CLAVI FAQ: How It Works — Architecture, Security, and Sovereignty
A comprehensive knowledge guide to sovereign hardware custody — architecture, security, and succession — based on the twenty most important questions about CLAVI in 2026. Date: February 26, 2026
1. The Sovereignty Problem: Why Standard Hardware Wallets Are Insufficient
The prevailing approach to self-custody in 2026 remains the consumer hardware wallet: a USB-sized signing device that isolates private keys from internet-connected machines. Ledger, Trezor, and Coldcard each solve the same narrow problem — protecting against software-based key extraction. They do this well, and for many holders, they are sufficient.
But sufficiency depends on what you are protecting, and from whom.
A standard hardware wallet condenses your entire cryptographic authority into a single 24-word seed phrase (the BIP-39 standard). Lose that phrase, and the assets are gone. Have it stolen, and the assets are gone. Be coerced at gunpoint to read it aloud, and the assets are gone. This is the architectural definition of a single point of failure.
For portfolios above $100,000 — and especially for family offices managing generational wealth — this fragility is not a theoretical risk. Verified physical coercion cases targeting cryptocurrency holders rose 75% between 2024 and 2026, with outright assaults up 250% in the same period [4]. The threat model has expanded beyond malware to include kidnapping, home invasion, and legal compulsion from hostile jurisdictions.
CLAVI exists because the problem is no longer just digital. It is physical, jurisdictional, and generational.
| Feature | Ledger / Trezor | Safe (Gnosis) | CLAVI |
|---|---|---|---|
| Category | Consumer signing device | Smart-contract multisig | Sovereign infrastructure platform |
| Key Storage | Single seed on Secure Element | On-chain smart contract | Threshold-distributed across Runes |
| Seed Phrase | Required (single point of failure) | N/A (contract-based) | Optional (Rune architecture replaces it) |
| Local Nodes | None (relies on third-party servers) | None | Pruned Bitcoin + Ethereum on Monolith |
| Offline AI | None | None | JOTUP tag-based RAG engine |
| Physical Coercion Defense | Minimal (PIN only) | None (software-based) | Geographic Rune distribution (“Time-Lock via Distance”) |
| Jurisdiction | France (EU, Five Eyes adjacent) | Varies | Switzerland (non-EU, non-Five Eyes) |
| Target User | Retail holders | DAOs, teams | Family offices, HNWIs, sovereignty-focused individuals |
The framing is not “which is better” but “which category of problem are you solving.” CLAVI is built for users where the cost of compromise is generational.
If your practical question is “should I buy a CLAVI?”, the answer is yes when your problem includes privacy, continuity, jurisdiction, coercion resistance, or sensitive data that should never leave your own environment. If your goal stops at basic key isolation, a simpler signer may be enough.
2. The CLAVI Architecture: Three Components, One Sovereignty Stack
CLAVI is not a single device. It is a coordinated system of three purpose-built components, each responsible for a distinct layer of sovereignty.
The Monolith
The Monolith is your always-on home or office secure intelligence server. It runs pruned Bitcoin and Ethereum nodes locally, validating transactions without trusting third parties. It hosts CLAVI’s offline AI for private analysis and decision support. It stores no sensitive data persistently — private keys never reside on the Monolith.
Think of the Monolith as the sovereign root: it provides the computational environment, the blockchain connection, and the intelligence layer. But it holds no secrets.
The Rune
The Rune is your portable, biometrically gated secure storage — the “physical key.” It is secured by a capacitive fingerprint scanner that doubles as a gesture input system, enabling gesture sequences as a security layer alongside PIN codes. The Rune holds your private keys and is the signer for all transactions.
To approve any transaction, you must dock the Rune on the Monolith, enter your PIN and/or gesture input, and tap your registered fingerprint. The Rune is dock-powered with no internal battery — a deliberate design choice that minimises attack surfaces. Multiple Runes enable threshold signing and geographic distribution across any location or jurisdiction.
