Seven holdings. Seven shields.
Each shard lives in a different sovereign jurisdiction with its own privacy regime. The threshold is four. The loss of any three is harmless. A hostile coalition would require four governments cooperating in writing, in public — across legal systems that do not, by treaty or by precedent, take orders from each other.
Today: doctrine. Tomorrow: deployed.
The seven sovereign holdings described on this page are a Phase 3 commitment, not an operational network. No shard custody agreement has been signed. No cloud provider in any of these jurisdictions is contracted. AION does not operate infrastructure in Reykjavik, Zurich, Singapore, Toronto, Santiago, Auckland, or Dublin today.
What is real today is the math: the four-of-seven threshold, the AES-256-GCM authentication, the Shamir split over GF(2⁸) — verifiable in your browser, every time. What is real today is the choice: when you seal, the seven shards appear on your device and you decide who holds each one — a sister, a lawyer, a safe deposit box, a steel plate. The threshold runs whether your seven live in those seven cities or in your own family.
The constellation below is the architecture AION is building toward, not the architecture AION has shipped. The same rule that governs the sanctuaries governs this page: AION will not photograph empty rooms and call them a network. When a holding is real, it will appear here with its stewardship agreement and the address that holds the shard. Until then, the page reads as a roadmap.
Diversity, not friendship
The seven were not picked because they like each other. They were picked because they answer to different pressure axes. A subpoena that works in one regime does not travel; a coalition that forms in one decade may not exist in the next; a treaty that binds a Western power may not bind a Pacific one.
Cloud providers are mixed across jurisdictions to avoid single-vendor correlation. Latency is not a primary criterion. AION is not a CDN.
Where the shards live
Reykjavik
Cold shard
Cold-climate cooling, geographically remote, low correlation with Atlantic disruptions.
Privacy regime: Iceland Act on Data Protection and the Processing of Personal Data No. 90/2018, GDPR-aligned via the EEA.
Shield: Strong constitutional privacy under Article 71 of the Constitution of Iceland; long-standing journalistic-source-protection tradition (the IMMI initiative). No equivalent of a UK-style Technical Capability Notice in domestic law.
Zurich
Custody shard
Banking heritage, neutrality, contract enforcement under federal civil law.
Privacy regime: Federal Act on Data Protection (revFADP, in force 2023).
Shield: Article 13 of the Swiss Federal Constitution protects the right to privacy of communications. The Swiss data-localization tradition predates GDPR and is reinforced by the FADP 2023. Switzerland is not a member of the EU and is not bound by an EU Production Order or EU Chat Control regulation directly.
Singapore
Witness shard
APAC anchor, mature legal system, tech-fluent regulator, independent of US, EU, and PRC pressure axes.
Privacy regime: Personal Data Protection Act 2012 (PDPA), revised 2020.
Shield: Strict purpose limitation and a do-not-call regime. Cybersecurity Act 2018 governs critical-information-infrastructure designation but does not authorize compelled-decryption against non-CII operators by default.
Toronto
Audit shard
North-Atlantic counterweight to the US shard, mature financial-services audit culture.
Privacy regime: Personal Information Protection and Electronic Documents Act (PIPEDA).
Shield: Section 8 of the Canadian Charter of Rights and Freedoms protects against unreasonable search and seizure. R. v. Spencer (2014, SCC) recognized a reasonable expectation of privacy in subscriber information. PIPEDA does not contain a Technical Capability Notice equivalent.
Santiago
Archive shard
Southern-hemisphere anchor, stable democratic governance, independence from northern-hemisphere correlated risk.
Privacy regime: Law No. 19.628 on the Protection of Private Life, modernization in progress (Bulletin 11.144-07).
Shield: Article 19, Section 4 of the Constitution of Chile protects the inviolability of private communications. The pending data-protection modernization aligns Chile with the GDPR principles. Chile is a party to Convention 108+.
Auckland
Mirror shard
Pacific anchor, stable common law, geographically remote.
Privacy regime: Privacy Act 2020.
Shield: Twelve information-privacy principles binding all agencies. New Zealand has historically declined to follow Five Eyes partners on the most aggressive technical-capability legislation; the Privacy Act 2020 contains no compelled-decryption provision.
Dublin
Foundation shard
EU anchor, common-law tradition, AION Foundation candidate domicile.
Privacy regime: GDPR (Regulation (EU) 2016/679) and the Irish Data Protection Act 2018.
Shield: Article 8 of the EU Charter of Fundamental Rights protects personal data. Ireland is the lead supervisory authority for many large operators under the GDPR one-stop-shop mechanism, with significant institutional capacity. Ireland is a member of the EU but has historically resisted aggressive EU surveillance proposals.
Four-of-seven, in plain language
If three jurisdictions go dark — by sanctions, regulatory upheaval, infrastructure failure, or political seizure — the vault remains openable from the surviving four. If five go dark, the vault is locked but not lost: the encrypted ciphertext and the surviving shards are bit-perfect, awaiting any future moment when four-of-seven holds again.
The threshold itself is not negotiable per vault. It is a property of the cryptography, fixed at sealing, and it cannot be changed without the holder’s consent.
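The four-of-seven behaviour described above, as an added example in Python (not AION's code): a Shamir split over GF(2⁸) in which every set of four shares recovers the secret and no set of three does. The reduction polynomial 0x11B and the 32-byte secret, standing in for an AES-256 key, are assumptions; the page specifies neither.

```python
import secrets
from itertools import combinations

THRESHOLD, SHARES = 4, 7  # the page's four-of-seven
POLY = 0x11B  # assumption: AES reduction polynomial; the page names only GF(2^8)

def gf_mul(a, b):  # carry-less multiply of two field elements, reduced mod POLY
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    r = 1
    for _ in range(254):  # a^254 is the inverse: a^255 == 1 for non-zero a
        r = gf_mul(r, a)
    return r

def split(secret, k=THRESHOLD, n=SHARES):  # returns {x: share_bytes} for x = 1..n
    shares = {x: bytearray() for x in range(1, n + 1)}
    for s in secret:
        # Random degree k-1 polynomial whose constant term is the secret byte.
        coeffs = [s] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, out in shares.items():
            y = 0
            for c in reversed(coeffs):  # Horner's rule
                y = gf_mul(y, x) ^ c
            out.append(y)
    return {x: bytes(v) for x, v in shares.items()}

def combine(shares):  # Lagrange interpolation at x = 0 over the supplied shares
    out = bytearray(len(next(iter(shares.values()))))
    for xj, yj in shares.items():
        num = den = 1
        for xm in shares:
            if xm != xj:
                num, den = gf_mul(num, xm), gf_mul(den, xj ^ xm)
        w = gf_mul(num, gf_inv(den))  # Lagrange weight of share xj at x = 0
        for i, y in enumerate(yj):
            out[i] ^= gf_mul(y, w)
    return bytes(out)

def recovering_subsets(secret, shares, size):  # subsets that combine to the secret
    return sum(combine({x: shares[x] for x in c}) == secret
               for c in combinations(shares, size))
```

`combine` returns bytes for any share set and raises no error on a short quorum; an authenticated cipher such as the page's AES-256-GCM is what distinguishes a wrong key from the right one.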
What removes a sovereign from the grid
Each holding operates under a stewardship agreement that contains the same Sunset on Notice rule recorded in the Charter. Receipt of a binding compelled-decryption order, a Technical Capability Notice (UK Investigatory Powers Act 2016 or analogous), an Article 28 directive (PRC Cybersecurity Law), a Yarovaya-style key-disclosure order, a Chat Control client-side-scanning mandate, or any directive that would aggregate shards or weaken a primitive triggers automatic sunset of that holding within thirty days. The shard is removed from the active grid. The remaining six continue.
Compelling a sovereign holder achieves no decryption. It achieves the holder’s own removal from a position of international trust. The cost falls on the orderer, not on AION’s users.
No backdoor sovereign, no special access
AION will not designate one sovereign as authoritative. There is no “tiebreaker” jurisdiction. There is no court of last resort. AION will not designate a jurisdiction whose domestic law contains a compelled-decryption provision (UK IPA, Australia AAA Act, PRC CSL Article 28, Russian No. 374-FZ) as a holder for a vault whose owner has not been explicitly informed and has not consented at sealing. A vault opens by math and quorum, or it does not open. This is the lock that distinguishes AION from a custodian.