The questions Emeron is actually asked, by the people actually evaluating Emeron — government CIOs, public-sector procurement officers, central-IT architects, ministry chiefs of staff, donor-funded programme managers. Answers are written for procurement-grade specificity, and we say so where the honest answer is "roadmap, not in production today."
This page collects the questions Emeron is actually asked, by the people actually evaluating Emeron — government CIOs, public-sector procurement officers, central-IT architects, ministry chiefs of staff, donor-funded programme managers. Not a marketing FAQ. A buyer's FAQ.
Answers are written for procurement-grade specificity. Where the honest answer is "this is on our roadmap, not in production today," we say so. Where the answer is "this depends on your deployment shape," we explain which variables move the answer.
If your question is not below, send it — the most useful new entries on this page come from real procurement conversations. Email contact@emeron.io.
The questions architects and technical evaluators ask first.
Emeron's core runs on .NET 10 and PostgreSQL 16, with a React 18 + TypeScript front-end. Workflow and event handling use an internal queue layered on PostgreSQL with optional Redis. The integration layer supports REST, gRPC, SOAP for legacy systems, AMQP, Webhooks, and Peppol. The stack is deliberately mainstream — there are no proprietary runtimes, no exotic dependencies, and no vendor-locked infrastructure components in the core deployment.
Forms, workflows, fee schedules, approval chains, role-based access, reports, and integration mappings are all defined in metadata — versioned, exportable, and human-readable. Adding a new permit type, a new fee structure, or a new approval chain is a configuration action, not a code release. The metadata is portable: a customer can theoretically export their entire configuration and import it into a fresh deployment. This is the architectural foundation that makes the year-7 exit conversation a real conversation.
Yes. On-premises is one of five officially supported deployment topologies, alongside sovereign cloud, private cloud, hybrid, and air-gapped. On-premises deployments are common for defence, intelligence, and central-bank workloads. The platform runs on standard Linux (Ubuntu 22.04 LTS / RHEL 9), with no proprietary infrastructure requirements.
A fully isolated deployment with no external network connectivity. Updates are delivered via signed media on a defined schedule. Time synchronisation uses internal NTP. Threat intelligence and CVE feeds are delivered separately under contract. Air-gapped deployments are supported for classified workloads but are operationally heavier — the deployment cost reflects that.
Yes, with strong isolation. Each tenant (typically an agency, jurisdiction, or sub-organisation) has its own metadata namespace, its own data partition, and its own role-based access policy. Cross-tenant data access is explicit, audited, and configurable. For sovereignty-sensitive deployments, single-tenant topologies are supported and common.
English and Arabic (RTL native) are production today. French, Spanish, and Portuguese are on the Q1 2027 roadmap; Swahili, Bahasa, and Hindi on Q3 2027; Mandarin, Russian, Urdu, and Bengali in 2028. Localisation is configuration — new language packs are administered through the platform UI, not engineered. RTL is handled at the layout level, not retrofitted.
Yes. The platform exposes a REST API covering 100% of metadata operations and the majority of runtime operations. OpenAPI 3.1 specifications are published per deployment. GraphQL is supported for read-heavy integrations. The event bus exposes a published-subscribe interface with at-least-once delivery semantics. All APIs are authenticated via OAuth 2.0 / OIDC and rate-limited per tenant.
Semantic versioning at the platform level. Major releases ship annually with a 24-month support overlap, ensuring customers always have at least 18 months to plan an upgrade. Security patches ship on a published cadence with same-day release for critical CVEs. Metadata schemas are versioned independently of the platform, so customer configurations migrate forward without engineering effort.
Public posture below. Full audit reports, sub-processor lists, and CAIQ/SIG responses available under NDA via the Trust Center.
ISO 27001 certification is on roadmap for Q3 2026. SOC 2 Type I roadmap Q1 2027, Type II Q3 2027. The architecture is aligned with NIST SP 800-53. A continuous internal security review programme is in place today, with quarterly third-party penetration testing. Pre-certification audit reports are available under NDA.
Data residency is selectable per deployment. Customer data does not leave the chosen jurisdiction. Sub-processors (where used) are listed publicly and updated quarterly. For sovereignty-sensitive deployments, the customer can deploy entirely on infrastructure under their own legal jurisdiction. Customer-managed encryption keys are supported via standard HSM integration.
The architecture is FedRAMP-compatible, with control mappings completed. Full FedRAMP authorisation is being pursued under a partner-led path through a US-based partner. StateRAMP-compatible deployment models are supported on the same architecture. Customers requiring FedRAMP today should engage us — we will route to the partner path.
G-Cloud-ready deployment model. Active engagement with the Crown Commercial Service framework process. Architecture aligned with NCSC Cloud Security Principles. Application to the next G-Cloud framework iteration is planned.
GDPR-aligned by design. EU Cloud Code of Conduct adherence statement available. eIDAS-aligned identity integration. Standard contractual clauses and data processing agreements are provided as part of the procurement kit. A NIS2 readiness assessment is available on request.
Active NESA and TDRA alignment. Federal Tax Authority Accredited Service Provider pilot pursued for the July 2026 Peppol-based e-invoicing rollout. Emeron is registered with the UAE Federal Tax Authority and operates from SRTIP Sharjah under FZE registration. Local procurement vehicles are listed on the How to buy page.
