1. Compliance Overview
QuantaSeal is designed from the ground up to support customers in highly regulated industries including healthcare, financial services, government, and SaaS platforms operating globally. Our post-quantum cryptography platform forms a foundational compliance control for your own regulatory obligations.
This page documents our current compliance status, ongoing certification programmes, and the frameworks we support. Where we hold formal certifications, reports are available to customers under NDA on request at compliance@quantaseal.io.
Important: QuantaSeal provides security infrastructure to support your compliance obligations. Using QuantaSeal does not automatically make your organisation compliant with any specific regulation. You remain responsible for your own compliance posture and must implement appropriate controls across your full environment.
2. SOC 2 Type II
QuantaSeal is pursuing a SOC 2 Type II report (an independent auditor's attestation under the AICPA Trust Services Criteria, not a certification) covering the following Trust Services Criteria (TSC):
- Security (CC): Controls protecting against unauthorised access to systems and data.
- Availability (A): System availability commitments and service level targets.
- Confidentiality (C): Protection of information designated as confidential.
We are currently in the readiness assessment phase. A Type I report is targeted for Q3 2026, with the Type II observation period commencing thereafter. Customers requiring SOC 2 evidence before the report is issued may request our security questionnaire and supporting control documentation.
Our infrastructure sub-processor, AWS, holds SOC 2 Type II reports and ISO/IEC 27001 certification; copies are available through the AWS Compliance Centre.
3. ISO/IEC 27001
ISO/IEC 27001:2022 certification is on our roadmap for 2026. We have implemented an Information Security Management System (ISMS) aligned with ISO/IEC 27001 Annex A controls. Note that the domain numbering below follows ISO/IEC 27001:2013 Annex A; ISO/IEC 27001:2022 regroups the same controls into four themes (A.5 Organisational, A.6 People, A.7 Physical, A.8 Technological). Domains covered:
- A.5 — Information security policies
- A.6 — Organisation of information security
- A.8 — Asset management
- A.9 — Access control
- A.10 — Cryptography (our primary differentiator — post-quantum algorithms)
- A.12 — Operations security
- A.13 — Communications security
- A.14 — System acquisition, development, and maintenance
- A.16 — Information security incident management
- A.17 — Business continuity management
- A.18 — Compliance
4. Australian Privacy Act 1988 (Cth)
As an Australian business, QuantaSeal complies with the Privacy Act 1988 (Cth) and all 13 Australian Privacy Principles (APPs). Key measures include:
| APP | Principle | How We Comply |
|---|---|---|
| APP 1 | Open & transparent management | Published Privacy Policy; designated Privacy Officer |
| APP 3 | Collection of solicited personal info | Collect only data necessary for service delivery |
| APP 5 | Notification of collection | Disclosed at point of collection via Privacy Policy |
| APP 6 | Use or disclosure | Used only for stated purpose; not sold |
| APP 7 | Direct marketing | Opt-in only; easy unsubscribe on all communications |
| APP 11 | Security of personal info | PQC encryption, access controls, incident response |
| APP 12 | Access to personal info | Fulfilled within 30 days on verified request |
| APP 13 | Correction of personal info | Corrections actioned promptly on verified request |
We are subject to oversight by the Office of the Australian Information Commissioner (OAIC). We comply with the Notifiable Data Breaches (NDB) scheme and will notify the OAIC and affected individuals in the event of an eligible data breach.
5. GDPR (EU & UK)
For customers and end-users located in the European Economic Area (EEA) or United Kingdom, QuantaSeal acts as both a data controller (for account and billing data) and a data processor (for Customer Data you submit to our platform). Our GDPR programme includes:
- Legal Basis: We process personal data under clearly identified lawful bases (contract, consent, legitimate interests, legal obligation) as documented in our Privacy Policy.
- Data Subject Rights: We support all GDPR Article 15–22 rights (access, rectification, erasure, portability, restriction, objection). Requests are handled within one month, as Article 12(3) requires; that period may be extended by up to two further months for complex or numerous requests, in which case the data subject is told within the first month.
- Data Protection by Design: Privacy and security controls are embedded at the architecture level, not bolted on.
- Breach Notification: We notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals (Art. 33), and notify affected individuals without undue delay where the breach is likely to result in a high risk to them (Art. 34).
- International Transfers: Transfers outside the EEA/UK are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
- Records of Processing Activities (RoPA): Maintained internally as required by Article 30.
- DPA Availability: A Data Processing Agreement compliant with GDPR Article 28 is available to all customers on request.
Supervisory authority complaints may be filed with the relevant EEA/UK data protection authority. Australian residents should contact the OAIC.
6. CCPA / CPRA (California)
For California residents, we comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- No Sale of Data: QuantaSeal does not sell personal information to third parties. We do not share personal information for cross-context behavioural advertising.
- Right to Know: California residents may request disclosure of personal information collected, the purposes for collection, and third parties with whom it is shared.
- Right to Delete: Requests for deletion are honoured subject to legal retention obligations.
- Right to Correct: Inaccurate personal information will be corrected upon verified request.
- Non-Discrimination: We do not discriminate against customers who exercise their CCPA rights.
- Opt-Out: As we do not sell or share personal information, no opt-out mechanism is required, but requests to compliance@quantaseal.io will be honoured.
7. HIPAA
QuantaSeal supports healthcare customers subject to the Health Insurance Portability and Accountability Act (HIPAA). Our platform's post-quantum encryption and access controls provide strong technical safeguards for Protected Health Information (PHI):
- Technical Safeguards (§164.312): AES-256 encryption at rest, with data-encryption keys protected via ML-KEM-768 key encapsulation; TLS 1.3 in transit; RBAC with audit logging for all PHI access.
- Administrative Safeguards (§164.308): Security officer designation; risk analysis procedures; workforce security training; incident response plan.
- Audit Controls (§164.312(b)): Immutable, hash-chained audit logs record all access to, modification of, and deletion of Customer Data for HIPAA-required audit purposes.
- Business Associate Agreement (BAA): QuantaSeal will execute a BAA with covered entities and business associates who process PHI using our platform. Contact compliance@quantaseal.io to request a BAA.
Note: HIPAA compliance is a shared responsibility. QuantaSeal provides the technical infrastructure controls, but customers must implement appropriate administrative and physical safeguards within their own environments.
8. PCI DSS
QuantaSeal does not store, process, or transmit cardholder data. Payment processing is handled exclusively by Stripe, which is a PCI DSS Level 1 Service Provider.
Customers who use QuantaSeal to encrypt data that may include payment card information benefit from our encryption controls, which can form part of a cardholder data environment (CDE) segmentation and encryption strategy. Specifically (requirement numbers per PCI DSS v4.0):
- Field-level encryption via QuantaSeal can render data unreadable to systems outside the authorised decryption path (PCI DSS Requirement 3.5).
- Cryptographic key management practices align with PCI DSS Requirements 3.6 and 3.7.
- Audit logging supports PCI DSS Requirement 10 (logging and monitoring).
Customers subject to PCI DSS should engage their Qualified Security Assessor (QSA) to determine how QuantaSeal integrates into their overall PCI compliance scope.
9. NIST Frameworks
9.1 NIST Post-Quantum Cryptography Standards
QuantaSeal implements all three NIST post-quantum cryptography standards finalised in 2024 (FIPS 203, 204 and 205, published August 2024):
| Standard | Algorithm | QuantaSeal Use |
|---|---|---|
| NIST FIPS 203 | ML-KEM (formerly CRYSTALS-Kyber) | Primary key encapsulation — establishes the symmetric keys used for data encryption |
| NIST FIPS 204 | ML-DSA (formerly CRYSTALS-Dilithium) | Digital signatures — authentication, API tokens |
| NIST FIPS 205 | SLH-DSA (formerly SPHINCS+) | Stateless hash-based signatures — fallback signing algorithm |
9.2 NIST Cybersecurity Framework (CSF 2.0)
Our security programme is aligned with the six NIST CSF 2.0 core functions:
| CSF 2.0 Function | Programme Coverage |
|---|---|
| Govern | Security policies, risk management, supply chain security |
| Identify | Asset inventory, risk assessment, vulnerability management |
| Protect | PQC encryption, access control, security training, SDLC |
| Detect | CloudWatch, GuardDuty, WAF alerting, anomaly detection |
| Respond | Incident response plan, customer notification procedures |
| Recover | DR plan, automated backups, RTO/RPO targets |
9.3 NIST SP 800-53 & SP 800-171
For US Federal and defence-sector customers, QuantaSeal's controls map to NIST SP 800-53 Rev 5 (Federal Systems) and NIST SP 800-171 Rev 3 (Controlled Unclassified Information). A control mapping document is available on request.
10. Financial Services Regulations
10.1 Australia — APRA CPS 234
APRA-regulated entities (banks, insurers, superannuation funds) subject to CPS 234 (Information Security) benefit from QuantaSeal's controls, which address:
- Information asset classification and cryptographic protection (CPS 234 §19–23).
- Incident response aligned with APRA's 72-hour notification requirement for material incidents.
- Third-party risk management documentation for QuantaSeal as a technology service provider (CPS 234 §36–40).
- Annual testing and independent review documentation available to regulated entities.
10.2 Australia — CDR / Open Banking
QuantaSeal's API proxy and field encryption capabilities are designed to support Consumer Data Right (CDR) data holders and accredited data recipients requiring secure API communication and data minimisation at the field level.
10.3 Global — DORA (EU Digital Operational Resilience Act)
EU financial entities subject to DORA (applicable from 17 January 2025) can leverage QuantaSeal's cryptographic controls, audit logging, and incident response capabilities to address ICT risk management requirements. Control mapping documentation is available on request.
11. Salesforce AppExchange Security Review
QuantaSeal's Salesforce managed package and connected app are designed to meet and exceed Salesforce's AppExchange Security Review requirements:
- All data leaving the Salesforce org is encrypted before transit to QuantaSeal APIs: the content is encrypted under a symmetric key (AES-256, as elsewhere on this page) that is established via ML-KEM-768 key encapsulation, since a KEM transports keys rather than encrypting data directly.
- Outbound Salesforce API calls use PQC-JWT authentication tokens signed with ML-DSA-65, replacing standard Named Credentials.
- The managed package requests only the minimum required Salesforce permissions (principle of least privilege).
- No Salesforce credentials, session tokens, or org data are persisted outside of the encrypted QuantaVault.
- The package is reviewed against Salesforce's Secure Coding Guidelines and the AppExchange Security Review checklist.
- We participate in the Salesforce ISV partner programme and submit to the Salesforce CSAT and Security Review process.
12. Audit & Reporting
We maintain comprehensive audit capabilities for customers requiring evidence for their own compliance obligations:
- Immutable Audit Trail: All platform events (data access, encryption/decryption operations, key usage, admin actions) are recorded in a hash-chained, tamper-evident log.
- Customer Audit Logs: Customers can export their own audit logs via API for integration with SIEM tools.
- Compliance Reports: SOC 2 report, penetration test summary, and security questionnaire responses are available to customers and prospects under NDA.
- Sub-processor List: A current list of sub-processors is maintained and available in our Privacy Policy and on request.
To request compliance documentation, contact compliance@quantaseal.io.
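The hash-chained, tamper-evident audit trail described here (and in the HIPAA Audit Controls bullet above) can be checked independently by whoever consumes an exported log, not only by the platform. The following is an added example, not QuantaSeal's own code or export format: the record layout (seq, prev_hash, event fields, hash), SHA-256 chaining and the sample events are all assumptions for illustration. It shows which manipulations the chain check catches and the one it cannot catch on its own.

```python
"""Hash-chained, tamper-evident audit log: append, verify, and probe tampering.

Added example; record layout and chaining construction are assumptions,
not QuantaSeal's export format.
"""
import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # stands in for the hash of the (non-existent) record before the first

# Constructed sample events for illustration only.
SAMPLE_EVENTS = [
    {"ts": "2026-03-13T01:00:00Z", "actor": "svc-api", "action": "data.read", "object": "rec-1001"},
    {"ts": "2026-03-13T01:00:05Z", "actor": "svc-api", "action": "crypto.decrypt", "object": "rec-1001", "key_id": "dek-7"},
    {"ts": "2026-03-13T01:02:00Z", "actor": "admin@example", "action": "admin.role_grant", "object": "user-42"},
    {"ts": "2026-03-13T01:03:00Z", "actor": "svc-api", "action": "data.delete", "object": "rec-1001"},
]


def canonical(record: dict) -> bytes:
    # Deterministic serialisation: every verifier must hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict) -> str:
    # Hash covers seq, prev_hash and all event fields, but not the stored hash itself.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.records: list[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"seq": len(self.records), "prev_hash": prev, **event}
        rec["hash"] = record_hash(rec)  # binds this record to its predecessor
        self.records.append(rec)
        return rec


def verify_chain(records: list[dict]) -> tuple[bool, Optional[int]]:
    """Return (ok, seq of first bad record). Catches edits, deletions, reordering and splices."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev_hash") != prev:
            return False, i
        if not hmac.compare_digest(record_hash(rec), rec.get("hash", "")):
            return False, i
        prev = rec["hash"]
    return True, None


def verify_head(records: list[dict], expected_head: str) -> bool:
    """Chain check plus comparison against a head hash recorded out-of-band (e.g. by a SIEM)."""
    ok, _ = verify_chain(records)
    return ok and bool(records) and hmac.compare_digest(records[-1]["hash"], expected_head)


def build_sample_log() -> AuditLog:
    log = AuditLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log


# Tampering probes: each returns verify_chain's result on a manipulated copy.
def tampered_edit(records: list[dict]) -> tuple[bool, Optional[int]]:
    bad = copy.deepcopy(records)
    bad[1]["actor"] = "someone-else"  # silent edit, stored hash now stale -> caught at seq 1
    return verify_chain(bad)


def tampered_edit_rehashed(records: list[dict]) -> tuple[bool, Optional[int]]:
    bad = copy.deepcopy(records)
    bad[1]["actor"] = "someone-else"
    bad[1]["hash"] = record_hash(bad[1])  # attacker repairs the per-record hash...
    return verify_chain(bad)  # ...but seq 2 still points at the old hash -> caught at seq 2


def tampered_delete(records: list[dict]) -> tuple[bool, Optional[int]]:
    bad = copy.deepcopy(records)
    del bad[2]  # removing a middle record breaks both seq and prev_hash at position 2
    return verify_chain(bad)


def tampered_truncate(records: list[dict]) -> tuple[bool, Optional[int]]:
    # Dropping the newest records leaves a chain that is still internally consistent.
    return verify_chain(records[:-1])


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log.records))
    print("truncated tail passes chain check:", tampered_truncate(log.records))
    print("truncated tail fails head check:", verify_head(log.records[:-1], log.records[-1]["hash"]))
```

The chain check catches any edit, deletion, reordering or splice before the tail, because each record's hash is an input to the next one. What it cannot detect is removal of the most recent records: a truncated chain is still self-consistent. A SIEM that ingests the export should therefore keep the latest hash it has seen (or a signed chain head) and check the next export against it, as verify_head does.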
13. Data Processing Agreements
Customers who require a Data Processing Agreement (DPA) — for GDPR Article 28, HIPAA BAA, APRA CPS 234 third-party requirements, or other regulatory purposes — may request one from us:
- GDPR DPA: Available to all customers, includes Standard Contractual Clauses (SCCs) for cross-border transfers.
- HIPAA BAA: Available to healthcare customers; required before processing Protected Health Information.
- Enterprise Custom DPA: Enterprise plan customers may negotiate custom data processing terms in their master agreement.
To request any agreement, email compliance@quantaseal.io with your company name, the applicable regulation, and your preferred agreement format.
14. Contact
For compliance inquiries, audit report requests, DPA/BAA execution, or regulatory questions:
Compliance Team — QuantaSeal Pty Ltd
- Compliance: compliance@quantaseal.io
- Security: security@quantaseal.io
- Privacy: privacy@quantaseal.io
- Address: Adelaide, South Australia 5000, Australia
This Compliance page was last updated on 13 March 2026. See also our Privacy Policy, Terms of Service, and Security Policy.