The user triggers “cloud sync” by a deliberate gesture (triple-tap + fingerprint). A one-time TLS 1.3 session negotiates a 256-bit ephemeral key; the handshake includes a hardware-rooted attestation certificate proving the firmware has not been modified. Once the encrypted payload is acknowledged, the radio stack powers down, the session key is zeroised, and the device reverts to air-gap—total window < 3 s, no background telemetry possible.