Sure. Let me explain this without the technical language. --- ## What happens today (before any changes) When a student pastes an NCBE question and clicks "Generate": 1. The question text travels from their browser to **your server** 2. Your server sends the question to the AI (via Vercel's gateway) to build the grading rubric 3. Your server gets the rubric back, scrubs the question text out, and stores the rubric 4. The student writes their essay, submits it, and your server grades it using the rubric The question text lives on your server for about 20 seconds (steps 1-3), then it's gone. It's never saved to the database — but it does pass through your server's memory. ## What Phase 1 + Phase 2 change **Phase 1** adds a contractual layer: when your server sends the question to the AI, it now says "delete this immediately after you process it." Vercel has actual signed agreements with Anthropic, Google, etc. to honor this. So the AI provider doesn't keep the question either. **Phase 2** takes the grading rubric (which was built from the question) and deletes it from your database after the student gets their score. So there's no lasting "answer key" sitting in your system tied to that NCBE question. After Phase 1 + 2, your posture is: - "The question text passed through our server briefly during processing but was never stored" - "Neither we nor the AI provider retained the question" - "The rubric we built from the question was deleted after grading" ## What Phase 3 adds on top of that Phase 3 changes **who talks to the AI.** Instead of: > Browser → Your Server → AI → Your Server → Browser It becomes: > Browser → AI (directly, through a thin relay) → Browser → Your Server (receives only the rubric, never the question) The student's browser talks to the AI itself. Your main server never sees the question text at all — not even for 20 seconds. **The incremental gain:** You can say "our servers never receive the question" instead of "our servers receive it briefly but don't store it." The first claim is stronger in a courtroom because there's nothing to argue about — no memory window, no "what if your server logged it accidentally," no "what if a crash dump captured it." **The tradeoff:** This is a significant engineering rebuild. It requires: - A new authentication system (short-lived tokens so the browser can talk to the AI on your behalf) - Restructuring the upload flow so the browser does the heavy lifting - The "Generate" button only works with JavaScript enabled (right now it works without JS too) - New attack surfaces to manage (someone could try to abuse the AI relay) - More things that can go wrong for the student (network issues between their browser and the AI, vs. your server and the AI) ## The question for your legal team Is the difference between these two claims worth the engineering cost and UX risk? **Claim A (Phase 1+2):** "The question passes through our server transiently during processing. It is never stored. Neither we nor the AI provider retain it." **Claim B (Phase 1+2+3):** "Our servers never receive the question. The student's browser communicates directly with the AI. We receive only the generated rubric, which is deleted after grading." Claim B is tighter. But Claim A is already strong — "transient processing without retention" is a well-understood concept in data privacy law. The question is whether the NCBE copyright risk specifically requires Claim B, or whether Claim A is sufficient. --- That's the tradeoff. Want me to revise the Phase 1 and Phase 2 plans now with the VP review fixes applied, and leave Phase 3 as a documented option pending legal guidance?