QuantumAPI

Architecture & Security

QuantumAPI is built from the ground up for post-quantum security and European data sovereignty. This page explains the security architecture you are selling to your customers.

Architecture overview (diagram, top to bottom):

Edge Services + WAF (OWASP Top 10)
TLS 1.3: End-to-End Encryption
YARP API Gateway: Rate Limiting & Audit Logging
QuantumAPI: Encryption-as-a-Service · ML-KEM · ML-DSA · SLH-DSA · FIPS 203 / 204 / 205
QuantumID: Identity & Access · OpenIddict · SSO · OIDC · MFA · Federation
QuantumVault: Key Management System · AES-256-GCM · QRNG nonces · Envelope Encryption
PostgreSQL 16: Per-tenant encryption · Row-level security · Isolated databases · Encrypted at rest
Redis 7: Sessions · Rate limit counters · QRNG entropy buffer
Kubernetes · Scaleway Cloud (France) · GDPR by Design · NIS2 Ready

🇪🇺 100% EU Sovereignty: All data stays in Europe
No US Cloud Act exposure · Scaleway France (DC3/DC5) · ISO 27001 certified

Security layers explained

Edge Services + WAF

All traffic passes through Scaleway Edge Services with a Web Application Firewall configured for OWASP Top 10 protection. DDoS mitigation and bot detection are included.

TLS 1.3 everywhere

All connections (client-to-edge, edge-to-gateway, inter-service, and database) use TLS 1.3. Certificates are managed automatically by cert-manager with Let's Encrypt.

YARP API Gateway

The .NET YARP reverse proxy handles rate limiting, audit logging, and request routing. Rate limits are applied per tenant and per API key, with configurable quotas.

Post-Quantum Cryptography (NIST PQC)

All cryptographic operations use NIST-standardized post-quantum algorithms: ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for signatures. These are combined with AES-256-GCM for symmetric encryption.

Per-tenant encryption

Each tenant has isolated encryption keys. Data at rest is protected with envelope encryption: AES-256-GCM with QRNG-generated nonces, wrapped by a per-tenant master key. Row-level security ensures complete tenant isolation at the database level.
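The envelope pattern described above, as an added example (not QuantumAPI or QuantumVault code). It assumes Node.js's built-in crypto module, an in-memory map standing in for the key management system, the OS CSPRNG in place of a QRNG, and AES-256-GCM for wrapping the data key; binding the tenant ID as associated data is an added design choice, and all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for a KMS: one 256-bit master key (KEK) per tenant.
// The OS CSPRNG is used here in place of the QRNG source the page describes.
const tenantMasterKeys = new Map([
  ['tenant-a', crypto.randomBytes(32)],
  ['tenant-b', crypto.randomBytes(32)],
]);

function gcmSeal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12); // fresh random 96-bit nonce per seal
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad); // authenticated but not encrypted
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { nonce, ct, tag: c.getAuthTag() };
}

function gcmOpen(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.nonce);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws on tag mismatch
}

function masterKeyFor(tenantId) {
  const kek = tenantMasterKeys.get(tenantId);
  if (!kek) throw new Error('unknown tenant');
  return kek;
}

function encryptForTenant(tenantId, plaintext) {
  const aad = Buffer.from(tenantId);      // binds both layers to this tenant
  const dek = crypto.randomBytes(32);     // fresh data key (DEK) per record
  const data = gcmSeal(dek, Buffer.from(plaintext), aad);
  const wrappedDek = gcmSeal(masterKeyFor(tenantId), dek, aad);
  dek.fill(0);                            // only the wrapped DEK is kept
  return { tenantId, data, wrappedDek };
}

function decryptForTenant(tenantId, record) {
  const aad = Buffer.from(tenantId);
  const dek = gcmOpen(masterKeyFor(tenantId), record.wrappedDek, aad);
  try {
    return gcmOpen(dek, record.data, aad).toString();
  } finally {
    dek.fill(0);
  }
}
```

A record sealed for one tenant fails authentication when opened under another tenant's master key, and any modification of the stored ciphertext is rejected by the GCM tag check.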

EU Sovereignty

All infrastructure runs on Scaleway Cloud in France (DC3/DC5 data centers). No data leaves the EU. No US Cloud Act exposure. ISO 27001 certified infrastructure. Compliant with GDPR and ready for NIS2 directive requirements.

Compliance

| Standard | Status | Details |
|---|---|---|
| GDPR | Compliant | Data processing in EU, DPA available, right to erasure supported |
| NIS2 | Ready | Security measures aligned with NIS2 essential entity requirements |
| NIST PQC | Implemented | FIPS 203, 204, 205 algorithms in production |
| SOC 2 Type II | In progress | Audit scheduled, controls implemented |
| ISO 27001 | Infrastructure | Scaleway DC3/DC5 certified. Application-level certification planned |