Threshold Vault does not store your switch, your message, or your recipients. The switch runs on infrastructure you own, and the code that runs it is open.
Three columns. What runs on your own Cloudflare. The single billing row on our side. And what never reaches us under any circumstance.
Eight structural properties. Each is enforced by how the system is built, not by a promise.
The firing path runs inside a single-writer critical section on a Durable Object. Twelve concurrent triggers produce one send per recipient, never two, by a structural guarantee of the runtime.
Our billing service holds no handle to any switch. A lapsed or cancelled subscription writes one row in our database and can do nothing else. The switch runs on the customer's own infrastructure.
Monitoring subscribers give us a token that authorizes reading /status only. The token cannot reset, fire, or reconfigure the switch. We see liveness, never internals.
If a trigger fails to reach a recipient after the retry window, the owner gets a separate alert naming the unreachable recipient. Silent failure on inheritance delivery is structurally prevented.
Customer emails are removed from our records and from Stripe once the purchase is fulfilled. Immediately for Kit, after the 30-day support window for Managed, on cancellation for Monitoring.
Every release is signed with minisign. The public key is in the repository and on this page. A verify command and the expected output are provided below.
Every line of the switch is on GitHub under MIT. Cloneable, auditable, runnable on your own Cloudflare. The same code that ships in the paid kit ships free in the open repo.
The switch runs on your own Cloudflare Workers free tier. If we vanish tomorrow, every deployed switch keeps running and firing on schedule. We are not a custodian. We are a code source.
A four-stage machine driven by a Durable Object alarm. A check-in resets it. No state-changing path is reachable by anyone but the owner.
The Durable Object's single-writer guarantee makes concurrent fires structurally impossible. Twelve concurrent alarm invocations produce one send per recipient, never more.
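A plain Node.js model of the single-writer firing path described above, added here as an illustration and not taken from the Threshold Vault repository. The class, the method names, the in-memory ledger and the `example.test` recipients are assumptions; in a deployed switch the Durable Object runtime provides the serialization that the promise chain imitates here.

```javascript
// Added illustration; not Threshold Vault source. Plain Node.js, no Workers runtime.
// FiringPath, trigger(), fireOnce() and the in-memory ledger are hypothetical names.
class FiringPath {
  constructor(recipients, send, { serialize = true } = {}) {
    this.recipients = recipients;
    this.send = send;               // async (recipient) => void, throws on failure
    this.ledger = new Map();        // recipient -> "sent"; stand-in for durable storage
    this.serialize = serialize;
    this.tail = Promise.resolve();  // promise chain modelling the single-writer section
  }

  // Entry point for every alarm or trigger invocation.
  trigger() {
    if (!this.serialize) return this.fireOnce(); // unsafe variant, kept for contrast
    const run = this.tail.then(() => this.fireOnce());
    this.tail = run.catch(() => {});             // a failed run must not block later ones
    return run;
  }

  // Sends to each recipient not yet marked "sent"; returns the ones that failed,
  // which is the list an owner alert would name.
  async fireOnce() {
    const unreachable = [];
    for (const r of this.recipients) {
      if (this.ledger.get(r) === "sent") continue;
      try {
        await this.send(r);         // yields to the event loop: the race window
        this.ledger.set(r, "sent");
      } catch {
        unreachable.push(r);
      }
    }
    return unreachable;
  }
}

// Fires `n` triggers at once and returns how many sends each recipient received.
async function countSends(n, serialize) {
  const counts = { "a@example.test": 0, "b@example.test": 0 }; // constructed recipients
  const send = async (r) => {
    await new Promise((resolve) => setTimeout(resolve, 1));    // simulated network delay
    counts[r] += 1;
  };
  const path = new FiringPath(Object.keys(counts), send, { serialize });
  await Promise.all(Array.from({ length: n }, () => path.trigger()));
  return counts;
}
```

With `serialize` on, twelve simultaneous triggers yield one send per recipient; with it off, every trigger passes the ledger check before any send completes and each recipient is sent to repeatedly.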
The switch solves one problem: delivering instructions when you cannot. It is not general device security. We are explicit about both sides.
The runtime protects what the procedure preserves. These rules close the gaps the code cannot.
The product is the source. This domain, our copy, our brand are auxiliary to the runtime. If we vanish tomorrow, every deployed switch keeps firing.
Five artifacts published alongside the code. Each is independently verifiable.