Founder succession: encoding "hit by a bus" into your company's key management
"Bus factor of one" gets joked about until it isn't a joke. If a founder dropped offline tonight, the question isn't whether the company would survive emotionally. It's whether anyone could open the bank account, deploy a hotfix, or restore the backups by Monday morning.
TL;DR
Identify every tier-zero credential the company can't operate without. For each, design a threshold split (typically 3-of-5) across people whose lives don't fail correlated: co-founders, leadership, board, outside counsel. Wrap the technical split in a legal layer (operating agreement provisions, sealed envelopes with the will). Document the recovery procedure in a runbook accessible without the secrets it describes. Rehearse annually. Treat it as part of the company, not part of the founder.
Step 1 — The honest inventory
Most founder-succession failures aren't about cryptography. They're about not knowing the list. Before any threshold split, write the inventory. For a typical software company, the tier-zero set looks something like:
- Domain registrar account. Lose this and you lose email, DNS, SSL — fatal.
- Email admin (Google Workspace, Microsoft 365) super-admin. Controls every employee's mailbox and SSO bridge.
- AWS / GCP / Azure root account. The whole production environment.
- Database root credentials and any backup-encryption keys. Customer data lives here.
- Code signing keys / mobile app store credentials. Ability to ship updates.
- Source-control admin (GitHub / GitLab) organization owner.
- Payment processor admin (Stripe, etc.). Revenue path.
- Bank account online-banking primary credentials and any wire-transfer signing keys / hardware tokens.
- Cap-table / equity management tool admin.
- Customer-facing TLS certificate private keys (if not auto-rotated by ACME / cert-manager).
- Any vendor account where the recovery path is "verify ownership via the founder's email." This list is longer than it looks.
If your team can't reconstruct that inventory in an hour, the inventory itself is the first artifact to produce. Everything else follows.
Step 2 — Threshold design
For founder-succession purposes, the threshold balances three things: (1) availability after a founder is gone, (2) collusion resistance among the remaining team, and (3) collusion resistance against external actors who might compromise multiple holders at once.
The default: 3-of-5
For early-stage companies with two or three co-founders, a 3-of-5 across co-founders + leadership + outside counsel + board chair is a workable starting point.
- Co-founder A.
- Co-founder B.
- Head of Finance (or COO).
- Outside counsel.
- Board chair (or lead investor's designated contact).
Properties:
- Survives loss of any two custodians (including both co-founders simultaneously).
- No subset of three is fully internal to operating leadership — outside counsel and board chair break that.
- The "natural" quorum during normal operations (co-founder + Head of Finance + one of counsel/board) requires deliberate convening.
When to go to 3-of-7 or larger
Later-stage companies, fund-management entities, or businesses where the tier-zero secret is itself extraordinary (a CA root key, a multi-billion-dollar treasury wallet) benefit from a wider distribution. The tradeoff: more custodians means recovery is slower and harder to execute correctly under time pressure.
What not to do
- Don't make the threshold all co-founders. Failure modes correlate (same office, same flight, same dinner, same falling-out).
- Don't include a custodian who can't be reached for weeks at a time. An unreachable custodian is a missing portion. If they routinely travel without secure comms, they're not a custodian.
- Don't put your spouse as the only non-employee. Their incentives are entangled with yours, and they may be unreachable in the same incident that takes you offline.
Step 3 — Separate the secrets across thresholds where it matters
It's tempting to put every tier-zero secret behind the same 3-of-5. Don't, when separation buys you safety. Some secrets should require different quorums:
- Operational secrets (production access, DB credentials): a quorum the team can convene quickly. Co-founders + operational leadership.
- Financial secrets (bank wires, treasury keys): a quorum with Finance + counsel + at least one board representative. Slower, more deliberate, harder to compel.
- Existential secrets (signing root keys, domain registrar, the keys that are the company): the widest threshold, the slowest path, the most ceremony.
This isn't just hygiene. It also means a compromise that reaches an operational quorum doesn't automatically reach the financial or existential ones.
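Here is what the split in Steps 2 and 3 looks like in code. This is an added example written for this guide, not shattr's tool or any vendor's implementation: a plain Shamir secret sharing over a prime field, with a constructed tier policy mapping each tier to its own threshold and custodian roster. The custodian names, the tier policy and the sample registrar password are all constructed; the field prime (2^521 - 1) and the 0x01 length marker are implementation choices of this example.

```python
import secrets
from itertools import combinations

# Shamir's secret sharing over the prime field GF(2^521 - 1): a secret of up to 64 bytes
# becomes the constant term of a random degree-(k-1) polynomial, and each custodian
# receives one point (x, f(x)). Any k points interpolate f(0); fewer reveal nothing about it.
PRIME = 2**521 - 1
MAX_SECRET_BYTES = 64

# Constructed policy (not from the original guide): tier -> (threshold k, custodian roster).
# Each tier gets its own quorum, so reaching the operational quorum does not reach the others.
TIER_POLICY = {
    "operational": (2, ["cofounder_a", "cofounder_b", "head_of_eng"]),
    "financial":   (3, ["cofounder_a", "head_of_finance", "outside_counsel",
                        "board_chair", "lead_investor"]),
    "existential": (3, ["cofounder_a", "cofounder_b", "head_of_finance",
                        "outside_counsel", "board_chair"]),
}


def _eval_poly(coeffs, x):
    # Horner's rule; coeffs[0] is the constant term (the secret).
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Split secret into n shares (x, y); any k of them reconstruct it."""
    if not 2 <= k <= n:
        raise ValueError("need 2 <= k <= n")
    if not 0 < len(secret) <= MAX_SECRET_BYTES:
        raise ValueError(f"secret must be 1..{MAX_SECRET_BYTES} bytes")
    # A leading 0x01 marker preserves the secret's length and any leading zero bytes.
    s = int.from_bytes(b"\x01" + secret, "big")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_raw(shares):
    """Lagrange-interpolate f(0) from the given points. Correct only with >= k distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def combine_shares(shares) -> bytes:
    """Reconstruct the secret bytes; raise if the marker is missing (too few or corrupt shares)."""
    s = recover_raw(shares)
    buf = s.to_bytes((s.bit_length() + 7) // 8, "big")
    if not buf or buf[0] != 0x01:
        raise ValueError("reconstruction failed: quorum not met or a share is corrupted")
    return buf[1:]


def split_for_tier(secret: bytes, tier: str) -> dict:
    """Issue one share per custodian named in the tier's policy, keyed by custodian."""
    k, roster = TIER_POLICY[tier]
    return dict(zip(roster, split_secret(secret, k, len(roster))))


def every_quorum_recovers(holdings: dict, k: int, secret: bytes) -> bool:
    """Rehearsal check: every k-subset of custodians must reconstruct the secret."""
    return all(combine_shares([holdings[c] for c in q]) == secret
               for q in combinations(sorted(holdings), k))


if __name__ == "__main__":
    registrar_pw = b"constructed-registrar-password"  # constructed sample, not a real credential
    holdings = split_for_tier(registrar_pw, "existential")
    k = TIER_POLICY["existential"][0]
    print("all 3-of-5 quorums recover:", every_quorum_recovers(holdings, k, registrar_pw))
    # Once a secret has been reconstructed (even in a rehearsal) it has been touched:
    # re-split so every custodian holds a fresh portion and the old ones are worthless.
    fresh = split_for_tier(registrar_pw, "existential")
    print("fresh portions differ from old:", fresh != holdings)
```

Two things the code makes concrete. First, the tier policy is data, so the operational, financial and existential quorums are genuinely different polynomials with different holders, not one split reused. Second, re-splitting after a recovery is simply a new call to `split_for_tier`: the fresh portions reconstruct the same secret, and the old portions no longer combine with the new ones, which is what makes "rotate the portions" a real control rather than a slogan.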
Step 4 — The legal layer (this is the part founders skip)
A perfect cryptographic split does nothing if the law won't let your custodians act on it. Three pieces of paperwork to get right:
Operating agreement / bylaws provisions
Your operating agreement should explicitly authorize the threshold custodians, by role, to reconstruct and use credentials on behalf of the company in the event of founder incapacity. Without this, even after recovery, the company's lawyers may balk at executing transactions, vendors may refuse to honor the access, and the IRS / bank / customers may treat the actions as unauthorized.
Power of attorney (or its corporate analogue)
Designate, in writing, who has authority to act on behalf of the company in defined succession scenarios. The threshold custodians are the technical mechanism; the legal designation is what makes their actions binding.
Sealed envelope with the will (founders personally)
For founders whose personal holdings or estate interlock with the company (cap-table positions, founder-held secrets that span personal and corporate life), the recovery procedure should be referenced in the will. Not the secret itself — the procedure for recovering it. Estate-planning attorneys know how to do this; ask explicitly.
This guide is not legal advice. A founder-succession plan that touches estate, equity, and corporate authority should be reviewed by your attorney — and ideally by your board's counsel. Build the technical layer first so the legal review has something concrete to attach to.
Step 5 — The runbook
The recovery procedure must be discoverable without the secrets it controls. Write it as if you'd already vanished.
A workable structure:
- Front-matter: what this document is, who should read it, who's authorized to act on it, where the legal authority comes from.
- Inventory: the list of tier-zero secrets and which threshold each one falls under.
- Custodian roster: who holds which portion. Names, roles, contact methods, alternates.
- Per-secret recovery steps: how to convene the threshold, where to reconstruct (e.g., on shattr's decrypt tool on a fresh device), what to do with the recovered secret (rotate immediately, or use to perform a one-time action and then re-split).
- Communication plan: who tells the team, the board, customers, and how.
- Rotation playbook: after any single recovery event, every secret reconstructed should be rotated, and the threshold redistributed.
Store the runbook in at least two places: (1) the corporate document management system, with appropriate access controls; (2) a sealed copy with outside counsel.
Step 6 — Rehearse it, annually
Once a year, run a tabletop. Pick a quarter when nothing else is on fire. The exercise:
- Pretend the primary founder is offline for the next 30 days.
- Walk through the runbook. Convene the threshold for one tier-zero secret. Reconstruct it. Verify it works. Re-split with fresh portions.
- Note every step that was harder than expected — a custodian unreachable, contact info out of date, a vendor that wouldn't honor the legal authorization, a portion that turned out to be illegible.
- Fix those things before next year's drill.
If your custodians have never executed the procedure together, you don't have a procedure. You have a document.
When to redistribute
Treat any of these as triggers to rotate portions:
- A custodian leaves the company or the role.
- A custodian's circumstances change in ways that affect their custody (divorce, relocation to a high-risk jurisdiction, public-facing role change).
- Any single portion has been touched (used in a recovery, even a rehearsal).
- Any of the legal documents change (new operating agreement, new will, new corporate structure).
- It's been more than two years since the last rotation. Default rotation cadence keeps the split honest about its current custodian roster.
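The "what not to do" rules in Step 2, the rehearsal findings in Step 6 and the redistribution triggers above are all checks you can run against the custodian roster before a drill, not just during one. The linter below is an added example written for this guide (not part of the original, and not a shattr feature); the roster, the tier definitions, the as-of date and the seven-day reachability limit are constructed assumptions, while the two-year rotation age comes from the trigger list above. It flags a quorum that fits inside one correlated-failure group, an operating-leadership-only quorum on a tier that is supposed to need an outsider, departed or unreachable custodians, and stale rotations.

```python
from datetime import date

MAX_UNREACHABLE_DAYS = 7      # assumption: a custodian must be reachable within a week
MAX_ROTATION_AGE_DAYS = 730   # the guide's trigger: more than two years since the last rotation
AS_OF = date(2025, 6, 1)      # constructed "today" for the drill

# Constructed custodian roster (not a real company). 'group' names a correlated-failure
# group: people who share an office, a household or a flight go offline together.
CUSTODIANS = {
    "cofounder_a":          {"internal": True,  "group": "founders", "reach_days": 1,  "active": True},
    "cofounder_b":          {"internal": True,  "group": "founders", "reach_days": 1,  "active": True},
    "head_of_finance":      {"internal": True,  "group": "hq",       "reach_days": 2,  "active": True},
    "former_coo":           {"internal": True,  "group": "hq",       "reach_days": 2,  "active": False},
    "outside_counsel":      {"internal": False, "group": "law_firm", "reach_days": 3,  "active": True},
    "board_chair":          {"internal": False, "group": "board",    "reach_days": 5,  "active": True},
    "independent_director": {"internal": False, "group": "board",    "reach_days": 4,  "active": True},
    "lead_investor":        {"internal": False, "group": "board",    "reach_days": 30, "active": True},
}

# Constructed tier definitions. 'external_can_block' means operating leadership alone must
# not be able to reach the threshold (the guide's rule for financial and existential secrets).
TIERS = {
    "operational": {"k": 2, "holders": ["cofounder_a", "cofounder_b", "former_coo"],
                    "external_can_block": False, "last_rotation": date(2023, 1, 15)},
    "financial":   {"k": 3, "holders": ["cofounder_a", "head_of_finance", "outside_counsel",
                                        "board_chair", "lead_investor"],
                    "external_can_block": True, "last_rotation": date(2025, 1, 10)},
    "existential": {"k": 3, "holders": ["cofounder_a", "cofounder_b", "outside_counsel",
                                        "board_chair", "independent_director"],
                    "external_can_block": True, "last_rotation": date(2024, 9, 1)},
}


def lint_tier(name, tier, custodians, today, survive_loss=2):
    """Return (code, message) findings for one tier; an empty list means the tier passes."""
    findings = []
    k, holders = tier["k"], tier["holders"]
    n = len(holders)
    if not 2 <= k <= n:
        return [("BAD_THRESHOLD", f"{name}: k={k} must satisfy 2 <= k <= n={n}")]
    # Availability: the guide's 3-of-5 survives losing any two custodians at once.
    if n - k < survive_loss:
        findings.append(("LOW_LOSS_TOLERANCE",
                         f"{name}: {k}-of-{n} survives loss of only {n - k} custodian(s), wanted {survive_loss}"))
    # Compulsion resistance: insiders must not be able to convene the quorum by themselves.
    internal = [h for h in holders if custodians[h]["internal"]]
    if tier["external_can_block"] and len(internal) >= k:
        findings.append(("ALL_INTERNAL_QUORUM",
                         f"{name}: {len(internal)} internal holders reach k={k} without any outside party"))
    # Correlated failure: no single group (same office, same flight) may hold a full quorum.
    by_group = {}
    for h in holders:
        by_group.setdefault(custodians[h]["group"], []).append(h)
    for group, members in by_group.items():
        if len(members) >= k:
            findings.append(("CORRELATED_QUORUM",
                             f"{name}: group '{group}' ({', '.join(members)}) alone meets k={k}"))
    # Roster hygiene: a departed or unreachable custodian is a missing portion.
    for h in holders:
        c = custodians[h]
        if not c["active"]:
            findings.append(("DEPARTED", f"{name}: {h} has left the role; redistribute portions"))
        elif c["reach_days"] > MAX_UNREACHABLE_DAYS:
            findings.append(("UNREACHABLE",
                             f"{name}: {h} reachable only within {c['reach_days']} days; treat the portion as missing"))
    age = (today - tier["last_rotation"]).days
    if age > MAX_ROTATION_AGE_DAYS:
        findings.append(("STALE_ROTATION", f"{name}: last rotation {age} days ago exceeds {MAX_ROTATION_AGE_DAYS}"))
    return findings


def lint_all(tiers, custodians, today):
    """Lint every tier; returns {tier_name: [findings]}."""
    return {name: lint_tier(name, tier, custodians, today) for name, tier in tiers.items()}


def finding_codes(findings):
    """Sorted finding codes, convenient for comparing a tier's result against expectations."""
    return sorted(code for code, _ in findings)


if __name__ == "__main__":
    for tier_name, findings in lint_all(TIERS, CUSTODIANS, AS_OF).items():
        print(f"{tier_name}: {'OK' if not findings else ''}")
        for _, msg in findings:
            print("  -", msg)
```

Run as-is, the constructed operational tier fails four ways at once (a two-founder quorum that fails correlated, a departed COO still on the roster, a split that cannot survive losing two people, and a rotation older than two years), the financial tier is flagged only for an investor who is out of reach for weeks, and the existential tier passes. Running this at the start of each annual drill turns the "things that were harder than expected" list into something you find before the room is convened.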
Founder-only secrets that the company shouldn't see
Some founder-held secrets shouldn't be recoverable by the company in normal operation — personal wallet seeds, personal email, founder's own estate documents. For these, the threshold is built around your personal succession, not the corporate one: family + counsel + (optionally) a long-time friend or fiduciary. The mechanics are the same; the custodian set is different. See the seed-phrase guide for the personal-custody patterns.
Start with one tier-zero secret
Don't try to roll out the whole succession plan in a weekend. Pick the single secret whose loss would be most catastrophic and split it. Then the next. The pattern is the same every time.