Audience: Customer security review, procurement, buying committee. This is the customer-shareable summary of our continuity plan. The full internal runbook with named custodians and credential procedures is available under MNDA.
What we acknowledge honestly
AssetShop SCO is, at the time of this document, a solo-founder operation. Bus factor is 1. This is a real risk. It is acknowledged, not hidden. This continuity plan is the mitigation.
The plan does not eliminate the risk. It ensures that no customer loses operational continuity, data, or audit-chain integrity if the founder becomes unavailable.
The 4-tier custody chain
If the founder is unreachable for more than 7 days, or in any of the trigger conditions documented in our internal runbook, custody flows down a 4-tier chain:
- Tier 1: Designated successor (family / spouse / estate executor). Activates the runbook; coordinates with Tier 2.
- Tier 2: Founder's lawyer. Holds credentials in legal escrow; releases per Tier-1 instruction.
- Tier 3: IP escrow firm. Holds source repository; releases per the escrow agreement triggers.
- Tier 4: A reference customer's CTO, named in your MSA Exhibit J. Keeps customer tenants operational during transition.
The named individuals at each tier are documented in our internal runbook and reviewed every 90 days.
What happens in the first 24 hours
If continuity activation is triggered, the response window is bounded:
- Hours 0-2: Tier 2 retrieves credentials from escrow; notification routing reassigned away from the founder.
- Hours 2-12: Read-only access granted to acting operator; operational state confirmed; last successful anchor batch verified.
- Hours 12-24: All customers receive a status communication.
Your tenant continues to operate throughout. The audit chain continues to anchor on schedule. No customer data is lost. No service interruption beyond a possible 1-2 hour partial-outage window during credential handover.
The audit chain · why your data remains verifiable forever
Even in the worst-case wind-down scenario, your audit chain remains independently verifiable:
- Every audit chain Merkle root is anchored to Base L2 (public blockchain)
- The @assetshop/verify-cli tool is open-source under MIT license
- Your audit firm can verify your historical chain against the public chain without needing AssetShop to exist
This is the design principle that makes "ERPs remain authoritative" a verifiable property rather than a marketing claim. It is also what makes continuity verifiable: by design, your records remain verifiable whether or not AssetShop continues to operate.
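The following is an added illustration of why a record stays checkable against an anchored Merkle root without the vendor; it is not AssetShop's code and does not reproduce the verify-cli's actual format. The hash (SHA-256), the 0x00/0x01 prefixes, the JSON leaf encoding and the sample records are all assumptions, and `ANCHORED_ROOT` stands in for a value an auditor would read from the public chain.

```javascript
const { createHash } = require("crypto");
// Assumed scheme: SHA-256, leaves prefixed 0x00 and interior nodes 0x01,
// so a leaf can never be passed off as an interior node.
const sha256 = (...parts) => parts.reduce((h, p) => h.update(p), createHash("sha256")).digest();
const leafHash = (record) => sha256(Buffer.from([0x00]), Buffer.from(JSON.stringify(record)));
const nodeHash = (left, right) => sha256(Buffer.from([0x01]), left, right);

// Build every level of the tree; an unpaired node is promoted unchanged.
function buildLevels(records) {
  if (records.length === 0) throw new Error("empty batch");
  const levels = [records.map(leafHash)];
  while (levels.at(-1).length > 1) {
    const cur = levels.at(-1), next = [];
    for (let i = 0; i < cur.length; i += 2)
      next.push(i + 1 < cur.length ? nodeHash(cur[i], cur[i + 1]) : cur[i]);
    levels.push(next);
  }
  return levels;
}

const merkleRoot = (records) => buildLevels(records).at(-1)[0].toString("hex");

// Sibling path for one record, so it can be checked without the full batch.
function inclusionProof(records, index) {
  const proof = [];
  for (const level of buildLevels(records).slice(0, -1)) {
    const sib = index ^ 1;
    if (sib < level.length) proof.push({ hash: level[sib].toString("hex"), siblingOnLeft: sib < index });
    index >>= 1;
  }
  return proof;
}

// Fold the path back up and compare with the root read from the public chain.
function verifyInclusion(record, proof, anchoredRootHex) {
  let acc = leafHash(record);
  for (const { hash, siblingOnLeft } of proof) {
    const sib = Buffer.from(hash, "hex");
    acc = siblingOnLeft ? nodeHash(sib, acc) : nodeHash(acc, sib);
  }
  return acc.toString("hex") === anchoredRootHex.toLowerCase();
}

// Constructed sample batch (odd length exercises the promotion rule).
const batch = [
  { seq: 1, event: "asset.created", asset: "A-100" },
  { seq: 2, event: "asset.transferred", asset: "A-100" },
  { seq: 3, event: "asset.retired", asset: "A-100" },
];
const ANCHORED_ROOT = merkleRoot(batch);
```

Changing any field of a record, or its position in the batch, yields a different root, so the comparison fails against the anchored value.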
Anchor wallet recovery (mission-critical)
The Base L2 anchor wallet signs every Merkle root that proves the audit chain is tamper-evident. Loss of this key would permanently break chain continuity for every existing customer. The recovery design:
- Primary key is held in Cloud KMS (asymmetric ECC-P256K1). The key never leaves the HSM. It is durable in KMS.
- Access to the KMS key is controlled by an IAM role. Tier 2 has standing IAM admin permission with a 24-hour activation delay (security feature).
- Backup multi-sig: the anchor contract is configured with a 2-of-2 multi-sig of primary KMS key + a backup signing key. The backup seed phrase is stored on paper in a sealed envelope filed with Tier 2 (lawyer escrow). Primary key loss does not break continuity.
- Quarterly drill: the 2-of-2 multi-sig signing is tested every quarter to verify both keys remain valid.
The 30-day operational handover
If the founder does not return, we execute a 30-day structured handover:
- Week 1: Stabilize. Escrow credentials retrieved. Acting operator engaged.
- Week 2: Codebase orientation for acting operator.
- Week 3: Operational practice. Drills run against staging.
- Week 4: Hands-on operations. All customer tickets handled by acting operator.
By day 30 we send a final resolution status to every customer: normal operations resumed, permanent operator assigned, or wind-down initiated.
Operating reserve
AssetShop maintains a Continuity Reserve account separate from operating accounts, sufficient to maintain operations for 90 days without commercial activity. This includes cloud infrastructure, audit chain anchoring (Base L2 gas), domain / DNS / SSL renewals, acting operator compensation if engaged, and legal + custody fees. The reserve is maintained at or above the 90-day floor at all times.
Wind-down protection (worst case)
If neither founder return nor acting operator is feasible, the wind-down protocol guarantees:
- 90 days of read-only access maintained while you migrate
- Full data export delivered within 30 days of wind-down notice
- Full audit chain export with verify-cli signed manifest within 30 days
- Pro-rated refund of any prepaid annual fees
- 1 year of continued anchor-chain integrity maintained by a designated customer CTO. After 1 year, the chain becomes a static historical record — but still verifiable forever via the public Base L2 anchor and the open-source verify-cli.
Where this lives contractually
The continuity plan is referenced in:
- MSA §14: Continuity provisions
- MSA §15: Wind-down protocol
- MSA Exhibit J: Named Tier-4 customer custodian for your tenant
- DPA §11: Data export and audit chain export commitments
These are not informal commitments. They are contractually binding.
Drill cadence
The continuity plan is rehearsed:
- Annually: Credential retrieval from escrow tested end-to-end
- Quarterly: Anchor wallet multi-sig signing verified
- After each Founding-5 signing: Acting operator runs a deploy drill in staging
The drill log is available to customers under MNDA on request.
What this plan does NOT solve
Honest framing — the limits of this plan:
- This plan does not eliminate bus factor 1. It mitigates impact. Hiring a CTO is the only true mitigation.
- This plan does not guarantee 100% uptime through the transition. A 1-2 hour partial outage during credential handover is plausible.
- This plan does not commit to a permanent successor by name. Wind-down is a real possibility for a solo-founder venture.
- This plan's usefulness depends on the founder maintaining the custody chain. Quarterly review is mandatory; lapses degrade the plan.
These limitations are honest. They are still vastly better than no plan.
Bottom line for your security review
| Your team will ask | Our answer |
|---|---|
| Is there a single point of failure? | The founder is. Mitigated by this plan, not eliminated. |
| What if the founder is hit by a bus tomorrow? | 4-tier custody chain activates within hours; full operations within 30 days. |
| Do we lose our data? | No. Data is preserved. Audit chain is verifiable forever via public Base L2 anchor. |
| Do we lose our service? | Possible 1-2 hour partial outage during credential handover. Full service continuity within 24 hours. |
| Is this rehearsed or theoretical? | Drilled annually. Anchor multi-sig drilled quarterly. |
| Is this contractually binding? | Yes. MSA §14, §15, Exhibit J, DPA §11. |
This is honest, calibrated, and contractually backed. We do not pretend bus factor is solved. We do guarantee operational and data continuity.
Reviewing the full internal runbook: available on signed MNDA. Email AssetShopCo@gmail.com.
This Continuity Plan is provided as a counsel-ready draft.