Privacy Architecture


Confidential documents — PhD applications, personnel files, unpublished manuscripts — cannot pass through cloud APIs, but the best reasoning models live there. The solution is architectural, not procedural: local inference by default, entity-aware anonymization for calibration, and audit for verification. Privacy is a constraint that shapes system design, not a policy that agents follow.

# The problem

HAAK handles confidential material routinely: reviewing PhD applications (INDP admissions), assessing grant proposals, reading unpublished manuscripts under review. This material cannot be transmitted to cloud APIs — not because of a policy preference, but because of legal and ethical obligations to the people whose work and identities are in those documents.

At the same time, the most capable models (Claude, GPT-4, Gemini) are cloud services. A system that restricts itself to local models sacrifices capability. A system that sends everything to the cloud violates confidentiality. Neither extreme is acceptable.

# The architectural solution

Three layers, each providing a different tradeoff:

## Layer 1: Local inference (default)

All document processing runs locally via Ollama, so no network traffic is involved. The model sees the full document, but the document never leaves the machine.

  • Models: Qwen, DeepSeek, Llama, Phi — whatever runs on available hardware
  • Capability: Adequate for structured tasks (extraction, classification, initial assessment)
  • Limitation: Cannot match cloud model quality for nuanced reasoning
  • When to use: Always, for any confidential material

## Layer 2: Entity-aware anonymization (calibration)

When cloud model quality is needed for comparison or calibration, documents are anonymized before transmission:

  • Entity recognition: Names, institutions, specific identifiable details
  • Cross-document consistency: The same entity maps to the same pseudonym across all documents in a batch — "Dr. Smith" becomes "Dr. Elm" everywhere, preserving relational structure
  • Consistent hashing: Deterministic mapping so the same input always produces the same pseudonym, enabling cross-session consistency
  • What's preserved: Argument structure, technical content, logical relationships
  • What's removed: All personally identifiable information

The anonymized document can be sent to cloud APIs. The response is de-anonymized locally.

## Layer 3: Audit (verification)

After any anonymization pass, an audit agent verifies that no identifying information leaked through:

  • Scans the anonymized output for entity remnants
  • Checks that pseudonyms are consistent
  • Reports any PII that survived the anonymization pass
  • The audit itself runs locally
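Layers 2 and 3 together, as an added example that is not HAAK's own code: a deterministic, HMAC-keyed pseudonym map (the consistent hashing described above), an audit that runs inside the anonymization pipeline rather than as an optional step, and a cloud gateway that accepts only audited output, which is the structural rather than behavioral guarantee this page argues for. The entity list, the local secret, the names and the simulated cloud reply are all constructed, and the example assumes an entity-recognition step has already produced the entity dictionary.

```python
import hmac
import re
from dataclasses import dataclass

# Constructed local secret: it stays on the machine and keys every pseudonym.
LOCAL_SECRET = b"example-local-secret-do-not-share"

def _pattern(surface: str) -> re.Pattern:
    """Match an identifier only as a whole token, case-insensitively."""
    return re.compile(r"(?<!\w)" + re.escape(surface) + r"(?!\w)", re.IGNORECASE)

def pseudonym(entity: str, kind: str, secret: bytes = LOCAL_SECRET) -> str:
    """HMAC over the normalized entity: same input, same pseudonym, every session."""
    digest = hmac.new(secret, entity.strip().lower().encode(), "sha256").hexdigest()
    return f"{kind}_{digest[:8]}"

@dataclass(frozen=True)
class AnonymizedDocument:
    """Produced only by anonymize(); the cloud gateway accepts nothing else."""
    text: str
    mapping: dict  # pseudonym -> original entity, kept local for de-anonymization

def audit(text: str, known_identifiers) -> list:
    """Layer 3: report every known identifier that survived anonymization."""
    return [k for k in known_identifiers if _pattern(k).search(text)]

def anonymize(text: str, entities: dict, extra_identifiers=()) -> AnonymizedDocument:
    """Layer 2: replace entities longest-first ('Dr. Jane Smith' before 'Smith'), then
    audit automatically; extra_identifiers are forms the recognizer may have missed."""
    mapping = {}
    for entity in sorted(entities, key=len, reverse=True):
        alias = pseudonym(entity, entities[entity])
        mapping[alias] = entity
        text = _pattern(entity).sub(alias, text)
    leaked = audit(text, list(entities) + list(extra_identifiers))
    if leaked:
        raise ValueError(f"audit failed, PII survived anonymization: {leaked}")
    return AnonymizedDocument(text, mapping)

def deanonymize(response: str, doc: AnonymizedDocument) -> str:
    """Map pseudonyms in the cloud reply back to the real entities, locally."""
    for alias, entity in doc.mapping.items():
        response = response.replace(alias, entity)
    return response

def send_to_cloud(doc: AnonymizedDocument) -> str:
    """The only path to a cloud API; raw text is rejected. The call is simulated."""
    if not isinstance(doc, AnonymizedDocument):
        raise TypeError("cloud gateway accepts AnonymizedDocument only")
    return "Comparable candidates: " + ", ".join(doc.mapping)  # constructed reply
```

Because the pseudonym is keyed by a secret that never leaves the machine, a cloud provider holding many anonymized batches still cannot link the pseudonyms back to people without that secret.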

# Why architecture, not policy

A policy-based approach ("agents must not send confidential documents to cloud APIs") is fragile. It depends on every agent, every skill, every workflow respecting the policy at every invocation. One missed case — a search that accidentally includes a confidential document in context, a skill that calls a cloud API without checking — and the confidentiality guarantee fails.

An architectural approach makes the guarantee structural:

  • Local inference is the default path. Cloud APIs require explicit opt-in.
  • Anonymization is a gateway — documents pass through it before any cloud transmission.
  • Audit is automatic — not a step the agent chooses to run, but a verification that runs as part of the anonymization pipeline.

The policy still exists (Constitution §6). But the architecture ensures compliance is structural rather than behavioral. An agent cannot accidentally send confidential material to the cloud because the pathway doesn't exist without explicit anonymization.

# Practical application

Built and tested during the INDP 2026 admissions cycle:

  • 30+ PhD applications reviewed locally
  • Cross-candidate comparison via anonymized cloud passes
  • Zero confidentiality incidents
  • Quality calibration: local-only reviews vs. anonymized-cloud reviews showed convergent assessments on rank-order, with cloud adding nuance on borderline cases

# Connection to externalization

The privacy architecture creates a tension with externalization (foundation 05): externalization says "write everything to disk"; privacy says "some things cannot leave the machine." The resolution is that externalization is about local persistence — writing to the file system, not to the cloud. All outputs remain on disk, reviewable and auditable, without ever traversing a network boundary.

# Constitutional implications

This foundation grounds one constitutional requirement:

Privacy and confidentiality (Constitution §6): "Confidential material never leaves the local machine without anonymization. Privacy is architectural — local by default, anonymization for calibration, audit for verification."

haak · foundation · 2026-02-24 · zach + claude

Foundations 10 — Privacy Architecture — 2026 — Zachary F. Mainen / HAAK