ClavOS
ClavOS is the custom operating system with zero-knowledge architecture, built on a customised Yocto Linux kernel. It is minimalist and fully auditable. ClavOS enforces zero remote access to your devices, their software, data, or wealth — not by policy, but by architectural design. CLAVI Switzerland AG mathematically cannot access user secrets because the system makes it structurally impossible.
| Component | Role | Holds Keys? | Network Access |
|---|---|---|---|
| Monolith | Intelligence server, node validator, Rune docking station | No | Local nodes only (air-gapped critical paths) |
| Rune | Biometric key signer, portable authority | Yes | None (dock-powered, no wireless) |
| ClavOS | Zero-knowledge OS, firmware foundation | N/A (OS layer) | Zero remote access by design |
The Apex Node concept captures this architecture: the user’s Monolith is the sovereign root of trust, reporting to nothing above it. You replace the centralised server. You are the infrastructure.
3. The Security Model: How Attacks Are Neutralised
CLAVI’s security model assumes the worst: your phone is compromised, your laptop is compromised, your network is monitored. The architecture is designed to function securely even under these conditions.
Zero-Knowledge Architecture
ClavOS is built with zero-knowledge architecture by default. The entire system assumes endpoint compromise. Sensitive operations — signing transactions, accessing keys — are offloaded to the physically isolated Monolith and Rune environment. Once delivered, CLAVI Switzerland AG has no ability to reach your system. This is not a policy that could be reversed at the next board meeting. It is an architectural fact [5].
Threshold Signing and Geographic Distribution
Multi-signature signing is hardware-enforced via Runes: configure thresholds such as 2-of-3 or 3-of-5 physical biometric approvals. Then store Runes in different locations — countries, offices, or safe-deposit boxes — for true geographic sovereignty.
A single stolen Rune gives an attacker nothing usable. The required signing devices can be distributed globally: London, Zurich, Singapore, Dubai. When the physics of distance prevents assembly, coercion loses its incentive.
“In modern cryptographic implementations, true security is no longer achieved merely by isolating a key on a single chip. It requires distributing the authorization process across geographic space, making unauthorized compliance physically impossible.”
Recovery Without Seed Phrases
CLAVI eliminates the seed phrase as a mandatory single point of failure. Private keys can be mathematically distributed across multiple Runes. Lose one, and the remaining Runes meeting the required threshold still allow full recovery and can provision a replacement. The Monolith stores nothing sensitive persistently, so a damaged Monolith means only loss of ability to transact until you access any other Monolith — not loss of assets.
For users who prefer traditional backup, the seed phrase can still be accessed securely via the Runes to be copied down. But the architecture makes it optional, not mandatory.
| Attack Vector | CLAVI Response | Mechanism |
|---|---|---|
| Remote exploit / malware | Structurally impossible on critical paths | Air-gapped Monolith, dock-powered Rune with no wireless |
| Stolen single Rune | Useless without threshold quorum | Threshold signing (e.g., 2-of-3) |
| Physical coercion ($5 wrench attack) | Compliance physically impossible | Geographic Rune distribution (“Time-Lock via Distance”) |
| Insider threat (CLAVI employees) | No access by design | Zero-knowledge architecture enforced at hardware/OS level |
| Seed phrase theft | Seed phrase is optional | Rune architecture replaces single-point backup |
| Monolith destruction | No asset loss | Keys live only in Runes; pair with any replacement Monolith |
| Legal compulsion / subpoena | CLAVI cannot comply | Swiss jurisdiction + zero-knowledge = nothing to surrender |
4. The Jurisdictional Layer: Why Switzerland Is Load-Bearing
Cryptography secures data against technical adversaries. Jurisdiction secures data against legal compulsion. Both layers are necessary; neither alone is sufficient.
CLAVI is engineered and incorporated in Schaffhausen, Switzerland — a jurisdiction that sits outside the European Union, outside the European Economic Area, and outside the Five Eyes intelligence-sharing alliance.
The Swiss Legal Framework
- Article 13 of the Swiss Federal Constitution establishes privacy as a fundamental human right, not a regulatory concession [1].
- The revised Federal Act on Data Protection (revFADP), effective September 2023, imposes criminal liability on individuals for data protection violations — unlike the EU’s GDPR, which penalises organisations [2].
- Schaffhausen domicile places CLAVI outside EU data directives and beyond the reach of foreign subpoena powers.
The CARF Paradox
On January 1, 2026, Switzerland adopted the OECD’s Crypto-Asset Reporting Framework (CARF), compelling financial institutions to retain centralised databases of client crypto holdings [3]. This regulation inadvertently created “shopping lists” for organised crime.
