Mutual consent, as a computable primitive.
Two people answer alone. The system reveals only what both said yes to — and is built so that nothing else can leave, even by us.
BothWant runs a reveal protocol: partners answer intimate questions independently, and the only readable output is the intersection both consented to. Everything below exists to make that guarantee structural rather than promissory — enforced by key custody, query shape, type systems, and failure posture, not by policy documents.
This page describes the shipped architecture, in production at bothwant.com. It is written for a technical buyer evaluating mutual-consent reveal as a licensable primitive for their own product surface.
RSA-4096 envelope encryption; the private key never touches the cloud
Free-text intake (partner-authored questions) is sealed in the browser-facing tier with envelope encryption: a random AES-256-GCM data key per item encrypts the text, and an RSA-4096-OAEP (SHA-256) public key wraps the data key. The web tier, the deployment platform, and the database hold only the public half.
The private key exists solely on operator-controlled offline hardware. Nothing with access to the codebase, the hosting environment, or the database — the service role included — can recover raw text. The single decryption point is a local worker that processes the item, writes back a PII-stripped derivative, and nulls the ciphertext. Compromise of the entire cloud footprint yields sealed blobs.
Only the intersection is ever readable
Match computation runs in a privileged server context. Each partner's raw answers are write-only from the client's perspective; the readable output is the set of items where both partners answered yes. One-sided answers are never rendered, never returned by any API, and never eligible as AI input.
Near-misses are handled under a swap-invariance law: no output changes if partner A and partner B are exchanged, which structurally prevents who-said-what inference. Where near-miss signal is surfaced at all, it is reduced to symmetric, topic-level aggregates that carry counts and never sides.
Population statistics with a hard suppression floor
Public statistics are produced by a single sealed SQL aggregation function that returns category-level counts only — no user, partnership, question, or text identifiers exist in its return type, so the leak boundary is the function signature itself.
A k-floor is applied in the aggregation (categories with fewer than five contributing couples are suppressed entirely), and execution rights are revoked from every client-facing database role. Only the server-side service context can call it; a client asking directly gets a permission error, not a small aggregate.
Un-guarded data is a compile error, not a code-review hope
Every couple-facing AI surface must pass its inputs through a leak-guard module that enforces the invariants by construction: only mutual items may surface as readable desire text, per-person response payloads are rejected on key presence alone, and all outputs are swap-invariant.
The guard's outputs carry a branded type, and prompt builders accept only that brand — so wiring raw response data toward a model or a persisted row fails type-checking before it can fail privacy. A standing red-team suite attacks the guard and every route that uses it as a pre-ship gate.
When the private side is unavailable, features wait — they never degrade
AI-derived artifacts (insights, recommendations, blurbs) are precomputed by an owner-controlled worker and served as reads. The serving tier runs no inference on intimate data and holds no credentials that could.
When a precomputed artifact does not exist yet, the request enqueues a deduplicated job and answers "generating" — there is no hosted-model fallback and no silent widening of data flow under load or outage. The failure posture is closed: absence of the private compute path means absence of the feature, never a softer privacy stance.
The primitive travels.
Sealed intake, mutual-yes reveal, k-floored aggregates, leak-guard typing, and a fail-closed compute spine compose into a general pattern: two-party consent gating over sensitive preference data. If you are evaluating it for health, matchmaking, HR, or research surfaces, we license the architecture and its verification suite.
Start a licensing conversation →