AI Trust & Security Overview
1. Introduction
This document describes how Tacton uses artificial intelligence (AI) in its products and customer implementation projects, how we protect customer data in that context, and the governance structures we have in place to ensure responsible and accountable AI use.
We publish this document for one reason: transparency. We want customers, procurement teams, and information security reviewers to have a clear, honest picture of our practices – not because we are required to, but because we believe trust is built on clarity.
A note on scope: Tacton operates a global SaaS platform used by manufacturers to configure, price, and quote complex products. AI is one capability within that platform. This document covers AI specifically – for broader security and data protection information, please refer to Tacton’s Security Information at https://www.tacton.com/about-us/information-security/ and the Data Processing Agreement available at tacton.com/legal-information.
Like every modern enterprise software company, Tacton uses AI tools and technologies across product development, services, internal operations, and in selected product features. We approach this the same way we approach every other technology decision: by selecting capable, secure tools and processes; by protecting the data entrusted to us; and by complying with applicable law. The category of a tool – AI or otherwise – does not change those obligations, and it does not lower our standards.
2. How Tacton Uses AI
2.1 AI-powered product features
Tacton’s CPQ platform includes AI-augmented features designed to help users work more efficiently. These features are accessible via the standard Tacton CPQ interface and are subject to the same authentication, authorization, and access controls as the rest of the platform.
Key design principles applied to all AI product features:
- Human-in-the-loop by default – No AI-generated change takes effect automatically. Every suggestion must be reviewed and explicitly accepted by the user before it is applied. Any additional automation may be configured by the customer.
- Tenant isolation – Each customer operates in a strictly isolated tenant. AI features are architecturally prevented from accessing, reading, or influencing data belonging to any other tenant. This is not a policy control – it is an enforced technical boundary. An AI interaction in one tenant cannot, by design, reach data from another.
2.2 What Tacton does not do with AI
- Tacton does not use customer data to train or fine-tune AI models.
- Tacton does not make automated decisions about customers or their end users based on AI output without human review.
- Tacton does not share customer data with AI providers beyond what is strictly necessary to deliver a specific product feature, and only under appropriate confidential provisions and contractual protection.
- AI providers used by Tacton do not use customer data to train or fine-tune AI models.
3. Data Handling & AI Training
3.1 Customer data is not used to train AI models
This is our clearest and most important commitment in this document: Tacton does not use customer data to train, fine-tune, or improve AI models, whether our own or those of third-party providers.
When customer data is processed by an AI feature, it is used solely to generate the specific output requested by the user in that session. It is not retained by the AI provider beyond the inference call, and it is not used to improve the underlying model.
Training commitment in our MSA: Tacton’s Master Services Agreement explicitly provides that AI outputs and learnings that arise from operating AI features do not include Customer Data or Customer Confidential Information. These contractual protections apply to all customers operating under the current MSA.
3.2 Data flow in AI features
For the AI features, the data flow is as follows:
- The authenticated user uploads context within their tenant.
- The Tacton backend assembles a structured prompt by adding additional Tacton IP to the context as well as prompt execution logic. The user’s identity (name, email) is used for audit logging only and is not included in the prompt sent to the AI model.
- An inference request is made to AWS Bedrock in the customer-specified AWS region.
- The structured response is validated against the product schema, then returned to the user for review.
- No customer data is stored by the AI provider. Data at rest remains in Tacton’s dedicated AWS infrastructure, within the customer-specified AWS region.
No customer data leaves the customer’s region in normal operation of the AI features.
3.3 Data residency
Tacton’s AI features are hosted and processed within AWS infrastructure in the EU (eu-west-1, Ireland). Customer data submitted to AI features is stored in:
| Storage type | Location |
| --- | --- |
| Uploaded files (AWS S3) | Customer-specified AWS region |
| Conversation history (AWS MySQL) | Customer-specified AWS region |
| AI inference (AWS Bedrock) | Customer-specified AWS region |
4. Security & Infrastructure
4.1 Certifications
Tacton maintains the following security certifications, which cover the full product portfolio including AI product features:
| ISO 27001 | Tacton’s Information Security Management System (ISMS) is certified under ISO/IEC 27001. This certification covers the policies, processes, and controls that govern how we identify, manage, and mitigate information security risks across our organization — including risks associated with how customer data is handled within AI-enabled features of our product portfolio. |
| SOC 2 Type II | Tacton holds SOC 2 Type II certification, demonstrating that our security, availability, and confidentiality controls operate effectively over time. The AI features are within the scope of this certification. Reports are available under NDA upon request. |
| Annual Pen Testing | Tacton conducts annual third-party penetration tests across its product infrastructure, including AI components. Findings are tracked and remediated according to severity. |
4.2 Infrastructure
All Tacton SaaS infrastructure, including AI features, runs on Amazon Web Services (AWS). Key infrastructure properties include:
- Environment separation – Production, staging, and development environments run in separate AWS accounts and VPCs with independent IAM boundaries, Kubernetes namespaces, database clusters, and S3 buckets. Production data is never replicated to non-production environments unless specifically requested by the customer.
- Encryption in transit – All data in transit is encrypted using TLS 1.2 or higher.
- Encryption at rest – All customer data stored in S3, databases, and backups is encrypted at rest using AES-256.
- Access control – Access to production systems is restricted to authorized Tacton personnel, requires MFA, and is logged. Privileged access reviews are conducted regularly.
- Kubernetes autoscaling – The AI features run on Kubernetes with horizontal autoscaling, ensuring performance under load without degrading isolation between tenants.
4.3 Authentication & access to AI features
Access to AI features is gated by the same authentication stack as the Tacton CPQ platform. Customers authenticate via their own Identity Provider (IdP) using SAML, OIDC, or Azure AD with MFA enforced. A short-lived JWT is issued and verified for each AI session. No AI feature is accessible without valid authentication within the customer’s tenant.
4.4 Logging & auditability
All AI interactions are logged with the following information: input summary, output summary, model identifier, timestamp, and user identity. Logs are retained as part of Tacton’s centralized observability stack and are available for export via standard Tacton CPQ audit-log channels. Customers requiring SIEM integration may connect via these export channels.
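The data flow in 3.2 and the audit record in 4.4, as an added Python illustration that is not Tacton’s own code: the prompt is assembled without the user’s identity, the identity goes only into the audit record, the model’s structured output is checked against a product schema, and anything that passes is staged as pending until the user explicitly accepts it. The schema, field names and model response are constructed assumptions.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Assumed product schema for one structured suggestion: field -> allowed type(s).
PRODUCT_SCHEMA = {"part_number": str, "quantity": int, "discount_pct": (int, float)}


@dataclass
class AuditRecord:
    """Fields section 4.4 lists for every AI interaction."""
    user_id: str
    email: str
    input_summary: str
    output_summary: str
    model_id: str
    timestamp: str


def build_prompt(user_context: str, tacton_instructions: str) -> str:
    """Assemble the structured prompt: customer context plus Tacton's own
    instructions (assumed layout). No user identity fields are added here."""
    return json.dumps({"context": user_context, "instructions": tacton_instructions})


def validate_response(raw: str) -> Optional[dict]:
    """Accept the model output only if it parses as JSON and matches
    PRODUCT_SCHEMA exactly (no missing, extra or mistyped fields)."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict) or set(obj) != set(PRODUCT_SCHEMA):
        return None
    for key, typ in PRODUCT_SCHEMA.items():
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(obj[key], bool) or not isinstance(obj[key], typ):
            return None
    return obj


def run_ai_feature(user_id, email, user_context, model_response, model_id, ts):
    """Return (pending_result, audit_record). The model call itself is
    replaced by the caller-supplied constructed `model_response`."""
    prompt = build_prompt(user_context, "assumed Tacton prompt logic")
    audit = AuditRecord(user_id, email, user_context[:40], model_response[:40], model_id, ts)
    validated = validate_response(model_response)
    if validated is None:
        return {"status": "rejected", "prompt": prompt}, audit
    # Nothing takes effect yet: the suggestion waits for explicit acceptance.
    return {"status": "pending_user_review", "suggestion": validated, "prompt": prompt}, audit


def accept(pending: dict, user_confirmed: bool) -> Optional[dict]:
    """Human-in-the-loop gate: apply the suggestion only on explicit approval."""
    if pending["status"] != "pending_user_review" or not user_confirmed:
        return None
    return pending["suggestion"]
```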
5. Compliance & Regulatory Alignment
5.1 GDPR
Tacton acts as a Data Processor with respect to personal data that customers submit through the Services, and as an independent Data Controller for business contact information and login credentials. Tacton’s Data Processing Agreement (DPA) sets out the obligations, rights, and safeguards applicable to personal data in full compliance with GDPR. With respect to AI features: personal data (such as a user’s ID and email) is captured for audit logging purposes only. It is not included in prompts sent to AI models.
5.2 EU AI Act
Tacton has assessed its AI features against the risk classification framework of the EU AI Act. The AI features operate in a narrowly defined, professional domain and are not deployed in any of the prohibited-use or high-risk categories enumerated in the Act.
Key factors in this assessment:
- Users are always informed when they are interacting with an AI feature.
- The system does not make decisions with legal or similarly significant effects on individuals.
- Every AI-generated output requires explicit human acceptance before it takes effect.
- No biometric data, sensitive personal categories, or real-time inference about individuals is processed.
Tacton continues to monitor regulatory guidance as the AI Act implementation progresses and will update its assessments accordingly.
5.3 NIS2 & CRA
Tacton’s existing ISMS and security program – as evidenced by the ISO/IEC 27001 certification and SOC 2 Type II audit – aligns with the security risk management and incident response requirements of NIS2 as they apply to software service providers. The NIS2 Directive requires organizations to implement appropriate technical and organizational measures to manage cybersecurity risks, maintain business continuity, and ensure timely incident reporting. Tacton’s certified ISMS addresses these obligations through documented risk assessment processes, a structured incident response capability, and defined recovery procedures, all subject to independent audit.
As a SaaS provider to customers globally, Tacton is committed to supporting customers in meeting their own NIS2 obligations where Tacton forms part of their supply chain, including through transparency around security controls and clear channels for incident notification.
The EU Cyber Resilience Act (CRA) is primarily designed for products with digital elements – such as hardware devices, IoT components, and distributed software – and as a cloud-based SaaS provider, Tacton’s core product offerings generally fall outside its direct scope. Tacton nonetheless monitors the regulation closely and has conducted assessments to confirm its applicability posture as the CRA progresses toward full enforcement.
Where the CRA is relevant to Tacton’s context is indirectly – many of Tacton’s manufacturing customers produce and sell physical products with digital elements that will be subject to CRA requirements. Tacton is aware of this and considers how its CPQ and manufacturing software can support customers in managing the configuration, engineering, and compliance data flows that underpin their own CRA obligations.
5.4 Data residency & sovereignty
Tacton’s AI features operate within the customer’s specified AWS region. Customers with specific data residency requirements should contact their Account Executive or Customer Success Manager at Tacton, as regional deployment options may be available.
6. Human Oversight & AI Governance
6.1 Internal AI governance
Tacton maintains an internal AI governance process that applies to the development, deployment, and operation of all AI features. This includes:
- Pre-deployment review – New AI features and model changes are reviewed by a cross-functional team including product, engineering, security, and legal before being deployed to production.
- Bias and safety assessment – AI features are assessed for potential bias and unintended outputs, both at initial deployment and when AI models are updated. Tacton also relies on the safety work performed by model providers as a complementary control.
- AI model versioning and rollback – Tacton pins specific AI model versions per tenant via configuration. If a model update introduces undesirable behavior, rollback is performed by reverting the tenant’s model configuration without requiring data migration or retraining.
- Continuous monitoring – AI interactions are monitored for anomalies, unexpected output patterns, and errors as part of Tacton’s standard observability pipeline.
6.2 Hallucination and AI output validation
Generative AI is predictive by nature, which means there is always a risk of incorrect output or hallucinations. Tacton applies several techniques to reduce the risk this poses to users and to the customer’s business.
- By default, AI output is highlighted and requires user approval before changes take effect.
- References to data sources are provided to explain why the AI output was generated.
- When applicable, AI output is validated by Tacton’s deterministic algorithms (symbolic AI).
It is important to acknowledge that Tacton’s AI features should be viewed as assistants where users keep accountability for the use of any output generated.
7. Customer Controls
Tacton believes that customers should have meaningful control over how AI is used within their environment. The following controls are available:
| Control | Details |
| --- | --- |
| Feature availability | AI features can be enabled or disabled at the tenant level by the customer’s CPQ administrator. |
| AI model selection | Tacton manages AI model selection centrally to ensure quality and security. Changes are communicated in advance where they may affect behavior. |
| Audit log access | Customers can access complete logs of AI interactions within their tenant via the standard audit log. |
| Data deletion | Upon termination, Tacton will delete all customer data, including data associated with AI features, in accordance with the MSA. |
| DPA and data requests | Customers wishing to exercise data subject rights, or with questions about data processing, should contact their Account Executive or Customer Success Manager (Account Team) at Tacton. |
Tacton does not currently offer opt-out from AI features on a per-user basis within a tenant where AI features are enabled. Administrators wishing to restrict AI access should do so at a tenant level. If you have a specific requirement, please discuss with your Account Team.
8. AI Providers
Tacton uses third-party infrastructure and AI services to deliver its products. The following are the primary AI Providers:
| Provider | Role | Information |
| --- | --- | --- |
| Amazon Web Services (AWS) | Cloud infrastructure & AI inference platform (Bedrock) | Structured prompts and product data submitted to AI features. AWS does not use this data to train models. |
| AI model vendor (via AWS Bedrock) | AI model provider | Models are hosted by AWS and accessed via AWS Bedrock under AWS Service Terms. |
9. Frequently Asked Questions
The following questions reflect the most common concerns raised by customers’ legal, security, and procurement teams.
Can we require Tacton to sign our company’s AI policy?
Tacton cannot operate under individually negotiated AI requirements from each customer. As a multi-tenant SaaS provider serving hundreds of enterprise customers, applying different AI-use constraints per customer would make it impossible to maintain the uniform security, quality, and compliance standards that protect all customers equally. Instead, Tacton publishes this document and offers the contractual commitments set out in its MSA and DPA, which are designed to address legitimate concerns consistently. We welcome feedback on gaps.
Does Tacton use our data to improve its AI?
No. Customer data is not used to train or fine-tune AI models. Tacton may use aggregated, de-identified, non-customer-identifying data for product analytics and improvement, as set out in the MSA. This is a contractual commitment, not just a policy statement.
Which AI model does Tacton use, and can we choose?
Tacton uses AI models available in AWS Bedrock. These currently include models from Anthropic and OpenAI. Model selection is managed centrally by Tacton to maintain quality and security. Customers cannot currently select a different model provider. If a customer has a specific regulatory constraint around model providers, please raise this with your Account Team.
Is Tacton’s AI covered by ISO 27001 and SOC 2?
Yes. The AI features are part of the Tacton product portfolio and fall within the scope of Tacton’s ISO/IEC 27001 ISMS and SOC 2 Type II certification. SOC 2 reports are available under NDA upon request.
What happens if the AI produces an incorrect output?
Incorrect outputs are prevented from taking effect through two technical safeguards (schema validation and deterministic configurator validation) and one human control (the mandatory human-in-the-loop review step). No AI output is applied without explicit user acceptance. It is the customer’s responsibility to ensure that all AI-generated output is reviewed by an authorized user before acceptance. If an error is identified after acceptance, standard Tacton support processes apply.
Does Tacton’s AI comply with GDPR?
Yes. Personal data handling in AI features is governed by Tacton’s DPA.
How does Tacton handle AI risk under the EU AI Act?
Tacton has assessed its AI features against the EU AI Act’s risk classification framework and considers its current features and functionality to fall within the limited-risk or minimal-risk categories. This assessment is based on the nature of Tacton’s AI capabilities – which support commercial configuration, pricing, and quoting workflows rather than high-stakes decision-making in sensitive domains such as employment, credit, or critical infrastructure.
For features that fall within the limited-risk category, the relevant transparency obligations are met: users are informed when they are interacting with AI-generated outputs, and human oversight is maintained as a mandatory control – AI outputs do not autonomously execute actions without user confirmation.
Tacton monitors the EU AI Act as implementation continues and prohibited practices and high-risk provisions become enforceable and will update its assessments accordingly as the regulatory landscape matures.
10. Contact & Further Questions
We recognize that AI governance is an evolving area, and we take our customers’ concerns seriously. If this document does not answer your question, or if you have a specific concern about how AI is used in your deployment, please reach out to your Account Executive or Customer Success Manager at Tacton.
Document version and updates: This document is reviewed and updated at least annually, and whenever material changes are made to Tacton’s AI capabilities or practices. The current version is always available at tacton.com/legal-information. Customers are notified of material changes via the standard product communications channel.
© 2025 Tacton Systems AB. Tacton AI Trust & Security Overview, Version 1.0. This document is provided for informational purposes and does not constitute a binding contractual commitment except where expressly incorporated by reference into an executed agreement. For contractual terms, refer to the Master Services Agreement.