Compliance
Qpher uses NIST-standardized post-quantum algorithms and is working toward industry certifications to meet enterprise compliance requirements.
NIST PQC Standards Alignment
Qpher exclusively uses NIST-standardized post-quantum algorithms. Kyber768 (ML-KEM-768, NIST FIPS 203) provides key encapsulation at NIST Security Level 3, and Dilithium3 (ML-DSA-65, NIST FIPS 204) provides digital signatures at NIST Security Level 3. Both algorithms are implemented via liboqs-python, the Open Quantum Safe project library. No proprietary or non-standard cryptographic algorithms are used.
Reference: ADR-0002
SOC 2 Type II Roadmap
Qpher is pursuing SOC 2 Type II certification on a phased timeline.
Phase 1 (current, v1.0): security controls are documented and published in this trust center.
Phase 2 (planned, v1.1): engage an independent audit firm for a SOC 2 Type I point-in-time assessment covering Trust Services Criteria CC6 (Access Controls), CC7 (System Operations), CC8 (Change Management), CC9 (Risk Mitigation), and A1 (Availability).
Phase 3 (planned, v1.2): complete the SOC 2 Type II observation period (6-12 months).
SOC 2 reports will be available to customers under NDA upon certification.
Reference: ADR-0022
GDPR
Qpher is designed for compliance with the EU General Data Protection Regulation (GDPR). Qpher acts as a Controller for customer account and billing data and as a Processor for customer cryptographic data (ciphertext, key pairs). Customer plaintext submitted for encryption is transient and never stored, logged, or persisted. GDPR rights are supported: data access and export (Art. 15), rectification (Art. 16), erasure with 30-day processing (Art. 17), portability (Art. 20), restriction of processing (Art. 18), and 72-hour breach notification (Art. 33). A Data Processing Agreement (DPA) is available at /legal/dpa for enterprise customers.
CCPA
Qpher is designed for compliance with the California Consumer Privacy Act (CCPA). The categories of personal information collected include identifiers (email, name), commercial information (billing records), and internet activity (API usage logs). Qpher does not sell personal information. CCPA rights are supported through the same mechanisms as GDPR: right to know (data export), right to delete (account deletion with 30-day processing), and right to non-discrimination (no price or service differences for exercising privacy rights).