AlfaTechLabs
Let's TalkBook a Demo
← Back to portfolio
Built for the UAE ● Live in production Enterprise · Internal-only Air-gapped option

Every answer cited. Every access logged. Nothing leaves the perimeter.

An internal knowledge hub for a UAE conglomerate's 1,800-person corporate centre — replacing the "ask the SME" bottleneck with a cited, audit-grade assistant that reads SharePoint, Confluence, contracts, and twelve years of board memos.

0 seats
deployed corporate-wide
0K docs
indexed across functions
0%
citation precision
0%
faster time-to-answer
The console

Ask. Verify. Act on the answer.

Every claim cites the document. Every document is one the asking employee was already cleared to see. Tools, planning steps and retrievals are visible — not hidden behind a black box.

kb.acmegroup.ae / workspace · corporate
⌘K?

Supplier-funded travel policy

Workspace · Corporate · 42,180 docs · last updated 4h ago
SECURE v3.2 · on-prem
Hessa · senior procurement officer
What's our policy on supplier-funded travel? Specifically: can a Tier-1 vendor fly me business-class to a factory inspection, and what disclosure is required?
Assistant model · llama-3 70B · on-prem
Plan · decomposed into 3 sub-questions: cap on hospitality value; class of travel; disclosure thresholds
94ms
Retrieve · code of conduct · 5 chunks · workspace: Corporate · ACL passed
186ms
Retrieve · procurement policy · 4 chunks · workspace: Corporate
202ms
Tool · table-lookup · hospitality-thresholds.csv · row: Tier-1 vendor
58ms
Synthesise & verify citations · 5 claims · 5 supported
288ms

Yes, with disclosure. Supplier-funded travel is permitted for inspection or training purposes, capped at a per-trip value defined by vendor tier¹. For Tier-1 vendors, the cap is AED 18,000 per trip and explicitly allows business-class travel for journeys over 6 hours².

Three disclosure obligations apply³:

  • File a Form HR-22 within 5 working days of return — your line manager and Compliance must both sign.
  • Declare the trip in your annual conflict-of-interest declaration.
  • If the same vendor sponsors more than one trip per calendar year, escalation to the Audit Committee is automatic.

Note: gifts of cash, equity, or items above AED 1,500 in personal value are never permitted, regardless of context¹.

Export memo Send to Compliance Pre-fill Form HR-22
↗ summarize for line manager ⌘ /reset planning ⇧ compare against last year's policy all retrieval ACL-checked · 0 leaks

A representative session. Document names, citations and figures shown are illustrative — every deployment runs on the client's own corpus, behind their own perimeter.

Anatomy

Five layers — engineered for one outcome.

An answer that an officer can sign their name to. Without surprises, leaks, or guesswork.

01 — Connectors & ingestion

Read everywhere your knowledge already lives.

Native connectors to the corporate document stores you already run. Layout-aware parsing for tables and signed PDFs, OCR for scanned legacy files, and per-source permission inheritance from day one.

  • SharePoint · Google Drive · Confluence · OneDrive
  • Outlook archive · Exchange shared mailboxes
  • SMB/NAS file shares · 12 years of legacy contracts
  • OCR for scanned docs · table extraction · signature blocks
  • Incremental sync · delta-only re-indexing every 15 minutes
Sources · live sync
SourceTypeDocsLast syncStatus
SPHR · SharePoint
SharePoint8,4202m agolive
SPLegal · SharePoint
SharePoint11,6084m agolive
CFOperations · Confluence
Confluence3,24012m agolive
FSContracts · NAS
SMB share14,90238m agosyncing
EMBoard · Exchange
Email archive3,8101h agolive
DBVendor master · SQL
Postgres42K rows3h agolive
02 — Permissions inheritance

The model can only see what the user is already allowed to see.

Permissions are not bolted on after — they're inherited from each source system at ingest time and stored on every chunk. Retrieval is filtered by the asking user's effective rights before the model sees a single character.

  • Chunk-level ACLs · per-user, per-group, per-classification
  • SSO · SAML · Active Directory · MFA enforced
  • SharePoint and Confluence permission inheritance
  • Re-permissioning happens automatically on source change
  • Restricted classifications never reach the retrieval index
Permission posture · production
Identity
SSO · SAML · MFA · Azure AD
100% SSO
ACL rules
Chunk-level · per-user · per-tag
218,400 rules
PII redaction
At ingest & at output · 18 entity types
99.4% recall
Classification
Public · Internal · Confidential · Secret
4 tiers · enforced
Egress
No outbound · weights local · keys local
0 leaks
Re-perm SLA
User group change → effective in retrieval
< 30s
03 — Cited answers & eval

An answer you can stake your name on — because it's been verified before you see it.

Every claim in the answer is mapped back to the chunk that supports it. Self-verification runs before the answer reaches the user. Compliance can replay any session in full.

