BearingNorthAI · Security & compliance

How we handle data and access across every product we build.

Security at BearingNorthAI is a company-wide standard, not a per-product feature. Every product we build, and every engagement we run, follows the same principles for data ownership, access control, encryption, and human oversight, with private cloud deployment available where you need it.

Company-wide security postureApplied across every product
CollectIsolateEncryptLogReview
Private cloud deployment options across every product · Your data never trains public models · Role-based access enforced company-wide · Every consequential action can be logged

Security principles

Six commitments that apply to every product and engagement.

These are not marketing claims specific to one product. They are the standards our team builds against, whether we are shipping a WhatsApp agent, a document tracker, a tendering engine, or a GTM automation.

Private by design, across the whole company

Zenvox, ZenDox, Zortex, and ZentraBid can each be deployed inside a cloud environment your business signs off on, with the same architecture principles applied consistently across every product we build.

Customer data stays customer data

Conversations, documents, ERP records, tender archives, and business policies belong to you. Nothing you upload or connect is used to train a public AI model, on any product or engagement.

Access follows least privilege

Every team member, on every account, only sees what their role requires. Admin permissions and tenant isolation are standard, not an add-on.

Encrypted in transit and at rest

Data moving between systems is encrypted end to end, and stored data uses the encryption controls offered by the hosting or cloud provider selected for that deployment.

Audit-ready by default

AI replies, human handoffs, CRM updates, and account actions can be logged across our products, so your team has a clear trail whenever a question comes up.

A human is always reachable

Every product we build routes sensitive or unclear cases to a person. Automation never removes the option of a human decision where it matters.

Data lifecycle

What happens to your data from the moment it reaches us.

01

Collection

We only collect what a product or engagement needs to function: the documents, records, and conversations you choose to connect or upload, nothing more.

02

Processing

Data is processed inside the deployment architecture agreed for your account, whether that is a shared managed environment or a private cloud stack built around your preference.

03

Storage

Each customer's data is isolated in its own tenant or namespace. Nothing is pooled, shared, or cross-referenced between customers at any point.

04

Retention and deletion

Retention periods are agreed with each customer at onboarding. On request or contract end, data can be exported and then deleted from our systems on a defined schedule.

Private AI deployment

Choose the cloud stack your security team already trusts.

For customers who need it, any BearingNorthAI product can be architected around a specific enterprise cloud, so conversations, business knowledge, and AI inference stay inside a controlled environment you already manage.

AWS-first customers

Amazon Bedrock

For businesses already standardized on AWS, our products can be architected around Amazon Bedrock, keeping the AI layer inside AWS's own infrastructure and governance controls.

Microsoft 365 and Azure customers

Microsoft Foundry

For Microsoft-led businesses, our products can deploy on Microsoft Foundry and Azure AI services, aligning access control and data governance with the Azure environment you already manage.

Google Cloud customers

Google Vertex AI

For Google Cloud-first teams, our products can run on a Vertex AI-based stack, keeping AI inference, APIs, and data architecture inside your existing Google Cloud environment.

Vendors and subprocessors

We hold our own vendors to the same standard.

BearingNorthAI relies on a small set of reviewed infrastructure and messaging providers to run its products. Every vendor that touches customer data goes through the same review before it is added to any deployment.

Vendors and subprocessors are reviewed before they touch customer dataWhatsApp messaging runs through Twilio's WhatsApp Business APIHosting and infrastructure providers are chosen for regional availability and uptime track recordEvery subprocessor is bound by a data processing agreement before go-liveNew vendors are added only after a security review by our teamCustomers can request the current subprocessor list at any time

Guidelines and frameworks

Aligned to UAE requirements today, and broader frameworks as customers need them.

Most SMBs and mid-market customers do not need a heavy compliance program on day one, but they do need the right foundation. We build against UAE requirements by default, then map to additional frameworks as customer, investor, or enterprise-buyer requirements get stronger.

UAE PDPL-aware data handling across every engagementNESA-aligned control mapping for UAE-based customersISO 27001 control alignment support on requestSOC 2 readiness conversations for larger accountsSupport for completing customer security questionnairesA cloud architecture review before go-live on any private deployment

FAQ

Security questions we get from leadership teams.

Is this policy the same across Zenvox, ZenDox, Zortex, and ZentraBid?

Yes. Data ownership, tenant isolation, least-privilege access, and audit logging are company-wide standards we apply to every product, not a policy that varies product by product.

Does BearingNorthAI use our data to train AI models?

No. Customer conversations, documents, ERP records, tender archives, and business data are never used to train public models, on any product or account.

Can we require a private cloud deployment?

Yes. For customers with stricter requirements, our products can deploy on your preferred stack across AWS, Microsoft Azure, or Google Cloud. The exact architecture depends on your systems and internal security policy.

Where is our data hosted?

By default, data is hosted with providers chosen for UAE and regional availability. For customers who require a specific cloud, region, or provider, we architect the deployment around that requirement.

Can BearingNorthAI be checked against our internal security policy?

Yes. During onboarding we can map our practices against your existing policy, covering access rules, data retention, logging, approval steps, cloud region preference, and how records move into your systems.

Who do we contact for a security review or questionnaire?

Reach out through our contact page and ask for the security and compliance team. We support customer security questionnaires and can share our subprocessor list and architecture documentation on request.

Security review

Bring your security checklist. We will map our practices against it.

Share your internal policy, preferred cloud provider, and compliance requirements, and our team will walk you through exactly how BearingNorthAI's products and infrastructure fit.