Trust & Security
A direct reference for the questions your procurement, legal, security, and audit teams will ask before any contract is signed. Data handling, IP, contractual terms, regional compliance, sub-processors, the stack we deploy on, security practices, and incident response — in one place, without marketing language.
01 · Data Handling
Where your data lives.
The single most important principle: your data does not leave your environment. We are configured around this assumption on every engagement.
Data stays in your environment
Client data — code, models, prompts, training datasets, production traffic — lives in your Azure subscription, AWS account, GCP project, or on-premise infrastructure. Gennoor Tech does not store client data on our infrastructure.
We access through your controls
During an engagement, our practitioners access your environment through your identity provider, your RBAC, your conditional access policies, and your audit logging. We do not maintain shadow credentials.
Access ends with the engagement
Engagement closure includes credential revocation, removal from your tenant, and a written attestation of off-boarding. We do not retain access "in case you need us later."
Documentation retention is bounded
Engagement documentation (scopes, plans, deliverables, decision logs) is retained for contract duration + 90 days unless your contract specifies a different period. Deletion-on-request honored within 30 days.
Telemetry is opt-in and aggregated
Anonymized engagement telemetry (e.g., aggregated prompt-volume metrics for our internal improvement) is opt-in only and never includes client content. The default is off: nothing is collected unless you opt in.
No data shared between clients
Insights, patterns, and learnings developed during one client engagement are not transferred — explicitly or implicitly — to another client. Reusable IP refers to non-client-specific frameworks only.
02 · IP Ownership
Who owns what — explicitly.
Most consulting engagements bury IP terms in 60 pages of MSA. We surface the table here so there are no surprises. The MSA references this; the SOW references the MSA.
| Artifact | Client owns | Gennoor owns | Note |
|---|---|---|---|
| Source code (production) | Yes | No | In your repository from day one |
| Source code (PoC / pilot) | Yes | No | Same: your repo from commit 1 |
| Fine-tuned model weights | Yes | No | Stored in your subscription / artifact registry |
| Prompts (production) | Yes | No | Versioned in your repository |
| Training & evaluation data | Yes | No | Never copied to our infrastructure |
| Architecture documentation | Yes | No | We retain a redacted copy |
| Engagement deliverables (reports, dashboards, runbooks) | Yes | No | We retain copies per Section 1 |
| Gennoor methodology (the Gennoor Way framework) | No | Yes | Non-confidential; listed in SOW as reusable IP |
| Gennoor evaluation harnesses (templates) | No | Yes | Re-implementable; not proprietary lock-in |
| Gennoor course content (PDFs, slides, scripts) | No | Yes | Licensed to client cohorts for the engagement period |
| Custom course content (co-authored with client) | Yes, when developed using your scenarios | No | Ownership follows the client scenarios the content is built on |
03 · Contracts
NDA, MSA, SOW, IP, indemnification, termination.
Our default contractual posture. We accept client templates and standard enterprise terms; we do not require unusual carve-outs.
Mutual NDA
Mutual non-disclosure agreement available before any data conversation. We work with your standard NDA template or provide ours. Typical exchange: 2–5 working days.
MSA (Master Services Agreement)
We accept client-provided MSAs as our default position. Standard exchange: 2–4 weeks of legal review. We also offer a Gennoor MSA template for organizations that prefer to start from a vendor template.
SOW per engagement
Each phase of work is a separate Statement of Work with explicit acceptance criteria, fixed pricing for Diagnose / Train / Innovate, and milestone deliverables. SOWs reference the MSA for boilerplate terms.
IP assignment
Standard work-product clause: all client-specific work product is assigned to client upon delivery and payment. Gennoor retains rights only to clearly-listed reusable IP (frameworks, methodology, course content).
IP indemnification
Indemnification against third-party IP claims arising from Gennoor-delivered work, subject to commercially reasonable caps. Specific limits negotiated per engagement size.
Termination & exit
Per-phase termination available at each phase gate. On termination, all client materials, code, and documentation are handed over within 10 working days; credentials revoked within 5.
04 · Regional Compliance
Data protection and AI regulation across our regions.
