Three guards.One ledger.

Policy PDFs, SOPs, and event-log extracts are parsed inside the customer enclave. No document bytes, no embeddings, and no model prompts ever cross the network boundary. ZAAP returns structured fields — never the raw source.

• 01On-prem OCR runtime; no external model calls during extraction
• 02Per-document sha256 captured at ingress and pinned to the audit ledger
• 03Field-level redaction for PII, PHI, and CJI before any downstream use
• 04Egress allowlist enforced at the network layer, not just in code

Every model output crosses a strongly-typed Pydantic schema before it enters the system. Unknown keys, malformed enums, and out-of-range numerics are rejected at the boundary with a recorded violation — not silently coerced into the database.

• 01Strict schema on every model output; unknown keys cause rejection
• 02Enums resolve against the LookupTable registry — never free text
• 03Numeric fields enforce min/max and unit; currency carries ISO 4217 code
• 04Every reject writes a typed violation to the audit ledger with the raw payload hash

Approvals, gate outcomes, evidence uploads, ROI updates, and incident triggers are written to an append-only ledger. Each entry is content-addressed by sha256 and linked to the prior entry, producing a tamper-evident chain per initiative.

• 01Append-only writes; updates produce a new entry, never a mutation
• 02sha256 per entry; prev-hash chain per initiative; verifiable on demand
• 03Linked artifacts (evidence, decisions, gate outcomes) carry their own hashes
• 04Re-Review Triggers and kill-switch events are first-class ledger entries