If you stop checking in, your sealed message reaches the people you chose. We hold none of it.
It runs on your own infrastructure. Our side is one billing row. The message and recipients never reach us.
You check in on your schedule. Miss your check-ins, and the switch advances through four stages on its own.
The Durable Object alarm advances the state. Check-in resets it. No state-changing path is reachable from outside the owner.
Eight properties, enforced structurally. The full proofs are on the security page.
One send per recipient, never two, by runtime guarantee.
Our billing holds no handle to any switch.
The monitor token can read status, nothing more.
An unreachable recipient triggers a named alert.
Your email leaves our records and Stripe once fulfilled.
Every release is signed with minisign.
Every line is on GitHub under MIT.
It runs on your Cloudflare. If we vanish, it keeps firing.
Self-host it, have us build it, or let us watch it. The code is the same in all three.
Every line of the switch is on GitHub under MIT. The paid Kit adds a guided setup. The runtime is identical.
Clone the repository, verify the signed release, and deploy to the Cloudflare Workers free tier. The full verification walkthrough is on the security page.