Multi-Layer Security Wallet is designed so that you never lose access to your assets. Two independent, timelocked recovery mechanisms let you regain full control of your organization in disaster scenarios.
For organizations that want full independence in a non-disaster scenario, Den also offers self-hosted deployments.
Why Disaster Recovery Matters
Under normal operations, every transaction requires co-signing by the Guardian service, an off-chain layer operated by Den. This provides a strong security guarantee, but it also means that if the Guardian becomes permanently unavailable (for example, because the service is discontinued), you need a way to continue operating independently.
Disaster recovery is designed for these permanent unavailability scenarios. It is not intended for use during temporary service outages, which are handled through Den’s standard operational resilience and support processes.
Recovery Mechanisms
Disaster recovery gives your organization two separate recovery paths, each controlled by a dedicated recovery address that you configure:
- Guardian Recovery allows you to replace the Guardian with a new address, restoring normal operations under a Guardian you control.
- Transaction Recovery allows you to execute transactions (such as token transfers and DeFi interactions) and sign messages (such as Permit2 approvals) directly, bypassing the Guardian entirely.
Transaction Recovery bypasses the policy engine. Any transaction executed through Transaction Recovery is not subject to your organization’s policy rules.
Both mechanisms are independent and can be used separately or together.
Recovery Addresses
Each recovery mechanism is controlled by a separate privileged recovery address. A privileged recovery address can be an externally owned account (EOA) or a smart contract, including a multi-signature wallet, so you can secure recovery addresses however you prefer.
Configuring the privileged recovery addresses is a one-time operation that can be performed at any time. Once set, the recovery addresses are immutable.
To prevent unauthorized access, recovery address configuration is secured in three ways:
- Guardian protection
- Admin authorization
- Timelock period
Timelock Protection
All recovery actions are protected by configurable timelocks (between 2 and 30 days). Timelocks provide a window during which the organization can detect and cancel unauthorized recovery attempts before they take effect.
This means that even if a recovery address is used without authorization, no action takes effect instantly. Your team has time to cancel the recovery.
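The timelock behaviour described above, modelled as an added Python example (this is not Den's contract code; the set of org admins allowed to cancel, the action ids and the addresses are assumptions):

```python
from dataclasses import dataclass, field

DAY = 86_400
MIN_DELAY, MAX_DELAY = 2 * DAY, 30 * DAY  # configurable range stated on the page

@dataclass
class RecoveryPath:
    """One recovery path (Guardian or Transaction Recovery) behind a timelock."""
    delay: int                    # seconds, must be within 2..30 days
    org_admins: frozenset         # assumed: the org signers allowed to cancel
    recovery_address: str = ""    # set once, then immutable
    pending: dict = field(default_factory=dict)  # action id -> (ready_at, payload)

    def __post_init__(self):
        if not MIN_DELAY <= self.delay <= MAX_DELAY:
            raise ValueError("timelock must be between 2 and 30 days")

    def set_recovery_address(self, addr):      # one-time operation
        if self.recovery_address:
            raise PermissionError("recovery address is immutable once set")
        self.recovery_address = addr

    def schedule(self, caller, action_id, payload, now):  # returns ready time
        if caller != self.recovery_address:
            raise PermissionError("only the recovery address may schedule")
        if action_id in self.pending:
            raise ValueError("action already pending")
        self.pending[action_id] = (now + self.delay, payload)
        return now + self.delay

    def cancel(self, caller, action_id):       # the detect-and-cancel window
        if caller not in self.org_admins:
            raise PermissionError("only org admins may cancel")
        del self.pending[action_id]            # KeyError if nothing is pending

    def execute(self, caller, action_id, now):
        if caller != self.recovery_address:
            raise PermissionError("only the recovery address may execute")
        ready_at, payload = self.pending[action_id]   # KeyError once cancelled
        if now < ready_at:
            raise PermissionError("timelock has not elapsed")
        del self.pending[action_id]
        return payload

def outcome(step):   # run one step, report 'ok' or the exception class name
    try:
        step()
        return "ok"
    except (PermissionError, ValueError, KeyError) as exc:
        return type(exc).__name__
```

The key property is that a scheduled action can never take effect before the delay has elapsed, so a recovery address used without authorization gives the organization a full window to cancel.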
Self-Hosted Migration
Independent of the disaster recovery mechanisms above, Den offers self-hosted deployments for organizations that require full operational independence. You can migrate to a self-hosted deployment at any time. With a self-hosted deployment, you operate your own Guardian service with full control over your own operational infrastructure.
Contact sales@onchainden.com to learn more.