How Herald works
A privacy-preserving notification layer for Solana DeFi — from wallet to inbox, with zero PII exposure.
Registration Flow — Zero PII Exposure
Client-side encryption ensures Herald never sees your email address
Connect Wallet
Phantom, Solflare, or Ledger connects via wallet-adapter
Enter Email
Plaintext entered in form field — stays browser-only
Client-Side Encryption
Email encrypted using TweetNaCl.js before transmission
Sign Transaction
Wallet signs register_identity() instruction
IdentityAccount PDA Created
Seeds: ["identity", wallet_pubkey]
- Wallet public key
- Encrypted blob (in TEE)
- Opt-in preferences
- Plaintext email
- Even with DB access
- Without your private key
User registers
A wallet holder visits notify.herald.xyz, connects their wallet, and enters their email address. The email is encrypted in the browser using TweetNaCl.js — plaintext never leaves the device.
On-chain storage
A Solana transaction calls register_identity() on the Herald Anchor program. The IdentityAccount PDA stores the encrypted email blob, nonce, SHA-256 hash, and opt-in flags.
Protocol sends alert
A DeFi protocol calls POST /v1/notify with a wallet address and message. Herald looks up the IdentityAccount on-chain, decrypts the email inside a Nitro Enclave (TEE), and dispatches via AWS SES.
ZK receipt written
After confirmed delivery, Herald writes a ZK-compressed receipt leaf to Solana via Light Protocol. Cost: ~$0.0001. The protocol never learns the user's email at any point.
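The IdentityAccount lookup in the steps above starts from the seeds ["identity", wallet_pubkey]. The following is an added example, not Herald's code: a dependency-free reimplementation of Solana's program-address derivation for those seeds. The program ID and wallet bytes are constructed placeholders, since the page does not give Herald's program ID.

```javascript
const { createHash } = require('crypto');

// Ed25519 field prime and curve constant d = -121665/121666 mod p.
const P = 2n ** 255n - 19n;
const mod = (a) => ((a % P) + P) % P;
function pow(base, exp) {
  let r = 1n, b = mod(base);
  for (let e = exp; e > 0n; e >>= 1n) {
    if (e & 1n) r = (r * b) % P;
    b = (b * b) % P;
  }
  return r;
}
const D = mod(-121665n * pow(121666n, P - 2n));

// True when the 32 bytes decompress to a point on the Ed25519 curve.
function isOnCurve(bytes) {
  let y = 0n;
  for (let i = 31; i >= 0; i--) y = (y << 8n) | BigInt(bytes[i]);
  y = mod(y & ((1n << 255n) - 1n)); // drop the sign bit of x
  const y2 = (y * y) % P;
  const x2 = mod((y2 - 1n) * pow(D * y2 + 1n, P - 2n)); // x^2 = (y^2-1)/(d*y^2+1)
  return x2 === 0n || pow(x2, (P - 1n) / 2n) === 1n; // Euler's criterion
}

// Same procedure as Solana's find_program_address: try bumps 255..0, keep the first off-curve hash.
function findProgramAddress(seeds, programId) {
  for (let bump = 255; bump >= 0; bump--) {
    const h = createHash('sha256');
    for (const s of seeds) h.update(s);
    h.update(Buffer.from([bump]));
    h.update(programId);
    h.update('ProgramDerivedAddress');
    const address = h.digest();
    if (!isOnCurve(address)) return { address, bump };
  }
  throw new Error('no off-curve address found');
}

// Seeds as given on this page: ["identity", wallet_pubkey].
function identityPda(walletPubkey, programId) {
  return findProgramAddress([Buffer.from('identity'), walletPubkey], programId);
}

// Constructed sample inputs: neither is a real wallet nor Herald's real program ID.
const SAMPLE_WALLET = createHash('sha256').update('constructed wallet').digest();
const PLACEHOLDER_PROGRAM_ID = Buffer.alloc(32, 7);
```

Every input to the derivation is public, so anyone who knows a wallet address can compute its IdentityAccount address and read the stored fields from the chain. The confidentiality of the email therefore rests entirely on the encryption of the blob, not on the account being hard to find.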