# Suvegasoft FAQ — GenAI Implementation Questions Answered > Straight answers about GenAI implementation — costs, timelines, security, and how we work. 16 questions answered. - Canonical: https://suvegasoft.co.uk/faq/ ## General Questions ### What is GenAI and how can it help my business? GenAI (Generative AI) refers to AI systems that can create new content, code, insights, or responses based on patterns learned from data. Unlike traditional software that follows explicit rules, GenAI can understand context, generate human-like text, and solve complex problems. **How it helps your business:** - **Automate knowledge work**: Answer customer questions, generate reports, summarize documents - **Enhance decision-making**: Analyze data and provide insights faster than manual review - **Improve customer experience**: 24/7 support, personalized recommendations, instant responses - **Reduce costs**: Automate repetitive tasks while maintaining quality - **Scale expertise**: Make specialized knowledge accessible across your organization The key is implementing GenAI strategically on high-impact use cases where it delivers measurable ROI. ### Is GenAI right for my company? GenAI is a good fit if you have: **✅ Clear use cases** - Repetitive knowledge work (document analysis, customer support) - Need to scale expertise without linear hiring - Data-heavy processes that require human judgment **✅ Realistic expectations** - Understand AI has limitations (hallucinations, accuracy trade-offs) - Willing to invest in proper implementation (not just API calls) - Ready to measure ROI and iterate **✅ Basic readiness** - Have digital data (documents, transcripts, databases) - Ability to integrate with existing systems - Team willing to adopt new tools **❌ Not a good fit if:** - No clear problem to solve ("AI because everyone's doing it") - Expecting 100% accuracy with zero human oversight - Can't dedicate resources to implementation and maintenance **Not sure?** [Book a free consultation](/contact) and we'll assess your specific situation. ### How secure is GenAI? Can I trust it with sensitive data? Security depends entirely on **how** you implement GenAI. We prioritize security at every level: **Data Privacy** - Your data never trains public models (we use zero data retention APIs) - Sensitive data can stay on-premises or in your private cloud - HIPAA, SOC 2, and GDPR-compliant architectures available **Infrastructure Security** - Encrypted data in transit and at rest - Role-based access controls - Private vector databases (not public cloud services) - Audit logs for all AI interactions **RAG vs Fine-tuning** - **RAG**: Your data stays in your vector database, only retrieved when needed (more secure) - **Fine-tuning**: Creates a custom model but requires more careful data handling **Our Approach** 1. Security assessment during discovery 2. Architecture designed for your compliance requirements 3. Penetration testing and security audits 4. Ongoing monitoring and updates We've built GenAI systems for healthcare (HIPAA) and finance (SOC 2) with strict compliance requirements. ### Do I need AI expertise in-house to work with you? **No, you don't need AI experts on your team.** That's exactly why companies hire us. **What you DO need:** - **Domain experts**: People who understand your business problem and data - **Technical contact**: Someone who can coordinate with engineering teams (if integration needed) - **Decision maker**: Someone who can approve architecture and provide feedback **What we handle:** - LLM selection and configuration - Prompt engineering and optimization - Vector database setup - RAG/fine-tuning implementation - Integration with your systems - Testing, monitoring, and maintenance - Knowledge transfer and documentation **Our approach:** 1. We learn your business requirements 2. We build and test the solution 3. We train your team to use and maintain it 4. We provide ongoing support if needed **After implementation, your team runs the system** with our documentation and support. We design for operational simplicity, not AI complexity. ## Our Services ### What's the difference between RAG and fine-tuning? Both customize LLM behavior, but in fundamentally different ways: #### RAG (Retrieval-Augmented Generation) **What it does:** Gives the LLM access to your documents on-demand **Best for:** - Knowledge bases, documentation, FAQs - Frequently updated information - Compliance requirements (audit trails) - Lower cost, faster implementation **How it