Trust Center

Sovereignty Standards

Sovereignty means the customer retains full control of their data, code, and credentials. Nothing leaves the customer's perimeter without explicit, auditable consent. Elmahrosa builds to this standard by default.

• Customer data processed within TEOS stack systems does not flow to Elmahrosa's servers or third-party analytics without explicit customer configuration.
• All TEOS products are designed for self-hosted deployment inside the customer's own infrastructure.
• API keys, credentials, and secrets are never stored by Elmahrosa except where the customer explicitly provisions a managed service tier.
• Law over Code: when regulatory obligation and technical capability conflict, the regulatory obligation governs.

Responsible AI Statement

Elmahrosa develops AI systems for high-stakes institutional environments. We hold ourselves to a higher disclosure standard than consumer AI products.

Capability claim tagging system — every claim is tagged:

• Verified Tested and confirmed in production-equivalent conditions.
• Probable Technically sound and expected to work, but not yet confirmed end-to-end in production.
• Inferred Reasonably expected based on underlying technology, but not specifically tested in this context.
• Speculative Theoretically possible but not demonstrated. Included for roadmap transparency only.

Disclosure Policy

Elmahrosa commits to timely, clear, and honest disclosure on the following:

• Security incidents affecting customer data: disclosed to affected customers within 72 hours of confirmation, and publicly within 7 days.
• Material capability limitations that affect a customer's procurement decision will be disclosed proactively before contract signature.
• Third-party dependencies disclosed — Anthropic Claude API is our primary AI dependency.
• Active threat intelligence: brand impersonation and malware targeting the AI ecosystem in MENA will be published via the Security Advisory page.

Vulnerability Reporting

Elmahrosa welcomes responsible disclosure of security vulnerabilities. We commit to:

• Acknowledge receipt within 48 hours of submission.
• Provide initial severity assessment within 7 business days.
• Resolve confirmed critical vulnerabilities within 30 days where technically feasible.
• Not pursue legal action against reporters who follow responsible disclosure principles.

To report: email ayman@elmahrosa.org with subject "Responsible Disclosure — [Product Name]".

Auditability

Every AI-generated verdict in TEOS Sentinel Shield is logged with a timestamp, the input that triggered it, the rules applied, the verdict, and the risk score. No verdict is issued without a complete, human-readable explanation.

• No black-box outcomes — every TEOS decision traces to a named rule or model invocation.
• Logs are customer-controlled and not retained by Elmahrosa after the customer's retention policy expires.
• Customers may connect their own SIEM systems to receive TEOS verdict events in real time via webhook.

Self-Hosted Capability

All TEOS stack products are engineered to run inside the customer's own infrastructure. Self-hosted deployment is the default, not an enterprise add-on.

• TEOS Sentinel Shield deploys as three PM2-managed services on the customer's own hardware with no Elmahrosa-hosted dependencies required.
• UCH Sovereign Core operates entirely within the customer's network perimeter. Patient data does not leave the hospital's own infrastructure.
• TEOS Comply-Crawl can be containerized and deployed via Docker Compose inside the customer's data zone.

Compliance Posture

Elmahrosa International is a privately held Egyptian company governed by the laws of the Arab Republic of Egypt. Our compliance posture is designed for procurement review by government and institutional buyers in MENA and East Africa.

• Intellectual Property: all TEOS stack products are governed by Egyptian IP Law No. 82 of 2002.
• Data protection: compatible with Egyptian Personal Data Protection Law No. 151 of 2020 and similar frameworks.
• Third-party AI: TEOS products invoke the Anthropic Claude API. Customers should review Anthropic's data handling policies for API usage.
• Healthcare: UCH Sovereign Core is designed with reference to HIPAA technical safeguards.

AI Risk Governance

AI risk governance must be deterministic at decision gates, not probabilistic. Before any autonomous AI agent executes an action, the action is scored against 25 named rules across three scan engines and a verdict is returned.

• AI agents using TEOS Sentinel Shield cannot bypass the pre-execution gate. The verdict (BLOCK/WARN/ALLOW) is enforced programmatically.
• The 25 MCP rules are documented, named, versioned, and available for customer review.
• Risk scoring thresholds are configurable per deployment. High-security environments can set all WARN verdicts to BLOCK.

Human Oversight Policy

AI autonomy must be bounded by human review at every decision with material consequences. Our systems are built to advise and accelerate human decision-making, not to replace it.

• All TEOS Sentinel Shield BLOCK verdicts result in a halt and human notification — no automatic destructive action without human confirmation.
• UCH Sovereign Core presents AI-assisted clinical documentation as drafts requiring physician review and sign-off before being committed to patient records.
• No Elmahrosa product is advertised as autonomous in contexts involving patient safety, legal documents, or financial transactions.
• Law over Code: when AI outputs conflict with the legal or ethical judgement of the responsible human, the human governs.

Contact Security Team