Security Architecture

Security Without Compromise

Three independent layers of cryptographic protection. Every algorithm NIST-approved. Every key per-tenant. Every log zero-knowledge. Here is exactly how we protect your data.

View Compliance Certifications Read Security Policy

Defence-in-Depth

Three IndependentSecurity Layers

A breach of any single layer leaves the other two intact. Defence-in-depth by design.

Transport Layer

TLS 1.3 + ML-KEM-768 hybrid

TLS 1.3 with post-quantum key exchange
Certificate pinning on all API calls
HSTS with 2-year max-age enforced
Perfect Forward Secrecy on every connection

Storage Layer

AES-256-GCM + AWS KMS

Per-tenant Customer Master Keys (CMKs)
Envelope encryption at every write
Automatic key rotation every 365 days
Cross-region key replication for DR

Application Layer

Zero-plaintext runtime

Secrets held in ephemeral memory only
No plaintext in logs, traces, or telemetry
Fail-closed rate limiting on all endpoints
JWT issuer + audience validation enforced
Sanitised error responses — no internal leaks

NIST-Standardised Cryptography

Every Algorithm NIST-Approved

No home-grown cryptography. No experimental algorithms. Every primitive is standardised by the National Institute of Standards and Technology.

ML-KEM-768Primary

FIPS 203

Key Encapsulation

Data-in-Transit Encryption

192-bit post-quantum

ML-DSA-65Primary

FIPS 204

Digital Signatures

API Auth & Code Signing

192-bit post-quantum

SLH-DSASecondary

FIPS 205

Stateless Hash Signatures

Long-term Data Signing

256-bit post-quantum

AES-256-GCMHybrid

FIPS 197

Symmetric Encryption

Payload Encryption Layer

256-bit classical

HKDF-SHA-512Supporting

FIPS 198-1

Key Derivation

Per-Session Key Material

512-bit output

Algorithm	FIPS Standard	Type	Use in QuantaSeal	Security Level	Role
ML-KEM-768	FIPS 203	Key Encapsulation	Data-in-Transit Encryption	192-bit post-quantum	Primary
ML-DSA-65	FIPS 204	Digital Signatures	API Auth & Code Signing	192-bit post-quantum	Primary
SLH-DSA	FIPS 205	Stateless Hash Signatures	Long-term Data Signing	256-bit post-quantum	Secondary
AES-256-GCM	FIPS 197	Symmetric Encryption	Payload Encryption Layer	256-bit classical	Hybrid
HKDF-SHA-512	FIPS 198-1	Key Derivation	Per-Session Key Material	512-bit output	Supporting

Cryptographic Agility Engine

QuantaSeal's Cryptographic Agility Engine allows seamless algorithm migration without re-encrypting your data. When NIST publishes new standards or updates existing ones, your platform migrates automatically \u2014 on the next key rotation cycle.

Threat Model

What We Protect YouAgainst

Every QuantaSeal control maps to a concrete threat. Here is our full threat model and how we address each vector.

"Harvest Now, Decrypt Later"

Adversaries collect today’s encrypted traffic to decrypt it once quantum computers are available. Data with a 10-year sensitivity window is at risk right now.

Our Mitigation

ML-KEM-768 hybrid encryption makes harvested ciphertext permanently unrecoverable — even with a quantum computer.

Key Compromise

A single compromised key can expose all data encrypted under it — the classic single point of failure in traditional KMS architectures.

Our Mitigation

Per-tenant CMKs with automatic rotation mean a compromised key exposes exactly one tenant’s data from one rotation period.

Insider Threat

Engineers with database or infrastructure access can read sensitive data in systems that don’t enforce field-level encryption.

Our Mitigation

QuantaSeal encrypts at the field level before data reaches the database. Infrastructure access yields only unreadable ciphertext.

Supply Chain Attacks

Compromised dependencies or build pipelines can inject malicious code that exfiltrates secrets during execution.

Our Mitigation

Pinned dependency versions, SBOM generation, automated vulnerability scanning on every build, and signed releases via ML-DSA-65.

