Compliance & Standards
Qpher is built for organizations that need to meet regulatory and compliance requirements. This page summarizes our current compliance posture, the standards we align with, and our roadmap for certifications.
NIST Post-Quantum Cryptography Standards
Qpher implements the algorithms standardized by NIST for post-quantum cryptography:
| Algorithm | NIST Standard | FIPS Document | Use in Qpher |
|---|---|---|---|
| Kyber768 (ML-KEM-768) | ML-KEM | FIPS 203 | Key Encapsulation Mechanism for encryption |
| Dilithium3 (ML-DSA-65) | ML-DSA | FIPS 204 | Digital signatures |
Both algorithms provide NIST Level 3 security, which offers strong protection against both classical and quantum computer attacks. These are the same algorithms recommended by NIST, NSA, and CISA for transitioning to quantum-resistant cryptography.
NIST Level 3 provides security roughly equivalent to AES-192 against classical attacks and strong resistance against known quantum algorithms. It balances security strength with performance for most enterprise use cases.
SOC 2 Type II
| Item | Detail |
|---|---|
| Status | Currently in preparation |
| Target | SOC 2 Type II certification |
| Scope | Security, Availability, Confidentiality |
Qpher is actively working toward SOC 2 Type II certification. Our infrastructure and processes are designed with SOC 2 controls in mind from day one:
- Access control: Role-based access, API key authentication, Zero Trust policy engine
- Encryption: AES-256-GCM at rest, TLS 1.3 in transit
- Monitoring: Centralized logging, audit trails, alerting
- Change management: CI/CD pipeline with automated testing
- Incident response: Documented process with 72-hour breach notification
Enterprise plan customers can request our current SOC 2 readiness report and discuss specific compliance requirements with our team. Contact security@qpher.ai.
GDPR Compliance
Qpher complies with the General Data Protection Regulation (GDPR) for customers processing data of EU residents.
Data Processing
| Aspect | How Qpher Handles It |
|---|---|
| Role | Qpher acts as a data processor on your behalf |
| Data minimization | We process only the data you send for encryption or signing |
| Purpose limitation | Your data is used solely for the requested cryptographic operation |
| Storage | Ciphertexts and signatures are returned to you; we do not store your plaintext |
| Retention | Key metadata is retained while your account is active; deleted upon account closure |
| Portability | Public keys and metadata can be exported at any time |
Data Processing Agreement (DPA)
A Data Processing Agreement is available for customers who need one. The DPA covers:
- Scope of data processing
- Sub-processor list
- Data breach notification (72-hour commitment)
- Data deletion upon termination
- Technical and organizational security measures
Contact legal@qpher.ai to request a DPA.
Right to Erasure
When you delete your Qpher account or request data erasure:
- All API keys are immediately revoked.
- All PQC key pairs are securely deleted (private keys are overwritten before deletion).
- Tenant metadata is purged from the database.
- Audit logs are retained for 180 days (for regulatory compliance), then deleted.
Data Residency
| Plan | Data Residency Options |
|---|---|
| Free, Starter, Growth, Pro | Default region (US) |
| Enterprise | Configurable data residency (US, EU, APAC) |
Enterprise customers can specify where their cryptographic keys and metadata are stored. This is essential for organizations subject to data sovereignty regulations.
Audit Logging
Every cryptographic operation and administrative action in Qpher generates an audit log entry. Audit logs are designed for compliance reporting and incident investigation.
What Is Logged
| Event Type | Examples |
|---|---|
| Authentication | API key used, login attempt, JWT issued |
| Cryptographic operations | KEM encrypt, KEM decrypt, sign, verify |
| Key management | Key generated, key rotated, key retired, key archived |
| Administrative | Plan changed, API key created, API key revoked |
| Security events | Rate limit exceeded, policy denial, invalid API key |
Log Properties
| Property | Value |
|---|---|
| Retention | 180 days |
| Format | Structured JSON |
| Fields | timestamp, event_type, tenant_id, request_id, result, metadata |
| Tamper protection | Append-only log storage |
| Access | Available to account administrators through the portal |
Audit logs never contain private keys, plaintext data, or full API keys. Sensitive fields are automatically redacted before logging.
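To make the log properties above concrete, here is an added example (written for this page, not Qpher's own logging code) of an audit emitter that produces structured JSON entries with exactly the six fields listed, redacts sensitive metadata before anything is written, and appends entries to a hash-chained store so later modification can be detected. The metadata key names (`private_key`, `plaintext`, `api_key`), the `[REDACTED]` marker, the `sha256:` key fingerprint and the hash chain are all assumptions of this example; the page only states that such fields are redacted and that storage is append-only.

```python
import hashlib
import json
from datetime import datetime, timezone

# The field set the page lists for every audit entry.
AUDIT_FIELDS = ("timestamp", "event_type", "tenant_id", "request_id", "result", "metadata")

# Assumed metadata key names: values under these keys are dropped entirely.
REDACT_FULLY = {"private_key", "secret_key", "plaintext"}
# Assumed: API keys are replaced by a one-way fingerprint so entries can still
# be correlated to a key without the key itself appearing in the log.
API_KEY_FIELDS = {"api_key"}


def fingerprint_api_key(api_key: str) -> str:
    """Return a non-reversible identifier for an API key (assumed format)."""
    digest = hashlib.sha256(api_key.encode("utf-8")).hexdigest()
    return "sha256:" + digest[:16]


def redact_metadata(metadata: dict) -> dict:
    """Recursively copy metadata, removing secrets before it is serialized."""
    clean = {}
    for key, value in metadata.items():
        if key in REDACT_FULLY:
            clean[key] = "[REDACTED]"
        elif key in API_KEY_FIELDS and isinstance(value, str):
            clean[key] = fingerprint_api_key(value)
        elif isinstance(value, dict):
            clean[key] = redact_metadata(value)
        else:
            clean[key] = value
    return clean


def make_audit_entry(event_type, tenant_id, request_id, result, metadata, now=None):
    """Build one structured-JSON audit line with the six documented fields."""
    timestamp = (now or datetime.now(timezone.utc)).isoformat()
    entry = {
        "timestamp": timestamp,
        "event_type": event_type,
        "tenant_id": tenant_id,
        "request_id": request_id,
        "result": result,
        "metadata": redact_metadata(metadata),
    }
    # sort_keys gives a canonical encoding, which the hash chain below relies on.
    return json.dumps(entry, sort_keys=True)


class AppendOnlyLog:
    """Assumed tamper-evident store: each record carries the hash of the previous one."""

    def __init__(self):
        self.records = []  # list of (prev_hash, line, this_hash)

    def append(self, line: str) -> str:
        prev_hash = self.records[-1][2] if self.records else "0" * 64
        this_hash = hashlib.sha256((prev_hash + line).encode("utf-8")).hexdigest()
        self.records.append((prev_hash, line, this_hash))
        return this_hash

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered record breaks it."""
        expected_prev = "0" * 64
        for prev_hash, line, this_hash in self.records:
            if prev_hash != expected_prev:
                return False
            if hashlib.sha256((prev_hash + line).encode("utf-8")).hexdigest() != this_hash:
                return False
            expected_prev = this_hash
        return True


if __name__ == "__main__":
    # Constructed sample event: a KEM decrypt whose request carried secrets.
    line = make_audit_entry(
        "kem_decrypt", "tenant-1234", "req-abc", "success",
        {"api_key": "qp_live_EXAMPLE_KEY_0001", "key_id": "k-42",
         "request": {"private_key": "-----BEGIN PRIVATE KEY-----", "plaintext": "hello"}},
    )
    print(line)
    log = AppendOnlyLog()
    log.append(line)
    print("chain valid:", log.verify())
```

Running the block prints one JSON line in which `api_key` has become a `sha256:` fingerprint and the nested `private_key` and `plaintext` values read `[REDACTED]`, followed by the chain check. The recursion matters in practice: secrets are often nested inside a request object rather than sitting at the top level, and a flat redaction pass would miss them.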
Security Contact
If you have questions about Qpher's compliance posture, need documentation for a procurement review, or want to report a security concern:
- Security team: security@qpher.ai
- Legal team: legal@qpher.ai
- Trust center: qpher.ai/trust