Section navigation
Custody Posture Framework
Standard Context: ARCS v1.0 Published by: Vega Commons Project, Inc.
1. Purpose
This document provides a structural representation of the privacy and custody stack, clarifying where existing privacy mechanisms operate and where operator custody architecture introduces a distinct control plane.
2. Infrastructure Layers
Each layer mitigates a distinct exposure surface. No single layer replaces the others. Custody posture is defined at the operator layer, where records are created, persisted, and made reachable by legal process.
┌───────────────────────────────────────────────────────────┐
│ CONTENT-LAYER INFERENCE │
│ (Stylometry, contextual uniqueness, reidentification) │
└───────────────────────────────────────────────────────────┘
▲
┌───────────────────────────────────────────────────────────┐
│ OPERATOR CUSTODY LAYER [ARCS] │
│ (App logs, persistence defaults, backups, analytics) │
└───────────────────────────────────────────────────────────┘
▲
┌───────────────────────────────────────────────────────────┐
│ VENDOR STORAGE LAYER [ZDR / API] │
│ (Prompt/response retention, safety monitoring, legal holds)│
└───────────────────────────────────────────────────────────┘
▲
┌───────────────────────────────────────────────────────────┐
│ TRANSPORT / LINKABILITY LAYER [Blind Signatures / Proxies]│
│ (Session correlation, longitudinal profiling) │
└───────────────────────────────────────────────────────────┘
▲
┌───────────────────────────────────────────────────────────┐
│ NETWORK LAYER [VPN / TLS] │
│ (IP metadata, routing visibility) │
└───────────────────────────────────────────────────────────┘
3. Exposure Surface by Layer
| Layer | Primary Risk Surface | Typical Mitigation | Residual Exposure |
|---|---|---|---|
| Network | IP-level association and routing metadata | VPN, TLS | Content remains visible to service endpoints |
| Transport / Linkability | Provider profiling across sessions | Unlinkable inference, blind signatures | Single-session content remains readable; user context can re-link |
| Vendor Storage | Persistent retention by provider | ZDR contracts | Exceptions, safety flags, legal holds; contractual not architectural |
| Operator Custody | Application logs, backups, analytics copies | Architectural minimization of record creation | Business records explicitly retained by enterprise election |
| Content Inference | Identity extraction from writing patterns | Minimization and contextual redaction | Inference capability continues to scale |
4. Custody Posture Spectrum
| Posture | What Exists | Production Surface | Production Cost Profile |
|---|---|---|---|
| Non-Custodial | Ephemeral session artifacts; limited metadata; final outputs only if explicitly saved | Minimal historical corpus | Lower volume-driven review burden |
| Bounded Retention | Time-limited logs; class-based controls | Moderate; defined windows | Medium discovery and expert cost |
| Custodial (Default) | Durable prompt/response corpora; backups; analytics copies | Extensive; multi-system persistence | High review, expert, and dispute cost |
Custody posture determines whether deliberative logs become durable enterprise records. Privacy mechanisms operate within a custodial environment by governing access to existing records. Non-custodial architecture governs whether those records are created and retained on operator infrastructure.
5. Relationship Between Custody and Privacy Controls
Custody controls and privacy controls operate at different layers. Privacy controls govern access to, linkage of, and permissible use of existing records. Custody controls govern whether records are created and retained on operator infrastructure. As inference capabilities reduce the cost of extracting identity from content, minimization of record creation and retention addresses an exposure surface that access-based controls do not reach.
Vega Commons Project, Inc. | Custody Posture Framework | v4 | April 2026