Trust and security

A trust model with fewer assumptions and clearer boundaries.

TurtleShell is designed so ownership, authorization, storage, and operations reinforce the same promise: people and teams should not need to trust invisible platform superpowers.

Design stance: The DID holder has root authority. The platform has zero implicit access.

That principle shapes how requests are authorized, where data lives, and how tenants move.

Security Manifesto

Our five commitments to your data sovereignty.

These principles are not aspirational. They are architectural constraints baked into every layer of the system.

I

Sovereignty by Cryptography

Your data is not protected by our "terms of service" — it is protected by the laws of mathematics. If you do not sign the request, the vault does not open. Even we cannot bypass this.

II

Isolation and Privacy as a Human Right

In the physical world, you have a front door. In TurtleShell, your data lives in a physically isolated compartment. There are no "shared tables" where a leak in one can lead to a flood in another.

III

The Shell is Portable

You carry your shell; you are not trapped in ours. True sovereignty means you can pack your data, your identities, and your permissions and move to any node in the world without losing a single bit of authority.

IV

Authority is Not Identity

We do not need to know who you are to know you are authorized. By using ZCAP-LD, we replace invasive profiles with cryptographic "hall passes" that grant specific access without requiring a name.

V

Zero-Trust Infrastructure

We assume the infrastructure is compromised. Therefore, data is encrypted at rest and in transit, and gated by keys that never leave your control.

How it holds up

The manifesto in practice.

Signed invocations only

Every capability invocation is cryptographically signed, and delegation chains are validated before access is allowed.

Storage isolation by tenant

Tenants do not share tables. They live in separate databases, buckets, or directories depending on deployment profile.

Encryption always on

Tenant data is protected with a layered key hierarchy and encrypted at rest by default.

Revocable delegation

Capability grants can be revoked without erasing the owner-first model or changing who fundamentally controls the tenant.

Portable archives

Export and import are part of the trust story because people need a credible path to move their stores elsewhere.

Operational observability

Metrics, traces, structured logs, and admin audit records help operators prove what happened and diagnose issues safely.

What TurtleShell enforces

  • Identity-bound ownership of the tenant
  • Cryptographic verification for invocations and delegations
  • Tenant isolation at the storage boundary
  • Portable data and replication-aware architecture

What deployments still manage

  • Which backend profile is used in a given environment
  • How nodes are operated, monitored, and updated
  • Operational policies for backup, scale, and incident response
  • How admin capabilities are granted and governed

Next step

Talk to us if your product needs a stronger ownership boundary.

We are especially interested in teams building identity-native apps, regulated data flows, and owner-controlled collaboration models.