works:** Query → Search your docs → Inject relevant context → Generate answer **Example:** "Answer customer questions using our product documentation" #### Fine-tuning **What it does:** Trains a custom model on your specific data/style **Best for:** - Specialized writing styles or formats - Domain-specific jargon or responses - When response consistency is critical - Tasks that don't require external knowledge **How it works:** Train model on your examples → Model learns patterns → Generates similar outputs **Example:** "Write customer emails in our brand voice and tone" #### Which to choose? **Start with RAG if:** - You have documents/knowledge to reference - Information changes frequently - You need transparency (see what sources were used) - Budget/timeline is limited **Consider fine-tuning if:** - You need a specific output style - RAG alone doesn't deliver the quality you need - You have thousands of high-quality examples - Response format consistency is crucial **Often, the best solution combines both**: RAG for knowledge + fine-tuning for style. ### Do you build custom AI models or use existing ones? **We use existing foundation models (like GPT-4, Claude, Llama) and customize them** for your specific use case. Here's why: #### Why we don't train models from scratch - **Cost**: Training a foundation model costs millions of dollars - **Time**: Takes months/years and massive datasets - **Performance**: Existing models (GPT-4, Claude, Gemini) are extremely capable - **Unnecessary**: 99.9% of business needs don't require it #### What we do instead **1. RAG (Retrieval-Augmented Generation)** - Connect existing LLMs to your knowledge base - No model training required - Updates in real-time as your data changes **2. Fine-tuning** - Customize existing models on your specific data - Teaches style, format, domain-specific responses - Much cheaper and faster than training from scratch **3. Prompt Engineering** - Craft instructions that guide model behavior - Optimize for your specific use case - Iterate quickly based on results **4. Model Selection** - Choose the right model for your needs (cost vs. capability) - OpenAI GPT-4, Anthropic Claude, Meta Llama, etc. - Open-source vs. proprietary trade-offs #### The result? You get **production-ready AI in weeks, not years**, leveraging billions of dollars of R&D from leading AI labs, customized precisely for your business needs. ## Pricing & Budget ### How much does a GenAI implementation cost? **Investment ranges from $15K to $150K+** depending on complexity, but most projects fall in the $30K-$75K range. #### What affects cost? **1. Scope & Complexity** - Simple RAG chatbot: Lower end - Multi-agent workflow automation: Higher end - Fine-tuned model + RAG + integrations: Higher end **2. Data Preparation** - Clean, structured data: Lower cost - Messy, unstructured data needing cleanup: Higher cost - Multiple data sources requiring integration: Higher cost **3. Integration Requirements** - Standalone application: Lower cost - Integration with existing systems (CRM, ERP): Higher cost - Enterprise SSO, compliance, audit logs: Higher cost **4. Custom Development** - Using off-the-shelf tools: Lower cost - Custom UI/UX: Medium cost - Complex business logic: Higher cost #### What's included? - Discovery and requirements gathering - Architecture design - LLM selection and configuration - Development and testing - Integration with your systems - Documentation and knowledge transfer - Post-launch support (typically 30-90 days) #### Ongoing costs After implementation, expect **monthly costs of $200-$5,000+** for: - LLM API usage (pay-per-token) - Vector database hosting - Infrastructure (cloud hosting, monitoring) - Optional: Maintenance and improvements **Want a specific quote?** [Book a consultation](/contact) and we'll scope your project in detail. ### Do you offer fixed-price projects? **Yes, we offer both fixed-price and time-and-materials (T&M) engagements**, depending on project clarity and scope. #### The Fixed-Price Model **When it works:** - Well-defined requirements - Clear acceptance criteria - Limited unknowns or integration complexity - Shorter timelines (8-12 weeks) **Examples:** - "Build a RAG chatbot for our product documentation" - "Implement AI-powered email categorization" - "Create a summarization tool for customer support tickets" **Benefits:** - Predictable cost - Clear deliverables - Lower financial risk **Limitations:** - Less flexibility for changes mid-project - Requires thorough