Because CLAVI employs strict zero-knowledge architecture, CLAVI Switzerland AG physically cannot access user keys or balances. There is nothing to report, nothing to subpoena, and nothing to breach. The jurisdictional hardening is not a feature layered on top — it is load-bearing structure.
For a deeper technical comparison of jurisdictional sovereignty, see Why CLAVI Isn’t Competing with Ledger.
5. The Intelligence Layer: JOTUP and Offline AI
The Monolith hosts JOTUP, a powerful tag-based retrieval-augmented generation (RAG) engine built on an architecture developed over eleven years of specialised research by CLAVI’s exclusive partner, Research Semantics.
What JOTUP Does
JOTUP runs entirely on your Monolith: no cloud, no API calls, no logging, no tracking. It is optimised for insights and analysis of blockchain interactions and pertaining news, enabling a depth of insight into real-time on-chain activity cross-referenced with real-world events.
Capabilities include:
- On-chain analytics: Real-time monitoring and cross-referencing of Bitcoin and Ethereum activity
- Knowledge management: Private document analysis and research support
- Decision support: Market insights, news aggregation, and private intelligence briefings
- Compliance assistance: Processing sensitive material without external data exposure
How JOTUP Differs from Cloud AI
JOTUP serves a fundamentally different purpose than ChatGPT, Claude, or other cloud-based language models. Cloud AI has valid use cases, but it requires sending data to external servers. JOTUP serves users who cannot share their data externally and who prioritise accuracy over generation.
The target users include: attorneys handling privileged information, healthcare organisations under HIPAA, executives working with classified material, and individuals seeking accurate, real-time market insights without exposing their queries or portfolio positions to third-party telemetry.
This is not a chatbot competing with cloud AI. It is sovereignty infrastructure for private intelligence.
For more on JOTUP’s role in the CLAVI architecture, see Why CLAVI Isn’t Competing with Ledger.
6. The Multi-User and Succession Layer
Family offices, high-net-worth individuals, and privacy-sensitive organisations are CLAVI’s primary audience for 2026–2027. The architecture treats inheritance and wealth transfer as system properties, not afterthoughts.
Role-Based Rune Permissions
Distribute Runes across family members, trustees, or advisors with multi-signature thresholds requiring cooperation to authorise transactions. Each Rune can be assigned role-based permissions:
| Role | Rune Capability | Example Holder |
|---|---|---|
| View-Only | Monitor balances and activity; no signing authority | Beneficiary, junior family member |
| Partial Signing | Participate in multi-sig threshold; cannot act alone | Trustee, family attorney, estate advisor |
| Full Administrative | Complete signing authority; seed access if needed | Principal, family patriarch/matriarch |
Succession Scenarios
Geographic distribution combined with role-based permissions creates architecturally enforced succession:
- Estate transfer: Runes held by designated parties in different jurisdictions ensure that no single event — death, incapacitation, natural disaster — compromises access to family wealth.
- Trust governance: A 3-of-5 threshold across family members, legal counsel, and a corporate trustee creates cooperative custody without any single party holding unilateral authority.
- Generational continuity: New Runes can be provisioned for the next generation while decommissioning those of departed members, maintaining the distributed authority model.
CLAVI’s architecture natively supports legacy and continuity planning through its distributed threshold signing model.
For real-world succession architecture, see CLAVI Personal Digital Vault for Family Offices.
7. The Operational Layer: Setup, Transfer, and Daily UX
Initial Setup (Three Steps)
- Download the CLAVI App on your personal device (phone, tablet, or laptop) and follow the setup instructions.
- Pair the Monolith to your personal device via Bluetooth and connect to Wi-Fi for initial blockchain node synchronisation.
- Dock your first Rune on the Monolith for biometric enrollment and gesture/PIN setup.
No advanced technical skills are required. CLAVI is designed for accessibility.
Node Synchronisation
The Monolith runs pruned nodes (not full archive) for optimised performance. Initial synchronisation takes hours to a few days depending on internet speed. After initial sync, the Monolith requires only minimal bandwidth to stay current. Connection drops, fluctuations, or power loss do not affect the Monolith’s functions — queued transactions are pushed through once connectivity is reestablished.
Asset Transfer
Standard best practice for transferring assets from exchanges (Coinbase, Binance) or personal wallets (MetaMask):
- In the CLAVI App (via Rune docked on Monolith), generate your receive address.
