Overview
QuantaSeal's platform incorporates cryptographic software subject to export control regulations in Australia, the United States, and other jurisdictions. This page describes our compliance posture and the obligations that apply to customers and resellers.
Disclaimer
This page provides general information only. It is not legal advice. If you are engaged in defence, government, or dual-use technology transactions, consult a licensed export controls attorney before proceeding.
Australian Defence and Strategic Goods List (DSGL)
QuantaSeal is incorporated in Australia. The relevant Australian export control framework is the Defence and Strategic Goods List (DSGL) administered by the Department of Defence under the Defence Export Controls framework.
DSGL Part 2 - Dual-Use Goods
Cryptographic software capable of encryption above 56-bit symmetric keys is controlled under Category 5 Part 2 of the DSGL. QuantaSeal uses AES-256-GCM and post-quantum algorithms exceeding this threshold.
Mass Market Exception
Software made generally available to the public without restriction and not specially designed for military or intelligence use may qualify for the mass market exception. QuantaSeal's commercial SaaS offering is designed to qualify, but this determination is fact-specific.
ASD Cryptography Approval
For Australian government and ASD-classified deployments, QuantaSeal recommends customers confirm DSGL classification with the Department of Defence before procurement.
Supply to sanctioned persons
Supply of QuantaSeal software or services to sanctioned persons or entities listed on the Consolidated List is prohibited under Australian sanctions law.
US Export Administration Regulations (EAR)
QuantaSeal's cryptographic software may be subject to the US Export Administration Regulations (EAR) administered by the Bureau of Industry and Security (BIS), even though QuantaSeal is an Australian company, because:
- QuantaSeal's infrastructure runs on AWS, which uses US-origin technology
- The platform incorporates open-source cryptographic libraries (liboqs) with US-nexus development
ECCN Classification
QuantaSeal is provisionally classified as ECCN 5D002 (Information Security - software) under EAR Category 5 Part 2. The applicable licence exception may be ENC (encryption items) or TSU (technology and software unrestricted) for publicly available, publicly known encryption.
Post-Quantum Cryptography Note
ML-KEM (FIPS 203) and ML-DSA (FIPS 204) are NIST-standardised algorithms. As of 2026, BIS has not published specific ECCN classifications for these algorithms. QuantaSeal monitors BIS guidance and will update this page when classifications are confirmed.
Restricted destinations
QuantaSeal does not provide services to persons or entities in countries subject to US comprehensive sanctions (Cuba, Iran, North Korea, Russia, Syria, Crimea, DNR/LNR regions). Customers represent that they are not on the BIS Entity List, OFAC SDN List, or any equivalent list.
CMMC 2.0 - US Defence Supply Chain
The US Cybersecurity Maturity Model Certification (CMMC) 2.0 framework incorporates post-quantum requirements under NIST SP 800-171r3 and proposed SP 800-172. QuantaSeal's ML-KEM-768 and ML-DSA-65 implementation directly supports CMMC Level 2 and 3 requirements for organisations handling CUI (Controlled Unclassified Information).
- AC.3.012 - Employ cryptographic mechanisms: AES-256-GCM + ML-KEM-768 satisfies the requirement for FIPS-validated encryption of CUI
- SC.3.177 - Employ FIPS-validated cryptography: ML-KEM-768 (FIPS 203) and ML-DSA-65 (FIPS 204) are NIST-standardised. Note: liboqs 0.14.1 is not CAVP-validated - see NIST note below.
- SC.3.187 - Establish and manage cryptographic keys: AWS KMS CMKs with per-tenant isolation, HSM-backed, automated rotation
Important: NIST CAVP validation status
QuantaSeal uses liboqs 0.14.1, which implements ML-KEM-768 and ML-DSA-65. While these algorithms are standardised as FIPS 203/204, liboqs 0.14.1 has not yet received NIST CAVP (Cryptographic Algorithm Validation Program) certification as of May 2026. For US federal and CMMC contracts that explicitly require CAVP-validated implementations, please contact export-controls@quantaseal.io to discuss implementation alternatives or the timeline for CAVP certification.
Security of Critical Infrastructure Act 2018 (SOCI Act)
The Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), as amended by the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, imposes obligations on responsible entities for critical infrastructure assets in 11 sectors, including:
QuantaSeal's role: QuantaSeal is not itself a responsible entity for a critical infrastructure asset. However, customers in SOCI-regulated sectors who use QuantaSeal as part of their security infrastructure should assess whether QuantaSeal is a direct interest holder, operator, or material service provider within the meaning of their own Critical Infrastructure Risk Management Programme (CIRMP) obligations.
CIRMP Cooperation
QuantaSeal will cooperate with reasonable requests from responsible entities in the context of their CIRMP obligations, including providing information about our security controls, incident history, and sub-processor chain.
Incident Notification
QuantaSeal notifies customers of security incidents affecting their data within 72 hours. For SOCI-regulated customers, this supports your own obligation to notify the Australian Signals Directorate (ASD) within 12 hours of becoming aware of a significant cyber incident affecting a critical infrastructure asset.
Positive Security Obligation (PSO)
If QuantaSeal is designated as part of your SOCI supply chain security assessment, we can provide security attestations, penetration test summaries, and access to our SOC 2 report under NDA to support your PSO.
For SOCI-related questions or to request a security assessment package, contact export-controls@quantaseal.io.
Customer Obligations
By using QuantaSeal, customers represent, warrant, and agree that:
- They are not located in, or acting on behalf of any government of, a US-sanctioned country or Australian-sanctioned jurisdiction
- They are not named on any government denied parties list, including the OFAC SDN List, BIS Entity List, or Australian Consolidated List
- They will not use QuantaSeal to process, store, or transmit data in violation of applicable export control laws
- They will obtain any required export licences or government approvals before exporting or re-exporting the Services to controlled destinations
- They will notify QuantaSeal immediately if they become aware that any of these representations are no longer accurate
Export controls enquiries
For questions regarding export controls, CMMC requirements, ASD licensing, or defence supply chain compliance:
export-controls@quantaseal.io