ML-KEM
DSA-65
QUANTASEAL
ML-KEM-768AES-256-GCMML-DSA-65
Initializing Quantum Vault
QUANTASEAL
Last updated: May 2026
In accordance with our Data Processing Agreement, this page lists all third parties (sub-processors) that process personal data on behalf of QuantaSeal customers. We will notify customers at least 30 days before adding or replacing any sub-processor.
Subscribe to sub-processor change notifications
We'll email you 30 days before adding or replacing any sub-processor - as required by GDPR Article 28.
How QuantaSeal minimises sub-processor exposure
QuantaSeal's core architecture is designed to ensure that no sub-processor ever receives plaintext customer data. All personal data is encrypted with ML-KEM-768 + AES-256-GCM before leaving the QuantaSeal application layer. Sub-processors such as AWS S3 and RDS receive only ciphertext. AWS KMS holds key material but never receives plaintext data - only wrapped key blobs. The optional AI Copilot providers (Anthropic, OpenAI) receive only the query text explicitly submitted by the user, never vault contents.
| Sub-Processor | Country / Region | Purpose | Data Processed | DPA |
|---|---|---|---|---|
Amazon Web Services (AWS) | USA (ap-southeast-2, Sydney primary) | Cloud infrastructure - compute (ECS Fargate), storage (S3, RDS PostgreSQL, ElastiCache Redis), key management (KMS), secrets management (Secrets Manager), load balancing | All customer data (encrypted at rest and in transit) | View DPA |
Stripe | USA | Payment processing - subscription billing, invoicing, payment method storage | Billing contact name, email, company name, payment card data (handled directly by Stripe, never touches QuantaSeal systems) | View DPA |
Resend | USA | Transactional email - account verification, notifications, billing receipts | Email address, name (in email content only) | View DPA |
Cloudflare | USA | CDN, DDoS protection, WAF, DNS, SSL/TLS termination | IP addresses, HTTP request metadata (no payload content - encrypted end-to-end) | View DPA |
Anthropic (optional) Only if tenant selects Anthropic as Copilot provider | USA | Quanta Copilot LLM provider - processes AI agent queries when tenant configures Anthropic as LLM backend | Query text submitted to Quanta Copilot only; no vault contents or plaintext credentials | View DPA |
OpenAI (optional) Only if tenant selects OpenAI as Copilot provider | USA | Quanta Copilot LLM provider - processes AI agent queries when tenant configures OpenAI as LLM backend | Query text submitted to Quanta Copilot only; no vault contents or plaintext credentials | View DPA |
AWS Bedrock / Anthropic on AWS (default) | USA (ap-southeast-2 for AP region tenants) | Quanta Copilot default LLM provider - Claude Sonnet via AWS Bedrock | Query text submitted to Quanta Copilot only; data residency enforced per tenant region setting | View DPA |
Sentry (optional) Only when SENTRY_DSN is configured | USA | Application error monitoring and performance tracking | Error stack traces, request context (automatically scrubbed of PII) | View DPA |
PagerDuty (optional) Only when PAGERDUTY_ROUTING_KEY is configured | USA | On-call alerting and incident management for operational incidents | Alert metadata (no customer data content) | View DPA |
International transfers
Several sub-processors are located in the United States. All transfers of personal data from the EU/EEA or UK to these sub-processors are governed by Standard Contractual Clauses (EC Decision 2021/914) and/or UK IDTA. Customers requiring EU-only or UK-only data residency should contact dpa@quantaseal.io. QuantaSeal's primary data region is ap-southeast-2 (Sydney, Australia) which is covered by an EU adequacy assessment for Australian Privacy Act data.
Questions or objections regarding this list? Contact dpa@quantaseal.io. See our DPA for the process to object to a new sub-processor.