The Strategic Memo

Back to thirdrailsystems.ee
MEMO · 2026Strategic

The Strategic Memo: Resolving the ISO 31030 Catch-22.

A founding-team paper on why duty-of-care and GDPR collide, and how a minimum-disclosure architecture makes that collision obsolete.

Tallinn, Estonia7-minute readv1.0 · founding team
I

The Thesis

Institutional safety requires deep visibility. Human privacy requires absolute discretion. For two decades, enterprise security programmes have treated these mandates as a trade-off to negotiate. We treat them as a system to engineer.

Third Rail Systems OÜ is the minimum-disclosure compliance layer for enterprise travel risk. We materially decouple risk intelligence from human identity, so that fulfilling your duty-of-care obligation toward marginalised employees stops being the thing that creates your worst GDPR liability.

Thesis in one line
Institutional safety and human privacy are not in tension. They are in the wrong place on the stack. Move identity off-device and the tension dissolves.
II

The Catch-22

ISO 31030 made it unambiguous: organisations must take reasonable steps to provide localised mitigations for marginalised travellers, including LGBTQ+, disabled, and neurodivergent cohorts, whose risk profile diverges sharply from the generic average. That is the duty-of-care mandate.

GDPR Article 9 made the opposite unambiguous: centrally collecting, processing, or inferring demographic identity is a special-category data operation that most enterprises are structurally unequipped to justify on lawful-basis grounds. That is the privacy liability.

The result is a compliance catch-22. Programmes that honour ISO 31030 tend to accumulate a toxic, regulated data lake. Programmes that respect GDPR tend to issue generic-average risk dossiers that fail the very people ISO 31030 was written for.

The "Shadow HR" failure mode
Well-intentioned teams, blocked by the official stack, end up tracking vulnerable travellers on informal spreadsheets. The enterprise now carries every risk of the toxic data lake and none of its audit-grade protections.
III

Earned Secrets

Third Rail Systems was founded on earned, not inherited, operational truths.

Our CEO, Levi Hankins, served 20 years as a US Navy combat veteran and served the bulk of that career under "Don't Ask, Don't Tell." He has first-hand, deployed experience of what happens when institutional safety systems cannot safely see the people they are meant to protect. That is not a case study for us. It is the starting point of the company.

Our CTO, Jeremy Stabile, is a SecOps and GRC architecture expert with multinational enterprise experience. He has spent years watching enterprise programmes buckle under the weight of data they should never have centralised in the first place.

Why this matters commercially
Enterprises buy from founders who have stood on the other side of the problem, and from architectures designed by engineers who have watched the legacy pattern fail from the inside. Our thesis is not borrowed from a pitch deck. It was paid for in career risk and in years of enterprise GRC delivery.
IV

The Architecture

Our architecture is built on a single contract: identity-bearing inputs never leave the traveller's device. Everything else follows from that one constraint. A stateless, multi-agent deliberation engine processes a traveller's traits in transient memory and writes none of them to a database.

On-Device Processing

The traveller's profile is encrypted locally. Special-category data never enters your HRIS.

Stateless Threat Synthesis

The system cross-references destinations against local penal codes without centrally logging demographic inputs.

Safety Dossier

Your Global Travel Risk team receives a sanitised, actionable mitigation plan. You get the audit trail; your DPO avoids the data.

This is a deliberate inversion of the industry default. Most travel-risk platforms collect more identity data to produce more specific output. We produce more specific output by collecting less identity data, and by refusing to retain any of it at the synthesis layer.

Independently evidenced
Third Rail Systems OÜ has been evidenced at Innovation Readiness Level 5 under the KTH Royal Institute of Technology Innovation Readiness Level (IRL) framework. The core stateless synthesis logic has been fully engineered and evidenced against a sovereign 30-country risk database (ILGA, U.S. State Department, Wheelmap, TGEU), proving the stateless concept functions without persistent data storage.
V

Governance Posture

Every architectural decision maps cleanly to a defensible compliance artefact.

GDPR
We do not centralise "special-category data." The enterprise remains the Controller of standard itineraries; Third Rail acts as a Processor.
EU AI Act
Built to meet EU AI Act high-risk obligations, with mandatory human-in-the-loop oversight and immutable vector logging. Final classification under review with counsel.
ISO 31030
Verifiable, date-stamped evidence that the organisation assessed intersectional threats prior to deployment.

Proudly registered in Tallinn, Estonia, ensuring a strict European corporate footprint outside direct US jurisdiction. The Estonia advantage is not branding; it is part of the defensive posture.

VI

The Pilot

We run paid, time-boxed enterprise pilots, typically 4 to 6 weeks, that require zero API integration with your HRIS. That is not a convenience feature; it is a statement about the architecture. If our system needed your HRIS, we would have already failed the thesis.

The pilot produces three artefacts: a signed architecture fit-assessment, a sample Safety Dossier for a live destination, and a compliance binder your DPO can actually file.

Next step
20-minute architecture fit-call. No HRIS integration required.
Forward
Email this memo to a colleague

Hand it to your DPO, ERG lead, or Global Travel Risk team. Pre-filled subject and pitch.

Third Rail Systems OÜ · Tallinn, Estonia · EU-Native

Further reading: the Exposure series

v1.0 · Tallinn · EU-Native