Does on-device processing create a device-management burden?
It removes one rather than adding one. Because the traveller's profile is encrypted on their own device and special-category data never enters the employer's systems, the employer's device estate is not carrying a new sensitive-data class that mobile device management must protect. Deployment reflects the same principle: pilots run time-boxed with no HRIS or API integration required, so the architecture can be evaluated without touching the systems it is designed to keep clean.
What happens when the edge goes offline?
The primary artefact is offline-first by construction: the traveller's dossier is generated before travel and carried on the device. For authority and credential freshness, our published position is that offline validity is a decay curve rather than a binary: full scope while fresh, narrower scope past declared thresholds, with the failure posture chosen in advance rather than left to whatever the code does unwatched. The limit is stated in the same essay that proposes the design: decay handles staleness, not sudden compromise, and any design claiming otherwise is hiding the interval rather than declaring it.
How fresh is the risk intelligence?
The risk layer is built from public, institutional instruments with published update cadences, and treating refresh as an architectural requirement is a documented design consequence: the underlying legal reality demonstrably moves in both directions, so a static jurisdiction table is wrong within a year. Cadence is documented per source, and each claim in our library carries its verification date. We do not pretend everything is real-time; we declare what is fresh and when it was checked, which is also how this website treats its own content.
Can the audit trail be re-identified?
The audit artefact contains no attributes to reverse. The bespoke dossier goes to the traveller; the organisation retains a trait-free, date-stamped proof that assessment occurred, with method and scope but no demographics and no risk-category residue. We take the aggregation problem seriously enough to cite its foundational literature ourselves: combinations of innocuous attributes are re-identifying, which is precisely why the module that synthesises the most attributes retains the fewest. Where population-level visibility is needed, techniques with mathematical guarantees for representation without individual exposure are established and cited.
Will data-protection teams block a novel architecture?
The pattern runs the other way in our experience of the problem, because this architecture removes a liability the data-protection function already carries rather than adding a system it must police. The informal records that accumulate under duty-of-care pressure are a documented regulatory exposure; an architecture in which the attribute is never centrally retained deletes that exposure at its source. For the questions a data protection officer will actually ask, the reference library exists so the diligence can start before the first conversation.
How is this different from travel risk management providers?
Established providers are strong at monitoring, assistance, and response, and this platform does not compete on that axis. The axis it occupies is the one the sector's own materials do not address: how to individualise protection for travellers whose characteristics change their risk, without building a register of those characteristics. The obligation comes from the travel risk management standard; the prohibition comes from data protection law; the gap between them is documented at length, with sources. Intelligence feeds from established providers are, structurally, the kind of input our risk layer consumes, which makes the relationship complementary rather than substitutive.
Who has independently validated this?
No one yet, and we will not imply otherwise. What exists today: a structured readiness assessment we performed ourselves against KTH Royal Institute of Technology's published IRL framework, with the evidence documented and the report public; a forty-claim source library that survived a hostile verification pass, with the corrections published rather than buried; and a public security page whose statements are checkable from your own browser. Independent scrutiny is what design-partner pilots and accelerator review exist to provide, and we would rather earn that description than borrow it. When our validation posture changes, this answer will change, with its date updated.