The Thesis
Institutional safety requires deep visibility. Human privacy requires absolute discretion. For two decades, enterprise security programmes have treated these mandates as a trade-off to negotiate. We treat them as a system to engineer.
Third Rail Systems OÜ is the minimum-disclosure compliance layer for enterprise travel risk. We materially decouple risk intelligence from human identity, so that fulfilling your duty-of-care obligation toward marginalised employees stops being the thing that creates your worst GDPR liability.
The Catch-22
ISO 31030 made it unambiguous: organisations must take reasonable steps to provide localised mitigations for marginalised travellers, including LGBTQ+, disabled, and neurodivergent cohorts, whose risk profile diverges sharply from the generic average. That is the duty-of-care mandate.
GDPR Article 9 made the opposite unambiguous: centrally collecting, processing, or inferring demographic identity is a special-category data operation that most enterprises are structurally unequipped to justify on lawful-basis grounds. That is the privacy liability.
The result is a compliance catch-22. Programmes that honour ISO 31030 tend to accumulate a toxic, regulated data lake. Programmes that respect GDPR tend to issue generic-average risk dossiers that fail the very people ISO 31030 was written for.
Earned Secrets
Third Rail Systems was founded on earned, not inherited, operational truths.
Our CEO, Levi Hankins, served 20 years as a US Navy combat veteran and served the bulk of that career under "Don't Ask, Don't Tell." He has first-hand, deployed experience of what happens when institutional safety systems cannot safely see the people they are meant to protect. That is not a case study for us. It is the starting point of the company.
Our CTO, Jeremy Stabile, is a SecOps and GRC architecture expert with multinational enterprise experience. He has spent years watching enterprise programmes buckle under the weight of data they should never have centralised in the first place.
The Architecture
Our architecture is built on a single contract: identity-bearing inputs never leave the traveller's device. Everything else follows from that one constraint. A stateless, multi-agent deliberation engine processes a traveller's traits in transient memory and writes none of them to a database.
The traveller's profile is encrypted locally. Special-category data never enters your HRIS.
The system cross-references destinations against local penal codes without centrally logging demographic inputs.
Your Global Travel Risk team receives a sanitised, actionable mitigation plan. You get the audit trail; your DPO avoids the data.
This is a deliberate inversion of the industry default. Most travel-risk platforms collect more identity data to produce more specific output. We produce more specific output by collecting less identity data, and by refusing to retain any of it at the synthesis layer.
Governance Posture
Every architectural decision maps cleanly to a defensible compliance artefact.
Proudly registered in Tallinn, Estonia, ensuring a strict European corporate footprint outside direct US jurisdiction. The Estonia advantage is not branding; it is part of the defensive posture.
The Pilot
We run paid, time-boxed enterprise pilots, typically 4 to 6 weeks, that require zero API integration with your HRIS. That is not a convenience feature; it is a statement about the architecture. If our system needed your HRIS, we would have already failed the thesis.
The pilot produces three artefacts: a signed architecture fit-assessment, a sample Safety Dossier for a live destination, and a compliance binder your DPO can actually file.
Hand it to your DPO, ERG lead, or Global Travel Risk team. Pre-filled subject and pitch.
Third Rail Systems OÜ · Tallinn, Estonia · EU-Native
Further reading: the Exposure series
Three essays on the same architectural principle, viewed through different lenses: data lifespan, platform dependency, and the unequal distribution of exposure itself.
- Part OneNothing happened, and that was the point
Y2K was a fix delivered on time. The durable answer is collecting less.
- Part TwoThe Switch Someone Else Holds
Dependency is the vulnerability. Sovereignty is architectural, not geographic.
- Part ThreeExposure Is Not Democratic
Collected data lands hardest on the most exposed. The capstone of the trilogy.