Security & Compliance

Security is not a feature at eGovern — it is the foundation. Every platform we build is designed from the ground up with a zero-trust architecture, assuming breach and enforcing least-privilege access at every layer. Our security posture is continuously validated through independent audits, red team exercises, and automated monitoring.

Our infrastructure is hosted across sovereign, geographically distributed data centres with the following controls in place:

• End-to-end encryption in transit (TLS 1.3) and at rest (AES-256)
• Hardware security modules (HSMs) for key management
• Network segmentation and micro-perimeter enforcement
• Immutable audit logs with tamper-evident storage
• Automated vulnerability scanning and patch management
• DDoS mitigation and rate limiting at the edge

Access to production systems and client data is governed by strict controls:

• Role-based access control (RBAC) with least-privilege enforcement
• Multi-factor authentication required for all staff and privileged accounts
• Just-in-time (JIT) access provisioning for sensitive environments
• Quarterly access reviews and automated de-provisioning
• Background checks and security clearance requirements for relevant roles

We maintain a documented incident response plan tested through regular tabletop exercises and red team engagements. In the event of a confirmed security incident affecting client data, we will notify affected clients within 72 hours of discovery, in accordance with applicable regulatory requirements. Our security operations centre (SOC) operates 24/7 with defined escalation paths and SLAs.

We conduct annual third-party penetration tests across all production systems and platforms. Critical and high-severity findings are remediated within 30 days. Clients operating under government contracts may request access to executive summaries of penetration test reports under NDA.

We operate a responsible disclosure programme. If you discover a security vulnerability in any eGovern system, please report it to security@egovern.com. We commit to:

• Acknowledging your report within 48 hours
• Providing a status update within 10 business days
• Not pursuing legal action against good-faith researchers
• Crediting researchers in our security acknowledgements (if desired)

We maintain a software bill of materials (SBOM) for all production systems and conduct regular reviews of third-party dependencies. All vendors with access to client data are subject to security assessments and contractual data processing obligations. We participate in relevant information sharing and analysis centres (ISACs) for our sectors.