# Privacy Posture Checklist

The Gateway can help operators make privacy posture visible and testable. It does not guarantee anonymity by itself.

## Checkpoints

- Device or group identity is assigned intentionally.
- DNS resolver and upstream behavior match the intended policy.
- Route ownership is visible before apply.
- Fallback behavior is explicit.
- Direct escape paths are blocked or documented.
- Leak checks are run for DNS, WebRTC, QUIC, and route behavior where applicable.
- Telemetry blocking expectations are documented.
- Support bundle redaction is understood.
- Remaining risks are written down.

## Report Format

- Deployment mode:
- Identity separation goal:
- DNS expectation:
- Route expectation:
- Fallback expectation:
- Leak checks performed:
- Observed behavior:
- Remaining risks:
- Evidence links: