Not legal or prudential advice. This page provides QuantaSeal's operational commitments relevant to APRA CPS 230 assessments. It does not constitute legal, prudential, or compliance advice. APRA-regulated entities should engage their own legal counsel and compliance team when assessing service providers under CPS 230.
1. Overview of CPS 230
APRA Prudential Standard CPS 230 Operational Risk Management came into effect on 1 July 2025. It applies to all APRA-regulated entities: authorised deposit-taking institutions (ADIs), general and life insurers, private health insurers, and registrable superannuation entity (RSE) licensees.
CPS 230 requires regulated entities to maintain robust operational risk management, with specific obligations around service providers. Key requirements include:
Service Provider Management (s53–s63)
Regulated entities must maintain a register of material service providers and conduct thorough due diligence before engagement and on an ongoing basis.
Operational Resilience (s28–s40)
Business continuity plans, critical operations mapping, and tested recovery capabilities within defined tolerances.
APRA Right of Access (s61)
Agreements with material service providers must include APRA's right to access information and the entity's right to conduct audits.
Exit Management (s62–s63)
Regulated entities must maintain exit plans ensuring continuity of critical services if a material service provider relationship ends.
2. QuantaSeal as a Material Service Provider
CPS 230 requires regulated entities to identify "material service providers" - those whose failure could significantly disrupt a critical operation. QuantaSeal recognises that for customers who use our platform as a core component of their cryptographic infrastructure, credential management, or regulatory compliance programme, we may qualify as a material service provider.
The materiality assessment is the APRA-regulated entity's responsibility. To support that assessment, QuantaSeal provides the following information:
| Assessment Factor | QuantaSeal Detail |
|---|---|
| Nature of services | Post-quantum encryption, credential vault management, API proxy, compliance reporting - typically integrated into customer security infrastructure |
| Data handled | Encrypted customer data (credentials, API keys, PII) - see DPA for data categories |
| Jurisdiction | QuantaSeal Pty Ltd - incorporated in South Australia, Australia. Infrastructure on AWS ap-southeast-2 (Sydney) |
| Sub-processors | AWS (infrastructure), Stripe (billing), Resend (transactional email) - full list at /legal/sub-processors |
| Concentration risk | QuantaSeal uses AWS ap-southeast-2 as primary region. Multi-region capability available on Growth+ plans. |
| Regulatory compliance | SOC 2 Type II programme in progress; APRA CPS 234 mapped; ISO 27001 roadmap Q3 2027 |
3. Operational Resilience Commitments
QuantaSeal's service-level and resilience commitments relevant to CPS 230 operational continuity requirements:
SLA Uptime
99.9% (Starter) · 99.95% (Professional+)
Monthly measurement, per /legal/sla
Recovery Time Objective (RTO)
4 hours
Time to restore service from declared incident
Recovery Point Objective (RPO)
24 hours
Maximum data loss window under BCP scenario
Scheduled Maintenance Window
Sundays 00:00–04:00 ACST
Communicated 7 days in advance
Incident Response SLA
Critical: 1 hour · High: 4 hours · Medium: 24 hours
See /security/disclosure for severity definitions
Data Residency
AWS ap-southeast-2 (Sydney)
All Australian customer data remains in Australia by default
Full SLA terms, service credits, and exclusions are set out in our Service Level Agreement.
4. APRA Right of Access
CPS 230 paragraph 61 requires that service provider agreements include a right for APRA to access information about the services provided, and for the regulated entity to audit the service provider.
QuantaSeal agrees to include the following provisions in agreements with APRA-regulated entities (available in the MSA and as an addendum to the standard Terms):
APRA Information Access
QuantaSeal will provide APRA, or persons authorised by APRA, with access to information about the services provided to the regulated entity, as required under the Banking Act 1959, Insurance Act 1973, Life Insurance Act 1995, or SIS Act 1993 (as applicable).
Regulated Entity Audit Rights
The regulated entity (or its appointed auditors) may conduct audits of QuantaSeal's controls relevant to the services upon 30 days' written notice. Audit costs are borne by the regulated entity unless the audit reveals a material control failure.
Independent Assurance Reports
QuantaSeal will make available its most recent SOC 2 Type II report (or equivalent independent assurance) upon request under NDA, in lieu of a direct audit, where the regulated entity agrees.
Regulatory Directions
QuantaSeal will comply with any direction given to it by APRA under applicable prudential legislation, or by the regulated entity acting on APRA's instructions.
To request these provisions in your agreement, contact legal@quantaseal.io.
5. Business Continuity Summary
QuantaSeal maintains a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) aligned with CPS 230's operational continuity requirements. A summary is available below; the full BCP document is available to APRA-regulated customers under NDA upon request.
Infrastructure Redundancy
Implemented: Production workloads run on AWS ECS Fargate (multi-AZ within ap-southeast-2). Aurora PostgreSQL is deployed in Multi-AZ configuration with automatic failover < 30 seconds. ElastiCache Redis uses cluster mode with replica sets.
Database Backup
Implemented: Automated daily snapshots retained for 35 days. Point-in-time recovery (PITR) enabled on Aurora with 1-minute granularity. Cross-region snapshot copy available for enterprise customers.
Key Material Recovery
Implemented: AWS KMS CMKs are backed up via the AWS KMS key deletion protection (minimum 7-day deletion window). A backup KMS CMK is maintained per tenant for recovery. PQC key material for TenantKeys is stored with KMS-wrapped encryption.
Incident Communication
Implemented: Status page at status.quantaseal.io updated within 15 minutes of a confirmed incident. Affected customers notified by email within 1 hour of P1 (Critical) incidents.
Annual BCP Testing
Scheduled - Q4 2026: Full tabletop exercise annually. DR failover test annually with documented RTO/RPO validation. Results available to APRA-regulated customers under NDA.
Third-Party Concentrations
Partial - Enterprise plans: AWS is the primary infrastructure provider. QuantaSeal monitors AWS service health and maintains a documented dependency map. In the event of a sustained AWS ap-southeast-2 outage, failover to ap-southeast-4 (Melbourne) is available on Enterprise plans.
6. Exit Management
CPS 230 requires regulated entities to maintain exit plans for material service providers. QuantaSeal supports your exit planning with the following:
Data Export on Termination
Upon termination (customer-initiated or QuantaSeal-initiated with 30 days' notice), all Customer Data is made available for export in JSON/CSV format for 30 days. Vault entries are provided in decrypted form (with re-encryption key) or as encrypted archives with key material.
Export Assistance
For APRA-regulated customers, QuantaSeal provides up to 90 days of exit assistance including data migration support, API migration documentation, and a point-of-contact engineer.
No Data Hostage Clauses
QuantaSeal's Terms and MSA do not contain data hostage provisions. Your data is yours. We charge no exit fees for standard data export on Growth and Enterprise plans.
Portability of Cryptographic Configuration
Algorithm configuration (ML-KEM-768, ML-DSA-65) is documented and exportable. PQC key material (public keys) can be exported for continuity purposes. KMS-wrapped private keys require AWS KMS access and are governed by the AWS shared responsibility model.
7. APRA CPS 234 (Information Security)
In addition to CPS 230, APRA-regulated entities must also assess service providers under CPS 234 Information Security. QuantaSeal's CPS 234 control mapping is documented on our Compliance page.
CPS 234 §22
Information security capabilities defined and maintained - ML-KEM-768 + ML-DSA-65 capability register maintained
CPS 234 §27
Information assets classified and protected - all vault entries tagged with data classification metadata
CPS 234 §36
Notification to APRA of material information security incidents within 72 hours - QuantaSeal commits to 72-hour customer notification
8. Service Provider Attestation
QuantaSeal can provide a signed CPS 230 Service Provider Attestation to APRA-regulated customers. The attestation covers:
- Confirmation of operational resilience commitments (RTO/RPO/SLA)
- Confirmation that APRA right of access provisions are available for inclusion in the services agreement
- Summary of sub-processors and their roles
- Confirmation of Australian data residency (ap-southeast-2)
- Summary of information security controls relevant to CPS 234
- Status of independent assurance programme (SOC 2 Type II)
To request an attestation, email compliance@quantaseal.io with your organisation name, APRA entity type (ADI, insurer, RSE), and the services in scope. Attestations are typically provided within 10 business days.