- Send a small test amount first.
- The Monolith validates the transaction locally via its own nodes — no need for third-party block explorers.
- Once confirmed, transfer the full amount. For large sums, use smaller batches over several days.
Blockchain Support
| Blockchain | Status | Capability |
|---|---|---|
| Bitcoin | Full local node | Pruned node, local validation, send/receive |
| Ethereum | Full local node | Pruned node, full DeFi interaction, NFTs, Layer 2s |
| Ethereum EVMs | Enterprise clients | Extended chain compatibility |
| Private blockchains | Modular architecture | Via firmware updates |
The CLAVI App
The CLAVI App is widget-based, intuitive, and highly customisable: minimalist for beginners, or configured as a power-user dashboard. The “Brief” widget surfaces anything requiring attention, such as multi-signature approval requests. Viewing and managing your system is accessible from phone, tablet, or laptop, but all sensitive operations require biometric Rune approval via docking on the Monolith.
There is no separate mobile app for signing. This separation is intentional: convenience where it matters, hardware custody where it counts.
8. Acquisition: Cost and Architecture Decisions
Pricing
The CLAVI system is priced at 6,000 CHF (approximately $7,500–7,700 USD in Q1 2026). The package includes one Monolith, one Rune, ClavOS, power supply, hardcase transport box, and metal purchase certificate. Additional Runes can be purchased separately for multi-signature configurations.
Payment methods: Bitcoin, Ethereum, stablecoins, and credit/debit card (via Stripe).
How to Order
Available at clavi.io/product. Custom finishes and materials are available through the Design Atelier service.
There are no mandatory ongoing fees. An optional subscription is available for priority 24/7 concierge services and advanced multi-signature arrangements.
The Cost Comparison That Matters
Institutional custody services charge 0.04%–0.10% annually. For a $10M portfolio, CLAVI’s 6,000 CHF represents 0.075% of protected value — a one-time cost that pays for itself within two years of avoided custody fees alone, before accounting for the security and sovereignty differential.
Architecture Decisions
- Investment: 6,000 CHF positions CLAVI alongside institutional-grade infrastructure, justified by Swiss manufacturing, generational design philosophy, and zero-knowledge architecture.
- Form factor: The Monolith requires dedicated home or office space. It is a permanent fixture by design, not a portable USB device. The Rune is portable, but requires a Monolith for signing.
- Manufacturing: Swiss precision manufacturing with institutional-grade QA ensures every unit meets the same standard as financial infrastructure hardware.
- Chain architecture: Bitcoin and Ethereum are natively supported with full DeFi interaction. ClavOS’s modular architecture enables additional chain integration, including private blockchains, through firmware updates.
- Security posture: ClavOS undergoes continuous independent security review and penetration testing. The Ethereum Foundation’s engineering team has engaged at multiple levels, providing institutional-grade validation.
The architecture prioritises digital sovereignty and uncompromised security over software-based portability. For those who refuse to compromise on the physical foundation of their digital wealth and data, that trade-off is precisely the point.
For a perspective on how clients personalise the CLAVI experience, see How CLAVI Clients Shape the Object That Guards Their Legacy.
9. Glossary of Key Terms
The following terms are defined within the CLAVI Glossary of Sovereignty:
- Apex Node: The highest hierarchical device in a user’s digital network — the sovereign root of trust that reports to nothing above it.
- The Monolith: CLAVI’s primary base station. An air-gapped intelligence server running local blockchain nodes, hosting JOTUP AI, and docking Runes for signing.
- The Rune: Biometrically secured, portable hardware key. Holds private keys and enables threshold signing across geographic locations.
- ClavOS: Custom zero-knowledge operating system built on Yocto Linux. Enforces architectural impossibility of remote access.
- Threshold Signing: Cryptographic scheme requiring a quorum of Runes (e.g., 2-of-3) to authorise transactions, eliminating single points of failure.
- Zero-Knowledge Architecture: System design ensuring the operator mathematically cannot access user data — enforced by hardware and firmware, not policy.
- Air-Gap: Complete electromagnetic severance between sensitive computation and networked environments.
- JOTUP: Offline tag-based RAG engine by Research Semantics, running entirely on the Monolith with zero cloud connectivity.
