Skip to content
BHTN
Four planes · Six steps · 19/19 STRIDE
Technology

Zero-Residency Data Architecture

ZeRDA replaces the at-rest storage layer with a motion-first runtime. Four functionally-distinct transport planes, per-transfer ephemeral keys with hybrid post-quantum wrap, and architectural destruction after use. This page is the technical overview.

Watch the demo The four planes
01 Pipeline

Every transfer walks six steps.

Each step is enforced by architecture, not policy. Data moves forward or it is destroyed — it never pauses at rest.

01

Encrypt & Fragment

Per-transfer ephemeral keys with standards-based AEAD and erasure coding. No single fragment is usable on its own.

02

Distribute

Fragments fanned out across four planes on ephemeral infrastructure. Memory-only — never persisted.

03

Authorize

Time-bound, single-use grants issued. No single component can reconstruct on its own.

04

Reassemble

Shards combined under one grant in volatile memory. Plaintext exists only in memory, never on disk.

05

Utilize

Application or user consumes the data. Plaintext lifetime measured in milliseconds.

06

Re-encrypt & Destroy

New keys, new fragments, new locations. Original ciphertext and its location markers are cryptographically destroyed.

02 Topology

The pipeline at a glance.

One sender, one receiver, four planes between them. Payload rides the bulk relay; redundancy shards cross the critical mesh; the reassembly layout and key envelope travel their own planes. A stateless discovery service and a relay coordinator keep the mesh self-healing — without a network load balancer. Nothing touches disk in between.

Pipeline topology
BHTN · ZeRDA
ZeRDA pipeline topology Sender and Receiver on either side. Critical mesh, key-custody service, metadata queue, and CA service above. Bulk relay below. Encrypted fragments flow across all four planes between sender and receiver. Critical · Metadata · Key-Custody Planes Bulk Plane · Bulk Relay Sender SDK Encrypt · Fragment Go · In-process Receiver SDK Reassemble · Wipe Memory-only Critical Mesh mTLS · Multi-hop Gossip redundancy Key Custody Wrapped envelope Intent Queue Intent + redemption CA Service Identity · mTLS Ctrl In Gateway Ctrl Out Gateway Bulk Relay Payload · Volume path Encrypted stream · Authorized on Intent match Critical · Metadata · Key-Custody beams Bulk relay (bulk plane) mTLS pipe / service link
Four planes · Six steps · Self-healing mesh Swipe →
03 Architecture in motion

Watch data move through ZeRDA.

Captured directly from our 3D runtime visualizer. Every node, beam, and fragment corresponds to a real service and real data path in the deployed pipeline.

ZeRDA runtime · live capture
BHTN · Demonstration

Encryption, fragmentation, dual-plane transport, authorization, reassembly, and destruction — all running live.

04 Four planes

Structural separation of duty.

Payload, redundancy shards, reassembly layout, and key custody travel four functionally-distinct planes — each with separate mTLS identity and network path. No single plane, and no strict subset short of the recovery threshold, yields anything usable.

Plane I Payload throughput

Bulk Plane

Carries the bulk ciphertext subset — the majority of the payload — over a high-throughput encrypted channel. Carries no key material, no reassembly layout, and no authorization state. The bulk ciphertext alone reconstructs nothing.

  • High throughput
  • AEAD encryption
  • No layout, no keys
Plane II Erasure-coded shards

Critical-Redundancy Plane

Carries the critical ciphertext subset as erasure-coded shards over an mTLS-authenticated mesh. Any sufficient subset of shards recovers the subset; fewer than the threshold recover nothing. Multi-hop routing removes single-point-of-compromise risk.

  • k-of-n erasure code
  • mTLS mesh
  • Threshold-gated
Plane III Reassembly layout + intents

Metadata Plane

Carries the encrypted reassembly layout and receiver intents under a bounded, fail-closed TTL. Gates reconstruction — no intent, no reassembly. Sees no payload bytes and no key material.

  • Encrypted layout
  • Intent-gated
  • TTL-bounded
Plane IV Wrapped-key release

Key-Custody Plane

Holds the wrapped per-transfer key envelope in memory and releases it only on a single-use redemption token bound to the recipient’s operational-certificate fingerprint. Destroys the envelope on release. Sees no payload data.

  • Wrapped envelope
  • Single-use redemption
  • Memory-only
Payload-bearing planes

Two paths, two protocols.

