How we work with security, legal, and procurement.
This page documents how VG Tech Consulting handles confidentiality, client data, intellectual property, references, and engagement terms. It is written for the teams on the client side who own these questions: security, legal, procurement, and the engineering leader paying the invoice.
Confidentiality & NDAs
Mutual NDAs are standard on every engagement. We assume everything you share is confidential by default.
Every engagement begins with a mutual NDA before any scoping conversation touches non-public information. Enterprise engagements are under NDA by default and we do not disclose client names publicly.
Case studies on this site fall into two categories: fully named (with written permission from the client) or anonymised to a descriptor level that reveals nothing about the client beyond industry shape and scale (for example, "B2B SaaS, Series B, 15-engineer team, APAC").
We never use client-specific code, data, prompts, configurations, or deliverables in marketing, thought-leadership content, or other client engagements without explicit written permission.
Client data handling
Your data stays inside your boundary wherever possible. We are a boundary-aware consultancy by default.
Access scope
We access only what an engagement requires (specific repositories, specific systems, specific datasets). Access is typically provisioned via the client's SSO, with audit logs on the client side.
Work location
Most hands-on work happens inside client-controlled environments (client laptops, client cloud tenants, client repositories). Where we use our own machines, they are full-disk encrypted with enforced screen-lock and patched automatically.
No training on client data
We do not fine-tune models on client code or data, nor share client artefacts with model providers in ways that allow retention or training. When we use foundation models inside an engagement, we use configurations that disable training on inputs (for example, enterprise or API-tier settings).
Secret hygiene
Production credentials, customer PII, and similar high-sensitivity data are not required for most engagements, and we ask clients not to share them. Where access is genuinely necessary, it is handled via scoped, time-limited credentials managed on the client side.
End of engagement
On engagement close, access is revoked by the client and any local copies of client artefacts on our side are deleted. We retain only what is required for our own records (invoices, sign-offs, high-level engagement summary).
Intellectual property
You own all work product. IP is assigned to the client on delivery with no residual rights retained on our side.
All work product created during the engagement (tools, code, documentation, configurations, prompt libraries, evaluation harnesses, custom integrations, and training material derived from your systems) belongs to the client. Our standard contract assigns IP to the client on delivery.
We keep no residual rights over client-specific work. We do retain the right to apply the generic know-how and methods we develop across engagements, but never client-specific artefacts.
Any pre-existing tooling or frameworks we bring into an engagement are clearly identified at the start and licensed for the client's continued use after the engagement ends.
Reference policy
We can offer four options during evaluation, without breaching any existing client NDAs.
Anonymised NDA references
Reference calls with past clients under mutual NDA. Names and identifying details are protected; the conversation focuses on working model, delivery quality, and outcomes.
Named public references
The founders of HoverBot and LabCaddy have publicly consented to speak to our work and are available for reference conversations.
Professional references
Professional LinkedIn references for our partners, covering prior enterprise and platform engineering work, are available on request.
Hands-on demonstration
A 60-90 minute walk-through of an agentic SDLC workflow in a real repository. You see the practice rather than hearing about it. No commitment.
Capacity model & access control
Engagements are led end-to-end by a senior partner. Delivery is amplified through AI agents and a vetted specialist network, both under NDA and under partner accountability.
Every engagement is owned by a senior partner from scoping to closeout. There is no delivery-management layer and no rotating bench; the partner you scope with is the partner you ship with across the full contract.
Delivery capacity is extended in two ways. First, through AI agents running inside a guardrailed SDLC (we use the same agentic patterns we install for clients). Second, through a vetted specialist network we bring in selectively when an engagement benefits from additional bandwidth on a specific problem.
All extensions of capacity operate under a consistent set of controls: specialists sign mutual NDAs before accessing engagement context; AI agents operate within the client's tenant and under the client's data policies; the senior partner reviews work product before it lands in the client environment. Clients are accountable to, and work with, the senior partner throughout.
Regulatory context
Based in Singapore, we work across APAC and familiar jurisdictions, and design engagements to align with the regulatory context of the client.
VG Tech Consulting is a Singapore-incorporated entity. Our partners have led AI adoption and engineering enablement programmes at enterprise scale in APAC, and we understand the operational and regulatory landscape across the region.
For governance engagements we work against SOC 2, ISO 27001 alignment, Singapore PDPA, MAS technology risk management guidelines, GDPR (for APAC firms with EU customers), and emerging AI-specific frameworks (EU AI Act, NIST AI RMF). We tailor to your jurisdiction mix rather than offering a single template.
Where a client has specific data-residency requirements (for example, data must not leave Singapore or a specific cloud region), we design the engagement and tooling choices to fit those constraints from the start.
Contract defaults
Clear, mutually-cancelable, time-and-materials. No hidden terms.
Pricing model
Time-and-materials, billed monthly against timesheets. The client pays for actual work delivered. No value-based, retainer-fixed, or outcome-contingent pricing by default.
Engagement shape
Diagnostic (60 minutes), Hands-on Demo (60-90 minutes), Sprint (2-8 weeks), or Embedded Retainer (typically 12-month shape, adjustable by mutual agreement). Embedded Retainer baselines at around 35 hours per week, flexible up or down.
Notice period
2 months from either side on Embedded Retainer. Sprint and Diagnostic engagements are single-scope and complete in full.
Re-contract
Option to re-contract before an engagement ends, with continuity of the same senior partner.
Expenses
Travel and similar expenses are excluded from the baseline fee and invoiced at cost only where required and pre-approved.
Additional resources
Additional consultants or specialists can be added by mutual agreement if scope expands. The senior partner leading the engagement does not change.
Incident response & continuity
Clear single point of contact, structured escalation, and honest reporting when something goes wrong.
Every engagement has a single point of contact on our side (the senior partner) and a named point of contact on the client side, normally a technical leader. All deliverables, decisions, and change requests flow through these two points, so context is never lost across conversations.
If something goes wrong in the engagement (a tool misbehaves, an agent generates code that causes a production issue, a change of scope is required) we report honestly and fast, propose a remediation path, and only bill for the actual work required to resolve the situation.
Tool and process changes always go through a small-group proof of concept before team-wide rollout. We do not push changes directly into production workflows without the client's explicit sign-off.
Request a security & procurement pack.
For enterprise evaluations we can share a compact pack covering our standard MSA and NDA templates, data-handling controls, sub-processor list, incident response, and pre-filled answers to the most common security questionnaires. Available under mutual NDA.