium: 30d).
Compliance: GovNu adheres to GDPR and CCPA requirements and is pursuing SOC 2 Type II and ISO 27001 certification.
We collect only the minimum data necessary to provide the service: repository metadata, scan configurations, and quality metrics. Personal data (names, emails) is collected only with explicit consent.
You have full control: data export (machine-readable JSON), data deletion (immediate or 30-day grace period), and access logs (view who accessed what, when).
Analytics only with your explicit consent. We use PostHog for product analytics — no tracking occurs until you opt in. No advertising. No data brokerage. Your governance data is yours alone.
BYOLLM (Enterprise): When you bring your own LLM provider, code analysis happens entirely in your chosen infrastructure. GovNu never sees your code.
We target 99.9% monthly uptime for all production services.
Enterprise SLA: Custom uptime guarantees with dedicated support and escalation paths.
Infrastructure: Cloud-native deployment with automatic failover. Database replication with point-in-time recovery.
Monitoring: Real-time health checks with automated incident detection and response.
Status page: Subscribe for real-time incident notifications and scheduled maintenance windows.
Our compliance posture is continuously monitored. Here is the current status of our certifications.
Audit in progress — estimated Q3 2026
Certification planned Q4 2026
GDPR-aligned processing — DPA available on request
California Consumer Privacy Act compliant
BAA available for Enterprise tier
Our SOC 2 audit readiness is continuously tracked against Trust Service Criteria.
Audit in Progress
We are actively working toward SOC 2 Type II certification. Real-time readiness data will appear here once evidence collection milestones are reached.
Record of processing activities maintained per GDPR Article 30 requirements.
Summary: 7 processing categories; 3 legal bases used; primary jurisdiction: EU.
| Category | Purpose | Legal Basis | Data Subjects | Retention |
|---|---|---|---|---|
| Account Data | User authentication and account management | Contract performance (Art. 6(1)(b)) | Registered users | Duration of account + 30-day deletion grace |
| Governance Metrics | Code quality scoring and trend analysis | Contract performance (Art. 6(1)(b)) | Organization members | Configurable by org admin (default: 12 months) |
| Scan Results | Governance rule evaluation and remediation | Contract performance (Art. 6(1)(b)) | Repository contributors | Configurable by org admin (default: 6 months) |
| Usage Analytics | Product improvement and feature adoption | Consent (Art. 6(1)(a)) | Users who opt in | 24 months from collection |
| Support Communications | Customer support and incident resolution | Legitimate interest (Art. 6(1)(f)) | Users who contact support | 36 months from resolution |
| Billing Data | Subscription management and invoicing | Contract performance + Legal obligation (Art. 6(1)(b),(c)) | Billing contacts | 7 years (tax compliance) |
| Pentest Reports | Vendor security audit and SOC 2 evidence | Contract performance (Art. 6(1)(b)) | Testers + customer staff | 7 years (SOC 2 audit retention) |
You have the right to access, rectify, erase, restrict processing, port your data, and object to processing. All requests are fulfilled within 30 days per GDPR Article 12.
To exercise your rights, contact privacy@govnu.dev or use the self-service data export and deletion tools in your account settings.
Our support team is here to help with implementation, configuration, and incident resolution.
GovNu is designed with a zero-access philosophy: we cannot read your source code even if we wanted to. Here's how:
Our security team is here to help. Contact us for detailed technical documentation, penetration test reports, or compliance certifications.