No raw case intake
The hub has no endpoint that accepts worker case content. None will be added. Free-text case fields are rejected at the schema gate before storage.
This page is the contract. Raw worker chats, case files, IDs, contact details, and private documents stay on the worker device or trusted NGO hardware unless an authorized user creates a sanitized submission. Sensitive PII is anonymized by the local Gemma 4 workflow before anything is submitted; the server runs a second PII detector before storage or display.
These are constraints in code. A pull request that breaks one of them does not ship.
DueCare drafts; the user or trusted caseworker decides. The hub does not send messages, file complaints, or contact employers on anyone’s behalf.
DueCare is not a law firm, an emergency response service, or an official complaint authority. It cites public sources and routes to verified contacts.
Each row is a category of data and what the hub does with it. The enforcement column names the concrete local or server-side mechanism.
| Category | Stays local | May cross hub | Enforcement |
|---|---|---|---|
| Worker case content | Always | Never | Local Gemma 4 anonymization must happen before submission; server schemas reject raw case fields. |
| Worker names · IDs · contacts | Always | Never | Server-side PII detector rejects identifier-shaped strings before storage. |
| Document images | Always | Never | Object store rejects user-uploaded images. Pack assets are public-source only. |
| Anonymized pattern_id (e.g. fee_request) | Originates locally | Yes, opt-in | Per-deployment opt-in. K-anon ≥ 30 floor or rejected. |
| Corridor / sector buckets | Originates locally | Yes, anonymized only | Anonymized buckets only; no time-of-day precision. |
| Public-source URLs | — | Yes (intended) | Reviewed by curators before publication. |
| Pack version + pull-time | — | Yes (audit) | For reproducibility of the audit log. |
| Subscriber emails | — | In email provider only | Stored in the third-party email provider. The hub never logs raw addresses. |
| Consented contributor contact | Optional | Only with explicit publication consent | Used for proposal follow-up; detector-class PII is redacted in admin/debug views. |
| Outbound emails / reports | — | Never auto-sent | No automated outbound channel exists. A human signs every artifact. |
Each mechanism is testable; each fails closed.
Sensitive PII is anonymized by the local Gemma 4 workflow before anything is submitted to the public hub.
The server runs a second PII detector that rejects raw-PII submissions before storage and redacts detector-class PII in admin/debug views.
Trend slices that fall below the k ≥ 30 floor are not published. The floor is applied before any aggregate leaves the storage layer.
Packs, rules, tools, and signals all land as immutable rows. Corrections ship as new versions; nothing is silently rewritten.
Every write emits an audit row before the corresponding read becomes resolvable. Anyone can replay the feed.
Every pack and rule version is approved by a curator, content-hashed, and published with immutable metadata so historical packs stay verifiable.
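A sketch of how the schema gate and the k ≥ 30 floor described above can fail closed, added here as an illustration and not taken from DueCare's code. The field names, the enumerated values other than `fee_request`, the regex standing in for the PII detector, and the function names are all assumptions.

```python
import re
from collections import Counter

K_FLOOR = 30  # the page's k-anonymity floor

# Assumed schema: field names and values are constructed for this example,
# except "fee_request", which the page gives as a sample pattern_id.
ALLOWED = {
    "pattern_id": {"fee_request", "passport_retention"},
    "corridor": {"PH-HK", "NP-QA"},
    "sector": {"domestic_work", "construction"},
}

# Stand-in for a PII detector: email-shaped or long-digit-run strings.
IDENTIFIER_SHAPED = re.compile(r"[^@\s]+@[^@\s]+\.\w+|\d{6,}")


class Rejected(ValueError):
    """Raised instead of storing anything: the gate fails closed."""


def validate_submission(sub: dict) -> dict:
    # Exact key match: an extra key such as a free-text "notes" field is refused.
    if not isinstance(sub, dict) or set(sub) != set(ALLOWED):
        raise Rejected("unexpected or missing fields")
    for key, allowed in ALLOWED.items():
        value = sub[key]
        if not isinstance(value, str) or IDENTIFIER_SHAPED.search(value):
            raise Rejected(f"{key}: identifier-shaped or non-string value")
        if value not in allowed:
            raise Rejected(f"{key}: value outside the enumerated set")
    return dict(sub)


def publishable_trends(rows: list[dict], k: int = K_FLOOR) -> dict:
    # Re-validate every row, count each (pattern_id, corridor, sector) slice,
    # and return only slices with at least k rows; smaller slices are dropped.
    valid = [validate_submission(r) for r in rows]
    counts = Counter((r["pattern_id"], r["corridor"], r["sector"]) for r in valid)
    return {slice_: n for slice_, n in counts.items() if n >= k}
```

Both functions reject by default: a submission is stored only if every field is in an enumerated set, and a slice is returned only if it meets the floor, so a new field or a sparse slice needs an explicit code change to get through.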