How does ZeroH Privacy Cloud protect documents on Google Drive and SharePoint?

ZeroH sits as a preprocessing layer between your users and cloud platforms. Documents are versioned, privacy-checked against regulatory policies (Qatar PDPPL, AAOIFI, QFC), and stored on IPFS Qatar nodes before being released to the cloud platform. Every version is anchored on Hedera with a Verifiable Credential.

What is the difference between Draft and Anchored documents?

Draft documents are work-in-progress edits that have not been privacy-checked or anchored. They show a yellow "Draft" badge and cannot be shared. Anchored documents have passed privacy policy checks, are stored on IPFS, anchored on Hedera with a Verifiable Credential, and show a green "Anchored" badge with a version number.

How does tamper detection work?

Every anchored document version has its content hash recorded on Hedera. If the document is modified outside of ZeroH (directly on the cloud platform), the hash mismatch is detected, the file is quarantined, and the DPO is alerted with full forensic details.

Where is document data stored?

Original documents are stored on IPFS nodes hosted in Qatar, ensuring data residency compliance. Only privacy-processed versions are released to cloud platforms. Metadata and audit events are anchored on Hedera Hashgraph.

Technical Architecture

How ZeroH Cloud Privacy Works

Deterministic, rule-based privacy preprocessing. No AI, no probabilistic outputs. Data never leaves your on-premise or on-soil infrastructure.

100% DeterministicNo AI RequiredOn-Premise / On-SoilFull HITL ControlImmutable Audit Trail

Plugin Architecture

Documents are routed through the on-premise ZeroH Engine for classification, then published to cloud platforms via their native APIs.

PII never leaves your infrastructure

ZeroH Engine

On-Premise / On-Soil

Deterministic rule-based processing — no AI
Field-level PII detection and redaction
Regulatory mapping (AAOIFI, PDPPL, QFC)
Runs entirely within your infrastructure

Platform Capabilities

SharePoint and Google Drive are primary integration targets. Core privacy capabilities are available on both — delivery mechanisms differ per platform API.

Feature	SharePointPrimary	Google DrivePrimary
Continuous Monitoring	Full	Full
In-Editor Suggestions	Full	Full
Versioning	Full	Full
Field-Level Redaction	Full	Full
Share Links	Full	Full
Tamper Detection	Full	Full
Ali Insights	Full	Full
Context Menu	Full	Full

Key Differentiators

Deterministic Processing

Every privacy action is rule-based and auditable. No AI models, no probabilistic outputs, no hallucinations. Each suggestion traces directly to a regulation article.

On-Premise / On-Soil

Data never leaves your jurisdiction. The ZeroH Engine runs entirely within your infrastructure — whether on-premise data centers or sovereign cloud within national borders.

Full HITL Control

Human-in-the-loop at every decision point. No automated redaction without explicit user approval. Accept, edit, or reject each suggestion individually.

Selective Disclosure

How Selective Disclosure Integrates

From document ingestion to platform-specific rendering — every step enforces field-level privacy through deterministic classification and cryptographic proofs.

DocumentSource of truth

ZeroH EngineField classification

Role ProfileDisclosure rules

Platform ViewEnforced rendering

Protected/Hidden/Visible Classification at Engine Level

Every document field is deterministically classified before it reaches any cloud platform. Protected fields (regulated PII) are sealed at the engine level — no role can override.

Three-level classification: Protected, Hidden, Visible
Protected fields cannot be disclosed — enforced at engine, not UI
Classification persists across all platform views
Audit trail records every classification decision

Role-Based Views per Recipient

One document, multiple stakeholder views. HR sees everything. Finance sees salary fields. Legal sees terms. The AI engine sees only metadata. Same source of truth — different disclosure profiles.

Roles defined per organization, not per document
Binary Show/Hide per field per role
External advisors get minimum viable access
AI models receive only what BBS+ proofs can verify

BBS+ Cryptographic Proofs

Each disclosed view is accompanied by a zero-knowledge proof that the hidden fields satisfy specific constraints — without revealing the actual data.

Zero-knowledge: verifier learns nothing beyond the statement
Unlinkable: multiple proofs from same credential cannot be correlated
W3C Verifiable Credentials compatible
Selective disclosure at the cryptographic layer, not the application layer

Platform-Specific Enforcement

Each cloud platform enforces selective disclosure through API-based origination — ZeroH publishes processed files via platform APIs, with sidebar panels and task panes for in-app status review.

Google Drive: Drive API v3 files.create for direct document publication
SharePoint: Graph API PUT for direct file creation with metadata
Mobile: API origination works across all clients — web, mobile, API