API Injection

Malformed requests can exploit processing pipelines to leak data or execute unintended operations.

Our Mitigation

Input validation against strict JSON schemas, parameterised queries only, rate limiting, and HMAC-signed API payloads.

Nation-State Adversaries

Sophisticated actors with access to near-future quantum hardware target long-lived sensitive data in financial, healthcare, and government sectors.

Our Mitigation

NIST FIPS 203/204/205 algorithms are specifically designed and validated to resist attacks from cryptographically relevant quantum computers.

Security Controls

Controls Mapped toEvery Risk

Our security control library is mapped to SOC 2 Type II, NIST CSF 2.0, ISO 27001, and the Australian Privacy Act. Full documentation available to Enterprise customers under NDA.

SOC 2 Type IICompliant

ISO 27001Compliant

HIPAACompliant

PCI DSSCompliant

NIST FIPS 203/204/205Compliant

Australian Privacy ActCompliant

GDPRCompliant

Security Control Summary

Encryption at Rest

AES-256-GCM + AWS KMS per-tenant CMK

Encryption in Transit

TLS 1.3 + ML-KEM-768 hybrid key exchange

Authentication

OAuth 2.0 + PKCE, JWT with issuer/audience validation

Authorisation

RBAC with least-privilege defaults, per-endpoint auth

Rate Limiting

Per-endpoint limits, fail-closed when service degraded

Cryptographic Agility

Automatic algorithm migration on NIST updates

Observability

OpenTelemetry traces, metrics, and distributed tracing

Logging

Immutable audit logs — all access events

Feature Flags

Controlled rollouts with admin-only flag management

Vulnerability Scanning

Daily SAST/DAST on CI pipeline

Dependency Auditing

GitHub Dependabot + OSV Scanner

Penetration Testing

External pentest before GA launch

Incident Response

24h detection SLO, public status page

Data Residency

Australia (ap-southeast-2), EU (eu-west-1) optional

Backup Encryption

Separate backup CMK, cross-region replication

Zero-Knowledge Logs

Logs contain no sensitive field values ever

Error Handling

Sanitised responses — no internal details exposed

Report aVulnerability

We take security reports seriously. If you discover a vulnerability, we commit to:

24 hours

Initial acknowledgement

72 hours

Severity triage complete

90 days

Maximum remediation window

Email security@quantaseal.io with a detailed description of the issue. PGP key available on request. We practise coordinated disclosure and will credit researchers in our security advisories.

Read Full Security Policy

Get Protected

Ready to Secure Your Enterprise?

Deploy post-quantum protection across all your systems in 30 minutes or less.

Talk to Sales View Compliance

QuantaSeal

Algorithm

FIPS Standard

Type

Use in QuantaSeal

Security Level

Role

ML-KEM-768

FIPS 203

Key Encapsulation

Data-in-Transit Encryption

192-bit post-quantum

Primary

ML-DSA-65

FIPS 204

Digital Signatures

API Auth & Code Signing

192-bit post-quantum

Primary

SLH-DSA

FIPS 205

Stateless Hash Signatures

Long-term Data Signing

256-bit post-quantum

Secondary

AES-256-GCM

FIPS 197

Symmetric Encryption

Payload Encryption Layer

256-bit classical

Hybrid

HKDF-SHA-512

FIPS 198-1

Key Derivation

Per-Session Key Material

512-bit output

Supporting

Controls Mapped toEvery Risk

Our security control library is mapped to SOC 2 Type II, NIST CSF 2.0, ISO 27001, and the Australian Privacy Act. Full documentation available to Enterprise customers under NDA.

SOC 2 Type IICompliant

ISO 27001Compliant

HIPAACompliant

PCI DSSCompliant

NIST FIPS 203/204/205Compliant

Australian Privacy ActCompliant

GDPRCompliant

Report aVulnerability

We take security reports seriously. If you discover a vulnerability, we commit to:

24 hours

Initial acknowledgement

72 hours

Severity triage complete

90 days

Maximum remediation window

Email security@quantaseal.io with a detailed description of the issue. PGP key available on request. We practise coordinated disclosure and will credit researchers in our security advisories.