
Zero-Knowledge Technical Guide

This is the crawler-friendly architectural version of the guide: it covers the key primitives, the data-plane model, and the trust boundary Rilev preserves elsewhere, without publishing private implementation details.

Capability token

Sensitive records are addressed by a random capability that is intentionally separate from ordinary account identity.

One-way ownership proof

The identity plane stores a one-way proof rather than the raw capability, so a readable ownership link is not persisted on the account record.

Plane separation

Identity metadata and assessment data live in different storage domains. Operational queries should not produce a normal identity-to-clinical-data join.

Route enforcement

Protected handlers prove session ownership before reading or writing data-plane resources.

Why this matters

The architecture is designed so that ordinary administrative or database workflows do not reveal a direct ownership graph between account identity and clinical content.

The same idea shapes the API layer: data-plane reads and writes should require both an active session and proof that the session owns the capability being exercised.
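The four primitives above, modelled end to end in an added example that is not Rilev's code: two in-memory dicts stand in for the identity and data planes, the one-way proof is assumed to be a SHA-256 of the 256-bit random capability, and the route check is a function every data-plane handler calls before it touches a record.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Two storage domains kept as separate dicts to model the plane split
# (constructed in-memory stand-ins, not real stores).
IDENTITY_PLANE: Dict[str, dict] = {}   # account_id -> identity metadata + one-way proof
DATA_PLANE: Dict[str, dict] = {}       # capability -> assessment records


def new_capability() -> str:
    """Random capability token, unrelated to any account identifier."""
    return secrets.token_urlsafe(32)


def ownership_proof(capability: str) -> str:
    """One-way proof of a capability (assumed SHA-256). A plain hash is adequate
    because the capability is fresh high-entropy randomness, not a guessable value."""
    return hashlib.sha256(capability.encode()).hexdigest()


def register_account(account_id: str, email: str) -> str:
    """Create the identity record and return the raw capability to the caller only.
    The identity plane keeps the proof, never the capability itself."""
    capability = new_capability()
    IDENTITY_PLANE[account_id] = {"email": email, "capability_proof": ownership_proof(capability)}
    return capability


def session_owns(session: Optional[dict], capability: str) -> bool:
    """Route enforcement: an active session must prove it owns the capability
    before any data-plane access is allowed."""
    if not session or "account_id" not in session:
        return False
    identity = IDENTITY_PLANE.get(session["account_id"])
    if identity is None:
        return False
    return hmac.compare_digest(ownership_proof(capability), identity["capability_proof"])


def write_assessment(session: Optional[dict], capability: str, record: dict) -> None:
    if not session_owns(session, capability):
        raise PermissionError("session does not own this capability")
    DATA_PLANE.setdefault(capability, {}).update(record)


def read_assessment(session: Optional[dict], capability: str) -> dict:
    if not session_owns(session, capability):
        raise PermissionError("session does not own this capability")
    return dict(DATA_PLANE.get(capability, {}))


def identity_plane_holds_raw_capability(capability: str) -> bool:
    """Defender's check: does any identity record persist the readable capability?"""
    return any(capability in str(v) for v in IDENTITY_PLANE.values())
```

A dump of IDENTITY_PLANE joined with DATA_PLANE on any stored column yields no rows, which is the property the "Why this matters" section describes.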
