Security

1. Privacy and Data Protections

1.1. Policies

• Privacy Policy
Govin has a published Privacy Policy.

2. Cloud Security

2.1. Data Center and Physical Security

• Cloud-First
Customer data is stored in secure facilities, on secure servers, and within secure applications. We partnered with Google for infrastructure and cloud services. Govin runs on the Google Cloud Platform (GCP), commonly referred to as PaaS (Platform as a Service).

• Data Hosting Location
Govin offers physical storage locations in the EEA (European Economic Area) to support our customers’ data residency and compliance requirements.

• Office Locations
Govin office locations have no data centers or access to data centers. Govin maintains appropriate security personnel for the facilities. Govin office locations are restricted access facilities with proper door access. Badge access is required to enter and exit the building. Visitors are required to sign in and be escorted within the facility. Cameras and sensors monitor the office locations. Rooms that store telecommunication and network equipment are kept locked and alarmed.

2.2. Network Security

• Third-Party Penetration Testing
In addition to our extensive internal testing, Govin partnered with a third-party security firm to perform vulnerability and penetration testing twice a year.

• White-Listed Access
Key internal tools are reachable only from specific, vetted IP addresses (an IP allowlist), limiting their exposure and preventing unauthorized access from elsewhere.

• Encapsulated Data Handling
Tools handling sensitive data are not directly accessible from the internet, ensuring data security.

2.3. Encryption

• Encryption in Transit
At Govin, we ensure our platform is accessible only through a secure connection. This is achieved by only supporting the advanced TLS 1.2 and 1.3 protocols and enforcing HTTP Strict Transport Security (HSTS) for every transfer and transaction.

• Encryption at Rest
All stored Govin data is encrypted at the storage layer using the Advanced Encryption Standard (AES) algorithm with 256-bit keys (AES-256). Encryption is implemented consistently across the whole platform through the common cryptographic library Tink, which includes the FIPS 140-2 validated module BoringCrypto.

2.4. Availability and Continuity

• Redundancy
For every service we offer, we have a redundant system on standby. In the rare event of a failure, our instant fallback ensures that operations continue seamlessly.

• Disaster Recovery
With daily backups stored in an isolated location, we ensure you’re always one step ahead of any data uncertainties. Even if the redundant systems fail, rest assured that data restoration is swift, minimizing potential data loss.

3. Application Security

3.1. Secure Development

• Secure Code Training
At Govin, we require all individuals with code access to complete specialized Secure Coding & Secure Application Development courses. This training is focused on equipping our team with essential skills to identify and mitigate security risks in coding practices. Key topics include addressing common vulnerabilities, implementing secure coding techniques, and integrating security into the software development lifecycle. This course is updated and retaken annually, ensuring our team stays current with evolving security standards and practices.

• Code Perfection
Automated tools rigorously assess our code for functionality, quality, and potential vulnerabilities. Utilizing a set of open-source tools, we ensure that you’re operating on a platform that’s efficient, error-resistant, and steadfast in its commitment to security.

• Stay Updated
Every week, our platform checks its open-source dependencies and updates them to the latest versions, so that known vulnerabilities in older releases do not remain in the platform. Combined with extensive testing, this keeps you continuously operating on the latest, safest version.

• Environment Isolation
We maintain separate environments such as test, automated test, security, and demo for development purposes alongside the production environment. Development, testing, and production are kept strictly distinct, ensuring that replications use synthetic data, never mirroring the data from the production environment.

• Static Code Analysis
Govin uses a Static Application Security Testing (SAST) tool that regularly scans application code for potential vulnerabilities. Alongside these automated scans, Govin also conducts secure code reviews during the SDLC release cycle.

• Security Proactiveness
A detailed and secure log of user behaviors provides a clear audit trail, preserving platform integrity. It’s more than just surveillance; it’s our pledge to maintain the security of your data.

• Responsive Logging
In our logs, beyond the mentioned metrics, we utilize information from HTTP response codes, response times, and crash reports to drive platform optimization and improvements continually.

• User-Driven Enhancements
At Govin, we prioritize enhancing your experience. Every platform click, login, and interaction is carefully analyzed from anonymized user actions, including button clicks and session durations. This ensures that we gain actionable insights for continuous product improvement and that your data remains untraceable to any individual user.

3.2. Product Security

• Password Integrity
At Govin, passwords are not stored in our system but managed by our renowned authentication partner, ensuring optimal safety and adherence to a strict password policy. A widget is available during password setup or changes to assist users in creating robust credentials.

• Advanced Password Protections
Soon, we’re enhancing access security by introducing optional Time-based One-Time Passwords (TOTP) for robust account protection. Additionally, plans are in motion to support Single Sign-On and Two-Factor Authentication, ensuring seamless access with the utmost security.

• Granular Permissions
Govin features a nuanced permission model, which is not only covered by automated tests but has also been externally audited, ensuring that data access is consistently in the right hands.

• Document Security
Data and documents, whether entered or uploaded to the platform, are sealed behind strict access barriers in a high-security digital vault. Only specific, vetted Govin personnel, granted access using the permission model, can access them, ensuring they cater to advanced onboarding needs with utmost discretion and security. Any access by Govin personnel for onboarding requires explicit permission.

3.3. Additional Product Security Features

• Role-based Access Controls
At Govin, role designations are used to regulate access to specific features and functions. Every individual within an entity is assigned a role, which determines their access level to certain features.

– Administrative Role:
The Admin role is available at the manager level and entity level. If granted at the manager level, the user can also perform all functions at the entity level.

– User Roles:
The User role is available at the manager level and entity level. If granted at the manager level, the user can also perform some functions at the entity level, and that permission can be revoked entirely for a given entity.
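As an added illustration (not Govin's code), the manager-level and entity-level Admin and User roles described above can be encoded as a deny-by-default check; the entity ids, function names and the subset of entity functions a manager-level User inherits are assumptions, since the page says only "some functions".

```python
from dataclasses import dataclass, field
from enum import Enum

# Illustration only (not Govin's code); ids, function names and the inherited
# subset for a manager-level User are constructed assumptions.
class Role(Enum):
    ADMIN = "admin"
    USER = "user"

class Level(Enum):
    MANAGER = "manager"
    ENTITY = "entity"

# Constructed sample tenancy: each entity belongs to exactly one manager.
ENTITY_MANAGER = {"entity-1": "manager-A", "entity-2": "manager-A", "entity-3": "manager-B"}
# All entity-level functions; a User at an entity gets a subset (assumption), and a
# manager-level User inherits only "some functions" at each entity (assumption).
ENTITY_FUNCTIONS = {"view_documents", "upload_document", "edit_entity", "manage_members"}
USER_ENTITY_FUNCTIONS = {"view_documents", "upload_document", "edit_entity"}
USER_INHERITED_FUNCTIONS = {"view_documents", "upload_document"}

@dataclass
class Grant:
    role: Role
    level: Level
    scope: str                                   # manager id or entity id
    revoked_entities: set = field(default_factory=set)  # manager-level User only

def can_perform(grants: list, entity_id: str, function: str) -> bool:
    """Deny by default; allow only when a grant explicitly covers the call."""
    if function not in ENTITY_FUNCTIONS or entity_id not in ENTITY_MANAGER:
        return False                             # unknown name: fail closed
    manager_id = ENTITY_MANAGER[entity_id]
    for g in grants:
        if g.level is Level.ENTITY and g.scope == entity_id:
            if g.role is Role.ADMIN or function in USER_ENTITY_FUNCTIONS:
                return True
        elif g.level is Level.MANAGER and g.scope == manager_id:
            if g.role is Role.ADMIN:
                return True                      # all entity-level functions
            if entity_id not in g.revoked_entities and function in USER_INHERITED_FUNCTIONS:
                return True                      # User: some functions, unless revoked
    return False

if __name__ == "__main__":
    admin = [Grant(Role.ADMIN, Level.MANAGER, "manager-A")]
    user = [Grant(Role.USER, Level.MANAGER, "manager-A", {"entity-2"})]   # entity-2 revoked
    print(can_perform(admin, "entity-1", "manage_members"))  # True
    print(can_perform(user, "entity-1", "manage_members"))   # False: not inherited
    print(can_perform(user, "entity-2", "view_documents"))   # False: revoked
```

A grant for another manager's entity, an unregistered function name, or a revoked entity all fall through to the final deny.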

• Emails and Notifications
Within Govin, data and attachments are never sent directly in email notifications. All alerts from Govin originate from a specific group of dedicated IP addresses. We highly recommend that customers avoid filtering or inspecting messages that come from our platform.

4. Human Resources Security

4.1. Security Awareness

• Policies
Govin has formulated an extensive array of security policies addressing various subjects. All employees and contractors with access to Govin’s information resources are informed and provided with these policies.

• Training
Govin requires security education training for everyone granted access to its systems. This training is mandatory upon first-time access and is revisited annually. The training covers policies, standards, confidentiality, privacy, physical and system security, acceptable use, social engineering, and more.

4.2. Employee Vetting

• Background checks
Govin performs background screenings for all employees, as permitted by law, in line with local rules and regulations. This process encompasses federal criminal record reviews, as well as verification of employment history, education, and references.

• Confidentiality Agreements
Govin has established a Nondisclosure Agreement (NDA) with its employees and third parties with access to systems or information.

4.3. Employee Devices Security

• Work Environment
Our team accesses and operates data directly in the secure environment of our cloud, ensuring no local storage risks or vulnerabilities. Data is not stored on employees’ devices; all interactions occur exclusively within the safety of our cloud environment.

• Mandatory MFA
All employees must use mandatory multi-factor authentication (MFA) when creating their accounts, protecting them against phishing attacks.

• Drive Encryption
Every employee’s drive is encrypted using BitLocker or FileVault, ensuring that every data byte, document, and piece of information on our devices is protected, reinforcing our multi-layered security approach.