Analysis | March 30, 2026

ZeroH Disclosure: Deterministic Data Privacy for Regulated Cloud Storage

Rule-based selective disclosure that keeps sensitive data on institutional infrastructure while supporting cloud collaboration across Google Drive, SharePoint, and Outlook.

By Blade Labs

The Problem

Cloud collaboration tools have become the default for document workflows inside regulated institutions. Staff upload employment contracts, financial agreements, and compliance records to Google Drive, SharePoint, and Outlook. The problem is that doing so sends those documents to third-party infrastructure outside the institution's control.

For institutions subject to Qatar's Personal Data Privacy Protection Law, QFC Data Protection Regulations, AAOIFI disclosure requirements, or QCB data handling guidelines, this creates a direct conflict. The regulations require that sensitive data remain within a defined jurisdiction and that access be controlled, logged, and auditable. Standard cloud storage tools do not provide these controls at the field level.

The choice institutions face is a false one: restrict cloud collaboration to protect data residency, or permit collaboration and accept the compliance gap. ZeroH Disclosure is built to remove that trade-off.

Deterministic, Not Probabilistic

Most data protection tooling today applies machine learning to detect sensitive content. A model assigns a confidence score, and an action is taken based on whether that score crosses a threshold. In a regulated context, this creates two problems: the system can be wrong, and the decision cannot be traced back to a specific regulatory article.

ZeroH Disclosure takes a different approach. There is no AI involved. Each field in a document is explicitly classified by the institution as Protected, Hidden, or Visible. Each role is assigned a defined view based on those classifications. The logic is rule-based and directly traceable to the regulation or internal policy that drives it.

  • No probabilistic outputs: every decision follows an explicit rule
  • No AI hallucination risk: classification is deterministic and repeatable
  • Every disclosure is auditable: traceable to a specific field classification and role definition
  • Ali Insights analysis is regulation-based document analysis, not generative AI

When a regulator asks why a specific field was disclosed to a specific party, the answer is a rule reference, not a model confidence score. That distinction matters for audit purposes.

How It Works

ZeroH Disclosure operates across four stages, from document upload to regulator submission.

01. Document classification

Each document field is classified as Protected (never disclosed, always redacted), Hidden (excluded from certain role views), or Visible (included in role view). Classification is set by the institution and applies to every version of the document.

02. Selective disclosure by role

Five standard role views are applied: HR, Finance, Legal, External, and AI. Each role receives a version of the document containing only the fields their classification permits. BBS+ cryptographic signatures ensure each disclosed view is verifiable and tamper-evident.

03. Version control and anchoring

Every document version moves through Draft and Anchored states. When a document is anchored, a Verifiable Credential is issued and the version is recorded on the Hedera network. Documents are stored on Qatar IPFS nodes so sensitive data never leaves the institution's infrastructure.

04. Proof Pack for regulators

ZeroH Disclosure assembles a Proof Pack from its own records when a regulatory submission is needed. The package includes DPIA, PIA, DCR, ROPA, AISRA, and QAR documentation. Items are generated from platform records, not constructed manually.

Role-Based Views

The same employment contract produces five distinct views depending on the recipient's role. The example below shows how Protected, Hidden, and Visible classifications determine what each role sees.

HR
  • Employee Name: Visible
  • Salary: Visible
  • Contract Terms: Visible
  • Compliance Status: Visible
  • Internal Notes: Visible

Finance
  • Employee Name: Hidden
  • Salary: Visible
  • Contract Terms: Hidden
  • Compliance Status: Hidden
  • Internal Notes: Hidden

Legal
  • Employee Name: Hidden
  • Salary: Protected
  • Contract Terms: Visible
  • Compliance Status: Visible
  • Internal Notes: Hidden

External
  • Employee Name: Protected
  • Salary: Protected
  • Contract Terms: Protected
  • Compliance Status: Visible
  • Internal Notes: Protected

AI
  • Employee Name: Protected
  • Salary: Protected
  • Contract Terms: Protected
  • Compliance Status: Protected
  • Internal Notes: Protected

Legend
  • Visible: included in this role view
  • Hidden: excluded from this role view
  • Protected: always redacted, never disclosed
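
The role matrix above, expressed as a deterministic policy with a per-field audit trail. This is an added illustration, not Blade Labs' or ZeroH's code, and it does not implement BBS+ signatures or anchoring. Assumptions: the `RULE/...` identifier format, the `[REDACTED]` marker, omitting Hidden fields while redacting Protected ones, treating any unlisted role or field as Protected, and the SHA-256 view digest are all hypothetical choices made for the example.

```python
import hashlib
import json

V, H, P = "Visible", "Hidden", "Protected"
FIELDS = ["Employee Name", "Salary", "Contract Terms", "Compliance Status", "Internal Notes"]
# Role matrix transcribed from the page, one classification per entry in FIELDS.
MATRIX = {
    "HR":       [V, V, V, V, V],
    "Finance":  [H, V, H, H, H],
    "Legal":    [H, P, V, V, H],
    "External": [P, P, P, V, P],
    "AI":       [P, P, P, P, P],
}
REDACTED = "[REDACTED]"  # assumed marker for Protected values

def classify(role, field):
    """Return (classification, rule_id); anything not explicitly listed fails closed."""
    if role in MATRIX and field in FIELDS:
        # Hypothetical rule id; a real deployment would cite the policy or article.
        return MATRIX[role][FIELDS.index(field)], f"RULE/{role}/{field}"
    return P, "RULE/default-deny"

def build_view(document, role):
    """Derive the role's view and one audit entry per field in the document."""
    view, audit = {}, []
    for field in sorted(document):
        cls, rule = classify(role, field)
        if cls == V:
            view[field] = document[field]
        elif cls == P:
            view[field] = REDACTED
        # Hidden fields are omitted from the view but still logged.
        audit.append({"role": role, "field": field, "decision": cls, "rule": rule})
    return view, audit

def view_digest(view):
    """SHA-256 over canonical JSON, so identical inputs always give the same digest."""
    canonical = json.dumps(view, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

# Constructed sample contract; "Passport Number" is deliberately unclassified.
CONTRACT = {
    "Employee Name": "A. Example", "Salary": "QAR 25,000",
    "Contract Terms": "24 months, renewable", "Compliance Status": "Cleared",
    "Internal Notes": "Probation review due", "Passport Number": "X0000000",
}
```

The unclassified `Passport Number` field is redacted for every role, including HR, because the default rule denies anything the institution has not explicitly classified.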

Regulatory Coverage

ZeroH Disclosure is designed to support compliance with the primary data governance frameworks applicable to financial institutions in Qatar and the QFC.

AAOIFI FAS 4

Disclosure Requirements for Islamic Financial Institutions

Governs what financial information Islamic institutions must disclose and to whom. ZeroH Disclosure applies field-level classification to ensure disclosure rules are enforced at the document level, not the system perimeter.

Qatar PDPPL

Personal Data Privacy Protection Law

Qatar's primary data protection legislation. Requires that personal data be collected and processed with consent, stored securely, and transferred only under defined conditions. ZeroH Disclosure supports PDPPL compliance through on-premise data residency on Qatar IPFS nodes and granular access logging.

QFC DPR 2005

Qatar Financial Centre Data Protection Regulations

Applies to entities within the Qatar Financial Centre. Sets data processing obligations, individual rights, and cross-border transfer requirements. The Proof Pack includes a Qatar Adequacy Report (QAR) assembled from platform records.

QCB DH

Qatar Central Bank Data Handling Guidelines

Operational guidelines from the Qatar Central Bank covering how regulated financial institutions handle customer and transactional data. ZeroH Disclosure's version control and anchoring support the record-keeping requirements.

Frequently Asked Questions

What is ZeroH Disclosure?

ZeroH Disclosure (formerly Privacy Cloud) is a module within the ZeroH platform that manages document privacy for regulated cloud storage. It classifies document fields as Protected, Hidden, or Visible, then applies role-based views so each recipient sees only the fields their role permits. Documents are stored on Qatar IPFS nodes and every version is anchored on the Hedera network with Verifiable Credentials. ZeroH Disclosure is currently in alpha.

How does ZeroH Disclosure differ from a traditional DLP system?

Traditional Data Loss Prevention systems use probabilistic pattern matching to detect sensitive content and block or flag transfers. ZeroH Disclosure uses a deterministic, rule-based approach: each field is explicitly classified as Protected, Hidden, or Visible, and each role receives a defined view. There is no AI inference, no probabilistic output, and no hallucination risk. Every disclosure decision is traceable to a specific rule, making it auditable by regulators without ambiguity.

What is the Proof Pack?

The Proof Pack is an evidence package that ZeroH Disclosure assembles for regulatory submissions. It contains the documentation regulators typically require to demonstrate compliance: Data Protection Impact Assessment (DPIA), Privacy Impact Assessment (PIA), Data Classification Report (DCR), Records of Processing Activities (ROPA), AI System Risk Assessment (AISRA), and Qatar Adequacy Report (QAR). Each item in the Proof Pack is generated from the platform's own records, not assembled manually.

Which regulations does ZeroH Disclosure cover?

ZeroH Disclosure is designed to support compliance with AAOIFI FAS 4 (disclosure requirements for Islamic financial institutions), the Qatar Personal Data Privacy Protection Law (PDPPL), QFC Data Protection Regulations 2005 (QFC DPR), and Qatar Central Bank Data Handling guidelines (QCB DH). The regulatory coverage reflects the primary data governance frameworks applicable to financial institutions operating in Qatar and the QFC.

How does role-based disclosure work?

When a document is uploaded, each field is classified as Protected, Hidden, or Visible. Five role views are then applied: HR sees all fields; Finance sees salary-related fields only; Legal sees contractual terms; External parties see compliance-relevant fields only; and AI systems see metadata only. The same underlying document produces five distinct views. BBS+ cryptographic signatures ensure each view is verifiable and that the selective disclosure cannot be tampered with after anchoring.

What integrations does ZeroH Disclosure support?

ZeroH Disclosure integrates with Google Drive, SharePoint, Outlook, and ZeroH Space. When files are uploaded to a connected cloud storage account, ZeroH Disclosure scans them continuously. Non-compliant files are quarantined automatically. Compliant files are classified, versioned, and anchored. The integration layer means institutions do not need to change their existing document workflows to gain the privacy and compliance controls.

What does "on-premise data residency" mean in practice?

Sensitive data never leaves the institution's own infrastructure. Documents are stored on Qatar IPFS nodes rather than on a shared multi-tenant cloud. The anchoring record on Hedera contains a cryptographic hash and Verifiable Credential, not the document content itself. This means regulators and auditors can verify that a document existed in a specific state at a specific time without the document ever being transmitted to an external system.