Trust and Compliance

This page is maintained by EMEA Contech to answer common security, privacy, and deployment questions about our products. It describes enabled controls and current practices; it is not a third-party certification.

Security

Security posture

  • ISO 27001 alignment in progress - information security management system aligned with ISO 27001 controls; certification audit in progress.
  • Encryption in transit and at rest across all customer data.
  • Single sign-on (SSO) via enterprise identity providers.
  • Role-based access control (RBAC) with least-privilege defaults.
  • Application-level audit logging on every evaluation decision.
  • No public LLMs - private models run inside the customer tenancy; no third-party model provider sees customer submissions.

Privacy

Data privacy

  • GDPR ready and EU AI Act ready.
  • Data minimization - only the data needed for the evaluation is processed.
  • Source-linked outputs - every finding cites the exact page, clause, or BOQ cell it came from.
  • Customer data is never used to train shared models.
  • Ticketed vendor support access only - no permanent vendor access into customer environments.

Deployment

Deployment models

Model | What it means
Private Cloud | Single-tenant managed environment, isolated per customer.
On-Premise / Customer VPC | Deployed inside the customer's own infrastructure or virtual private cloud.
GCC Sovereign / Government Cloud | Data residency in Kingdom of Saudi Arabia, United Arab Emirates, or Oman government cloud regions.

Governance

Access and governance

Access roles are defined before rollout. Least privilege is the default. Separation of duties is enforced for tender boards: the reviewer, the approver, and the awarder are distinct roles, and every decision carries a full evidence trail back to the source documents.

AI recommends, humans decide. Qualification status is always presented as a reviewable recommendation, never an automated award.

Shared responsibility

What we own, what you own

EMEA Contech provides

The platform, the private models, the security controls listed above, the deployment environment for managed options, and the audit logging infrastructure.

Customer owns

User provisioning and de-provisioning, data classification, retention decisions, and the choice of deployment model that fits the customer's regulatory regime.