GovernLayer is built to protect the systems that protect your AI. Security is not a feature we added — it is the foundation everything else is built on.
GovernLayer runs on hardened, enterprise-grade infrastructure with security controls at every layer of the stack.
Hosted on Railway, which maintains SOC 2 Type II compliance. Infrastructure is managed with continuous monitoring, encrypted storage, and strict access controls. All compute runs in isolated containers with no shared tenancy.
PostgreSQL database storage is encrypted at rest using AES-256. All sensitive fields including password hashes, API keys, and audit records are protected at the storage layer. Backups are encrypted with the same standard.
Every connection to GovernLayer — API requests, database connections, and inter-service communication — is encrypted with TLS 1.2 or higher. HSTS is enforced with a two-year max-age and preload directive.
Structured logging captures operational metadata (request paths, latency, status codes) but never logs request bodies, API keys, tokens, or any customer-submitted data. Log output is sanitized before persistence.
Defense-in-depth controls built into the application layer, from cryptographic audit trails to fine-grained access control.
Every governance decision is recorded on an immutable, hash-chained audit ledger. Each record contains the SHA-256 hash of the previous record, making any tampering mathematically detectable. The genesis hash is deterministic and verifiable.
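The hash-chain check described above, as an added example that is not GovernLayer's own code: the record layout, field names and genesis value are assumptions made for illustration. It goes one step beyond the text by also comparing the final hash to a separately stored head, since removing records from the end leaves the remaining chain valid.

```python
import hashlib
import json
from typing import Optional

# Assumption: illustrative genesis value; the real ledger's genesis input is not given on this page.
GENESIS_HASH = hashlib.sha256(b"example-genesis").hexdigest()

def record_hash(prev_hash, payload):
    """SHA-256 over the previous record's hash plus a canonical JSON encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + body).hexdigest()

def append(ledger, payload):
    """Link a new record to the current tail (or to the genesis hash if the ledger is empty)."""
    prev = ledger[-1]["hash"] if ledger else GENESIS_HASH
    ledger.append({"prev_hash": prev, "payload": payload, "hash": record_hash(prev, payload)})

def verify(ledger, expected_head: Optional[str] = None):
    """Return (ok, index): index is the first record that breaks the chain, else None."""
    prev = GENESIS_HASH
    for i, rec in enumerate(ledger):
        if rec["prev_hash"] != prev or rec["hash"] != record_hash(prev, rec["payload"]):
            return False, i
        prev = rec["hash"]
    # Dropping records from the end leaves a valid chain, so compare the
    # final hash to a head value that is stored outside the ledger.
    if expected_head is not None and prev != expected_head:
        return False, len(ledger)
    return True, None

def build_sample():
    """Constructed sample ledger with three decisions."""
    ledger = []
    for i, decision in enumerate(["allow", "deny", "escalate"]):
        append(ledger, {"seq": i, "decision": decision})
    return ledger
```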
All user passwords are hashed using bcrypt with per-user salt and an adaptive cost factor. Plaintext passwords are never stored, logged, or transmitted. Password verification occurs server-side only.
Authentication uses JSON Web Tokens with configurable expiration. Tokens are signed with a 64-byte secret key and validated on every request. Expired tokens are rejected without exception.
API keys follow the format gl_xxxxx and support fine-grained permission scopes (govern, audit, risk, scan). Keys can be rotated, revoked, and audited per organization. Dual auth supports both API keys and JWT.
Per-plan rate limiting enforced at the middleware layer using Redis as the backing store. Limits are applied per API key and per organization: Free (20 rpm), Starter (100 rpm), Pro (500 rpm), Enterprise (2,000 rpm).
The application is built with OWASP Top 10 mitigations including parameterized database queries (SQL injection), input validation on all endpoints (XSS), CSRF protection via token-based auth, and strict Content-Security-Policy headers.
Every HTTP response from GovernLayer includes the following security headers, enforced at the middleware layer.
# Applied to every response via SecurityHeadersMiddleware
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline';
    style-src 'self' 'unsafe-inline';
    img-src 'self' data: https:;
    font-src 'self' https://fonts.gstatic.com;
    connect-src 'self'
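One way to check a captured response against the header set listed above (an added example, not GovernLayer's middleware): the header values are copied from the listing, while the function names, the choice of which headers to compare exactly, and the inline-script check are this example's own assumptions.

```python
# Expected values copied from the listing above.
REQUIRED = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
}

def parse_csp(value):
    """Split a CSP value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # If a directive is repeated, only its first occurrence applies.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(headers):
    """Return a list of findings for a {name: value} mapping of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in REQUIRED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif h[name].lower() != want.lower():
            findings.append(f"unexpected {name}: {h[name]}")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("missing content-security-policy")
    else:
        # script-src falls back to default-src when it is absent.
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("script-src allows 'unsafe-inline'")
    return findings

# Constructed sample: the documented header set as a response would carry it.
DOCUMENTED = {
    **REQUIRED,
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; "
    "font-src 'self' https://fonts.gstatic.com; connect-src 'self'",
}
```

Run against the documented set, `audit` reports only the inline-script allowance in `script-src`; a response that drops or weakens a header adds a finding for each difference.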
Your data stays yours. GovernLayer provides deployment options and data handling practices designed for the most privacy-sensitive environments.
GovernLayer aligns its own security practices with the same frameworks we help our customers meet.
Infrastructure hosted on SOC 2 Type II certified providers. Internal controls aligned to Trust Services Criteria. Pursuing formal SOC 2 Type II certification.
Pursuing Certification
Information security management practices aligned to ISO 27001 Annex A controls. Risk assessment, access control, and incident management follow the standard.
Aligned Practices
Data processing compliant with GDPR principles. Purpose limitation, data minimization, right to erasure, and data processing records maintained for all customer data.
Compliant
Security is automated into every stage of our development and deployment pipeline. No code ships without passing these checks.
Automated continuous integration on every push and pull request. Linting and full test suite must pass before merge.
Dependency vulnerability scanning using pip-audit. Known CVEs in Python packages are flagged and blocked before deployment.
Static Application Security Testing via Bandit. Python source code is analyzed for common security issues including hardcoded secrets and injection flaws.
Software Bill of Materials generated in CycloneDX format. Full dependency tree documented for supply chain transparency.
We take security reports seriously. If you discover a vulnerability, we want to hear from you.
If you believe you have found a security vulnerability in GovernLayer, please report it to us responsibly. We ask that you give us reasonable time to investigate and address the issue before any public disclosure. We will not take legal action against researchers who follow this policy.
Please include a description of the vulnerability, steps to reproduce, and any relevant proof-of-concept. We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.
Report vulnerabilities to: security@governlayer.ai