SLED Partnerships
Hub How We Engage Operating Model Capabilities Engagement Examples Procurement Vehicles Contact
U.S. SLED · Operating model & data architecture

Where the data goes. Who touches it.

A prime compliance officer needs a clean answer before subcontract paperwork moves. This page is that answer: the bifurcated CONUS / Lahore architecture we operate under, the compliance frameworks that wrap it, and the state-by-state restrictions we are prepared to disclose against.

Flow-down
question
"If I subcontract this work to Techtiz, where does the data go and who touches it?" Live agency data, CJI, PHI, FCI, and CUI are handled exclusively by U.S.-based personnel on U.S. soil. Lahore-based engineers work against sanitized environments and synthetic data, behind a documented air-gap with audit logging. Every prime engagement begins with a written disclosure for the prime's flow-down file.
Bifurcated architecture

Two environments. One contract. A documented air-gap between them.

The operating model is structural, not procedural. Sensitive data classes are physically and logically separated from the offshore engineering plane. The prime sees the boundary in the disclosure pack; the agency never sees us at all.

CONUS · US persons
Onshore plane

U.S.-citizen personnel on U.S. soil. The only environment cleared to handle live agency data, controlled information, and any work touching law-enforcement, judicial, or healthcare systems.

  • Engagement manager & technical liaison — single accountable contact for the prime PM. Every status, escalation, and change request flows here first.
  • Live data handling — any production pull touching CJI, PHI, FCI, CUI, or agency PII is performed by the onshore team inside the prime's authorization boundary.
  • CJIS-cleared operations — for engagements touching law-enforcement, court, or dispatch systems: fingerprinted, background-checked U.S. personnel on a CJIS-aligned workstation.
  • Acceptance, KT, and deployment — final review, agency-facing artifact handoff to the prime, and production deployment gates.
Data classes handled here
CUIFCICJIPHIAgency PIILive production data
Lahore · Engineering
Offshore engineering plane

Senior engineers in Lahore working against sanitized environments, synthetic data sets, and API contracts that do not expose live agency endpoints. Where the bulk of the build happens, never against production data.

  • Codebase development — feature work against mock data and contract tests. Pull requests gated by onshore review before any live-data deployment.
  • Synthetic-data engineering — schema-faithful but content-scrubbed datasets generated for development and regression testing. Real records never leave the onshore plane.
  • Document & engineering artifact production — architecture docs, runbooks, statutory-format templates, dashboards, all reviewed onshore before release.
  • Workstation controls — managed devices with disk encryption, DLP egress monitoring, no removable-media write, audit log forwarding to onshore SIEM.
Data classes handled here
Synthetic dataMock fixturesPublic-domain artifactsCodebase & configs
Compliance frameworks

The frameworks a prime compliance officer is looking for.

Specific claims with status, scope, and target dates. Where a framework is in-progress, a target date is on the page. Where a framework applies on a per-engagement basis, the posture statement explains how.

SOC 2 Type II
In progress
Operational cybersecurity controls. Independent audit of access, change management, monitoring, and incident response over a 6 to 12 month observation window.
Scope
Engineering platform, ticketing, code repos, identity provider, production deploy pipeline.
Target
Type II report Q4 2026 · Bridge letter on request
Auditor
CPA firm engaged; readiness assessment complete
CJIS Security Policy
Posture
Required for law-enforcement, court, and dispatch work. Personnel fingerprinting, background checks, U.S.-citizen on U.S. soil, encryption to FIPS 140-2/3 standards.
Onshore
Fingerprinted, background-checked U.S. personnel for any CJIS-touching engagement.
Offshore
Never touches CJI. Sanitized-fixture work only, gated behind onshore review.
Evidence
Personnel attestations and workstation hardening report provided to the prime's CJIS coordinator.
StateRAMP / TX-RAMP
Aligned
Cloud architectures we design are StateRAMP-aware. We do not hold an authorization ourselves; we build inside the prime's authorization boundary using controls that map to StateRAMP and TX-RAMP categorization.
What we do
Architecture, control mapping, SSP narrative drafts, control evidence collection, and 3PAO response support.
Boundary
All work performed inside the prime's authorization boundary on prime-managed cloud accounts.
Section 508 / VPAT
Applied
Required for all government digital interfaces. WCAG 2.2 AA validation, screen-reader regression, PDF/UA conversion, plain-language editing pipelines. VPAT 2.5 ITI authored per delivered surface.
Methodology
axe DevTools automated · NVDA & VoiceOver manual · keyboard-only walkthroughs · PDF/UA validation.
Deliverable
A signed VPAT ships with every accessibility-scoped engagement. Prior VPATs reviewable under NDA.
NIST 800-171 / CMMC
Aligned
Standard hygiene for any prime serving federal customers. 110-control baseline implemented across access management, audit, configuration, incident response, and media protection.
Posture
Self-assessment complete · SSP & POAM maintained · gap remediation tracked quarterly.
CMMC
Level 2 alignment for engagements requiring it; assessment via prime-led joint scope.
HIPAA · IRS Pub 1075
Posture
Required for healthcare, eligibility, and tax-data engagements. BAA execution as subcontractor under prime BAA. Pub 1075 onshore handling for FTI; offshore plane never touches FTI or PHI.
BAA
Mutual or prime-flow-down BAA executed before any PHI exposure.
FTI
Handled exclusively by U.S. personnel on U.S. soil per IRS Pub 1075 §9.3.
State-by-state offshore restrictions

Where we can serve directly. Where the prime needs to disclose. Where a waiver is required.

