AlfaTechLabs
Let's TalkBook a Demo
← Back to portfolio
Built for the UAE ● Flagship platform On-prem · Air-gapped RBAC · Audit-grade

AI that reads your documents — and shows its work.

Agentic retrieval-augmented generation for organisations that can't trade data for convenience. Sovereign or air-gapped deployment, role-based access on every chunk, citations on every claim, and a complete audit trail of what the model saw and did.

0
live deployments
0M docs
indexed across tenants
0%
citation precision · benchmark
0s p50
end-to-end latency
The console

Ask. Verify. Trust the answer.

Every claim cites the source. Every source is a real document the user is allowed to see. Tools, planning steps, and retrievals are visible and auditable — not hidden in a black box.

ai.ministry.gov.ae / workspace · policy
⌘K?

Federal procurement thresholds

Workspace · Policy · 3,420 docs · last updated 2h ago
SECURE v2.1 · on-prem
Fatima · policy analyst
What is the current threshold for direct procurement under federal regulation, and how does it differ from the emirate-level rules in Dubai?
Assistant model · llama-3 70B · on-prem
Plan · decomposed into 2 sub-questions: federal threshold; Dubai variation
82ms
Retrieve · federal regulation · 4 chunks · workspace: Policy · ACL passed
214ms
Retrieve · Dubai amendments · 3 chunks · workspace: Policy
198ms
Tool · table-lookup · threshold-table.csv · row: 2024 amendments
66ms
Synthesise & verify citations · 6 claims · 6 supported
312ms

Under federal regulation, direct procurement (without a competitive process) is permitted for contracts up to AED 200,000, raised from AED 150,000 in the 2024 amendments¹. Procurement officers must still document a single-source justification.

Dubai's emirate-level rules diverge in two ways²³:

  • The threshold is set lower at AED 100,000 for departments under Dubai Government Excellence Programme.
  • Above that, framework-agreement procurement is available for repeat purchases of routine supplies, which the federal rules do not codify.

For cross-jurisdictional procurement, the stricter ceiling applies — the federal rule only sets the upper bound.

Export memo Send to legal Ask follow-up
↗ summarize this answer ⌘ /reset planning ⇧ compare against draft all retrieval ACL-checked · 0 leaks

A representative session. Document names, citations and figures shown are illustrative — every deployment runs on the client's own corpus, behind their own perimeter.

How it thinks

A loop, not a single shot.

Naive RAG retrieves once and hopes for the best. Our agent plans, retrieves, calls tools, verifies its own citations, and re-plans when the evidence is thin. Every step is logged.

User question + workspace · role + conversation history 01 Plan decompose · scope 02 Retrieve hybrid · ACL-aware 03 Act tools · DBs · APIs 04 Synthesise draft · cite · ground 05 Verify claims ↔ sources 06 Reflect re-plan if thin Cited answer + traces · audit log + confidence · sources
Anatomy

Five capabilities. One platform. No surprises.

Each layer is engineered for the same outcome: an answer you can stake your reputation on.

01 — Ingestion & connectors

Bring your own corpus — wherever it lives.

Native connectors to the document stores your organisation already runs. Incremental sync, OCR, layout-aware parsing for tables and diagrams, and per-source ACL preservation.

  • SharePoint · Google Drive · Confluence · file shares
  • Email archives · ticket systems · SQL databases
  • OCR for scanned docs · PDF table extraction · diagram captioning
  • Per-document permission inheritance — never re-permission anything
  • Incremental sync · delta-only re-indexing
Sources · sync status
SourceTypeDocsLast syncStatus
SPPolicy SharePoint
SharePoint14,8202m agolive
GDLegal · Drive
Google Drive8,40214m agolive
CFOperations · Confluence
Confluence2,10842m agosyncing
FSArchive · NAS
SMB share38,9901h agolive
DBProcurement · Postgres
SQL182k rows3h agolive
EMInbox · Exchange
Email62,4016h agore-auth
02 — Security & isolation

Built for organisations that can't trade data for convenience.

On-prem, sovereign-cloud or air-gapped. Document permissions enforced at the chunk level — the model can only retrieve what the asking user is already allowed to see. Nothing leaves your perimeter.

  • On-prem · sovereign-cloud · air-gapped deployment
  • Chunk-level ACLs · per-user, per-workspace, per-tag
  • PII detection & redaction at ingest and at output
  • SSO · SAML · LDAP · Active Directory integration
  • End-to-end encryption · KMS-managed keys
Security posture · production
Deployment
On-prem · single-tenant · client KMS
Air-gapped
ACL enforcement
Chunk-level · per-user · per-tag
14,820 rules
PII redaction
At ingest & at output · 18 entity types
99.4% recall
Audit trail
Every retrieval · every tool call
7-year retention
Identity
SSO · SAML · MFA enforced
100% SSO
Egress
No outbound · model weights local
0 leaks
03 — Hybrid retrieval & ranking

Find the right paragraph — not the closest-sounding one.

