Architecture brief
The privilege record, end to end.
How a question becomes a defensible record: tenant isolation, per-matter keys, provider routing to no-train endpoints, and a SHA-256 hash chain anchoring the audit ledger.
01Questionmatter-scoped · tenant-isolated
02Privilege basis recordedAC / WP / AC+WP · rationale
03Provider routeno-train endpoint · provider · model · route reason
04Responseinline citations into matter documents
05Privilege log entryauto-drafted · counsel-edited
06Audit ledgerSHA-256 chained · hash a3f1…7c2b
Tenant isolation
Every matter lives inside its tenant with row-level checks on every query. No cross-tenant reads, by construction.
Per-matter keys
Documents and transcripts are encrypted with keys scoped to the matter, so access ends where the matter ends.
Provider routing
Each message routes to OpenAI or Anthropic no-train endpoints. Provider, model, and route reason are written to the record.
Audit ledger
Each event is SHA-256 chained to the one before it. A verifier runs on read; if the chain ever breaks, a banner shows until it is reconciled.
Want the full brief as a PDF? Email counsel@onprivilege.com and we’ll send it over.