  • Per-claim citation mapping · chunk-level provenance
  • Self-verification: claims are checked against cited sources
  • Hallucination rate below 1% on our internal eval
  • Domain-specific eval set, jointly built with Compliance
  • Continuous re-evaluation when policies are updated
Eval · last 30 days · 12k queries
Recall@1096.1%
+22pp vs dense-only baseline
Citation precision94.0%
Claims supported by their cited source
Hallucination rate0.7%
Self-verify catches before answer is shown
p50 latency1.6s
End-to-end · including verify pass
Adoption · WAU76%
Weekly-active vs licensed seats
Time-to-answer−68%
Vs baseline interview-the-SME
04 — Deployment shapes

VPC-private, on-prem, or fully air-gapped — your choice, your perimeter.

No mandatory call to a hosted API, no model weights leaving your data centre. We deploy where your security model says we must, not where it is convenient for us.

  • VPC-private · single-tenant inside your cloud account
  • On-prem · client KMS, client-supplied GPUs
  • Air-gapped · fully offline, signed release artefacts
  • Bring-your-own-model: Llama 3 70B, Qwen, internal fine-tunes
  • Container-only ship: Helm charts, no opaque binaries
Deployment options · this client
VPC-private
Single-tenant · client cloud · client KMS
Standard
On-prem
Client data centre · client GPUs
Selected
Air-gapped
Fully offline · signed release artefact
Available
Bring-your-own model
Llama 3 · Qwen · client fine-tune
Supported
05 — Audit ledger

Every retrieval. Every tool call. Every answer. Replayable, exportable, signed.

If it can't be audited, it can't be trusted. The ledger is append-only, signed, and retained for seven years by default. Compliance can reproduce any past session in full.

  • Append-only audit log · 7-year retention · signed entries
  • Per-session replay: question, retrievals (incl. filtered-out), answer
  • Compliance dashboard · adoption · risk · accuracy
  • Red-team mode & jailbreak-attempt logging
  • Model and prompt version pinning · rollback
Audit log · last 30 minutes
HA
Hessa A. · queried "supplier-funded travel policy"
workspace: Corporate · 9 retrievals · 1 tool call · cited 4 sources
14:08
SK
System · ACL denied 3 chunks for user role procurement
audit-committee-internal-only.pdf · workspace: Audit · expected · logged
14:08
RM
Compliance · Reem M. · exported session #84210 to evidence archive
PDF + JSON trace · signed · retention 7y
13:54
JA
Jasem A. · pre-filled Form HR-22 · sent to manager
attached audit trace · auto-routed to Compliance for co-sign
13:42
SK
System · prompt-injection attempt blocked & logged
user-uploaded vendor brochure contained instruction-override pattern · isolated
13:21
Under the hood

A platform you run yourself.

Containers. Helm charts. Your KMS. Your LDAP. Your GPUs. We provide the platform; you keep the data.

EMPLOYEES CONTROL PLANE AGENT & RETRIEVAL DATA & MODELS Web console React · streaming UI · SSO Teams & Slack bot in-channel · DM · approval REST & SDK embed in internal tools Compliance dash audit · adoption · risk API + Auth SSO · SAML · OAuth2 rate-limit · audit streaming WebSocket Agent runtime plan · act · verify · reflect Retrieval engine hybrid · ACL-aware · rerank Tool registry forms · email · calendar · DB Ingestion pipeline parse · OCR · chunk · embed Eval & safety PII · jailbreak · self-verify Vector store pgvector · Qdrant BM25 · OpenSearch keyword · facet Postgres + ACLs tenants · roles · chunks Object store source docs · evidence Model · GPU Llama 3 · Qwen · local
In production · this client

Three functions. One platform. One perimeter.

Anonymized at the client's request. Function, scale and outcomes are real and verifiable on request under NDA.

HR · 220 staff

HR queries answered in seconds — by every line manager.

Group HR · 220 line managers · 8K policy docs

Line managers used to email HR for every leave-balance, allowance and entitlement question. The hub now answers them in 30 seconds, citing the exact policy clause and seniority band — and HR gets to spend time on the cases that actually need a human.

"I get the answer with the policy reference. My team trusts it because they can see the source."

— head of corporate HR

−72%
HR ticket volume
94%
first-answer accuracy
100%
policy citations
3 wks
to onboard 220 managers
Legal · in-house

First-pass contract review, every time, against our own playbook.

In-house legal · 18 lawyers · 14K contracts

The legal team uses the hub to triage incoming third-party contracts — flagging clauses that deviate from the playbook, citing the playbook reference, and drafting a redline memo for the senior counsel to review.

"It does the first read of every contract. Senior counsel only sees the deviations now."

— general counsel

−68%
first-pass review time
+3.6×
contracts reviewed/week
96%
deviation-flag accuracy
7-yr
audit retention
Procurement · cross-business

Procurement officers stop chasing policy and start running deals.

