Foundational Vision — Trust Institution for Irreversible Human Transitions¶
The Reframe¶
This is not SaaS. This is a trust institution.
We are building a custodian for irreversible human transitions: - Death - Disappearance - Identity severance - Evidence preservation - Authority transfer
This puts us closer to: - Certificate authorities - Escrow agents - Trustees - Notaries - Archive custodians
...than to a typical software startup.
Why This Matters¶
The Hidden Question¶
"Why does this feel heavier than normal software?"
Because it is.
We are designing systems people rely on when everything else has failed.
When someone uses our software: - They may be dying - They may be fleeing abuse - They may be protecting evidence against powerful adversaries - They may be planning for a future where they cannot verify anything
The software must act correctly when the user cannot check if it's acting correctly.
Governing Principles¶
1. Process Fidelity, Not Truth Claims¶
We never say "X is true." We say: - "On [date], [actor] submitted [artifact]" - "On [date], [condition] was met" - "On [date], [action] executed per documented process"
The audit trail IS the truth. The process IS the product.
Why: This survives legal and adversarial reality. We don't need to prove someone is dead. We need to prove we followed the documented process when the executor submitted a death certificate.
2. Irreversibility is Delayed, Not Denied¶
Every irreversible action has: - Challenge windows - Abort paths - Staged execution - Logged justification
True irreversibility should exist only when: - Legal authority has transferred - Data has been exported or decrypted - User explicitly waived reversibility in advance
Why: Mistakes happen. Systems fail. People recover unexpectedly. The cost of delayed execution is low. The cost of premature irreversibility is catastrophic.
3. Fail Safely (Product-Specific)¶
Not all failures are the same:
| Product | Failure Mode | Rationale |
|---|---|---|
| WitnessVault | Fail closed | Evidence against adversaries; false release is dangerous |
| GhostProtocol | Fail closed | Identity protection; false exposure is dangerous |
| FinalFile | Fail open | Family needs access; false lockout is cruel |
| LastMile | Fail open | Dying person's wishes should be honored |
| ParentTrap | Fail open | Care coordination must continue |
Why: "Fail safely" means different things depending on what's at stake.
4. The Audit Trail IS the Product¶
Legal defensibility comes from: - Timestamped event records - Hash-chained, tamper-evident logs - Process documentation - Cryptographic proof of state transitions
Not from: - Truth assertions - "Verified" badges - Our opinion on what happened
Why: Courts, executors, and adversaries will examine our records. They must be unimpeachable.
5. Design for Adversarial UX¶
Users of this system are: - Grieving - Afraid - Overwhelmed - Sometimes coerced - Sometimes desperate
Every interaction must assume emotional fragility.
Requirements: - No irreversible action without typed confirmation - No dark patterns, ever - Visible state at ALL times - "Nothing has happened yet" reassurance where true - Copy that assumes the worst emotional state
Why: A confusing dialog box at the wrong moment can cause irreversible harm.
6. The Platform Must Outlive the Company¶
End-of-life software that dies with the company is a moral failure.
Commitments: - Guaranteed export in documented, open format - Schema designed for portability - Platform dead man's switch (if we disappear, users get their data) - Consideration of open-source escrow
Why: Someone planning their digital estate needs to trust that the plan will execute in 20 years, not just while the startup exists.
What We're NOT Building¶
Not a Social Network¶
No feeds, no likes, no engagement metrics. Users come here for serious purposes and leave.
Not a Growth-First Startup¶
We optimize for trust and correctness, not viral loops. Slow, steady adoption of people who genuinely need this.
Not a Legal Service¶
We don't provide legal advice. We provide process documentation and custodial services. Lawyers interpret; we record.
Not a Truth Oracle¶
We don't verify death. We record that someone submitted a death certificate. We don't verify identity. We record that someone passed authentication.
The Core Abstraction¶
All products share one primitive:
"Data that must remain inaccessible until conditions are met."
This is implemented through: - Encryption (data is unreadable without keys) - Triggers (conditions that release keys/access) - Access Control (who can do what, when) - Audit (proof of what happened)
Every product is a different UX on top of this primitive.
Product Stack¶
WitnessVault (Foundation)¶
The core primitive: encrypted storage with dead man's switch. - If I don't check in, release to designated parties - For journalists, activists, abuse survivors, whistleblowers
FinalFile (End-of-Life)¶
Estate planning vault with executor management. - Documents, accounts, instructions for after death - Death verification triggers release to executor
LastMile (Active Dying)¶
Support for the dying process itself. - Bucket lists, legacy recording, family coordination - For the final months, not the aftermath
ParentTrap (Care Coordination)¶
Sibling coordination for aging parent care. - Who's doing what, who's paying what - Shared visibility, reduced resentment
ExitMap (Escape)¶
Leaving high-control groups. - Secure planning when devices may be monitored - Resource connections, identity rebuilding
GhostProtocol (Identity Severance)¶
Disappearing from dangerous situations. - New identity logistics - Triggered if user stops checking in (presumed compromised)
Success Metrics¶
Not Traditional SaaS Metrics¶
We don't optimize for: - Daily active users - Time in app - Viral coefficient - Feature velocity
What We Optimize For¶
| Metric | Why |
|---|---|
| Triggers executed correctly | Core function works |
| False positive rate | Trust requires near-zero |
| Time to executor access | Families shouldn't wait |
| Audit trail completeness | Legal defensibility |
| Export success rate | Continuity commitment |
| Support tickets on critical paths | Confusion = danger |
The Ultimate Test¶
"Did the system act correctly when the user could no longer verify it?"
That's the only question that matters.
Risks We Accept¶
Slow Growth¶
Trust takes time. We accept slower adoption in exchange for deeper trust.
Higher Support Burden¶
Emotional situations require human support. We budget for this.
Legal Complexity¶
Death, estates, and jurisdiction are legally complex. We accept this complexity.
Limited Features¶
Class C (zero-knowledge) encryption means we can't build some features. We accept this limitation.
Risks We Refuse¶
Growth-at-Trust-Cost¶
We will not add features that compromise security for growth.
Dark Patterns¶
We will never use manipulative UX, even if it increases conversion.
Data Monetization¶
User data is never sold, mined, or used for behavioral profiling.
Premature Scale¶
We will not scale faster than our ability to maintain trust.
This document defines what we're building and why. Technical implementation details are in the architecture documents.