Architecture · 2026-05-14 · 10 min read

Designing for the operator who does not trust you

operator trust · SOF UX design · data sovereignty · ephemeral missions

The first question is always the same

Every tactical team that evaluates a digital mission tool asks the same question before they ask about features, AI, or integration: where does the data go? The question is not idle curiosity. It is the product of experience. Operators have watched colleagues face legal review, Congressional inquiry, and media scrutiny for decisions made in seconds under conditions that no reviewer will ever replicate. Military records are subject to FOIA. Digital tools create records. Records create exposure.

The rational response for an operator is to minimize digital footprint. Do not use the system. Do not log the decision. Do not create the record that can be taken out of context five years later. Call it paranoia if you want. It is risk management from the people who bear the consequences.

Any system designed for these users that does not address this concern first will be rejected. The capability does not matter if the tool creates liability.

[Figure: Operator trust ladder. Rungs from bottom to top: REJECT ("Can I wipe it?"), VERIFY ("Can I see the evidence?"), TEST ("Does it work offline?"), USE ("Does it help my job?"), TRUST ("Will I carry it again?"). Each rung requires proof. Skip one and the operator stays at REJECT.]
Five rungs from rejection to trust. Each requires the system to prove something. Skip any rung and the operator stays at reject.

Principle 1: Local-first by default

Data generated by the team stays on the team's hardware unless the team explicitly promotes it. There is no default upload, no background sync to enterprise systems, no telemetry that phones home. The mesh connects team nodes. The Lattice bridge exists for when the team decides to share. But the default state is local.

This is a technical architecture decision, not a policy. The software does not have a setting that says 'disable upload.' It has an architecture where upload does not exist until the team creates a promotion rule. Local is the design center, not the fallback.

Principle 2: The team owns the data lifecycle

Missions are created, executed, and destroyed by the team. The mission encryption key is derived from the operator's PIN and device hardware identity. When the team ends the mission, the key is destroyed. When the key is destroyed, every detection, assessment, transcription, and recommendation encrypted under it becomes mathematically unrecoverable. The team does not request deletion. The team executes destruction.

Classification-tiered timers enforce destruction even without team action. TOP SECRET data self-destructs after 6 hours. SECRET after 12 hours. CUI after 24 hours. The system does not accumulate data indefinitely. The classification level determines the maximum lifespan, enforced cryptographically on each node.

Principle 3: AI recommends, the operator decides, always

The DoD Responsible AI Strategy requires that AI systems are governable, reliable, and have clear human accountability. EdgeLance implements this through evidence-coupled AI. Every detection links to the source frame, model version, and confidence score. Every recommendation includes an escalation ladder (OBSERVE, IDENTIFY, DETER, INTERCEPT, ENGAGE) bounded by rules of engagement. The operator can accept, override, or reject any recommendation, and the decision is logged with the operator's identity.

The AI cannot initiate action without operator confirmation, change ROE, authorize engagement, or override an operator decision. The evidence chain makes every AI recommendation auditable, and the operator's override authority is absolute. Architectural, not configurable.
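The invariants in Principle 3, as an added Python example that is not EdgeLance code: the model may propose any rung, but the emitted recommendation is clamped to the ROE ceiling; action is taken only from an identified operator's logged decision; and the evidence (source frame, model version, confidence) travels into the audit entry with the operator's identity. The rung names are the post's; the data types, function names and sample values are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
# Escalation ladder from the post, lowest rung first.
LADDER = ["OBSERVE", "IDENTIFY", "DETER", "INTERCEPT", "ENGAGE"]

@dataclass(frozen=True)
class Evidence:
    frame_id: str            # source frame the detection was made on
    model_version: str
    confidence: float

@dataclass(frozen=True)
class Recommendation:
    level: str
    evidence: Evidence
    roe_ceiling: str         # ROE in force when the recommendation was produced

@dataclass(frozen=True)
class Decision:
    operator_id: str
    choice: str              # "accept", "override" or "reject"
    recommendation: Recommendation
    final_level: Optional[str]   # None when rejected

def recommend(model_level: str, evidence: Evidence, roe_ceiling: str) -> Recommendation:
    """The model may propose any rung; the output is clamped to the ROE ceiling it reads, never writes."""
    level = LADDER[min(LADDER.index(model_level), LADDER.index(roe_ceiling))]
    return Recommendation(level, evidence, roe_ceiling)

def decide(operator_id: str, rec: Recommendation, choice: str, audit_log: List[Decision],
           override_level: Optional[str] = None) -> Decision:
    """Only an identified operator turns a recommendation into a decision, and every decision is logged."""
    if choice == "accept":
        final = rec.level
    elif choice == "override" and override_level in LADDER:
        final = override_level   # the operator, not the model, owns this choice
    elif choice == "reject":
        final = None
    else:
        raise ValueError("choice must be accept, reject, or override with a ladder rung")
    decision = Decision(operator_id, choice, rec, final)
    audit_log.append(decision)   # identity and evidence chain land in the log together
    return decision

def execute(decision: Optional[Decision]) -> str:
    """Action is taken from a Decision only: there is no path from a Recommendation to execute()."""
    if decision is None or decision.final_level is None:
        return "no action"
    return f"{decision.final_level} by {decision.operator_id}"
```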

Principle 4: Build for the worst day, not the demo

NVG mode drops display brightness to 0.01 with a green monochrome filter compatible with AN/PVS-31A and ENVG-B goggles. Stealth mode simultaneously disables WiFi, Bluetooth, NFC, cellular, notifications, screen wake, and audio. Duress PIN triggers covert mission destruction with a normal-looking unlock for the adversary and a silent GPS alert to the team. Geofence enforcement auto-wipes classified data if the device crosses a defined boundary.

These are the operating conditions that define whether operators trust the system enough to carry it. A tool designed for a demo works in a conference room. A tool designed for the worst day works in a building with no power, no comms, NVGs on, and hostiles in the next room. The design target determines whether the tool gets used.

Principle 5: Biometrics stay with the team lead

EdgeLance integrates wearable readiness data from nine providers: Apple HealthKit, WHOOP, Garmin, Oura, Fitbit, Polar, Withings, Samsung Health, and Health Connect. Readiness scores are normalized into a common format and displayed in the mission dashboard. The data is useful for team leads assessing fatigue, stress, and recovery status.

But the readiness data is team-level only. It is encrypted under the mission key. It does not flow through the Lattice bridge unless the team lead explicitly promotes it. Command cannot access individual biometric data without the team's consent. Enforced by the encryption architecture, not by policy. The data cannot be decrypted by anyone who does not hold the mission key.

If an operator's heart rate spikes to 180 during a breach, that data stays with the team lead. No enterprise dashboard, no automated JOC alert, no line item in a post-mission medical review unless the team lead decides otherwise. The operator's biometrics belong to the operator's team.

Trust is earned by architecture, not promises

Vendors make privacy commitments. Contracts include data handling clauses. Policies promise controlled access. Operators trust none of it because they have seen commitments change, contracts get amended, and policies get reinterpreted after the fact. The only commitment an operator trusts is one enforced by mathematics.

AES-256-GCM cannot be reinterpreted by a policy change. PBKDF2 with 100,000 iterations cannot be amended by a contract modification. A three-pass key zeroization cannot be undone by a FOIA request. The system's privacy guarantees are cryptographic, not contractual. People who have learned not to give trust respond to math, not promises.
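Principle 2's key lifecycle and the primitives named above, as an added Python example that is not EdgeLance code: PBKDF2 with 100,000 iterations derives the mission key from the operator's PIN and device identity, records are sealed with AES-256-GCM, the classification timer is checked on every access, and destroy() performs a three-pass overwrite of the key so that every sealed record becomes unrecoverable. It assumes the `cryptography` package; the PRF (HMAC-SHA256), the salt and nonce handling, the use of the classification as associated data, and the class and method names are assumptions.

```python
import hashlib
import secrets
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Classification-tiered maximum lifespans stated in the post, in seconds.
MAX_LIFESPAN = {"TOP SECRET": 6 * 3600, "SECRET": 12 * 3600, "CUI": 24 * 3600}
PBKDF2_ITERATIONS = 100_000  # iteration count stated in the post

def derive_mission_key(pin: str, device_id: bytes, salt: bytes) -> bytearray:
    """PBKDF2-HMAC-SHA256 over PIN + device hardware identity -> 256-bit AES key.
    Returned as a bytearray so destroy() can overwrite it in place."""
    material = pin.encode() + b"|" + device_id
    return bytearray(hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS, dklen=32))

class Mission:
    def __init__(self, classification: str, pin: str, device_id: bytes, now: float):
        self.classification = classification
        self.salt = secrets.token_bytes(16)             # per-mission salt, stored in the clear
        self.expires = now + MAX_LIFESPAN[classification]   # `now` is a Unix timestamp
        self._key = derive_mission_key(pin, device_id, self.salt)
        self.records = []                               # (nonce, ciphertext); plaintext never kept

    def seal(self, record: bytes) -> None:
        """Encrypt a detection, assessment or transcript under the mission key (AES-256-GCM)."""
        self._require_key()
        nonce = secrets.token_bytes(12)
        aad = self.classification.encode()              # authenticates the tier with the data
        self.records.append((nonce, AESGCM(bytes(self._key)).encrypt(nonce, record, aad)))

    def open(self, index: int, now: float) -> bytes:
        """Decrypt one record; the classification timer is enforced on every access."""
        if now >= self.expires:
            self.destroy()                              # expiry is itself a destruction event
        self._require_key()
        nonce, ciphertext = self.records[index]
        return AESGCM(bytes(self._key)).decrypt(nonce, ciphertext, self.classification.encode())

    def destroy(self) -> None:
        """Three-pass overwrite of the key buffer, then drop it; ciphertexts remain but are useless."""
        if self._key is not None:
            for pattern in (b"\xff" * 32, secrets.token_bytes(32), b"\x00" * 32):
                self._key[:] = pattern
            self._key = None

    def _require_key(self) -> None:
        if self._key is None:
            raise PermissionError("mission key destroyed: data is unrecoverable")
```

In CPython, `bytes(self._key)` copies the key into immutable buffers that cannot be overwritten, so in-process zeroization is best effort; a shipping implementation keeps the key in a hardware-backed keystore and never materializes it in application memory.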

Mission intelligence for the team in the fight. Not surveillance tracking for everyone outside it.
