PDF sealing API — one-line setup, docs you will actually read →

Velvet-rope engineering · internal memo energy

Business plan,
held up to a harsh light

seal.club is an avant-garde, developer-first brand: cute seals in a nightclub aesthetic, serious cryptography underneath. This page is a single-scroll story of how that could become a company — and why it might not. Treat every chart and headline from “the industry” as marketing by another name; we cite sources, but we do not worship them.

Hard disclaimers

  • This is not investment advice. It is a working hypothesis with cartoons.
  • “Market size” reports bundle e-sign, workflows, vaults, and national ID schemes. Most of that spend never touches “developers piping PDFs through an API.” Cherry-picking a big number flatters the narrative.
  • A seal.club certificate is not your customer’s trust anchor. If we mint signatures under infrastructure we operate, buyers must understand what is being proven (continuity, issuance policy, audit posture) — not magical proof that Acme Corp authored the PDF because Acme wanted it to be true.
  • Reseller economics depend on supplier terms. Our working model is SSL.com ($10k prepay → $10k credits, ~$209/year org certs, monthly upstream billing, prorated credits on cancel) — but every clause lives in a contract, not in this memo.

What we sell

Free tier: a PDF document certification API (and adjacent integration paths) using seal.club-operated issuance tied to a high-assurance chain. Where practical we attach evidence the subscriber controls — email or a domain they demonstrate — while remaining explicit that the certificate is ours, not a BYO private CA fantasy.

Paid motion: we resell SSL.com organization document-signing certificates with packaging that fits modern finance ops: monthly plans for customers even though upstream certs are annual seats; self-serve where regulations allow; concierge where they do not. The wedge is known COGS (~$209/year per org cert at reseller; RFC 3161 timestamps ride the free rfc3161.ai.moda router, so the per-seal stamp is $0 until that assumption breaks) and developer-grade ergonomics — not hoping list-price fairy tales save the margin.

SSL.com reseller economics (planning baseline)

TermHow we model it
Prepay / credits$10,000 upfront → $10,000 SSL.com account credits (prepaid wallet, not burned as “marketing spend”).
Reseller cert COGS$209/year per organization document-signing certificate ≈ $17.42/month amortized while active.
Timestamp authority (TSA)Each certifying signature embeds an RFC 3161 timestamp, fetched through the free rfc3161.ai.moda load-balanced router (fans out to multiple public TSAs, validates + retries) — so baseline stamp COGS is $0. Modeled here at $0 per seal — slide it up in the calculator to price the day we outgrow a free public service.
Upstream billingSSL.com bills us monthly against issuance / active seats — we mirror monthly packaging downstream without forcing customers into annual lock-in.
Customer cancelIf a subscriber cancels mid-term, SSL.com credits us the prorated remainder of the annual cert — churn partially refunds upstream COGS instead of leaving dead inventory on the books.

Credit runway at pure cert list COGS: ~47 org-years of certs sitting in the wallet before replenishment. Timestamps cost nothing while the free router holds, but they are per job — if we ever have to buy commercial TSA capacity, heavy sealers could spend more on stamps in a month than the cert seat costs all year; the calculator below lets you model that.

Go-to-market story: engineers ship PDFs that are mostly unsigned today. Through sharp docs and a deliberate media campaign, we teach a cultural reflex: if it matters and it’s allegedly from you, readers should expect a cert; absence is a yellow flag. That story collides with UX reality (readers ignore signature panels) and procurement reality (security teams buy suites). Skepticism is warranted.

Delivery economics: cryptographically, sealing a PDF is basically constant time — the hot path does not scale like “bigger PDF → exponentially more CPU.” The bill that moves with volume is moving the file: ingress from the client, egress back out, and whatever hops object storage or signing vendors add. Stack that on serverless-first Vercel and idle metal disappears; what’s left to model is mostly bytes × distance, plus modest function duration and vendor meters — not rack-rate servers pretending they’re the bottleneck. Each customer uploads a unique PDF and receives a unique sealed artifact back; we’re not running a library where the same file is fetched thousands of times, so edge caches don’t amortize seal traffic. Bytes land in short-lived staging only — retain what regulations demand, then lifecycle-delete the rest on a schedule so storage GB-months track pipeline depth, not “keep every PDF forever.”