Dense embedding retrieval for semantic recall, BM25 for keyword precision, cross-encoder reranking for final ordering. Retrieval is workspace-scoped, ACL-checked, and aware of conversation context.

  • Dense (E5 / bge) + sparse (BM25) hybrid retrieval
  • Cross-encoder reranking · top-100 → top-8
  • Conversation-aware query rewriting
  • Per-workspace tuning · custom embeddings on request
  • Sub-200ms p50 across 1M+ chunks
Retrieval · Q&A benchmark
Recall@1094.2%
+18pp over dense-only baseline
MRR0.81
Mean reciprocal rank · top-cited
Citation precision93.8%
Claims supported by their cited source
Hallucination rate0.6%
Unsupported claims · self-verify catches
p50 latency1.4s
End-to-end · including planning & verify
p99 latency3.8s
Even with re-plan loops
04 — Agents & tools

Beyond Q&A — workflows that finish the work.

Custom tools your domain needs: structured table queries, calculator, calendar, ticket creation, code execution in a sandbox. The agent decides when to call them, you decide which exist.

  • Tool-use protocol · custom function calling
  • Sandboxed code execution for reproducible analysis
  • Structured output: JSON · forms · spreadsheets
  • Multi-step workflows: retrieve → compute → draft → route
  • Human-in-the-loop checkpoints on sensitive actions
Tools · in this workspace
table-lookup
Query a structured CSV / DB by row · column
used 1,402×
calc
Sandbox python · numbers, dates, FX
used 3,118×
calendar
Read & write Exchange / Google · meetings
used 408×
ticket-create
Create Jira / ServiceNow · attach context
used 214×
email-draft
Compose · attach citations · human review
used 902×
memo-export
Render answer as branded PDF · sign & archive
used 1,816×
05 — Governance & audit

If it can't be audited, it can't be trusted.

Every retrieval, tool call, planning step and final answer is logged with attribution. Compliance officers can replay any session, see exactly what the model saw, and export evidence for review.

  • Append-only audit ledger · 7-year retention
  • Per-session replay: question, retrievals, tools, answer
  • Compliance dashboards · adoption · risk · accuracy
  • Red-team mode & jailbreak monitoring
  • Model & prompt version pinning · rollback
Audit log · last 30 minutes
FA
Fatima A. · queried "federal procurement thresholds"
workspace: Policy · 7 retrievals · 2 tool calls · answer cited 4 sources
12:42
SK
System · ACL denied 2 chunks for user role analyst
doc-classified-2024-q3.pdf · workspace: Legal · expected · logged
12:42
RM
Compliance · Reem M. · exported session #18204 to evidence archive
PDF + JSON trace · signed · retention 7y
12:38
JA
Jasem A. · flagged answer #18198 for review
reason: outdated source · routed to policy reviewer
12:31
SK
System · prompt-injection attempt blocked & logged
user-uploaded PDF contained instruction-override pattern · isolated
12:24
Under the hood

A platform you can run yourself.

Everything ships as containers. Bring your own GPU, your own keys, your own LDAP. We provide the platform; you keep the data.

CLIENTS CONTROL PLANE AGENT & RETRIEVAL DATA & MODELS Web console React · streaming UI Slack / Teams bot in-channel · DM REST / SDK embed in your apps Compliance dash audit · adoption · risk API + Auth SSO · SAML · OAuth2 rate-limit · audit streaming WebSocket Agent runtime plan · act · verify · reflect Retrieval engine hybrid · ACL-aware · rerank Tool registry sandbox · DB · email · APIs Ingestion pipeline parse · OCR · chunk · embed Eval & safety PII · jailbreak · self-verify Vector store pgvector · Qdrant BM25 · OpenSearch keyword · facet Postgres + ACLs tenants · roles · chunks Object store source docs · evidence Model · GPU Llama 3 · Qwen · local
In production

Three deployments. Three industries. One platform.

Anonymized at the client's request. Sector, scale and outcomes are real and verifiable on request under NDA.

Government · Policy

Policy analysts get an answer in 90 seconds, not an afternoon.

Federal ministry · 14 analysts · 3,420 docs

A federal policy unit replaced the practice of "ask the senior analyst" with a sovereign on-prem deployment. The corpus: every regulation, decree, circular and amendment going back 12 years. Air-gapped; nothing leaves the perimeter.

"Junior analysts now produce briefings the seniors can sign without rewriting them. The citations are the unlock."

— director, policy unit

12×
faster briefing turnaround
94%
citation precision
100%
on-prem · air-gapped
0
data egress events
Enterprise · Legal

Contract review at the speed of partnership.

In-house legal · 28 lawyers · 180k contracts

A regional conglomerate's legal team uses the platform to triage incoming contracts against their own playbook — flagging deviations, citing the playbook clause, and drafting a redline memo for the partner to review.

