QiXCite Privacy and Data Flow
This page documents exactly what data leaves Microsoft Word, what stays local, and what is stored in IOA Cloud for QiXCite verification workflows.
Data Flow Summary
- Citation existence checks send citation text and routing metadata; full documents are not required.
- Authority Alignment is opt-in and can be disabled with No external processing.
- When Authority Alignment is enabled, only a minimized and redacted context excerpt is sent for processing.
- Gateway evidence payloads store preview, length, and SHA-256 hash; they do not persist full input text.
- Internal evidence-sink endpoints require service-to-service token authentication.
Field-Level Egress Matrix
| Workflow | Outbound Fields | Stored Artifact Fields | External Provider Processing |
|---|---|---|---|
| Citation Validate / Document Scan | `citation`, `jurisdiction`, request metadata | `input_text_preview`, `input_text_length`, `input_text_sha256`, citation results, evidence metadata | No LLM-required external processing for baseline existence checks |
| Authority Alignment (enabled) | Redacted + minimized excerpt, `citation`, `audit_id` | Alignment verdict, rationale, authority excerpt hash, review state, lineage metadata | Yes, for alignment inference only |
| Authority Alignment with `No external processing` | None for alignment inference path | `insufficient` alignment state with explicit privacy-mode rationale | No external processing |
Controls Enforced
- Explicit consent toggle before excerpt processing for Authority Alignment.
- Strict privacy mode to hard-block outbound Authority Alignment processing.
- Best-effort PII redaction and context window minimization before alignment requests.
- Token-authenticated internal evidence endpoints (`X-IOA-Internal-Token`).
- TLS verification controlled by environment policy, without hardcoded bypass.
What This Means for Firms
- You can run baseline citation verification without enabling external LLM text processing.
- You can enable Authority Alignment only when needed and with explicit user consent.
- Audit artifacts are defensibility-oriented and avoid full raw text persistence in gateway fallback bundles.