Trust, in plain words.

01Two trust domains

The platform is split into two machines with different rules. The split is the whole point.

PrinciplesAI runs across two trust domains that are physically and network-wise separate.

The production intake box carries no large-language-model SDK imports at all. The sandbox VPS carries vendor API keys and nothing else — no Airtable token, no GitHub credential, no Cloudflare credential, no SSH key to any other machine.

Communication is one-way at the network layer: production HTTPS-POSTs jobs to the sandbox drop service and HTTPS-GETs results back. The sandbox has no IP, hostname, or credential for any production machine. If the sandbox is compromised, the blast radius stops at three rotatable vendor API keys.

02Production intake is AI-free

Stages 1–5 — Health, Map, Detect, Triage, Select — are deterministic code. No models are called. Enforced three ways.

The intake pipeline runs five stages against — tracked bodies across — jurisdictions, and every stage is plain code, not inference. No LLM SDK is installed on the production box. No model key exists on the production box. Every sift, dedupe and ranking decision is made by rules a developer can read.

The "no LLM keys on production intake" rule is enforced by three independent layers so the prohibition survives human error:

• Pre-commit hook — developer machine. Blocks any commit that adds an LLM SDK import to the intake stages.
• CI gate — every push to the production repository. Fails the build if any Stage 1–5 module imports anthropic, google.generativeai, or any sibling.
• Weekly launchd scan — drift catcher. Greps the deployed tree on a schedule and alerts on any appearance, so even a hand-edit after deploy is caught.

This three-layer enforcement is why we can tell an in-house counsel, without hedging: the pipeline that selects which stories you see runs no AI.

03The sandbox VPS

Where models are allowed to run. Hetzner CX23 in Nuremberg, surrounded by walls.

Everything that requires a language model — Stage 6 claim extraction, the two judges, draft alert composition — runs only inside a single dedicated virtual server.

Vendor keys sit in /etc/pai-sandbox/vendors.env at mode 600. The VPS holds a bearer token for its own HTTPS drop endpoint and nothing else outbound-facing. There is no Airtable token on the box. There is no GitHub, Cloudflare, or AWS credential. There is no SSH key configured for any other machine.

nftables enforces a default-deny egress policy. Outbound HTTPS is permitted only to the three vendor API hostnames plus Let's Encrypt's ACME endpoint for cert renewal. DNS is pinned to 1.1.1.1. Everything else times out at the kernel — a compromised process cannot reach an exfil destination that isn't one of four whitelisted hosts.

04The three judges

Three independent model families. Decorrelated errors. All reason from bundled documents, never from training recall.

Stage 6 is structured as one extractor plus two independent judges — three different model families, so a fabrication that slips past one is unlikely to slip past the other two.

Judges reason from documents, not training recall. Sonnet and Sonar are prompted to reason only from the source documents bundled into each job. They must not rely on their training-data memory of the regulation, authority or prior cases. A claim requiring context that isn't in the bundled sources returns "weak — insufficient context" rather than a speculative verdict.

05The deterministic validator

The gate that makes the model's output safe to trust. Written in code, not in a prompt.

Whatever the three models return is treated as untrusted input until it passes a validator running on the production side. The validator is code, deterministic, and auditable.

• Verbatim evidence. Every claim's evidence_snippet is checked against the source bytes held on production. If it isn't a verbatim substring, the claim is rejected outright.
• Source integrity. Source bytes are re-hashed after the round-trip and compared to the hash dispatched with the job. Any drift fails the claim.
• Verdict allowlist. Judge verdicts must come from a known judge-ID allowlist. Unknown signers are discarded.
• Shape and bounds. JSON shape, character bounds and field types are checked before any downstream use.

Only claims that clear this validator reach Airtable. Nothing the sandbox returns is trusted to be safe HTML, safe JSON, or even truthful. Source: src/stage6_validator.py, 23 tests.

06Six properties of the sandbox

The sandbox contract. Six rules the VPS must keep, in addition to the hard rules in §08.

