Customer custody
Current continuity state
SproutPad is currently operated by one person. This page separates the
exit controls available today from dependencies and roadmap controls
that are not live.
Current one-operator reality.
Moving the source repository into the SproutPad GitHub organization
gives the code a stable home, but it does not create a second
registrar custodian, provider operator, or decision maker. If the
operator is unreachable, registrations do not disappear, but some
customers may still depend on SproutPad-controlled registrar or DNS
accounts to change delegation or obtain transfer authority.
Available today
Customer exit controls
Export
On-demand exports
export_project returns a non-secret leave package
with zone data, retained edge assets, deploy references, ledger
history, and rebuild notes. export_dns_zone returns
a BIND-format zone file. These reduce recovery work; they are
not automatic failover.
Name.com
Name.com self-service transfer-out
A signed-in human can disable SproutPad renewal, unlock a
domain, and retrieve its transfer authority through a one-shot
path. SproutPad marks custody transferred only after separated
observations show the domain is absent from SproutPad's source
registrar. That proves exit from SproutPad custody; it does not
independently identify or attest the gaining registrar.
Cloudflare Registrar
Legacy Cloudflare operator assistance
Legacy Cloudflare Registrar domains can be transferred, but the
API used by SproutPad does not expose a safe unlock and
authorization-code flow. Self-serve transfer-out therefore stops
for those domains. The signed-in human requests operator
assistance from the dashboard path or by emailing
support@sproutpad.ai
with the exact domain; an operator unlocks via the Cloudflare
dashboard and discloses the one-shot authorization code only
through an authenticated ephemeral channel. Authorization codes
are never placed in email threads, chat, task JSON, or agent
results.
Boundary
Conversion is not transfer-out
Registrar conversion/import moves a domain between SproutPad's
registrar integrations and is disabled by default until
REGISTRAR_CONVERSION_LIFECYCLE_READY=true. When
enabled, Cloudflare-held domains require operator EPP handoff.
It is not the external transfer-out path and does not remove a
customer's right to leave.
Known limits
Controls that do not exist yet
These are material limits, not assurances hidden behind roadmap
language.
-
No second independent custodian
GitHub, registrar, DNS, compute, payment, email, and incident
authority do not yet have a separately accountable,
hardware-protected backup owner.
-
No third-party escrow
There is no qualified custodian holding a scoped encrypted
recovery packet or registrar authority.
-
No automatic customer-held exports
Project and zone exports are on demand; SproutPad does not yet
send scheduled, integrity-digested copies to a
customer-controlled destination.
-
No dead-man release control
There is no timer that releases credentials or transfer codes.
A mechanism that emails raw authorization codes on a timer would
add false-trigger and account-takeover risk and is not an
acceptable substitute.
Target state
Roadmap gates — not live
SproutPad will not describe these controls as active until they have
an accountable owner, retained evidence, and an exercised recovery
path.
-
Add independent authority
Establish a second accountable organization owner and provider
custodian with hardware-protected access, separately held
recovery codes, and recurring access drills.
-
Deliver current recovery material
Schedule versioned, integrity-digested leave packages to a
customer-controlled destination, with failure alerts and an
explicit retention and deletion policy.
-
Escrow only the minimum recovery authority
Use a scoped encrypted packet, separate its decryption key,
require multi-party release, log access, and rotate the packet
whenever provider authority changes.
-
Exercise both registrar paths
Drill Name.com self-service and legacy Cloudflare operator
assistance end to end. Confirm both the implemented separated
source-registrar absence signal and custody at the gaining
registrar during the drill; do not treat source absence alone as
destination evidence.