Threshold Vault presents

A switch that fires on its own.

If you stop checking in, your sealed message reaches the people you chose. We hold none of it.

Get the kit Read the security model
i · Architecture

Where the switch lives.

It runs on your own infrastructure. Our side is one billing row. The message and recipients never reach us.

Your infrastructure
  • the Worker
  • the Durable Object timer
  • the alarm scheduler
  • the check-in endpoint
  • the recipient send path
  • control.html
Our side
  • a billing record for the active tier
  • for Monitoring: a read-only monitor token
  •   · switch URL, owner email
  • nothing else
Never transmitted
the sealed message bodyrecipient identities (with aliases)the check-in tokenowner personal data after retention
ii · How it works

Four stages, one alarm.

You check in on your schedule. Miss your check-ins, and the switch advances through four stages on its own.

Armed
The clock is running. All quiet.
Advances when now > deadline minus warning lead.
Warning
Emails you a reminder that the deadline is near.
Advances when now > deadline.
Grace
Emails you a final notice and waits.
Advances when now > deadline + grace.
Triggered
Sends your message to your recipients, once.
Terminal. A check-in re-arms it.

The Durable Object alarm advances the state. Check-in resets it. No state-changing path is reachable from outside the owner.

iii · Core guarantees

Built so it cannot betray you.

Eight properties, enforced structurally. The full proofs are on the security page.

Race-safe firing

One send per recipient, never two, by runtime guarantee.

Structural billing isolation

Our billing holds no handle to any switch.

Read-only monitoring

The monitor token can read status, nothing more.

Partial-delivery alerting

An unreachable recipient triggers a named alert.

Zero retention after fulfillment

Your email leaves our records and Stripe once fulfilled.

Signed releases

Every release is signed with minisign.

Open-source code

Every line is on GitHub under MIT.

Self-hosted by design

It runs on your Cloudflare. If we vanish, it keeps firing.

Full guarantees and proofs
iv · Pricing

Three ways to run it.

Self-host it, have us build it, or let us watch it. The code is the same in all three.

Self-Hosted Kit
$39
One-time
  • You host it, you hold the keys
  • Signed release plus an illustrated guide
  • Verify the build yourself
  • We don't keep your email after delivery
Get the kit
Managed Hosting
$300
One-time, plus 30 days support
  • We deploy it on your accounts
  • Sending domain, DKIM, end-to-end test
  • 30 days of email support
  • We delete your email after the window
Get set up
Switch Monitoring
$36
Per year, recurring
  • A weekly health check on your switch
  • We email you if it goes quiet
  • Read-only, never custody
  • We delete your email on cancellation
Start monitoring
Compare in full
v · Open source

The same code, free.

Every line of the switch is on GitHub under MIT. The paid Kit adds a guided setup. The runtime is identical.

Run it on your own Cloudflare.

Clone the repository, verify the signed release, and deploy to the Cloudflare Workers free tier. The full verification walkthrough is on the security page.

Repositorygithub.com/threshold-vault/dm-switchPublic · MIT
LicenseMITPermissive · forkable
Signed releasesminisignVerify before deploy
View on GitHub Full verification walkthrough
vi · FAQ

Questions we get.

A message you wrote in advance, to recipients you chose. It carries instructions, not keys. The secret stays in the shards you already distributed.
No. It runs on your Cloudflare account. We hold no token that can fire or reconfigure it, and the message never reaches us.
Checking in at any stage before Triggered resets the clock to Armed. You also get a Warning and a Grace notice by email before it fires.
For the Self-Hosted Kit, some command-line comfort helps. Managed Hosting sets it up for you. The illustrated guide walks through every step.
It is a read-only weekly health check. We confirm your switch is reachable and email you if it goes quiet. It can never fire or change your switch.
Your switch keeps running. It is your code on your infrastructure. There is no server of ours in the firing path.
No. The message and recipient list live in your Worker config on your account. Set them as secrets to hide them even from your own dashboard.
The vault splits a secret across people. The switch decides when to tell those people to act. Different problem, separate product.
Begin

Ready to leave instructions that act on their own?

Get the kit Read the security model