• Plain completions only. No function calling, no tools, no code execution, no web browsing, no file_search, no computer-use. Each model call is text in, JSON text out. Vendor SDK calls are audited to confirm tools is empty.
• No production credentials inside the sandbox. The VPS holds only vendor API keys and its own drop-token. No Airtable token, no GitHub credential, no Cloudflare credential, no SSH key, no AWS key.
• One process per call. Each invocation is a fresh Python subprocess: read one input file, make one API call, write one output file, exit. No long-lived agent, no daemon holding state, no shared interpreter.
• nftables egress allowlist. Outbound traffic is dropped by default. Allowed: HTTPS to the three vendor API hosts plus Let's Encrypt's ACME endpoint.
• Production pulls; sandbox cannot push. Communication is one-way at the network layer: production HTTPS-POSTs jobs and HTTPS-GETs results. The sandbox has no path back in.
• Output is treated as untrusted input. The deterministic validator on the production side is the gate. Nothing the sandbox returns is trusted on face value.

07The publish chain

The AI helps build the platform but cannot publish to it. Two barriers — one structural, one a hard operating rule.

The live member-facing site is served by Cloudflare Pages (project pai-platform, custom domain app.principlesai.org). The Pages project has no Git auto-build wired in — it accepts uploads only via wrangler pages deploy, run interactively on the controller's workstation against an OAuth session tied to his personal Cloudflare account. The AI assistant holds no Cloudflare API token, no Cloudflare account password, and no separate wrangler session of its own. The OAuth refresh token on disk is the controller's, not the AI's.

On top of that structural absence, a hard operating rule forbids the AI from invoking the wrangler binary at all. Even when the AI prepares a deploy-ready change, the AI prints the command and stops; the controller types it. There is no auto-pilot mode where the AI can publish.

A second repository, DaveLong38/pai, exists for the next-generation Next.js member surface. The AI's GitHub account has no push access to it — every attempt returns Repository not found. When that codebase becomes the live publish path, it will be wired through the same controller-only chokepoint.

The result: no AI can publish. Every item that reaches the member site has been staged for review by a human, approved twice (Stage 5 Select and post-Stage-7 editorial review), and uploaded to Cloudflare by the controller.

08Hard rules, no exceptions

The specific commitments we can't loosen without rebuilding the architecture. Listed so they can be audited.

• No LLM keys on the production intake box. Stages 1–5 run with zero LLM SDK imports. Verified by grep at deploy.
• No production credentials inside the sandbox VPS. The sandbox holds vendor API keys only. No Airtable token, no SSH key, no GitHub credential, no Cloudflare credential.
• No tools, no function calling, no web browsing, no code exec in any LLM call. Plain text completions only, audited at deploy. Perplexity Sonar's built-in web search is the single declared exception, scoped to Judge B only.
• Judges reason from documents, not training data. Sonnet and Sonar are prompted to reason only from the source documents bundled into each job.
• One process per call. Each LLM invocation is a fresh Python process: read one file, call one API, write one file, exit.
• Default-deny egress on the sandbox. nftables allowlist of three vendor hosts plus Let's Encrypt only.
• Sandbox cannot push to production. Communication is one-way: production-initiated only.
• Deterministic validator on every LLM output. Claims must carry a verbatim evidence snippet; verdicts must come from the judge-ID allowlist; source bytes are re-hashed after return.
• Two human gates. Stage 5 Select and post-Stage-7 editorial review. Every published item is approved twice.
• No AI can publish. The live site is uploaded only by the controller running wrangler pages deploy on his own workstation. The AI holds no Cloudflare API token and is forbidden by hard rule from invoking wrangler.

09Known gaps

Honest about what the architecture doesn't yet cover.