At rest: AES-256. In transit: TLS 1.3. Key management: customer-managed keys supported via HSM integration. Field-level encryption available for sensitive PII categories. Backups are encrypted with separate keys, customer-rotatable on demand.
Immutable audit log across all platform operations. Regulator-accessible export in standard formats. Retention configurable per workflow. Cryptographic chain-of-custody for evidentiary export. Logs include user, action, resource, timestamp, source IP, and metadata diff.
Published security contact at security@emeron.io. Acknowledgment within 24 hours. Coordinated disclosure window of 90 days standard, extendable by mutual agreement. Hall of fame for responsible disclosure researchers maintained.
The questions that decide whether the conversation continues past the second meeting.
Pricing follows deployment shape, not a list price. Five commercial models are supported: perpetual license, subscription, build-operate-transfer, capability-transfer-weighted, and hybrid. After a 30-minute scoping call, a written line-item proposal with assumptions and pricing-model options is provided within five business days. See /pricing/ for the full posture.
Source-code escrow is offered as standard on contracts above a threshold ACV. The customer's metadata configuration is portable and human-readable, independent of Emeron's continued existence. A documented exit-runbook is included in every capability-transfer contract. The architectural commitment to ownership is precisely the answer to this question: the platform is built so that you can keep running it, with or without us.
Standard support includes business-hours coverage in the customer's time zone, 24/7 critical-incident response, named technical account manager for deployments above threshold ACV, and quarterly business reviews. Higher tiers add follow-the-sun coverage and dedicated environments for staging and DR.
Yes. 3-year, 5-year, and 7-year subscription terms are common. Pricing escalations are capped at CPI or 5% annually, whichever is lower. Multi-year commitments unlock price preservation across the term, capability-transfer milestones, and academy seats.
Yes, via the Permitted References Programme. Some references are confidential under contract and not publicly named. Live reference calls are arranged after a mutual NDA is in place. East Africa anchor deployment is a publicly named multi-entity reference.
Professional indemnity, public liability, cyber liability, employer's liability, and product liability — all at levels matched to typical government tender requirements. Certificates of insurance are included in the procurement kit. Higher coverage available on a contract-specific basis where mandated.
Implementation is where most government technology programmes succeed or fail. The questions below describe how Emeron actually operates a deployment.
Initial GovStack deployments routinely go live within 12–16 weeks of contract signature. Subsequent modules and additional agencies are typically added in 2–6 weeks each. EmeronBiz typically deploys in 14–18 weeks for a multi-entity rollout. Permit Engine, when deployed alone, typically goes live for the first permit category in 10–14 weeks.
Emeron consultants for the first deployment of a customer. Certified partners for subsequent expansions where the customer prefers. Customer internal teams for new modules and configurations after capability transfer. The composition is explicit in the contract and shifts toward the customer over time by design.
Seven certification tracks: Administrator, Workflow Designer, Functional Analyst, Integration Engineer, Solution Architect, Security & Compliance, and Platform Trainer. Standard deployments include 10–30 seats; capability-transfer programmes include 30–200 seats. Certifications are publicly verifiable through the Emeron Practitioner Directory. Renewal is annual.
Annual major releases with 24-month support overlap. Minor releases quarterly. Security patches on published cadence. Customer-controlled upgrade windows for production environments. Test and staging environments upgraded ahead of production by 30 days standard. No forced upgrades; customers are supported on N-1 indefinitely for contractual periods.
Standard migration adapters for ERPNext / Frappe, SAP S/4HANA, Oracle E-Business Suite, Microsoft Dynamics, ServiceNow, and a portfolio of legacy government systems. Custom migrations are scoped per deployment. Data quality assessments are included as part of the discovery phase. Production cutover plans are signed off by both parties.
National identity, national payment switch, national e-signature, and central reporting registries are handled through the integration layer. Adapters for the most common national systems (UAE Pass, Saudi Absher, Singpass, Aadhaar, M-Pesa, India Stack) are pre-built or in roadmap. New national-system integrations are scoped as defined units of work, not open-ended T&M.
Reasonable questions about counterparty risk. Honest answers about company stage.
Emeron is a UAE-registered company at growth stage. The team is structured around platform engineering, deployment delivery, and academy. We do not publish headcount in marketing materials — counterparty-risk-relevant team data is available in the procurement kit, signed by an authorised officer.
Salman, founder and CEO. Thirteen-plus years of ERP and government-technology platform development. Company leadership composition and bios are at /company/leadership/.
Yes. Nine institutional investors hold minority equity from two capital raises. Investor list is published at /company/investors/. Anchor investors are referenceable on request.
SRTIP Sharjah, United Arab Emirates. The HQ location matters in procurement primarily because it determines our base legal jurisdiction, the applicable export-control regime, and the corporate tax position. UAE jurisdiction is procurement-friendly in most GCC, MENA, and Africa contexts, and procurement-acceptable in most EU, UK, and Australia contexts. For US federal deployments, partner-led paths apply.
Deliberate. We are growing footprint through deployments that include capability transfer, not through volume-driven services growth. Strategic markets are UAE, GCC, MENA, and Africa for direct engagement; UK, EU, Southeast Asia, and the Americas through partners. We aim to grow customer count more slowly than our installed base would suggest possible — because the operational model is to make each customer self-sufficient over time, not to retain them through dependency.
Send it. Procurement-grade answers within two business days, in writing, from a named person at Emeron — not a generic SDR queue.