Each scenario maps the five capabilities ratified May 1, 2026 — time-locked encryption, Bitcoin-anchored proof, auto-PII classification, leak fingerprinting, and the three-layer continuous architecture — to a piece of work that an organisation already needs to do.
A public company prepares its quarterly earnings release. Distribution to wire services, trade press, and regulators must happen exactly at 8:30am Pacific — not a second earlier. Today the secret holds because everyone signs an NDA. Tomorrow a single insider is enough to ruin a market.
Required tierCapsule Pro
Required add-onsNotarized Tier ($299/mo)
The flow
PR team uploads the embargoed PDF to /operator/lockbox.
Operator picks "Time-lock until..." → 2026-Q4-15 16:30 UTC. System computes drand round 28284567.
Capsule encrypts content_key to that drand round. Wire services receive the file immediately.
Recipients try to open at 16:29 UTC — server returns 425 time_locked.
At 16:30 UTC the drand network publishes the round signature. Any recipient now opens. Receipt chain captures every open.
02
Time-lock + crypto-shred composition
NDA-expiring documents (auto-shred)
A boutique investment bank signs a 3-year NDA on M&A target diligence files with 8 separate parties. After 3 years, every copy must become unreadable — not "policy-revoked", actually mathematically unrecoverable. Today the bank emails a follow-up "please delete" and hopes for the best.
Required tierCapsule Continuum
Required add-onsBig-4 Audit Bundle ($5K/yr)
The flow
Operator issues each file with envelope `painted_file` + ttl_seconds=94608000 (3 years) + crypto_shred_on_burn=true.
Recipients keep their .lockbox files on disk for the duration of due diligence.
On day 1095 the heartbeat returns burned. The wrap_key bytes in our DB are zeroed.
Every encrypted copy on every device on Earth becomes mathematical noise — not because of a policy flag, but because the only key on the planet capable of opening them no longer exists.
03
Perceptual hash inventory · Meta PDQ
Leak attribution from screenshot
A confidential pricing slide surfaces on Twitter at 11pm. The CISO has 200 vendors, partners, and internal staff who could have leaked it. Manual inquiry takes weeks. By then the share price has moved. The investigation costs more than the leak.
Required tierCapsule Pro
Required add-onsForensic Pack ($15K/incident or $30K/yr retainer)
The flow
CISO drags the leaked image directly from Twitter into /operator/forensics.
Browser hashes the image with Meta PDQ (256-bit DCT-based perceptual hash, BSD-licensed).
POST /api/protect/detect runs Hamming-distance match against every issued image in the org.
Returns within 30 seconds: `lockbox_file_id, recipient_label: "John Doe @ vendor.co", issued_at: 2026-03-12 14:08, receipt: nd-rcpt-xyz`.
CISO has the answer before the morning news cycle.
04
Auto-PII classification · Microsoft Presidio
Auto-tier sensitive HR docs
HR uploads 500 PDFs from 2024 — performance reviews, severance agreements, medical accommodations, training records. The CISO needs each one classified to the right envelope. Manual review = 40 hours of HR time. Manual review = errors that become leak vectors.
Required tierCapsule Continuum
Required add-onsRisk Engine (included in Continuum)
The flow
Operator drags 500 PDFs into bulk upload.
Capsule extracts text in-process and runs Microsoft Presidio (MIT, NER + regex + checksum) on each one.
Operator reviews on a single screen with the system's reasoning per file.
Operator one-click confirms. 500 envelopes applied in 90 seconds.
05
Bitcoin-anchored proof · OpenTimestamps
CISO compliance proof — verifiable 3 years later
A regulator opens an investigation in 2029. They demand proof that a specific document was issued in this exact form on a specific date in 2026. The CISO needs to demonstrate this without asking the regulator to "trust our log". Audit trails written by the company being audited carry zero weight in court.
Every file issued through Capsule gets a SHA-256 hash submitted to OpenTimestamps at issue time.
Within 24 hours the hash is anchored in a Bitcoin block via Merkle aggregation. Free, anonymous, no NoData involvement.
In 2029 the auditor receives a `.ots` file alongside the original document.
They run `ots verify file.pdf.ots` standalone (open-source CLI). Returns: "this exact byte sequence was committed to Bitcoin block 875432 on 2026-03-12 14:08 UTC".
The auditor needs nothing from NoData to verify. The proof stands even if NoData ceased to exist.
A sales rep emails a sensitive customer list to a prospect, then forwards it via WhatsApp Web, then drops it into a Slack channel "for visibility". 30 minutes later the deal collapses and the rep needs to nuke the file. Today: 3 emails to IT, 3 hopes that the recipients haven't already saved local copies.
Required tierCapsule Pro
Required add-onsForensic Pack ($15K/incident — only if leak surfaces)
The flow
Sales rep used Capsule for the original send. Same envelope, same content_key — different delivery surfaces.
Manager opens /operator/lockbox, finds the file, clicks "Burn".
Layer A (control): next license call from any viewer fails with 410 burned. Open viewers wipe in-memory plaintext within 60 seconds (heartbeat).
Layer C (destruction): wrap_key zeroed in DB. Any cached `.lockbox` becomes unrecoverable on every device.
Layer B (forensics): if a screenshot of the file surfaces later, the recipient name is woven into every pixel. Receipt id clickable on /verify-pack.
Want to see one of these on your data?
30-minute live POC. No sales call required. Drop a file, watch the chain build.