Customer custody

Current continuity state

SproutPad is currently operated by one person. This page separates the exit controls available today from dependencies and roadmap controls that are not live.

Current one-operator reality.

Moving the source repository into the SproutPad GitHub organization gives the code a stable home, but it does not create a second registrar custodian, provider operator, or decision maker. If the operator is unreachable, registrations do not disappear, but some customers may still depend on SproutPad-controlled registrar or DNS accounts to change delegation or obtain transfer authority.

Available today

Customer exit controls

Export

On-demand exports

export_project returns a non-secret leave package with zone data, retained edge assets, deploy references, ledger history, and rebuild notes. export_dns_zone returns a BIND-format zone file. These reduce recovery work; they are not automatic failover.

Name.com

Name.com self-service transfer-out

A signed-in human can disable SproutPad renewal, unlock a domain, and retrieve its transfer authority through a one-shot path. SproutPad marks custody transferred only after separated observations show the domain is absent from SproutPad's source registrar. That proves exit from SproutPad custody; it does not independently identify or attest the gaining registrar.

Cloudflare Registrar

Legacy Cloudflare operator assistance

Legacy Cloudflare Registrar domains can be transferred, but the API used by SproutPad does not expose a safe unlock and authorization-code flow. Self-serve transfer-out therefore stops for those domains. The signed-in human requests operator assistance from the dashboard path or by emailing support@sproutpad.ai with the exact domain; an operator unlocks via the Cloudflare dashboard and discloses the one-shot authorization code only through an authenticated ephemeral channel. Authorization codes are never placed in email threads, chat, task JSON, or agent results.

Boundary

Conversion is not transfer-out

Registrar conversion/import moves a domain between SproutPad's registrar integrations and is disabled by default until REGISTRAR_CONVERSION_LIFECYCLE_READY=true. When enabled, Cloudflare-held domains require operator EPP handoff. It is not the external transfer-out path and does not remove a customer's right to leave.

Known limits

Controls that do not exist yet

These are material limits, not assurances hidden behind roadmap language.

  • No second independent custodian GitHub, registrar, DNS, compute, payment, email, and incident authority do not yet have a separately accountable, hardware-protected backup owner.
  • No third-party escrow There is no qualified custodian holding a scoped encrypted recovery packet or registrar authority.
  • No automatic customer-held exports Project and zone exports are on demand; SproutPad does not yet send scheduled, integrity-digested copies to a customer-controlled destination.
  • No dead-man release control There is no timer that releases credentials or transfer codes. A mechanism that emails raw authorization codes on a timer would add false-trigger and account-takeover risk and is not an acceptable substitute.
Target state

Roadmap gates — not live

SproutPad will not describe these controls as active until they have an accountable owner, retained evidence, and an exercised recovery path.

  1. Add independent authority Establish a second accountable organization owner and provider custodian with hardware-protected access, separately held recovery codes, and recurring access drills.
  2. Deliver current recovery material Schedule versioned, integrity-digested leave packages to a customer-controlled destination, with failure alerts and an explicit retention and deletion policy.
  3. Escrow only the minimum recovery authority Use a scoped encrypted packet, separate its decryption key, require multi-party release, log access, and rotate the packet whenever provider authority changes.
  4. Exercise both registrar paths Drill Name.com self-service and legacy Cloudflare operator assistance end to end. Confirm both the implemented separated source-registrar absence signal and custody at the gaining registrar during the drill; do not treat source absence alone as destination evidence.