
AI Security in the Public Sector: ENS and GDPR

By: Icela Martin | Technology

The adoption of Artificial Intelligence in the public sector has moved from being a curiosity to a strategic necessity. However, for any Chief Information Officer (CIO), Data Protection Officer (DPO), or Chief Information Security Officer (CISO), operational efficiency can never override security.

The fear of "Shadow AI" (the unauthorized use of AI tools by employees) is real. In the private sector we have already seen cases of source code and other sensitive information being leaked through such tools. In public administration, a similar error is not a financial loss; it is a violation of national security or citizen privacy.

When a public institution uploads a specification to the cloud, the critical question is not "what can AI do with this?", but "where does my data go, who sees it, and is it used to train the model?".

In this technical article, we break down Tendios' security architecture and how we guarantee compliance with the National Security Scheme (ENS) and GDPR in GovTech environments.


The Architecture of Isolation: Your Digital "Safe"

The biggest myth—and the biggest risk—of Large Language Models (LLMs) concerns prompt privacy: the assumption that what you type stays private. Free tools often use your data to retrain their future models. At Tendios, the policy is unequivocal: your data is yours. We never train models with client data.

To guarantee this, we use a strict logical isolation architecture (Single-Tenant Logic). Even if the processing engine is powerful, your data never mixes.

Technical Glossary: How Do We Protect Information?

For technical profiles, this is how we translate our architecture and security:

  • RAG (Vector Database) with Traceability: We use RAG technology over a vector database that allows documentary verification. This ensures the AI does not "hallucinate" or invent data, always offering grounded and traceable answers, unlike generic models.
  • Compliance and European Data Security: The platform is designed prioritizing regulatory compliance, protection, and data security according to European standards.
  • Specialized and Centralized AI: We do not use a generalist model; we operate with an AI specialized in the regulatory and documentary complexity of Public Procurement, centralizing all operations in an all-in-one platform to avoid information fragmentation.

Regulatory Compliance and Certifications

In public procurement, security is not promised; it is certified. Our infrastructure is aligned with the strictest requirements of the Spanish and European public sector.

National Security Scheme (ENS)

We work on infrastructure certified in the National Security Scheme (High Category). Tendios implements the organizational, operational, and protection security measures required to guarantee the confidentiality, integrity, traceability, authenticity, and availability of public information.

ISO 27001 and 27018

Our processes and cloud providers comply with the ISO/IEC 27001 (Information Security) and ISO/IEC 27018 (Protection of Personal Data in the Cloud) standards, aligning with GDPR requirements and ensuring auditable controls exist over who accesses what data and when.

Data Residency (GDPR)

Unlike tools that route data through servers in the US, we guarantee data sovereignty. All information processed by Tendios resides and is processed exclusively within the European Economic Area (EEA), eliminating risks of non-compliant international transfers.

Comparison: Public AI vs. Generic Cloud vs. Tendios

Not all private AIs are equal. What is the real difference between consuming an Azure OpenAI API directly ("raw") and using Tendios?

| Feature | Public AI (ChatGPT Free/Plus) | Generic Cloud (Azure/AWS) | Specialized GovTech (Tendios) |
|---|---|---|---|
| Training with your data | Yes (Default) | NO (Configurable) | NEVER (By design) |
| Data Residency | Global (USA) | Configurable | European Union (Guaranteed) |
| ENS Compliance | Not designed for it | Requires complex configuration | Native (Out-of-the-box) |
| Data Deletion | Difficult to verify | Retention policies | Full user control (Immediate deletion upon request/closing file) |
| Access Traceability | Limited | Complex technical logs | Full user audit |


Frequently Asked Questions About AI Security (FAQ)

Is it safe to upload specifications with personal data to Tendios?

Yes. In addition to encryption, we apply obfuscation or pseudonymization techniques wherever possible. Furthermore, by signing the Data Processor contract (Art. 28 GDPR), we assume the legal obligations for protecting such data.

What happens if I use ChatGPT to draft a specification?

You are exposing public (and potentially confidential) information to servers outside your control that can use it to learn. This could constitute an infringement of the duty of custody of administrative information.

Do you have access to my data?

We apply the Least Privilege principle. Our technical team has no access to your files except under express, temporary authorization for support, and every access is recorded in audit logs.


Conclusion: Innovating Without Exposure

Modernizing the administration does not require assuming uncontrolled risks. It is possible to leverage the power of generative artificial intelligence while maintaining the highest standards of security and digital sovereignty.

Choosing a specialized platform is not just a question of functionalities ("that it responds well"); it is the only way to ensure that public data remains, at all times, under control.

Icela Martin

Legal Copywriter • Public Procurement