The bulk and critical-redundancy planes each run a protocol matched to their artifact type — optimized separately for payload throughput and shard integrity. Neither is interchangeable with the other.

Volume path

Bulk Relay

High-throughput encrypted streaming for the bulk ciphertext subset. Direct sender-to-receiver channel secured end-to-end.

Integrity path

Critical Mesh

mTLS-authenticated gossip mesh carrying erasure-coded shards. Multi-hop routing removes single-point-of-compromise risk.

05 Cryptography & key management

Ephemeral, per-transfer, fail-closed.

Every transfer issues a fresh ephemeral key and signed grant token. Keys live only in memory, only long enough to authorize reconstruction, and are byte-wiped on release or TTL expiry — whichever comes first.

The per-transfer key never travels in the clear. It is wrapped under a hybrid post-quantum construction — a lattice-based key-encapsulation mechanism combined with an elliptic-curve exchange — so a captured envelope stays unrecoverable even to an adversary who later breaks classical cryptography. Harvest-now-decrypt-later is closed off by design.

TTLs are measured in seconds and configurable per deployment. After expiry, the payload is architecturally irrecoverable. There is no vault to restore from — the keys no longer exist.

Cryptographic primitives Standards-based, no custom crypto
  • NIST-approved AEAD
    Payload confidentiality + integrity
  • Hybrid post-quantum key wrap
    Per-transfer key encapsulation (lattice KEM + elliptic-curve)
  • NIST-approved signature
    Grant tokens, signatures
  • Ed-curve signature
    Identity + attestation
  • NIST HMAC
    Per-fragment integrity
  • Standards-based mTLS
    All inter-service communication
  • Reed-Solomon-class
    Erasure coding across shards
05b Validated at scale

Measurements, not projections.

The architecture is not a reference paper. The results below are from end-to-end runs on the live pipeline — not simulations, not isolated crypto benchmarks.

Sub-second
Class transfer latency

Full security stack — encryption, fragmentation, four-plane transport, reassembly — completes in the sub-second class on enterprise-grade links.

Enterprise
Grade throughput

Sustained throughput matches top-tier enterprise transfer tooling — with zero data at rest, not bolted-on encryption.

100%
Success at sustained concurrency

Zero dropped transfers across the full concurrency range tested. No soft failures, no partial reassembly.

Zero
Residency across auto-scaling

Mesh auto-scales without inspecting payload. Zero-residency guarantees are preserved at every scale point.

The takeaway is not a single headline number — it is that the full zero-residency security model runs at speeds enterprises already expect from their fastest transfer tooling, with none of the payload ever landing at rest.

06 Resilience & threat model

Validated against the full STRIDE.

Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege — every category enumerated, mitigated, and tested.

01

19/19 STRIDE mitigated

Every scenario in a full STRIDE threat model has been enumerated, mitigated in the architecture, and validated in tests.

02

Fail-closed TTL

Grant tokens expire cryptographically. There is no grace period, no admin override, no recovery mechanism. Expiration is permanent destruction.

03

Gossip redundancy

Critical mesh nodes are ephemeral and interchangeable. Fragments survive arbitrary node churn through probabilistic rebroadcast.

04

Per-fragment integrity

MAC and TTL enforced at the fragment level, not the session level. A tampered fragment is rejected independently of the rest.

05

Self-healing discovery

A stateless discovery service publishes the current trust anchor; a relay coordinator scores relay health and load and serves rank-ordered path selection — adaptive routing without a network load balancer. Clients recover from certificate-authority rotation with no operator intervention.

07 Deployment

Environment-agnostic, customer-hosted.

ZeRDA deploys into your AWS account via Terraform. BHTN provides the runtime, the modules, and the portal — you own the data path and the compliance posture.

Cloud-native

AWS, Azure, GCP, or hybrid. Full infrastructure-as-code. All runtime services run on ephemeral compute — no block storage, no object storage, no persistent volumes.

On-prem & air-gapped

No cloud dependency required. Mesh operates in fully isolated environments with on-prem key custody. Licensing supports signed-JWT offline mode.

Edge

Lightweight runtimes for constrained and edge environments. Same security model, smaller footprint.

Technical briefing

Get the deep dive.

Full threat model, crypto design, deployment reference, and benchmark methodology — available on request for technical evaluators under NDA.

Request Briefing See use cases