We operate primarily across GCC, India, Africa, and SEA, with engagements into the EU and US. Our default posture is data residency in the client's region; we accommodate sovereign and air-gapped requirements where mandated.
India
Digital Personal Data Protection Act (DPDP), 2023
Gennoor Tech Private Limited is registered in India and operates under DPDP. We handle Indian-jurisdiction client data within India where contractually required. Data Fiduciary obligations are honored when we process personal data on the client's behalf.
Saudi Arabia
Personal Data Protection Law (PDPL), enforced by SDAIA
For KSA-resident workloads we deploy on KSA-region cloud or on-premise infrastructure. We honor data residency requirements and do not transfer personal data out of KSA without consent and contractual authorization. Aligned with SDAIA enforcement priorities.
United Arab Emirates
Federal Data Protection Law (PDPL) + DIFC + ADGM regimes
We deliver into UAE workloads with deployment in UAE-region infrastructure. Familiar with DIFC and ADGM-specific regimes for financial-services clients. Cross-border transfers handled per the applicable regime.
European Union
GDPR · EU AI Act
For engagements involving EU data subjects, we operate under DPA terms with explicit lawful-basis documentation. EU AI Act risk classification incorporated into our governance assessments where applicable.
East Africa
Tanzania Data Protection Act, Kenya Data Protection Act
On-the-ground delivery experience in Tanzania and Kenya. We respect cross-border transfer restrictions and work with client legal teams on jurisdictional specifics.
Air-gapped / Sovereign
Defense, government, regulated finance, healthcare
Reference patterns for fully air-gapped deployment using open-source LLMs (Llama, Mistral, Phi) on private infrastructure via Ollama or vLLM. No internet egress, no public-API dependencies. Suitable for sovereign and classified workloads.
05 · Sub-Processors
The vendors involved in our operations.
The complete list of third-party vendors involved in Gennoor's operations and (where applicable) in client engagements. Cloud-vendor exposure depends on your stack choice — Azure / AWS / GCP / on-prem.
| Vendor | Purpose | Data shared | Location |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure for client engagements (only when client uses Azure) | Client data — but in CLIENT subscription, not ours | Client-selected region |
| AWS | Cloud infrastructure for client engagements (only when client uses AWS) | Client data — but in CLIENT account, not ours | Client-selected region |
| Google Cloud Platform | Cloud infrastructure for client engagements (only when client uses GCP) | Client data — but in CLIENT project, not ours | Client-selected region |
| GitHub | Source code hosting (only when client uses GitHub; otherwise Azure DevOps / GitLab / Bitbucket) | Source code — in CLIENT organization, not ours | GitHub global |
| Microsoft 365 | Internal Gennoor email, document collaboration, calendar — for our own operations only | No client production data. Engagement documents and meeting notes only. | Microsoft global with EU and India regional availability |
| Stripe / payment processor | Invoice payment processing for international engagements | Billing data only. No engagement content. | PCI-compliant provider |
| Notion or similar | Internal Gennoor project management and knowledge base | Engagement metadata and internal-only notes. No client production data. | Provider global |
06 · Our Delivery Stack
What we deploy on — by layer.
Stack-flexible by design. We default to Microsoft technologies where the client already uses Microsoft 365 or Azure, but we deliver natively on AWS, GCP, and open-source self-hosted stacks. Selection per engagement is documented in a Stack Fit Assessment.
| Layer | Primary | Alternates we use |
|---|---|---|
| LLM (cloud) | Azure OpenAI (GPT-4o, GPT-4o-mini) | AWS Bedrock (Claude, Llama, Titan), Google Vertex (Gemini), Anthropic API direct |
| LLM (open-source / self-hosted) | Llama 3.x, Mistral, Phi, Qwen | Self-hosted via Ollama, vLLM, Azure ML private endpoints |
| Agent frameworks | Microsoft Copilot Studio, Semantic Kernel, LangGraph | CrewAI, AutoGen, Microsoft Agent Framework |
| RAG / search | Azure AI Search (hybrid: keyword + vector + semantic ranking) | Pinecone, Weaviate, pgvector, Elasticsearch |
| Orchestration | Azure Functions, Azure Logic Apps | n8n, Temporal, AWS Step Functions |
| Data platforms | Microsoft Fabric, Azure ML | Databricks, Snowflake, BigQuery |
| Evaluation | MLflow, Azure AI Evaluation | Promptfoo, Ragas, LangSmith |
| Observability | Application Insights, MLflow Tracing | LangSmith, Arize, Datadog |
| Source control | GitHub, Azure DevOps | GitLab, Bitbucket |
| CI/CD | GitHub Actions, Azure Pipelines | GitLab CI, Jenkins, CircleCI |
| Front-end (when needed) | Next.js, Power Apps | React, Streamlit, Gradio |
07 · Security Practices
Controls we operate.