The two-domain design is operational end-to-end. A real Gemini + Sonnet + Sonar round-trip was demonstrated on 2026-04-17 with the fabrication-catching behaviour working as designed. Two gaps remain in scope for the next phase:

• Single-operator break-glass risk. Vendor API keys are held by a single key-holder (the controller). There is no break-glass operator today. A documented key-rotation and sandbox-flush playbook is queued.
• No external penetration test of the sandbox VPS. Commissioned once the sandbox has processed ~100 real stories, so the pentest target reflects production behaviour.

Residual risks we accept and monitor:

• Vendor API breach — data sent in prompts could leak. No PII is ever sent; only published-source text.
• Model fabrication that happens to match a verbatim source substring (rare; the second judge catches).
• VPS provider compromise — limited blast radius: vendor keys rotatable, no production access.
• Subtle factual errors that pass extractor + both judges + controller review. Corrections are issued on the alert itself, any briefing it appeared in, and the permanent claims ledger.

10Where your account data lives

Your account data is on a different machine from the one that runs the models. EU residency by default.

The PrinciplesAI application is hosted on DigitalOcean in Amsterdam (Netherlands, inside the EEA). The Airtable data layer — the editorial Content base, Lists, member preferences and the Claims Ledger — is hosted by Airtable in the United States. The Airtable transfer is governed by Standard Contractual Clauses.

Member content is never sent to the sandbox VPS. The sandbox only sees public regulatory source text: DPA press releases, court judgments, gazette notices. Your saved items, lists, annotations, searches and support correspondence stay in the account-data layer and are never part of an LLM prompt.

Backups are taken as on-demand snapshots before major changes, encrypted at rest under the hosting provider's default block-storage encryption, and held in a separate region from production. Access is restricted to the controller's authenticated session.

For organisations whose internal policy requires no US sub-processors in the data path, a single-tenant European deployment is available on request as part of an enterprise engagement, with a 6–8 week provisioning lead time.

11Sub-processors

Every sub-processor, what they do, where they sit, and what they touch. 30-day notice on any change.

The table below is the complete sub-processor register across both principlesai.org (public site) and app.principlesai.org (platform). Material changes are notified to active members at least 30 days in advance, with the opportunity to object.

12How AI sits under the Act

Our posture under the EU AI Act and under Article 35 of the GDPR.

PrinciplesAI is a deployer of third-party general-purpose AI systems, not a provider of AI models. The GPAI provider obligations in Articles 51–55 of the EU AI Act sit with the model providers, not with us.

Our use of AI falls into two tiers under the Act:

• Limited risk — source distillation, which generates synthetic text for published alerts. This triggers Article 50 transparency. AI-drafted alerts will carry an "AI-drafted" badge from 2 August 2026, when the Article 50 obligation takes effect. We rely on the editorial-control exception in Art. 50(2) because every alert is produced inside a controller-authored editorial framework and approved twice before publication.
• Minimal risk — pipeline scoring, tag classification, structured-field extraction, the three-judge claims checker (internal quality gate, not user-facing), and tip-source detection. No Act obligations beyond voluntary codes.

PrinciplesAI does not operate any AI system in the Annex III high-risk categories and does not operate any prohibited use under Article 5.

Under the GDPR, we have assessed whether an Article 35 DPIA is required and concluded it is not. We do not process special-category personal data, we do not engage in systematic monitoring of natural persons, and we do not perform large-scale evaluation of natural persons including profiling. The assessment is documented internally and available to a supervisory authority on request.

All three model providers retain API inputs and outputs for a limited window (typically up to 30 days) for abuse detection and then delete them. None are contractually permitted to use API content to train their models. Member personal data is never sent through any of these APIs.

13Member rights

All of them, not just the ones we like.

You have the full set of rights under Articles 15–22 of the GDPR:

• Access (Art. 15) — a copy of the personal data we hold on you.
• Rectification (Art. 16) — correction of inaccurate data.
• Erasure (Art. 17) — deletion of your data, subject to narrowly scoped legal retention obligations.
• Restriction (Art. 18) — stop processing while a question is being resolved.
• Portability (Art. 20) — a machine-readable export of your data.
• Objection (Art. 21) — object to any processing based on legitimate interest.
• Not subject to automated decision-making (Art. 22) — no decision producing legal effects is made about you by automated means without human review.

