# Hosted service contract
This document defines the managed cloud service boundary for GovBase on govbase.dev. Machine-readable fields live in ../../hosted-saas/service-contract.json.
## Managed cloud service
GovBase hosted is an operator-run audit-backed governance backend: append-only evidence, policy enforcement at ingest, authoritative GET /compliance-summary, and exportable audit artefacts. Customers integrate via HTTPS APIs and the dashboard; they do not manage database patching or ledger storage for the hosted path.
## Tenant boundaries
| Scope | Description |
|---|---|
| Tenant | Root isolation unit for billing, API keys, and row-level security. |
| Organization | Commercial entity; maps to a billing customer when Stripe is enabled. |
| Workspace | Shared governance boundary for a team. |
| Project | Evidence and CI scope (GOVAI_PROJECT). |
Cross-tenant access is denied at the application and database layers. Platform operators use break-glass procedures documented under security-and-isolation.md.
## Tenant onboarding
Canonical lifecycle states are in ../../hosted/tenant-lifecycle.json. The console onboarding flow is described in tenant-onboarding-console.md.
Self-service signup calls POST /api/tenants (authenticated with a Supabase JWT). The platform creates a row in tenants, links a teams / team_members owner, writes govai_team_ledger_bindings for ledger_tenant_id, seeds tenant_onboarding_progress, opens tenant_billing_accounts, and may return a one-time API key; only a hash of that key is stored, in tenant_api_keys. Operators no longer need to hand-create ledger bindings for standard hosted tenants.
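The one-time API key described above is returned to the customer once and persisted only as a hash. The following is an added example of that pattern, not GovBase's own code: the table and column names, the `gb_` prefix and the in-memory store are hypothetical stand-ins for tenant_api_keys, and the tenant check at the end mirrors the application-layer denial of cross-tenant access.

```python
"""Added example (not GovBase code): issue a one-time API key at onboarding,
store only its SHA-256 hash, and authenticate later requests against the hash.
Names such as tenant_api_keys columns and the key prefix are hypothetical."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

KEY_PREFIX = "gb_"  # hypothetical prefix so a leaked key is recognisable in logs


@dataclass
class ApiKeyRecord:
    tenant_id: str
    key_id: str                 # short public identifier, safe to log
    key_hash: str               # SHA-256 hex of the secret; the secret is never stored
    scopes: tuple[str, ...]


@dataclass
class TenantApiKeys:
    """In-memory stand-in for the tenant_api_keys table (constructed for the example)."""
    rows: dict[str, ApiKeyRecord] = field(default_factory=dict)


def _hash_secret(secret: str) -> str:
    # Keys are high-entropy random strings, so an unsalted fast hash is adequate;
    # a slow password hash is for low-entropy user passwords, not for API keys.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def issue_one_time_key(store: TenantApiKeys, tenant_id: str, scopes: list[str]) -> str:
    """Create a key, persist only its hash, and return the plaintext exactly once."""
    key_id = secrets.token_hex(4)           # 8 hex chars, used to look the row up
    secret = secrets.token_urlsafe(32)      # 256 bits of randomness
    store.rows[key_id] = ApiKeyRecord(tenant_id, key_id, _hash_secret(secret), tuple(scopes))
    return f"{KEY_PREFIX}{key_id}.{secret}"  # shown to the caller once, never logged


def authenticate(store: TenantApiKeys, presented: str, tenant_id: str):
    """Return the key's scopes if it is valid for this tenant, otherwise None."""
    if not presented.startswith(KEY_PREFIX) or "." not in presented:
        return None
    key_id, _, secret = presented[len(KEY_PREFIX):].partition(".")
    rec = store.rows.get(key_id)
    if rec is None:
        return None
    # Constant-time comparison of hashes, so timing does not leak match prefixes.
    if not hmac.compare_digest(rec.key_hash, _hash_secret(secret)):
        return None
    if rec.tenant_id != tenant_id:
        return None  # cross-tenant use is denied at the application layer
    return rec.scopes


if __name__ == "__main__":
    db = TenantApiKeys()
    key = issue_one_time_key(db, "tenant-a", ["evidence:write"])
    print("scopes for tenant-a:", authenticate(db, key, "tenant-a"))
    print("scopes for tenant-b:", authenticate(db, key, "tenant-b"))
```

Because only the hash lives in the store, a database read cannot recover a usable key, and the `key_id` prefix lets operators revoke or audit a specific key without ever handling the secret.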
## User roles
Role definitions and API key scopes: user-roles-and-permissions.md, ../../hosted-saas/user-roles-model.json.
## Audit data ownership
- Customer owns evidence content, policy configuration they submit, and exports they download.
- Operator provides custody, encryption, backups, and availability of the ledger store.
- On exit, customers receive an export window before purge timers complete (see backup-and-disaster-recovery.md).
## Hosted versus self-hosted responsibilities
| Responsibility | Hosted (govbase.dev) | Self-hosted |
|---|---|---|
| TLS and public API | Operator | Customer |
| Postgres and migrations | Operator | Customer |
| Backups and DR drills | Operator | Customer |
| Evidence emission | Customer | Customer |
| Verdict semantics | Same contract | Same contract |
## Deployment boundaries
- Dashboard and docs: https://govbase.dev
- Audit API: https://audit.govbase.dev
- Production secrets live only in the operator secret manager (never in git).
## Data retention
Plan limits in ../../hosted/subscription-plans.json define default retention. Legal hold pauses deletion. Offboarding starts a documented export window before purge.
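The retention rules above have a precedence: legal hold pauses deletion regardless of plan limits or offboarding, and an offboarded tenant gets an export window before anything is purged. The following added example (not GovBase code) encodes that precedence as one decision function; the retention and export-window lengths are constructed placeholders, not values from subscription-plans.json.

```python
"""Added example (not GovBase code): purge-eligibility check encoding the
retention precedence described in the contract. The 90-day retention and
30-day export window used here are placeholders, not plan values."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class TenantRetention:
    plan_retention_days: int               # default retention from the plan (placeholder)
    legal_hold: bool = False               # legal hold pauses deletion entirely
    offboarded_on: Optional[date] = None   # start of the export window on exit
    export_window_days: int = 30           # hypothetical export window length


def purge_decision(evidence_created: date, t: TenantRetention, today: date) -> str:
    """Return 'retain', 'export-window' or 'purge-eligible' for one evidence record."""
    if t.legal_hold:
        return "retain"  # legal hold wins over both plan limits and offboarding
    if t.offboarded_on is not None:
        window_end = t.offboarded_on + timedelta(days=t.export_window_days)
        if today < window_end:
            return "export-window"  # customer may still download exports
        return "purge-eligible"     # export window elapsed, purge timer may run
    if today - evidence_created < timedelta(days=t.plan_retention_days):
        return "retain"             # still inside the plan's default retention
    return "purge-eligible"


if __name__ == "__main__":
    created = date(2024, 1, 1)
    for label, tenant, today in [
        ("active, inside retention", TenantRetention(90), date(2024, 2, 1)),
        ("active, past retention", TenantRetention(90), date(2024, 6, 1)),
        ("offboarded, window open", TenantRetention(90, offboarded_on=date(2024, 3, 1)), date(2024, 3, 15)),
        ("offboarded under legal hold", TenantRetention(90, True, date(2024, 3, 1)), date(2025, 1, 1)),
    ]:
        print(f"{label}: {purge_decision(created, tenant, today)}")
```

Checking the hold first means a purge job cannot be tricked into deleting held evidence by an offboarding event, which is the edge case a retention implementation most often gets wrong.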
## Backup and recovery
See backup-and-disaster-recovery.md and ../../hosted-saas/backup-disaster-recovery.json.