Our internal controls and how they interact with your environment. Where you have stricter controls than ours, yours apply; we adopt them on entry.
Encryption
At-rest and in-transit encryption is the responsibility of the client environment we deploy into. We do not introduce unencrypted data paths. For our internal communications, we use TLS-protected channels.
Secret management
Never plaintext. We use Azure Key Vault, AWS Secrets Manager, GCP Secret Manager, or HashiCorp Vault — depending on client environment. Secrets never enter source code or chat.
Role-based access control
During engagement, our access is governed by your IAM. Principle of least privilege. Time-bound access where supported. No shared accounts.
Source code custody
All source code in your repository from commit 1. We do not maintain "client-X-private" repos on our infrastructure.
Endpoint security
Gennoor practitioners operate on managed devices with disk encryption, password managers, MFA, and screen-lock policies. We provide a security attestation on request.
Background checks
Senior practitioners undergo background verification appropriate to the engagement (basic for commercial, enhanced for regulated finance, full clearance for defense / government when required). Documentation provided per engagement.
NDAs across the delivery team
Every practitioner involved in your engagement is covered by an NDA back-to-back with your client NDA. Because a standing practitioner NDA is kept on file, there is no per-engagement delay before our team can start.
Logging & monitoring
In your environment, we use your logging and monitoring stack. We do not exfiltrate logs. For our internal ops, audit logging is enabled on all administrative actions.
08 · Incident Response
How we respond, by severity.
Senior practitioner availability and notification timelines. SLAs apply during active engagement (Build, Sustain). Discovery-only engagements use a separate cadence spelled out in the SOW.
| Severity | Response | Notification |
|---|---|---|
| Sev-1 — production-impacting | Senior practitioner reachable within 4 hours | Written notification within 24 hours of awareness |
| Sev-2 — degraded service | Senior practitioner engaged within 1 business day | Notification within 48 hours |
| Sev-3 — minor / cosmetic | Acknowledged within 2 business days | Tracked through standard support cadence |
| Suspected data incident | Senior + client legal contact within 4 hours | Per applicable breach notification law (DPDP / PDPL / GDPR) |
09 · Compliance Alignment
Frameworks we operate against.
What we are aligned to, what we are certified to (and what we're not), and how we handle security questionnaires. Honest about gaps.
NIST AI Risk Management Framework
Active alignment. Risk assessments delivered in E1 Strategic Diagnostic are structured against NIST AI RMF categories (Govern, Map, Measure, Manage).
EU AI Act
Awareness and incorporation. For clients with EU exposure, AI systems are classified per the Act's risk categories during the Diagnose phase, and high-risk systems carry additional documentation per the Act's requirements.
ISO 27001 controls
Aligned, not certified. We follow ISO 27001 principles for information security management. Formal certification is on our roadmap but not currently held.
SOC 2
Not certified. We work with SOC 2 clients by aligning to their controls where applicable.
CAIQ / CSA STAR
CAIQ-style questionnaires answered within 5–10 working days of request. Custom security questionnaires honored on the same SLA.
OWASP for LLMs
OWASP Top 10 for LLM Applications considered during architecture review on every E3 Pilot and E4 Build engagement. Prompt-injection mitigations standard.
10 · Corporate & Insurance
Entity, governance, insurance.
Legal entity
Gennoor Tech Private Limited — registered in India. GST-compliant invoicing for Indian clients. International invoicing supported (USD, EUR, SAR, AED). Detailed entity documentation provided during MSA exchange.
Insurance
Professional liability and errors-and-omissions insurance carried. Limits available on request and adjustable by engagement size. Certificate of insurance issued as part of MSA execution.
