Definition

Zero-persistence architecture is a system design approach in which no user data, session content, behavioral metadata, or operational logs are written to durable storage at any point during the data lifecycle. All processing occurs in volatile memory (RAM). When the computation completes—or the session terminates, or the TTL expires—the data ceases to exist. Not because it was deleted. Because it was never persisted.

This is a stronger guarantee than “no-log” policies (which promise not to write logs but may still have the technical ability to do so) and stronger than data retention minimization (which reduces how long data is stored but still stores it). Zero-persistence architecture eliminates storage as a system capability. The infrastructure cannot retain data because it has no mechanism for retention.

Why It Matters

In 2024, the average enterprise stored 142 terabytes of sensitive data across cloud environments, according to Rubrik’s State of Data Security report. Of that, 33% was classified as “dark data”—information the organization stored but could not locate, categorize, or delete on demand. This dark data represents a perpetual liability: it can be breached, subpoenaed, or leaked, but it cannot be managed because the organization does not know it exists.

The cost of this persistence is quantifiable. IBM’s 2024 data breach report found that organizations with data lifecycle management failures paid an average of $1.47 million more per breach than those with mature data governance. The longest-lived data—backup archives, log aggregates, compliance snapshots—represented the most common source of exposed records.

Zero-persistence architecture eliminates dark data by eliminating data. There is nothing to categorize, nothing to locate, nothing to fail to delete. The GDPR’s right to erasure becomes trivially satisfiable when the system has nothing to erase. The attack surface for a data breach approaches zero when there is no data to breach.

For AI applications specifically, zero-persistence addresses the training data problem: if prompts are never written to disk, they cannot be inadvertently included in future model training datasets—a concern that has driven regulatory action against multiple AI providers.

How It Works

Zero-persistence architecture is enforced through a combination of design constraints and runtime mechanisms:

  1. RAM-only processing: All computation occurs in volatile memory. V8 isolates in Cloudflare Workers provide sandboxed execution with no filesystem access. Data exists in heap memory for the duration of a function invocation and is garbage-collected on completion.

  2. No logging infrastructure: The system deploys without log collectors, storage, or forwarding. The logging pipeline does not exist—no Elasticsearch cluster, no S3 bucket, no Splunk instance.

  3. TTL-based state: Where minimal session state is required (e.g., authentication nonces), it resides in Cloudflare KV with an explicit TTL. Entries auto-expire with no manual deletion required.

  4. Cryptographic shredding: All data is encrypted with session-scoped keys. When the session terminates, keys are destroyed—rendering any leaked ciphertext indecipherable.

  5. No backups: Zero-persistence systems do not back up user data because there is no user data to back up.

  6. Audit by absence: Compliance verification involves proving no persistence mechanism exists. The architecture itself is the audit trail.
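The "audit by absence" idea in item 6 can be partly automated. The following is an added example, not code from Stealth Cloud or Cloudflare: it checks a parsed Wrangler configuration for any declared storage binding or log-export setting, including ones that appear only in a per-environment section. The allowlisted KV binding name NONCES and both sample configs are constructed for illustration.

```javascript
"use strict";
// Wrangler config fields that give a Worker a durable place to write.
const STORAGE_FIELDS = ["kv_namespaces", "r2_buckets", "d1_databases",
  "durable_objects", "queues", "hyperdrive", "vectorize",
  "analytics_engine_datasets"];

// Fields are either arrays of bindings or objects holding such arrays
// (durable_objects.bindings, queues.producers / queues.consumers).
function entriesOf(value) {
  if (Array.isArray(value)) return value;
  if (value && typeof value === "object")
    return Object.values(value).filter(Array.isArray).flat();
  return [];
}

// Returns a list of findings; an empty list means no persistence or
// log-export capability is declared. allowedKv names the KV bindings
// accepted for TTL-only state (assumption: the TTL is verified at put()).
function auditConfig(config, allowedKv = [], scope = "top-level") {
  const findings = [];
  for (const field of STORAGE_FIELDS) {
    for (const entry of entriesOf(config[field])) {
      const name = entry.binding || entry.name || entry.queue || "(unnamed)";
      if (field === "kv_namespaces" && allowedKv.includes(name)) continue;
      findings.push(`${scope}: ${field} binding ${name}`);
    }
  }
  if (config.logpush === true) findings.push(`${scope}: logpush enabled`);
  if (config.observability && config.observability.enabled === true)
    findings.push(`${scope}: observability logs enabled`);
  if (entriesOf(config.tail_consumers).length > 0)
    findings.push(`${scope}: tail_consumers configured`);
  // Per-environment sections can add bindings the top level lacks.
  for (const [envName, envConfig] of Object.entries(config.env || {}))
    findings.push(...auditConfig(envConfig, allowedKv, `env.${envName}`));
  return findings;
}

// Constructed sample configs (parsed wrangler.json content).
const cleanConfig = { name: "chat-relay", main: "src/index.js",
  kv_namespaces: [{ binding: "NONCES", id: "<kv-namespace-id>" }] };
const driftedConfig = { ...cleanConfig, logpush: true,
  env: { production: { r2_buckets: [{ binding: "ARCHIVE", bucket_name: "transcripts" }] } } };

console.log(auditConfig(cleanConfig, ["NONCES"]));   // no findings
console.log(auditConfig(driftedConfig, ["NONCES"])); // two findings
```

A clean result covers declared bindings only: it does not show that handler code avoids sending data to an external service over fetch, so it complements code review rather than replacing it.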

Stealth Cloud Relevance

Zero-persistence architecture is the foundational design constraint of Stealth Cloud. It is not a feature that can be toggled on or off—it is a structural property of the system, as fundamental as the choice of programming language or the network protocol.

In Ghost Chat, zero-persistence manifests at every layer. The PII stripping engine runs client-side, so personal data never reaches the server. The ephemeral infrastructure processes prompts in V8 isolates that exist for milliseconds. The encryption keys live in browser memory and are destroyed on session end. There is no database—not even an empty one. There is no log directory—not even a /dev/null redirect. The absence of persistence is not the result of deleting data after the fact; it is the result of never building the infrastructure to store it.

The three paradigms of cloud computing can be defined by their relationship to persistence. Public cloud: persist everything, retain indefinitely, delete on request (maybe). Sovereign cloud: persist within jurisdictional boundaries, retain per regulation, delete per policy. Stealth Cloud: persist nothing, retain nothing, delete nothing—because there is nothing to delete.

The Stealth Cloud Perspective

Zero-persistence is not a data retention policy—it is an architectural decision that makes data retention impossible. The Stealth Cloud Manifesto argues that the only trustworthy promise is one enforced by mathematics and physics, not by terms of service: if the system cannot store data, then no policy change, legal order, or security breach can compel it to produce what does not exist.