Group procurement · 64 officers · 11K vendor docs

Procurement used to lose hours per week chasing the right approver, threshold, or vendor history. The hub answers in seconds, pre-fills the disclosure forms, and links to the exact prior memo where a precedent was set.

"I close more vendor evaluations in a week than I used to in a month. The forms come pre-filled."

— senior procurement officer

+2.4×
evaluations/week
−54%
policy lookups
100%
disclosure forms pre-filled
0
classified-doc leaks
Implementation

From kick-off to corporate-wide in 8 weeks.

Discovery, secure provisioning, ingestion, evaluation, pilot, and a 30-day stabilisation. We move quickly on infrastructure and slowly on trust — exactly the right pace for an internal knowledge platform.

Talk through your rollout
Week 1 · Discovery

Map the corpus & the questions

Sources, document types, ACL model, target use-cases, evaluation set. Threat model and deployment topology agreed in writing.

Week 2 · Secure provisioning

Stand up the environment

On-prem cluster (or VPC) provisioned. SSO & LDAP wired. KMS keys handed over. Network ingress & egress locked down.

Week 3–4 · Ingestion

Index the corpus

Connectors live. ACLs imported and verified. First-pass index complete. Initial retrieval evaluation against the gold set.

Week 5 · Tuning

Tune retrieval & agent

Reranker tuned. Custom tools added (HR-22, vendor-master lookup, calendar). Domain prompts iterated against the gold set.

Week 6 · Pilot

Pilot with 30 users across HR, Legal, Procurement

Real users, daily review of every session. Issues fixed in hours. Adoption coached. Compliance dashboard handed to risk team.

Week 7–8 · Roll-out

Open to 1,800 seats

Wider rollout, function by function. Training kits in-platform. Daily then weekly review for 30 days, then transition to support cadence.

Compliance

Built for regulated environments.

We design to the strictest framework in the room. SOC 2, ISO 27001, UAE NESA, and sector-specific frameworks on request.

SOC 2 · Type II
Security
ISO 27001
Infosec
UAE NESA
Sovereign
UAE PDPL
Privacy
GDPR-equiv
Privacy
HIPAA-ready
Healthcare
PCI-DSS
Payments
FedRAMP-style
Gov-grade
AES-256
Encryption
EU AI Act
AI · ready
Common questions

The things every CIO asks.

If yours isn't here, ask us directly — we welcome the security questionnaire.

Send your questionnaire
Is this the same as your Agentic RAG flagship?

Yes — Corporate Knowledge Hub is our Agentic RAG platform configured for an internal-corporate-knowledge use case. The flagship deep-dive walks through the platform itself; this page describes one specific deployment shape (1,800-seat corporate centre, on-prem, ACL-inherited from SharePoint & Confluence) and the outcomes that came with it.

Can it read our existing SharePoint and Confluence permissions?

Yes. Permissions are inherited at ingest time and stored at the chunk level. If a user can't open the document in SharePoint, the model will not retrieve any chunk from it — the retrieval is filtered before the model sees a single character. Permission changes propagate in under 30 seconds.

What about prompt injection from uploaded documents?

All retrieved text is treated as untrusted. Tool execution is sandboxed; tool calls require structured arguments, not free-form prompts. Documents are scanned for instruction-override patterns at ingest. Sensitive tools (forms, email, ticket creation) require explicit user confirmation in the UI.

How long to roll out across 1,800 seats?

Eight weeks end-to-end is our standard pace: one for discovery, one for secure provisioning, two for ingestion, one for tuning, one for pilot, two for staged rollout. Faster is possible if your environment is already standardised.

What's pricing for 1,800 seats?

A platform subscription based on user-seats and corpus size, plus a one-time deployment fee. Sovereign / on-prem contracts are quoted separately because the support model is different. We share a worked example in the discovery call — no obligation.

How are evaluations built?

Jointly with your Compliance and Knowledge owners. We start with a 200-question gold set drawn from real recent queries, with the right answers and the supporting clauses. The model has to pass a citation-precision and recall bar against that set before any user touches it. The gold set re-runs on every model upgrade or policy change.

What if the model gets it wrong?

The user sees the cited source and the chunk text — they can verify before they act. Every flagged answer routes to a reviewer queue. Compliance can replay the full session, see exactly what the model saw, and export the trace as evidence. Wrong answers are turned into eval cases and the model is re-tuned against them.

Can it generate forms and route them through Compliance?

Yes — that's the most common tool we wire up. The agent can pre-fill HR-22, COI declarations, vendor-evaluation memos and similar internal forms, attach the retrieval trace as supporting evidence, and route them to the named approver. Approvers see the form and the trace side by side.

Built on our flagship Agentic RAG platform — read the full platform deep-dive →
Book a private walkthrough

See it on a slice of your corpus.

45 minutes. We'll demo the platform on a sanitised slice of your real documents — not a sample dataset.