Privacy by Design
Herald was built on a simple premise: we should be technically incapable of reading your email address, even if we wanted to.
Data Flow Visualization
Client-Side Encryption
Your email is encrypted entirely in your browser using TweetNaCl.js before it ever touches our servers. We use NaCl box encryption (Curve25519-XSalsa20-Poly1305).
On-Chain Identity
Your encrypted data lives in a Solana Program Derived Address (PDA) controlled by your wallet. Only your wallet signature can authorize changes.
TEE Decryption
Decryption happens inside an AWS Nitro Enclave — a hardware-isolated Trusted Execution Environment. Memory is cryptographically zeroed after use.
Zero PII Storage
Our database stores only SHA-256 hashes. Even if compromised, attackers find zero email addresses or linkable identities.
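The client-side encryption and TEE decryption steps above follow the usual encrypt-to-a-public-key pattern. The sketch below is an added example, not Herald's code. It assumes the browser encrypts to a public key whose private half is held by the enclave and uses a one-time sender key, and it substitutes X25519 + HKDF-SHA256 + ChaCha20-Poly1305 from Node's built-in crypto module for NaCl box so that it runs without dependencies. In TweetNaCl.js the corresponding call is `nacl.box(message, nonce, theirPublicKey, mySecretKey)`.

```javascript
// Added example, not Herald's code. Stand-in primitives from Node's crypto:
// X25519 + HKDF-SHA256 + ChaCha20-Poly1305 (NaCl box uses XSalsa20-Poly1305).
const nodeCrypto = require('crypto');
const INFO = Buffer.from('example-seal-v1'); // hypothetical context label

// Both sides derive the same 32-byte key from the X25519 shared secret.
function deriveKey(privateKey, publicKey, salt) {
  const shared = nodeCrypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, salt, INFO, 32));
}

// Browser side: encrypt to the enclave's public key with a one-time sender key.
function sealEmail(email, enclavePublicKey) {
  const eph = nodeCrypto.generateKeyPairSync('x25519');
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  const nonce = nodeCrypto.randomBytes(12);
  const key = deriveKey(eph.privateKey, enclavePublicKey, ephPub);
  const c = nodeCrypto.createCipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  const ct = Buffer.concat([c.update(email, 'utf8'), c.final()]);
  return { ephPub, nonce, ct, tag: c.getAuthTag() };
}

// Enclave side: only the holder of the matching private key can open the blob.
function openEmail(sealed, enclavePrivateKey) {
  const ephPub = nodeCrypto.createPublicKey({ key: sealed.ephPub, type: 'spki', format: 'der' });
  const key = deriveKey(enclavePrivateKey, ephPub, sealed.ephPub);
  const d = nodeCrypto.createDecipheriv('chacha20-poly1305', key, sealed.nonce, { authTagLength: 16 });
  d.setAuthTag(sealed.tag);
  // final() throws if the tag does not verify (wrong key or modified data).
  return Buffer.concat([d.update(sealed.ct), d.final()]).toString('utf8');
}

// Returns true when opening fails.
function rejects(sealed, privateKey) {
  try { openEmail(sealed, privateKey); return false; } catch (e) { return true; }
}

// Constructed sample run: the address and both key pairs are made up here.
function demo() {
  const enclave = nodeCrypto.generateKeyPairSync('x25519');
  const other = nodeCrypto.generateKeyPairSync('x25519'); // a party holding only the stored blob
  const sealed = sealEmail('alice@example.com', enclave.publicKey);
  const tampered = { ...sealed, ct: Buffer.from(sealed.ct) };
  tampered.ct[0] ^= 1; // flip one ciphertext bit
  return {
    roundTrip: openEmail(sealed, enclave.privateKey),
    wrongKeyRejected: rejects(sealed, other.privateKey),
    tamperRejected: rejects(tampered, enclave.privateKey),
  };
}
```

The stored object contains only the one-time public key, nonce, ciphertext and tag, so whoever holds the database but not the enclave's private key can neither read nor silently alter the address.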
What Herald Never Stores
Technical guarantee: Even with complete database access, we cannot link wallet addresses to email addresses or read notification contents. The cryptographic keys never leave the TEE.
GDPR Right to Erasure
Delete your IdentityAccount PDA anytime. The account closes, rent is returned to your wallet, and all future notifications are permanently blocked.
ZK Delivery Proofs
Every delivery generates a ZK-compressed receipt on Solana via Light Protocol. Each receipt is a verifiable proof of delivery that does not expose the recipient's identity. Cost: $0.0001 per proof.
Our entire infrastructure is designed to be inspected. The code is open-source, the encryption happens in your browser, and the on-chain logic is verifiable.