Privacy & Verification Architecture
How VeraCita handles your documents and sources during citation verification. Written for procurement reviewers at law firms and university research offices.
How verification works: three modes
VeraCita processes citation verifications in one of three modes. By default, uploaded documents use Zero-Knowledge mode -- our infrastructure never sees your source. Standard mode (for public web URLs) routes through our Swiss-hosted orchestration in memory only -- never written to disk. Workspace administrators can enforce Zero-Knowledge for all sources in their workspace, eliminating any code path that could expose sources to our infrastructure.
The core difference is structural, not contractual. In Zero-Knowledge mode, there is no code path by which our infrastructure can access your source -- not by employees, not under a subpoena. We engineered it that way so the privacy claim is verifiable, not just promised.
Data flow by mode
Each diagram shows the path a source document takes from your browser to the AI verification engine and back. All paths stay within Switzerland.
Standard Mode
Source transits Lambda memory (~10s). Never written to disk. Swiss residency throughout.
Zero-Knowledge Mode
Source goes browser to Bedrock directly. MTG only receives token counts for billing. No code path to source content.
Strict ZK (Enterprise)
Identical to Zero-Knowledge mode. Per-source toggle is disabled -- all sources are ZK regardless of user preference.
Mode comparison
All values are accurate as of the architecture deployed on this date. Andy Christen (founder) reviews this page before any update is published.
| Standard | Zero-Knowledge | Strict ZK (Enterprise) | |
|---|---|---|---|
| Default for | Public web URLs | Uploaded documents | Every source in the workspace |
| Source persists in MTG infrastructure | Transit only (~10s in Lambda memory) | Never | Never |
| Source persists in MTG durable storage | Never | Never | Never |
| Source persists in AI provider cache | ~5 min ephemeral (encrypted, account-scoped) | ~5 min ephemeral | ~5 min ephemeral |
| Data residency | Switzerland (Zurich, AWS eu-central-2) | Switzerland (Zurich, AWS eu-central-2) | Switzerland (Zurich, AWS eu-central-2) |
| Source used to train AI models | No | No | No |
| MTG can access source under subpoena | Yes (during the ~10s transit window, not logged) | No code path exists | No code path exists |
| Per-user mode toggle | Available | Available | Disabled by workspace admin |
How is this different?
Most citation-verification services route your source through their backend. Their privacy policy may say "we do not train on your data" or "we delete after processing," but their infrastructure has the source. Employees can query logs. A court order can compel production.
Zero-Knowledge mode is structurally different. Your source travels from your browser directly to the AI provider, signed with short-lived credentials (15-minute lifetime) issued only to your session. Our servers handle the authentication and the billing report. Nothing else.
Credentials are erased the moment your verification completes. The browser does not retain the AWS access keys after the result is rendered. Even if the keys had been retained, they would expire in at most 15 minutes. There is no path for the browser to call the AI provider again without re-authenticating against your existing login.
There is no server-side log that could contain your source. There is no database entry. There is no code path. A subpoena served on MindtheGap Sarl for a Zero-Knowledge session would yield nothing -- not because we deleted it, but because we never had it.
"We engineered it so we cannot see your work, not just promised not to." That is the procurement-defensible claim. The architecture diagram above is the evidence.
Procurement-friendly facts
Primary: AWS eu-central-2 (Zurich).
AI fallback provider: Azure Switzerland North.
No data transits through US or non-EU/CH regions.
AWS Certificate Manager with automatic renewal.
SigV4 signed requests for Bedrock calls.
MindtheGap Sarl holds no decryption keys for user content.
Verification results: 30 days (unless user exports).
Billing metadata (token counts, claim counts): up to 24 months.
Logs: access logs 90 days, no content in logs.
EU GDPR: compliant (applicable to EU data subjects).
SOC 2 Type II: planned (target 2027).
ISO/IEC 27001: under evaluation (target 2027).
Available via AWS Artifact on request.
