Three demands that cannot all be met at once
Organisations operating across multiple jurisdictions share documents with counterparties, regulators, and auditors as a routine part of business. Each time they do, three competing demands are in play.
Qatar's PDPPL, Saudi Arabia's PDPL, Malaysia's PDPA, and the EU's GDPR each impose constraints on where data can travel and how it must be handled. An organisation subject to multiple frameworks simultaneously faces regulatory requirements that pull in different directions.
- 01
Sovereignty
Data must remain under the governance of the jurisdiction in which it originated. Transferring data across borders may breach local data residency requirements under PDPPL, PDPL, or similar frameworks.
- 02
Utility
Business relationships require sharing information. A counterparty cannot conduct due diligence, a regulator cannot assess compliance, and an auditor cannot verify controls without access to relevant data.
- 03
Privacy
Documents contain far more than the specific facts a recipient needs. Sharing a full compliance report to prove one fact exposes all other facts in that report, most of which the recipient has no legitimate interest in receiving.
Why traditional approaches fail
Every conventional method for cross-border data sharing satisfies at most two of the three demands. The third is always sacrificed.
- 01
Full document transfer
Sovereignty + Privacy lost
Sending the complete document satisfies the utility requirement but transfers all data across the border and exposes all sensitive fields. Two out of three demands fail.
- 02
Data localisation
Utility lost
Keeping all data in the originating jurisdiction satisfies sovereignty and privacy requirements but prevents the business relationships that require shared information.
- 03
Manual redaction
Sovereignty risk remains
Redacting sensitive fields before sharing reduces privacy exposure but the underlying document still crosses jurisdictional boundaries. Sovereignty requirements are not addressed by covering text on a page.
How selective disclosure resolves the trilemma
Selective disclosure separates the act of proving a claim from the act of sharing the data that supports it. An organisation can prove to a counterparty that a specific compliance fact is true without transmitting the document that contains that fact.
The mechanism works through cryptographic signatures applied at the field level. Each disclosed claim carries a proof that it was derived from an authenticated source document, without the source document itself crossing the border. The recipient can verify the proof independently.
UK Patent Application GB2604344.8, filed 27 February 2026 by Blade Labs Holdings (Singapore), covers the technology enabling this approach: selective disclosure, boundary detection (automatically identifying which fields are subject to disclosure restrictions under applicable regulations), and cryptographic disclosure provenance (generating verifiable records of what was shared, when, and to whom).
All three demands satisfied
Sovereignty
Source document stays in originating jurisdiction
Privacy
Only the disclosed claim travels, not the full document
Utility
Recipient receives a cryptographically verifiable proof
ZeroH Disclosure in practice
ZeroH Disclosure is the platform implementation of this technology. It connects to documents in Google Drive, SharePoint, and Outlook. It detects PII and classifies data fields against the applicable regulatory schema. A compliance officer selects which claims to disclose, and the platform generates a Proof Pack.
A Proof Pack contains the selected claims, the cryptographic proof linking those claims to the authenticated source, and an audit trail. The source document does not leave the organisation's environment. The counterparty receives the Proof Pack and can verify each claim independently.
ZeroH Disclosure was deployed at the QFC Digital Asset Lab with Al Rayan Bank in September 2025. It is currently in alpha. The platform supports PDPPL (Qatar), PDPL (Saudi Arabia), PDPA (Malaysia), and GDPR (EU).
The regulatory context
Data protection regulations in the GCC and ASEAN are tightening. Qatar's PDPPL introduced binding data residency requirements for organisations in the QFC. Saudi Arabia's PDPL extended its scope to personal data processed inside the Kingdom regardless of where the processor is based. Malaysia's PDPA amendments broadened definitions of personal data and strengthened cross-border transfer restrictions.
Financial institutions operating across these jurisdictions increasingly find that standard compliance workflows built for GDPR do not map cleanly onto GCC frameworks. The sovereignty trilemma is not an edge case. It is a routine challenge for any institution with counterparties or regulators in multiple jurisdictions.
Frequently asked questions
Organisations sharing data across borders face three competing demands at once: keep data within the originating jurisdiction (sovereignty), share enough data to conduct business (utility), and protect sensitive information from exposure (privacy). Traditional approaches satisfy two of these at the expense of the third.
Sharing a full document satisfies utility but sacrifices both privacy and, where the document contains cross-border transfers, sovereignty. Keeping data local satisfies sovereignty and privacy but eliminates utility. Redaction preserves some privacy but still requires transmitting the underlying document, which may violate sovereignty requirements.
Selective disclosure allows an organisation to prove a specific claim (for example, "this entity is PDPPL-compliant") without transmitting the underlying data that supports that claim. The receiving party receives a cryptographically verifiable proof, not the source document. Sovereignty is preserved because the underlying data does not leave its jurisdiction. Privacy is preserved because only the disclosed claim is shared. Utility is preserved because the receiving party can verify the claim.
ZeroH Disclosure currently supports PDPPL (Qatar), PDPL (Saudi Arabia), PDPA (Malaysia), and GDPR (EU). This covers the primary regulatory frameworks for financial institutions operating across GCC and ASEAN markets.
A Proof Pack is a structured disclosure artifact generated by ZeroH Disclosure. It contains the specific claims that an organisation has chosen to share, the cryptographic proof that those claims are supported by an authenticated source document, and an audit trail recording when the disclosure was generated and by whom. The Proof Pack travels to the recipient without the source document.
UK Patent Application GB2604344.8, filed 27 February 2026 by Blade Labs Holdings, covers three components: selective disclosure (choosing which claims to share), boundary detection (automatically identifying which data fields are subject to disclosure restrictions), and cryptographic disclosure provenance (generating verifiable records of what was disclosed, when, and to whom). The inventor is Sami Aftab Mian.
ZeroH Disclosure integrates with Google Drive, SharePoint, and Outlook. This allows compliance teams to process documents from their existing document management workflows without migrating data to a new system.
See how ZeroH Disclosure handles cross-border compliance sharing.
Learn about ZeroH Disclosure