Exercise any of these by writing to privacy@principlesai.org. We commit to the GDPR statutory maximum of one month, and aim to respond faster in practice.

Retention at a glance:

14Security & incidents

Specifics, not certifications. Honest about what a sole-trader operation can and cannot promise today.

Encryption. TLS 1.3 in transit. DigitalOcean block storage is encrypted at rest by default. Airtable encrypts member data at rest under its own data-protection commitments.

Access control. PrinciplesAI is operated by a single founder — the controller holds the only production credential. No shared password. All administrative actions on the hosting platform are logged through the provider's audit log.

Incident response. Confirmed personal-data incidents are reported to affected members and to the Agencia Española de Protección de Datos (AEPD) within the 72-hour window required by Article 33 GDPR. As a sole-trader operation, the controller is the incident responder.

Correction notices. When a factual error reaches publication, a correction is issued on the alert itself, on any briefing the alert appeared in, and on the permanent claims ledger. We do not silently edit.

Honest gaps. PrinciplesAI does not currently hold a SOC 2 or ISO 27001 certification. No annual external penetration test on the account-data side. No 24/7 SOC. Two-factor authentication is not yet a member option. These sit on the roadmap before the first enterprise-tier engagement and will be named on this page only when they exist.

15Contact & changes

Direct line to the controller. 30-day notice on any material change to this page.

Controller. PrinciplesAI is operated by David Longford, established as a sole trader (autónomo) at 18 Avenida Oceano Atlántico, Albolote, Spain. Privacy, trust and data-protection questions go to privacy@principlesai.org. No ticket queue, no support bot — the mailbox is monitored personally.

DPO. PrinciplesAI is below the Article 37 GDPR threshold that mandates a DPO, so none is appointed. If that changes, this page will be updated and the DPO registered with the AEPD.

Supervisory authority. The lead authority is the Agencia Española de Protección de Datos (AEPD). Every member retains the right to lodge a complaint with their own national data-protection authority instead. www.aepd.es.

Changes to this page. Material changes — anything that affects how member data is processed, who can access it, where it is stored, or what rights members have — will be notified to active members by email at least 30 days in advance.

16Cookies

Two categories, both named. Strictly necessary runs without asking. Everything else waits for your consent.

Strictly necessary. Cloudflare sets _cfuvid and cf_clearance to protect the site against bots and abuse. These load before any consent prompt because the site cannot serve pages without them. They carry no identifier we can read and no behavioural profile.

Marketing — consent-gated. If you accept the marketing category on the Cookiebot banner, Crisp loads to power the chat widget on the public marketing site. Crisp sets a small number of first-party cookies so a returning visitor keeps their chat history. Crisp is hosted in Paris, France. Nothing marketing-category loads on app.principlesai.org — the member app carries no chat widget and no tracking.

No analytics, no advertising cookies. PrinciplesAI runs no Google Analytics, no Mixpanel, no Facebook Pixel, no LinkedIn Insight, no Hotjar, no session replay. Aggregate page-view counts are captured by a self-hosted Plausible instance (Hetzner, Germany) that does not set cookies at all, alongside a self-hosted GlitchTip error tracker — neither places a cookie on your browser.

Consent record. Cookiebot (Cybot A/S, Copenhagen, Denmark) stores your consent choice in its own cookie so the banner does not reappear on every page. The consent record is retained for 12 months and then refreshed — so you are asked again at least once a year.

Change your mind. Click the small Cookiebot icon fixed to the bottom-left of any marketing page to reopen the banner and change or withdraw any category. Withdrawal takes effect on the next page load; already-set cookies in withdrawn categories are cleared by the browser within the hour.

Authenticated app. app.principlesai.org sets only the session cookies Clerk requires to keep you logged in. No analytics, no marketing, no chat — and therefore no banner.