"It does the first read of every contract that lands in our inbox. The partners get to spend their time on the hard 10%."

— general counsel

−74%
first-pass review time
+4.1×
contracts reviewed / week
96%
deviation-flag accuracy
7-yr
audit retention
Enterprise · Customer support

Tier-1 support agents that actually know the product.

Telco · 220 agents · 42k KB articles

A regional telco's tier-1 support agents have the assistant beside their CRM. It reads the customer's account context, the ticket, the device manual and the latest network bulletin — drafts a response, cites the article, and routes to tier-2 only when needed.

"Our average handle time dropped, and our customer-satisfaction score went up. Both at once. Rare."

— head of customer operations

−38%
avg handle time
+11pt
CSAT improvement
−52%
escalations to tier-2
3 wks
to live with 220 agents
Implementation

Live in 6 weeks. Cautiously.

Our standard rollout: discovery, secure environment provisioning, corpus ingestion, evaluation, pilot, and a 30-day stabilisation. We move quickly on infrastructure and slowly on trust — exactly the right pace for sensitive data.

Talk through your rollout
Week 1 · Discovery

Map the corpus & the questions

Sources, document types, ACL model, target use-cases, evaluation set. Threat model and deployment topology agreed in writing.

Week 2 · Secure provisioning

Stand up the environment

On-prem cluster (or sovereign cloud) provisioned. SSO & LDAP wired. KMS keys handed over. Network ingress & egress locked down.

Week 3 · Ingestion

Index the corpus

Connectors live. ACLs imported and verified. First-pass index complete. Initial retrieval evaluation against the gold set.

Week 4 · Tuning

Tune retrieval & agent

Reranker tuned. Custom tools added. Domain-specific prompts. Evaluation iterated until citation precision passes the bar.

Week 5 · Pilot

Pilot with 5–10 users

Real users, daily review of every session. Issues fixed in hours. Adoption coached. Compliance dashboard handed to risk team.

Week 6 · Roll-out

Open to the team

Wider rollout. Training kits in-platform. We stay close — daily, then weekly — for 30 days, then transition to support cadence.

Compliance

Built for regulated environments.

We design to the strictest regulator in the room. SOC 2, ISO 27001, UAE NESA, GDPR-equivalent data residency, and sector-specific frameworks on request.

SOC 2 · Type II
Security
ISO 27001
Infosec
UAE NESA
Sovereign
GDPR-equiv
Privacy
UAE PDPL
Privacy
HIPAA-ready
Healthcare
PCI-DSS
Payments
FedRAMP-style
Gov-grade
AES-256
Encryption
EU AI Act
AI · ready
Common questions

The things every CIO asks.

If yours isn't here, ask us directly — we welcome the security questionnaire.

Send your questionnaire
Does our data ever leave our perimeter?

No. The default deployment is on-prem or sovereign-cloud, single-tenant, with all model weights, embeddings and source documents resident inside your boundary. There is no required outbound call. For air-gapped clients we deliver a fully offline release artefact.

Which model do you use? Can we bring our own?

By default we deploy open-weight models (Llama 3, Qwen, Mistral families) — they are competitive on retrieval-heavy workloads and they run inside your perimeter. Clients can also bring their own model: Azure OpenAI in a private link, an internal fine-tune, or a sovereign endpoint. The agent runtime is model-agnostic.

How do you prevent hallucinations?

Three layers. First, the retrieval is good — strong recall on the right document. Second, the agent self-verifies: every claim in the draft is checked against its cited source before the answer is shown. Third, the UI never hides the source — users see the chunk, not just the citation. On benchmarks our hallucination rate sits below 1%.

How are document permissions handled?

Permissions are inherited from the source system at ingest time and stored at the chunk level. Every retrieval is filtered by the asking user's effective permissions before the model sees anything. The model can never retrieve a chunk the user is not already entitled to read.

What about prompt injection from uploaded documents?

We treat all retrieved text as untrusted. Tool execution is sandboxed; tool calls require structured arguments, not free-form prompts. Documents are scanned for instruction-override patterns at ingest. Sensitive tools (email, ticket creation, code execution) require explicit user confirmation in the UI.

Can we audit what the model said and saw?

Yes — every session is replayable. Compliance officers see the question, the retrieval results (including filtered-out items), every tool call and its arguments, the draft, the verified-claim mapping, and the final answer. Audit ledger is append-only with 7-year retention by default.

What's pricing?

A platform subscription based on user-seats and corpus size, plus a one-time deployment fee. Sovereign / air-gapped contracts are quoted separately because the support model is different. We share a worked example in the discovery call — no obligation.

Book a private walkthrough

See it on your corpus.

45 minutes. We'll demo the platform on a sanitised slice of your real documents — not a sample dataset.