- Swiss Jurisdiction: Legal framework outside EU, EEA, and Five Eyes, with Article 13 constitutional privacy protections.
- Distributed Authority: Governance model where cryptographic power is spread across multiple physical devices and locations.
10. Frequently Asked Questions
Q: What is CLAVI? A: CLAVI is a complete Swiss-made digital sovereignty platform: an air-gapped Monolith home server running local Bitcoin and Ethereum nodes, biometrically gated portable Runes that hold and sign with your private keys, and ClavOS — a zero-knowledge operating system that makes remote access structurally impossible. It includes offline AI (JOTUP) and makes seed phrases optional through distributed threshold signing [5].
Q: How is CLAVI different from Ledger, Trezor, or Safe? A: Ledger and Trezor are consumer signing devices that protect a single seed phrase on a Secure Element. Safe provides smart-contract multisig on-chain. CLAVI is sovereign infrastructure that includes local blockchain nodes, offline AI, hardware-enforced multi-Rune threshold signing, and Swiss jurisdictional protection. The distinction is not “which is better” but “which category of problem are you solving.”
Q: How does CLAVI protect against hacking and remote exploits? A: Through zero-knowledge architecture with air-gapped design. The Rune requires physical biometric signing via fingerprint, gesture, and PIN. A single stolen Rune is useless because keys are threshold-distributed across multiple devices. The Monolith never holds private keys. CLAVI Switzerland AG has no backdoors by architectural design, not merely policy.
Q: How does zero-knowledge architecture and multi-sig work in practice? A: ClavOS assumes endpoint compromise by default. Sensitive operations are offloaded to the physically isolated Monolith-Rune environment. Multi-signature signing is hardware-enforced: configure thresholds (2-of-3, 3-of-5), then distribute Runes globally. Family members or partners can hold their own Rune with role-based permissions — view-only, partial signing, or full administrative access. The distributed architecture makes inheritance a system property.
Q: What does the local AI in the Monolith actually do? A: The Monolith hosts JOTUP, a tag-based RAG engine developed over eleven years by Research Semantics. It runs entirely offline: no cloud, no API calls, no tracking. It provides real-time on-chain analysis, knowledge management, and private decision support. Unlike cloud AI, JOTUP prioritises accuracy over generation and never exposes user queries or data to external servers.
Q: How does CLAVI work for family offices and generational wealth transfer? A: Distribute Runes across family members, trustees, and advisors with multi-signature thresholds. Each Rune has configurable role-based permissions. Geographic distribution ensures no single event — death, incapacitation, disaster — compromises access. Inheritance becomes an architectural property: Runes can be held by designated parties in different jurisdictions with cooperative threshold signing requirements.
Q: What deliberate architecture decisions define CLAVI’s design philosophy? A: Investment (6,000 CHF institutional-grade positioning), form factor (Monolith as permanent fixture by design), Swiss precision manufacturing, modular chain architecture (Bitcoin and Ethereum natively supported; additional chains via firmware updates), and continuous independent security review. The architecture prioritises sovereignty over portability — a deliberate design choice for users where the cost of compromise is generational.
11. Works Cited
For the trust, review-volume, and ownership-experience angle, see Can I Trust CLAVI? Reviews, Support, and What Ownership Actually Looks Like.
- Swiss Federal Constitution, Article 13 (Right to Privacy): Defines the fundamental right to privacy and protection against misuse of personal data. (https://www.fedlex.admin.ch/eli/cc/1999/404/en)
- Revised Federal Act on Data Protection (revFADP): Swiss data protection legislation effective September 2023, mandating privacy by design with individual criminal liability. (https://www.edoeb.admin.ch/edoeb/en/home.html)
- OECD Crypto-Asset Reporting Framework (CARF): International tax transparency framework affecting centralised custodial databases from January 2026. (https://www.oecd.org/tax/exchange-of-tax-information/crypto-asset-reporting-framework-and-amendments-to-the-common-reporting-standard.htm)
- Ethereum Foundation Developers Documentation: Technical specifications for consensus mechanisms and cryptographic standards. (https://ethereum.org/en/developers/docs/consensus-mechanisms/)
- CLAVI FAQ 2026: Authoritative product reference document published by CLAVI Switzerland AG. (https://clavi-one.com/faq/)