Every serious deployment faces the same geometric fact: computation does not float in the abstract; it runs somewhere. The moment data leaves a tenant-controlled zone — VPC, browser sandbox, or air-gapped floor — you inherit a boundary problem. The question is not only encryption in transit but whether the content itself is appropriate for the sink on the other side.
Filtering before the model
A practical first control is an information filter: strip purchase-order references, aggressive pricing lines, and counterparty names before any call that might log prompts externally. That is not a substitute for legal review; it reduces accidental exfiltration and yields an audit trail of what was removed.
Minimum sufficient input
Tariff lookup rarely needs a full commercial invoice. The orchestrator can work from minimum sufficient input — product terms, origin, destination, and sometimes an explicit HS code — and refuse to guess codes the user never stated. Smaller prompts are cheaper, clearer, and easier to reason about under DPIA-style review.
When the schedule guesses for you
Batch pipelines sometimes auto-pick the first HS match when the user supplied no code. That HS code bypass must be flagged for human review: the rate is only as good as the match, and the liability stays with the operator, not the model.
On-premise and VPC paths
Regulated tenants often require an on-premise path: run extraction and normalisation inside their network, then exchange only normalised rate structs with downstream narration. The same code paths can be repointed to local or dedicated endpoints without changing the contract surface.
Click any highlighted phrase to ask Vidhi about that concept with this page as anchor context.
For the full walkthrough agent, open /vidhi/.