Security at QCrypton

Last updated: May 22, 2026

Security is not just a feature of QCrypton — it is the foundation of everything we build. As a quantum-resilient security platform, we hold ourselves to the highest standards of security practice.

Infrastructure Security

QCrypton's infrastructure is designed with defense-in-depth principles:

  • Encryption in transit: All communications use TLS 1.3 with post-quantum-ready cipher suites
  • Encryption at rest: All data is encrypted using AES-256-GCM with HKDF-SHA3-256 derived keys
  • Network isolation: Multi-layer network segmentation with strict firewall rules
  • DDoS protection: Enterprise-grade DDoS mitigation at the edge
  • WAF: Web Application Firewall with custom rules for API protection

Authentication & Access Control

  • SSO: SAML 2.0, OAuth 2.0, and per-tenant OIDC support
  • MFA: Multi-factor authentication available for all accounts
  • SCIM 2.0: Automated user provisioning and deprovisioning
  • RBAC: Fine-grained role-based access control with permission overrides
  • IP allowlisting: Restrict access by IP address or CIDR range
  • Per-user rate limiting: Configurable rate limits per user and API key
  • Session management: Secure session handling with configurable timeouts

Cryptographic Standards

All cryptographic implementations follow published standards with zero external crypto dependencies:

  • HPKE (RFC 9180) with DHKEM(X25519) + AES-256-GCM
  • LSH-256 (KS X 3262) for quantum-resistant hashing
  • BB84 QKD with enhanced eavesdrop detection
  • HSM integration with FIPS 140-3 Level 3 validated hardware (Entrust nShield, AWS KMS, Azure Key Vault, Google Cloud KMS, Thales Luna)
  • NIST PQC algorithms: ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205)

Compliance

  • SOC 2 Type II: Audited controls for security, availability, and confidentiality
  • ISO 27001:2022: Information security management system certification
  • 44+ controls: Comprehensive control framework with live tenant statistics
  • GDPR: Article 17 data deletion, Article 20 data export (JSON/CSV)
  • Audit logging: Full audit trail with severity filtering and SIEM forwarding

Data Protection

  • Multi-tenant data isolation with strict tenant boundaries
  • Shamir secret sharing (GF(256), k-of-n threshold) for key management
  • AES-256-GCM encrypted vault with version tracking
  • Automated data retention policies
  • GDPR-compliant data export and deletion

Application Security

  • 13 runtime threat scanners protecting against prompt injection, data exfiltration, credential stuffing, and more
  • Automated code scanning across 6 languages for weak cryptography
  • Input sanitization middleware strips malicious patterns
  • SARIF 2.1.0 output for GitHub Security tab integration
  • CI/CD quality gate with configurable policies

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to:

  • Email: security@qcryptonapp.com
  • Please include a detailed description of the vulnerability, steps to reproduce, and potential impact
  • We will acknowledge receipt within 24 hours and provide an initial assessment within 72 hours
  • We ask that you do not publicly disclose the vulnerability until we have had an opportunity to address it

Incident Response

QCrypton maintains a documented incident response plan with the following SLAs:

  • Critical: Response within 1 hour, resolution target within 4 hours
  • High: Response within 4 hours, resolution target within 24 hours
  • Medium: Response within 1 business day, resolution target within 5 business days
  • Low: Response within 2 business days, resolution target within 30 days

Contact

For security-related inquiries, please contact security@qcryptonapp.com.