upfront scoping (1-2 weeks discovery) - Change requests may incur additional costs #### Time & Materials (T&M) **When it works:** - Exploratory or R&D projects - Evolving requirements - Complex enterprise integrations - Longer engagements (3-6+ months) **Benefits:** - Flexibility to adapt as you learn - Pay only for actual work - Ideal for iterative development **Limitations:** - Cost less predictable (we provide estimates and caps) - Requires ongoing collaboration #### Our recommendation? **Start with fixed-price discovery (2-4 weeks)** to define requirements, then choose: - Fixed-price for implementation (if scope is clear) - T&M for implementation (if uncertainty remains) This hybrid approach minimizes risk while maintaining flexibility. ## Technical Details ### Which LLMs do you work with? **We're model-agnostic and work with all major LLM providers**, selecting the best fit for your specific use case. #### Proprietary Models (API-based) **OpenAI** - GPT-4, GPT-4 Turbo, GPT-4o (most capable, higher cost) - GPT-3.5 Turbo (fast, cost-effective for simpler tasks) - **Best for**: General-purpose tasks, complex reasoning, code generation **Anthropic Claude** - Claude 3.5 Sonnet, Claude 3 Opus (strong reasoning, large context window) - **Best for**: Long documents, nuanced understanding, safety-critical applications **Google Gemini** - Gemini Pro, Gemini Ultra (multimodal, massive context window) - **Best for**: Huge context needs, Google Cloud integration #### Open-Source Models (Self-hosted or API) **Meta Llama** - Llama 3.1, Llama 3.2 (open-source, no API fees) - **Best for**: Cost sensitivity, data privacy, customization **Mistral AI** - Mistral Large, Mixtral (European, performant, open-weights) - **Best for**: EU data residency, cost-effective fine-tuning **Others** - Cohere, AI21 Labs, Together AI, Fireworks AI, etc. #### How we choose **1. Use case requirements** - Task complexity → Model capability - Response speed → Model size/latency - Context length → Context window size **2. Cost vs. performance** - GPT-4 for critical tasks - GPT-3.5 or Claude Haiku for high-volume, simpler tasks - Open-source for cost-sensitive or high-privacy needs **3. Compliance & data residency** - EU data? → Mistral or self-hosted Llama - HIPAA? → Private deployment or BAA with OpenAI/Anthropic **Our approach: Start with the best model, then optimize for cost** once we've proven the use case. Most production systems use a mix of models for different tasks. ### How do you handle data privacy and security? **Data privacy and security are non-negotiable**. Here's our comprehensive approach: #### Data Handling Principles **1. Zero Data Retention** - Use LLM providers with zero data retention policies (OpenAI API, Anthropic) - Your prompts and responses are NOT used to train models - Data processed and immediately discarded **2. Private Infrastructure** - Self-hosted vector databases (your cloud or on-premises) - Private VPCs and network isolation - No shared infrastructure between clients **3. Data Encryption** - TLS 1.3 for data in transit - AES-256 encryption for data at rest - Encrypted vector databases (pgvector with PostgreSQL encryption, Qdrant with encryption-at-rest) #### Compliance & Governance **HIPAA Compliance** - Business Associate Agreements (BAAs) with LLM providers - Encrypted PHI handling - Audit logs for all access - Regular security assessments **SOC 2 & GDPR** - Role-based access control (RBAC) - Data residency options (EU servers for EU data) - Right to deletion and data portability - Privacy by design principles **Industry Standards** - OWASP Top 10 security practices - Regular penetration testing - Vulnerability scanning - Incident response plans #### Technical Controls **Access Control** - Multi-factor authentication (MFA) - SSO integration (Okta, Azure AD, etc.) - Least privilege access - Session management and timeouts **Monitoring & Logging** - All AI interactions logged (without PII if needed) - Real-time anomaly detection - Security event alerts - Audit trails for compliance **Data Minimization** - Only collect data necessary for the task - Anonymize/pseudonymize when possible - Regular data cleanup and retention policies #### Your Options **1. Cloud-based (Most Common)** - Your private cloud (AWS, Azure, GCP) - Managed services with encryption - BAA-compliant LLM APIs **2. Hybrid** - Sensitive data on-premises - Non-sensitive processing in cloud - Secure API gateway **3. Fully On-Premises** - Open-source LLMs (Llama, Mistral) - Self-hosted vector databases - Complete data control We design the architecture to meet YOUR security and compliance requirements, not force you into a one-size-fits-all solution. ### Can AI run entirely on our infrastructure? **Yes.