Outside numbers (handle with tongs)

  • Broad digital signature TAM forecasts swing wildly. Analysts routinely quote multi‑billion totals through 2030 with high double‑digit CAGRs — but the category definition is doing heavy lifting. See, for example, Grand View Research’s digital signature outlook. Useful as backdrop; misleading if read as “PDF API slice.”
  • Threat narratives ≠ buying urgency. Security vendors document persistent abuse of PDFs in email-borne attacks — useful context for why tamper-evidence matters, not a guaranteed budget line for document signing. Example discussion: Check Point on PDF-borne threats.
  • Document fraud analytics are vendor-colored. Vendors scanning huge populations report shocking tamper rates — worth reading as a reminder that integrity checks exist, not as a precise census of your customers’ PDFs. Resistant AI’s document fraud reporting is representative of the genre.

Why the business might be invalid

  1. Behavioral: recipients rarely validate signatures; the marketing story might not change habits on mobile clients or inside browsers.
  2. Product bundling: Adobe, DocuSign, Box, Google Workspace, and friends own procurement budgets; “best API” loses to “already licensed.”
  3. Trust semantics: a seal.club certificate proves our issuance pipeline said “yes” — translating that to brand authenticity requires education and liability clarity.
  4. Compliance drag: organization validation, key storage (token/HSM), and regional rules cap how “self-serve” this can be globally.
  5. Supplier concentration: SSL.com as fulcrum means roadmap, credit policy, and validation quirks ultimately sit upstream.
  6. TSA freeloading risk: timestamps currently ride the free rfc3161.ai.moda router — one person’s goodwill project, no SLA, no contract. If it rate-limits us, shuts down, or we outgrow polite usage, we buy commercial TSA capacity and the fee is per job, not per year — at thousands of seals daily it can exceed cert COGS.
  7. Prepaid credit cliff: the $10k→$10k wallet is finite at hypergrowth — ~47 org-year certs of headroom at $209 each before another tranche — model replenishment, not magic float.
  8. Free tier cannibalization: if the free cert satisfies the moral craving (“we signed something”), paid upgrades stall unless hard limits bite exactly right.
  9. Bandwidth cliffs: the seal itself is cheap; the freight isn’t. Fat PDFs and chatty retries mean the invoice is often ingress and egress per unique job, not CPU — edge CDNs don’t rescue a workload where almost every response is a one-off sealed blob.

The contrarian investment case anyway

If PDF signing is “merge hygiene” for regulated outputs (invoices, audit packs, HR notices, generated statements), then latency-to-first-signature and honest verification UX matter more than maximalist feature breadth. A developer-native reseller that respects monthly cash cycles and publishes viciously clear trust docs could punch above its weight — even inside a noisy market — provided unit economics survive supplier SLAs and mostly-self-serve support (docs, status, automation — not a payroll floor).

Translation for investors: small SAM, plausible ASPs, miserable defaults — but if the surface stays boring and automation handles the hot path, there’s room for a lean margin story without assumed payroll: revenue minus certificates and freight, not “hire your way to credibility.”

Infra posture: sealing work is near–constant time; in models, stress moving PDFs in and out (transfer in/out of our boundary first). Serverless on Vercel matches that story — compute duration is usually noise next to file freight unless we pipe giant blobs through functions the dumb way. We’re not modeling salary drag here: success is supposed to look like automation plus vendor APIs, not headcount for its own sake.

Interactive assumptions (play pessimist)

All figures illustrative — tune until your spreadsheet giggles or cries. Sealing is roughly constant-time. We assume the product mostly runs itself: there is no payroll line in the slider below — only light fixed ops (domains, tooling, billing rails). Variable COGS is SSL.com cert seats (TSA defaults to $0 via the free rfc3161.ai.moda router — raise the slider to stress-test paying per stamp). Hosting still tracks PDF ingress/egress before CPU.

