Zero-Knowledge Architecture
A zero-knowledge architecture for anonymous baselining — designed to reveal patterns, not identities.
What "Zero-Knowledge" Means on Rilev
Rilev's "Zero-Knowledge Architecture" means Rilev does not have your real-world identity, cannot link your account to your data, cannot read your raw answers, cannot recover your private key, and cannot attribute individual results to you.
Five distinct properties, working alongside Rilev's two-layer anonymity architecture.
Zero Knowledge of Identity
Rilev does not collect or store your real-world identity. No name, email, phone number, or any other personal identifier is required or stored. We do not log your IP address — it is transiently hashed in memory for rate limiting and immediately discarded. We do not fingerprint your device. This is also Layer 1 of Rilev's anonymity architecture: your account is anonymous from the moment it is created.
What this means in practice
To be precise
Third-party infrastructure providers (hosting, payment processors, app stores) process their own standard metadata under their own privacy policies. This claim describes what Rilev — our code, our database, our team — knows.
Zero Knowledge of Linkability
Your account and your assessment data are stored in completely separate locations. There is no persistent readable link between them — your private key is the only bridge. This is also Layer 2 of Rilev's anonymity architecture: without that key, there is no readable ownership graph connecting results to an account.
What this means in practice
To be precise
During authentication, your device derives purpose-specific cryptographic keys from your private key using industry-standard key derivation (HKDF). Only these derived keys are sent to the server — the raw private key never leaves your browser. The server uses one derived key for account lookup and another for identity verification. A third derived key, which never reaches the server, is used by your browser to encrypt and decrypt the link to your data.
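The derivation described above, modelled in Python as an added example (not Rilev's code): HKDF-SHA256 per RFC 5869 splits one private key into three purpose-bound keys, and only two of them reach the server. The purpose labels, the `Server` class and the choice to store a hash of the verification key are assumptions; the link key's encryption step is not shown.

```python
import hashlib
import hmac

def hkdf_sha256(ikm, info, length=32, salt=b""):
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# Purpose labels are assumptions for this sketch; the page does not name them.
PURPOSES = {
    "lookup": b"example/account-lookup",
    "verify": b"example/identity-verification",
    "link": b"example/data-link-encryption",
}

def derive_client_keys(private_key):
    """Runs on the device: one independent 32-byte key per purpose."""
    return {name: hkdf_sha256(private_key, info) for name, info in PURPOSES.items()}

def login_request(private_key):
    """What leaves the device: two derived keys, never the private key or link key."""
    keys = derive_client_keys(private_key)
    return {"lookup": keys["lookup"].hex(), "verify": keys["verify"].hex()}

class Server:
    """Hypothetical server: indexes accounts by lookup key, keeps a hash of the verify key."""
    def __init__(self):
        self.accounts = {}

    def register(self, request):
        verifier = hashlib.sha256(bytes.fromhex(request["verify"])).digest()
        self.accounts[request["lookup"]] = verifier

    def authenticate(self, request):
        stored = self.accounts.get(request["lookup"])
        if stored is None:
            return False
        presented = hashlib.sha256(bytes.fromhex(request["verify"])).digest()
        return hmac.compare_digest(stored, presented)  # constant-time comparison

if __name__ == "__main__":
    server, req = Server(), login_request(bytes(range(32)))  # constructed sample key
    server.register(req)
    print(server.authenticate(req), sorted(req))
```

Because each key is bound to its own `info` label, a server that holds the lookup and verification keys cannot compute the link key from them.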
Zero Knowledge of Raw Answers
Raw answers never leave your device. Only aggregated scale scores reach the server. Rilev never sees how you answered any specific question.
What this means in practice
To be precise
The server stores aggregated scale scores (e.g., 'Depression severity: moderate'). It does not store individual question responses (e.g., 'Feeling like a failure: Nearly every day').
Stored: "Depression severity: 14/27 (moderate)"
Not stored: "Feeling like a failure: Nearly every day"
Zero-Knowledge Key Recovery
If you lose your private key, recovery is possible only if you enabled it in advance. Recovery requires your Recovery ID, your Authenticator app, and your security answers. Rilev does not store those original factors — only a one-way verification record.
What this means in practice
To be precise
Recovery is optional and user-initiated. When enabled, Rilev stores only a one-way verification record derived from your recovery factors. That record lets us verify a valid recovery attempt, but it cannot reveal the factors themselves. The original Recovery ID, Authenticator factor, and security answers remain with you.
Zero-Knowledge Telemetry
Rilev Enterprise reveals workforce patterns without exposing individual employees. Anonymous scores are converted into group-level metrics only, with minimum group thresholds designed to prevent re-identification.
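An added sketch (not Rilev's code) of the data flow described under Zero Knowledge of Raw Answers and Zero-Knowledge Telemetry: item answers are summed on the device, only the scale score is submitted, and group reports are suppressed below a minimum size. The threshold of 10, the group labels and all function names are assumptions; the bands are the standard PHQ-9 cut-offs.

```python
from collections import Counter

# Standard PHQ-9 severity bands as (lowest total, label); totals range 0-27.
BANDS = [(0, "minimal"), (5, "mild"), (10, "moderate"),
         (15, "moderately severe"), (20, "severe")]
MIN_GROUP_SIZE = 10  # assumed value; the page does not state its threshold

def band_for(total):
    """Return the label of the highest band whose floor the total reaches."""
    label = BANDS[0][1]
    for floor, name in BANDS:
        if total >= floor:
            label = name
    return label

def score_on_device(item_answers):
    """Client side: nine answers (0-3 each) are summed locally; only the sum leaves."""
    if len(item_answers) != 9 or any(a not in (0, 1, 2, 3) for a in item_answers):
        raise ValueError("PHQ-9 needs nine answers in the range 0..3")
    total = sum(item_answers)
    return {"scale": "PHQ-9", "total": total, "band": band_for(total)}

def group_report(submissions, min_group_size=MIN_GROUP_SIZE):
    """Server side: per-group band percentages, withheld for groups below the threshold.

    submissions is a list of (group_label, payload) pairs; how a payload is
    tagged with a group is an assumption of this sketch.
    """
    by_group = {}
    for group, payload in submissions:
        by_group.setdefault(group, Counter())[payload["band"]] += 1
    report = {}
    for group, counts in by_group.items():
        n = sum(counts.values())
        if n < min_group_size:
            report[group] = {"suppressed": True}  # too few people to publish
        else:
            pct = {band: round(100 * c / n) for band, c in counts.items()}
            report[group] = {"n": n, "pct": pct}
    return report
```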
What organizations get
To be precise
Organizations can see group-level signals like '42% of this workforce shows moderate stress.' They cannot see individual-level results like 'John in accounting scored 18 on PHQ-9.'
Visible to organizations: "42% of this workforce shows moderate stress"
Not visible to organizations: "John in accounting scored 18 on PHQ-9"
Five Properties, One Architecture
Each property is independently enforced. Breaking one does not break the others.
| Property | Protects Against | Mechanism |
|---|---|---|
| Identity | Rilev knowing who you are | No PII collected — accounts are de-identified |
| Linkability | Connecting account → data | No persistent link — private key is the only bridge |
| Raw Answers | Seeing individual responses | Client-side scoring, aggregated scores only |
| Key Recovery | Accessing your account | Recovery factors live only on your phone and in your memory |
| Telemetry | Orgs seeing individual data | Aggregation-only pipeline, min thresholds |
What Zero-Knowledge Does Not Mean
Precision matters. Here is what our architecture does — and does not — claim.
Not a cryptographic zero-knowledge proof
Rilev is not using formal cryptographic proof systems. Here, "zero-knowledge" describes an architectural privacy model: Rilev does not have the information needed to identify you, link your account to your data, read your raw answers, or recover your key.
Third-party infrastructure still exists
Payment processors, app stores, hosting providers, and other service providers operate under their own privacy and logging policies. Rilev’s zero-knowledge claim describes what Rilev can know — not what every infrastructure layer on the internet can observe.
The server still processes anonymous data
The server still handles requests, stores aggregated scores, and generates reports. Zero-knowledge does not mean zero processing. It means Rilev cannot connect that processing to your real-world identity.
The Bottom Line
We can't identify you — because we never collected your real-world identity.
We can't link your account to your data — because only your private key can resolve the connection.
We can't read your raw answers — because they never leave your device.
We can't restore access on your behalf. If enabled in advance, zero-knowledge recovery can only be completed by you.
For enterprise clients, we can't expose individual results to employers — because the enterprise pipeline outputs aggregates only.