Subprocessors
| Subprocessor | Purpose | Region | Data received |
|---|---|---|---|
| Amazon Web Services (AWS Bedrock) | Primary AI inference | AWS eu-central-2 (Zurich) | Source text during verification (Standard and ZK modes); ephemeral prompt cache up to 5 min |
| Microsoft Azure OpenAI | Fallback AI inference (Standard mode only); embedding generation | Azure Switzerland North | Source text during Standard mode fallback only; document embeddings (no full source text) |
| Amazon Web Services (Aurora, Lambda, CloudWatch) | Database, compute, monitoring | AWS eu-central-2 (Zurich) | Account metadata, verification results, billing records -- no source content |
| Stripe Inc. | Payment processing and subscription billing | United States / EEA (Stripe infrastructure) | Payment card data (handled exclusively by Stripe -- MTG receives only a billing token and plan status, no card numbers) |
| Cloudflare (html-extractor fallback) | Fallback HTML extraction for public web URLs (Standard mode only, invoked only when primary Lambda extraction fails) | Cloudflare Workers (global edge, fallback path) | Public URL text only -- no user documents, no uploaded source files. Not used in Zero-Knowledge mode. |
Data Processing Agreement: view DPA / download PDF -- or request a counter-signed copy at legal@veracita.ai.
Common procurement questions
In Zero-Knowledge mode: no. Your source travels directly from your browser to AWS Bedrock using short-lived credentials scoped to your session. Our Lambda functions are not in the call path. No employee can query a log or database to retrieve your source, because we never received it.
In Standard mode: your source transits through our Lambda function in memory for approximately 10 seconds during orchestration. We do not log source content. Employees do not have routine access to Lambda memory; access requires AWS console permissions that are restricted and audited. The source is never written to any persistent store.
In Zero-Knowledge mode: we cannot produce content we never had. A valid legal demand would yield only billing metadata (claim counts, token counts, timestamps) -- nothing about the content of your source. This is not a deletion policy; it is a structural impossibility.
In Standard mode: a subpoena served during an active verification session (the ~10s Lambda transit window) could theoretically compel production of the in-memory state. We do not log source content, so outside that narrow window, there is nothing to produce.
Source content is never retained by MindtheGap Sarl in any mode. Verification results (claim outcomes, scores) are retained for 30 days and then deleted, unless you export them first. Billing metadata (token counts, claim counts, mode used) is retained for up to 24 months for billing dispute resolution. Application logs (error traces, latency) are retained for 90 days and contain no source content.
All processing occurs in Switzerland. Primary infrastructure runs on AWS eu-central-2 (Zurich region). The fallback AI provider (Azure OpenAI) runs in Azure Switzerland North (also within Switzerland). No data transits through the United States, the European Union (outside Switzerland), or any other non-Swiss jurisdiction.
Uploaded documents are stored in your browser's IndexedDB on your own device. They are not uploaded to our servers before verification begins -- they are sent directly to the AI provider during the verification call, and only then.
Your data subject rights
Under Swiss FADP (nDSG) and EU GDPR (where applicable), you have the following rights regarding the personal data we hold about you:
- Right of access: request a copy of the personal data we hold about you (account metadata, billing records, verification result summaries).
- Right to rectification: request correction of inaccurate personal data.
- Right to erasure: request deletion of your account and all associated data. Source content is never stored, so there is nothing to erase on that front. Billing records required for legal compliance are retained for the statutory period.
- Right to data portability: request your verification results in a machine-readable format (JSON or CSV).
- Right to object: object to any processing of your personal data where we rely on legitimate interest as the legal basis.
- Right to restrict processing: request that we restrict the processing of your data in certain circumstances.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email legal@veracita.ai with the subject line "Data Subject Request". We will respond within 30 days. Identity verification may be required before we can act on your request.
You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch.
Contact and DPA requests
For procurement inquiries, Data Processing Agreements, or security questionnaires, contact legal@veracita.ai.
This page reflects the technical architecture as deployed. Andy Christen (founder, MindtheGap Sarl) reviews all updates before publication. Factual corrections or clarification requests are welcome.
MindtheGap Sarl, registered in Geneva, Switzerland.