Worked transfer math (1000 orgs × 1000 PDFs/day × 1 MB)

  • Volume: 1,000 × 1,000 × 30 days30 million PDFs/month. At 1 MB average file size, payload is about 30 TB/month if each document crosses the wire once in a given direction (upload-only or download-only mental model). Signing is cold-path traffic: novel inputs in, novel outputs out — not a repeatedly downloaded canonical asset.
  • Naive API proxy: piping full uploads and full sealed responses through Vercel’s billed paths is often modeled as ~2× the PDF bytes60 TB/month — exact metering depends on edge vs origin SKUs, but every trip is a fresh payload; there’s little to cache away.
  • Versus “the $20 Vercel tier”: Vercel’s limits doc lists 1 TB/month Fast Data Transfer included on Pro (100 GB on Hobby). The headline subscription/credits are not a ceiling on bytes — at this workload you burn the inclusion almost immediately and ride overage. (Allowances move when billing changes; verify your live dashboard.)
  • Rough overage cash (order-of-magnitude): Regional Fast Data Transfer pricing is commonly quoted around ~$0.15–$0.35/GB beyond what’s bundled. After ~1 TB inclusion, each extra ~29 TB ≈ 29,000 GB × $0.15 → ~$4.3k/month in one counting convention; double-counting ingress+egress like the naive proxy pushes toward an ~$8k–$20k/month band before discounts, multi-region nuance, or architecture fixes.
  • Fixed-burn modeling: baseline assumes no headcount — if ops is automation-first, “fixed burn” is tiny compared to certificates and bytes. Don’t tuck PDF freight into “$20 infra.” Either model a separate multi‑thousand-dollar monthly transfer envelope when payloads ride Vercel directly, or ship presigned uploads / object storage so sealers pull by URL and the platform mostly moves JSON — then expire staging objects on a schedule — collapsing this line item dramatically.

Alternative hosting envelopes (same volumes: ~30M PDFs/mo × 1 MB)

Below uses the same throughput anchor: 30 million PDFs/month × ~1 MB30 TB/month of file payload in one direction (e.g. customer download). Where APIs proxy bodies both ways, reuse the ~60 TB/month duplex shorthand from the Vercel card. Figures are public list-price envelopes — contracts and credits move them; CDN cache hits barely apply to unique seal responses. Compute (Lambdas, Workers, Fly machines) is extra everywhere but usually loses to internet egress at this profile unless bytes bypass expensive hops.

Napkin monthly freight vs approach · same workload (~30 TB one-way payload ≈ ~60 TB duplex if full bodies traverse twice)

Hosting approachWhat crosses the expensive meterEst. monthly freightNotes
Vercel — naive full-body proxy~60 TB/mo Fast Data Transfer-style metering~$8k–$20k+After ~1 TB included on Pro; ~$0.15–0.35/GB overage band · excludes compute.
Vercel — thin API onlyPDF bodies via presigned URLs elsewhere; Vercel moves mostly JSON~$20–$300Platform subscription + stray traffic; PDF freight billed elsewhere.
AWS S3 → internet egress30 or 60 TB/mo out~$2.6k · ~$5.0kTiered egress (first 10 TB ~$0.09/GB then steps down).
GCS → internet egress30 or 60 TB/mo out~$2.7–3.2k · ~$5.1kRegional tiers; same napkin band as S3.
Cloudflare R2 staging + opsR2 egress $0; Class A/B + ephemeral GB-months~$150–350~30M writes + internal reads ballpark; staging lifecycle’d · add Workers/browser egress for final sealed PDF path separately (often still ≪ naive Vercel proxy).
Budget VPS / dedi (bundled cap)All bytes through one NIC; plans often 10–40 TB/mo incl.~$50–500 + ?Base rent + possible overage/throttle; fair-use roulette at sustained 30–60 TB.

Reality checks: list retail, ignores credits & enterprise discounts · sealing traffic is unique blobs (no CDN amortization) · compliance may force a pricier region or custody story · always reconcile against live vendor dashboards.

Monthly revenue
$7,600
Monthly cert COGS
$1,393
Monthly TSA COGS
$0.00
Monthly variable COGS (cert + TSA)
$1,393
Per org (while active)
cert $17.42 + TSA $0.00
Monthly gross profit
$6,207
After fixed ops (non-payroll)
$5,007
Run-rate revenue (12 mo)
$91,200
Orgs to cover fixed ops (at current ARPU & COGS)
16
Implied paying orgs from funnel inputs
200

The funnel implies more payers than modeled — check saturation of free tier or ARPU elasticity.

seal.club — seals on the dancefloor, certs in the trunk. · If this page ever stops feeling embarrassing to publish, we’ve lost the plot.

Pricing · Product