Delivery model
Senior-only delivery. Active engagements capped per quarter to maintain quality. For larger programs (E4 Transformation), the senior lead is paired with mid-senior practitioners; the lead remains the accountable point of contact end-to-end.
Audit rights
Reasonable client audit rights accepted as standard MSA terms. One client audit per year on 30-days written notice; regulator-mandated audits accommodated as required.
11 · Procurement & Security FAQ
Direct answers to the questions you’re about to ask.
Do you store our data on Gennoor infrastructure?
No. Client data lives in your environment — your cloud subscription, your tenant, your on-prem infrastructure. Engagement documents (scopes, plans, redacted deliverables) are retained on our internal systems for contract duration + 90 days.
Can we use our MSA template, or do we have to use yours?
We accept client MSA templates as the default. We also have a Gennoor MSA template available for organizations that prefer to start from a vendor template. Typical legal exchange: 2–4 weeks, which we begin in parallel with scoping conversations.
How do you handle a data breach in a system you built?
Per Sev-1 incident response: senior practitioner reachable within 4 hours, written notification to client within 24 hours of awareness, breach-notification cooperation per applicable law (DPDP / PDPL / GDPR / sector regulators). Post-incident review with root cause and remediation within 10 working days.
Are you SOC 2 / ISO 27001 certified?
Not currently. We are aligned to ISO 27001 principles and operate ISO-27001-style controls (encryption, access management, change management, incident response). Formal certification is on our roadmap. For clients who require certified vendors, we work alongside certified system integrators as the AI specialist partner.
Can you sign our security questionnaire?
Yes. Standard CAIQ-style and client-custom security questionnaires are answered within 5–10 working days of receipt. Send the questionnaire to contact@gennoor.com (security subject line) and we route it to the senior practitioner who handles security review.
Who owns the code, prompts, and models we build together?
You do. The IP table on this page lists every artifact and its ownership explicitly. Client-specific code, prompts, fine-tuned models, training data, and deliverables are 100% yours. Gennoor retains rights only to clearly-listed reusable IP (methodology framework, evaluation templates, generic course content).
Can you work air-gapped for our sovereign / classified workloads?
Yes. Deploying open-source LLMs (Llama, Mistral, Phi, Qwen) on private infrastructure via Ollama or vLLM is one of our reference patterns. Zero internet egress, no public-API dependencies. We have delivered air-gapped builds in defense-adjacent and government contexts.
How is our data isolated from other Gennoor clients?
Three layers: (1) Engagement data lives in your tenant — physically separated from other clients. (2) Internal engagement documents are stored in client-keyed folders with access restricted to the engagement team. (3) Insights from one engagement are explicitly never transferred to another — our reusable IP is non-client-specific by design.
What happens to our access when the engagement ends?
Credentials revoked within 5 working days of engagement close. Off-boarding attestation provided in writing. Documentation retained per the retention period in your MSA (default: contract duration + 90 days). Deletion-on-request honored within 30 days.
Do you carry professional liability / errors and omissions insurance?
Yes. Limits available on request and adjustable by engagement size. Certificate of insurance issued to clients as part of MSA execution.
How do you handle PII / PHI / sensitive personal data?
For engagements involving regulated data, we default to private-deployment patterns (open-source LLM, on-prem or VPC-only infra), tokenization or de-identification before model inputs where possible, and explicit DPA terms in the MSA. Healthcare PHI engagements include additional HIPAA-equivalent controls.
Can your practitioners be background-checked?
Yes. Senior practitioners are subject to background verification appropriate to the engagement. For regulated finance, enhanced verification (employment history, criminal record check). For defense / government, full clearance support where required.
Do you accept right-to-audit clauses in the MSA?
Yes. Reasonable audit rights are standard. We typically agree to one client audit per year on 30 days' written notice, plus regulator-mandated audits as required. Scope is the work we performed and the documentation we retained for it.
For procurement, legal, security, or audit questions.
Send the questionnaire, contract, or specific question to the email below — we route it to the senior practitioner who handles security and procurement review. We respond within five working days for security questionnaires and within two working days for general contract questions.