** We match the deployment model to your requirements — including fully self-hosted and on-device setups where no data ever leaves your infrastructure. #### Deployment options - **Cloud APIs** (OpenAI, Anthropic, Google): fastest to ship, best frontier-model quality - **Private cloud / VPC**: managed models inside your own cloud account - **On-premise or on-device**: open-weight models running entirely on hardware you control #### Proof it works in production Our dental documentation solution runs 100% on-device in clinics — the practice owns the hardware, the models, and every byte of patient data. No cloud dependency, no data processing agreements with third-party model providers. #### Compliance-driven deployment HIPAA, GDPR, or sector-specific rules often dictate where data can flow. We treat those constraints as inputs to the architecture, not obstacles — see our [On-Device AI service](/services/on-device-ai/) for how local inference works in practice. ### How do you handle compliance? **We handle it from the start**, not as an afterthought. Compliance requirements shape the architecture — where data flows, which models can be used, what gets logged — so they need to be in the design from day one. #### Track record Our clinical trials platform passed **FDA 21 CFR Part 11** review — one of the strictest regulatory frameworks for electronic records and signatures. We've also built systems under HIPAA and GDPR constraints, including fully on-device deployments where data never leaves the premises. #### How we approach it - **Requirements first**: we map your regulatory constraints during discovery, before any architecture decisions - **Audit-ready documentation**: we document data flows, model choices, and validation results in a form your auditors can use - **Deployment to match**: cloud, private cloud, or on-premise — whatever your rules require If your industry has specific requirements, [tell us about them](/contact) — chances are we've designed for something similar. ## Implementation Process ### How long does implementation typically take? **Most GenAI implementations take 6-16 weeks** from kickoff to production, depending on complexity. #### Typical Timeline Breakdown ##### Phase 1: Discovery & Planning (1-2 weeks) - Understand your use case and requirements - Review existing data and systems - Define success metrics - Select LLM and architecture - Create detailed implementation plan ##### Phase 2: Data Preparation (1-3 weeks) - Data collection and cleaning - Document processing (PDFs, text, structured data) - Vector database setup - Embedding generation - Test data quality ##### Phase 3: Development (2-6 weeks) - Build core RAG/agent system - Prompt engineering and optimization - Integration with your systems - UI/UX development (if needed) - Initial testing and refinement ##### Phase 4: Testing & Refinement (1-3 weeks) - User acceptance testing - Performance optimization - Accuracy improvements - Edge case handling - Security and compliance review ##### Phase 5: Deployment (1 week) - Production infrastructure setup - Final testing in production environment - Documentation and training - Go-live support #### Timeline by Project Type **Simple RAG Chatbot**: 6-8 weeks - Example: FAQ bot for product documentation **Medium Complexity**: 10-12 weeks - Example: Customer support agent with CRM integration **Complex Implementation**: 14-20 weeks - Example: Multi-agent workflow automation with fine-tuning #### What affects timeline? **Faster:** - Clean, well-structured data - Simple use case - Few integrations - Quick decision-making **Slower:** - Data cleanup required - Complex business logic - Multiple system integrations - Compliance requirements - Stakeholder alignment challenges #### Can you go faster? **Yes, with trade-offs:** - Start with MVP (4-6 weeks) → Iterate - Use pre-built components where possible - Accept "good enough" vs. perfect - Defer non-critical integrations We'll work with your timeline during discovery to find the right balance between speed, quality, and scope. ### What do you need from us to get started? **To kick off a GenAI project, we need three things: access to stakeholders, access to data, and a clear problem statement.