The U.S. state landscape on offshore subcontracting is fragmented; an offshore-shy compliance officer needs a prepared answer, not a research project. This is ours, kept current. Always confirm against the live solicitation language before bid.

Serve directly under standard subcontract Standard subcontract + offshore-handling disclosure Restructuring or written waiver required
Posture · MD
State / framework
Maryland · State CISO directive
Restriction
Any offshore operations activity, including code development, ops staffing, or data processing on state contracts, requires a discretionary written waiver from the State CISO.
Our handling Waiver required
Posture · AZ · FL · MO · TX
State / framework
Medicaid Minimum Subcontract Provisions
Restriction
Medicaid Provider Participation Agreements restrict offshore handling of any Medicaid-related data; explicit disclosures and, in some scopes, restructuring required.
Our handling Waiver / restructure
Posture · CA
State / framework
California · Gov't Code §19130
Restriction
Restricts contracting out services that supplant state civil-service jobs and applies strict offshore controls to state data handling.
Our handling Onshore only for state data
Posture · NJ
State / framework
New Jersey · Statutory restrictions
Restriction
Statutory restrictions on offshore labor for state services. Scope varies by agency and program; bid-by-bid analysis required.
Our handling Onshore by default
Posture · State Medicaid agencies
State / framework
15+ states · State-specific Medicaid rules
Restriction
State-by-state Medicaid agency rules for offshore outsourcing range from disclosure-only to categorical prohibition. HIPAA BAA terms layered on top.
Our handling Per-state disclosure
Posture · CJIS states
State / framework
CJIS Security Policy (national)
Restriction
Law-enforcement, court, and dispatch systems require U.S.-citizen personnel on U.S. soil for any CJI touch. State CJIS coordinators vet personnel.
Our handling Onshore-only CJI
Posture · Most states
State / framework
Standard SLED procurements (non-restricted scopes)
Restriction
Permitting, environmental, GIS, public engagement, grant reporting, and document-production work on non-PII / non-CJI scopes proceeds under standard prime subcontract terms.
Our handling Serve directly
Disclosure protocol

Proactive disclosure is the engagement default.

Every prime conversation begins with a written disclosure of our operating model. The prime never has to ask. The flow-down file is built from day one.

Locked in teaming letter
01

Operating-model pack on first NDA call.

Architecture diagram, data-class matrix, framework status sheet, and per-state posture page delivered with the NDA.

02

Data-flow analysis with the prime.

Joint review of where the engagement's data falls on the matrix. Onshore-only vs. bifurcated scopes labelled before any technical conversation.

03

State-specific disclosure drafted.

For each target state on the bid, the disclosure language the prime would file with the agency, drafted for the prime's review.

04

Flow-down clause mapping.

Every clause that flows down from the prime contract is mapped to a specific Techtiz control or attestation. Gaps surfaced before subcontract signature.

05

Personnel attestation file.

Named-personnel attestations for any onshore-required work, citizenship and clearance status, delivered as a sealed file to the prime.

06

Continuous-compliance reporting.

Quarterly attestations to the prime PMO. Annual joint controls review. Incident-response runbook with prime + Techtiz contacts.

Pipeline intelligence

How we source pipeline intelligence, the clean way.

A prime asking how Techtiz sources pipeline has a clean, defensible answer. We subscribe to the structured procurement-intelligence ecosystem rather than scraping it from outside.

Authorized subscriber model

Inside the ecosystem, not adjacent to it.

Subscriber status places us inside the structured procurement-intelligence ecosystem with paid access, audit logs, and direct prime-outreach channels. The opposite of an offshore firm scraping public RFP archives.

Deltek GovWin · subscriber Bloomberg Government · subscriber SAM.gov · monitored
What we use it for

Pipeline, primes, and prep — never published commentary.

Subscription tools identify primes assembling teams for upcoming bids, recent awards, and capability-statement matches. We use them to find partners, not to publish marketing analyses of active solicitations.

Find primes assembling teams Capability-statement matching Award-history research
Frequently asked questions

Data Architecture & Personnel

Answers compliance officers and PMs need before subcontract flow-down paperwork moves.

Where does live agency data go in a Techtiz subcontract?

Live agency data touching CJI, PHI, FCI, CUI, or agency PII is handled by U.S.-based personnel on U.S. soil inside the prime's authorization boundary. Lahore-based engineers work against sanitized environments and synthetic data behind a documented air-gap.

Who is the accountable contact for the prime PM?

A U.S. engagement manager and technical liaison owns status, escalations, and change requests. Final acceptance, knowledge transfer, and production deployment gates stay onshore.

How are CJIS or law-enforcement systems handled?

For CJIS-touching work, fingerprinted and background-checked U.S. personnel operate on CJIS-aligned workstations. Offshore staff do not access live CJIS production environments.

Are per-state offshore restrictions documented?

Yes. Every prime engagement begins with a written disclosure for your flow-down file, including state-specific restrictions on where engineering may be performed.

How does follow-the-sun delivery work without exposing live data?

Offshore engineers develop against mock data and contract tests; pull requests pass onshore review before any live-data deployment. Three time zones compress cycles while keeping production data in CONUS control.