** Here's the detailed breakdown: #### 1. People & Access **Key Stakeholders** - **Business owner**: Understands the problem and success criteria - **Technical contact**: Can provide system access and answer integration questions - **End users** (optional but helpful): Will test and provide feedback - **Decision maker**: Can approve architecture and budget **Time Commitment** - Discovery: ~4-8 hours over 1-2 weeks (interviews, data review) - Development: ~2-4 hours/week (check-ins, feedback) - Testing: ~4-8 hours (UAT, refinement) #### 2. Data & Systems **What We Need** - **Sample data**: Representative subset of your documents, FAQs, transcripts, etc. - **Data access**: API keys, database credentials, or export capabilities - **System documentation**: Existing integrations, tech stack, architecture diagrams - **Security requirements**: Compliance needs (HIPAA, SOC 2, etc.) **Data We'll Request** - For RAG: Documents, FAQs, knowledge base content (PDFs, text, structured data) - For Fine-tuning: Training examples (input/output pairs) - For Agents: API documentation, workflow diagrams - For All: Sample queries/questions you want to handle **Don't Worry If** - Data is messy (we'll help clean it) - Documentation is incomplete (we'll fill in gaps) - You're not sure what to share (we'll guide you) #### 3. Clear Problem Statement **Good Problem Statements** - ✅ "Our support team spends 10 hours/week answering the same questions. We want to automate this." - ✅ "We need to analyze 500 customer surveys per month. Takes 2 days. Want it done in hours." - ✅ "Our sales team struggles to find product info across 50+ docs. Want instant answers." **Poor Problem Statements** - ❌ "We want to use AI." (No specific problem) - ❌ "Make our website smart." (Too vague) - ❌ "Build us a chatbot." (No defined outcome) #### 4. Optional (But Helpful) - **Success metrics**: How will you measure if it's working? - **Current process**: What's the manual workflow today? - **Budget range**: Helps us scope appropriately - **Timeline**: Any hard deadlines or constraints? #### What Happens Next? **Week 1: Discovery Kickoff** 1. Intro call (30-60 min): Discuss problem, goals, constraints 2. Data review: We analyze sample data 3. Architecture proposal: We recommend an approach **Week 2: Planning** 1. Detailed scoping: Define features, timeline, cost 2. Contract and SOW: Finalize agreement 3. Kickoff: Start development! #### Don't Have Everything? **That's okay!** We can start with discovery to define what's needed. [Book a consultation](/contact) and we'll figure it out together. ### Do you do POCs first? **Yes.** Every engagement starts with a 2-week rapid validation phase before you commit to a full build. #### What the validation phase covers - **A thin working slice** of your use case, built against your real data — not a toy demo - **Measured results**: accuracy, latency, and cost numbers you can put in front of stakeholders - **A clear go/no-go recommendation** at the end #### Why we work this way GenAI feasibility is hard to predict from a whiteboard. Some use cases that sound difficult turn out to be straightforward; others that sound simple hit data-quality or accuracy walls. Two weeks of building against your actual data answers the question definitively. If it won't work, you'll know fast — before you've committed a full project budget. If it does work, the validation output becomes the foundation of the production build, so nothing is thrown away. See our [POCs & Feasibility Studies service](/services/pocs/) for details. ### What happens after launch? **We stay for the long term.** GenAI systems aren't fire-and-forget — models evolve, usage patterns shift, and edge cases surface in production that never appeared in testing. #### Included in every project - **Monitoring**: every system we ship includes observability, so you can see accuracy, latency, and cost in production - **Documentation and handover**: your team understands how the system works and how to operate it - **Go-live support**: we're on hand during the launch window #### Ongoing support options - **Iteration**: new features, new data sources, expanded use cases - **Optimisation**: improving accuracy and reducing cost as usage data accumulates - **Model upgrades**: evaluating and migrating to newer models as they're released Our [Evals & Observability service](/services/evals/) covers the measurement side: knowing whether your system is actually getting better, not just changing. ## Question not answered here? Ask us directly: https://suvegasoft.co.uk/contact/