Comprehensive answers to common questions about QNSP's quantum-native security platform.

Frequently Asked Questions

Comprehensive answers to common questions about QNSP's quantum-native security platform.

QNSP (Quantum-Native Security Platform) is an enterprise security platform providing post-quantum cryptography (PQC) protection for AI workloads, document management, and secrets vault services. Built by CUI Labs, QNSP delivers PQC-signed JWT authentication, quantum-resistant key management, tamper-evident audit chains, and encrypted storage with searchable encryption.

When was QNSP created?

QNSP was conceived, architected, and engineered starting in December 2020. The current monorepo was bootstrapped in November 2025.

What makes QNSP different from other security platforms?

QNSP is PQC-native by design, not retrofitted. Every component—from authentication tokens to storage encryption—uses NIST-standardized post-quantum algorithms (FIPS 203, 204, 205). The platform provides:

Zero-trust ingress with PQC token validation at the edge
Hardware enclave support (8 types: Intel SGX, AMD SEV, NVIDIA CC, Intel TDX, ARM TrustZone, ARM CCA, AWS Nitro, IBM Secure Execution)
Cryptographic attestation with automated compliance checks (CNSA 2.0, FIPS 140-3)
Tamper-evident audit trails with Merkle checkpointing and PQC signatures

Is QNSP open source?

QNSP uses a multi-license model:

Public SDKs: Apache-2.0 (12 TypeScript packages on npm)
Core platform: BUSL-1.1 (Business Source License) with Change License to GPL-2.0-or-later
Patent materials: Proprietary

Post-Quantum Cryptography

What PQC algorithms does QNSP use?

QNSP implements NIST-standardized PQC algorithms:

Key Encapsulation (FIPS 203 - ML-KEM):

ML-KEM-512 (Kyber-512): Security level 1
ML-KEM-768 (Kyber-768): Security level 3 (default)
ML-KEM-1024 (Kyber-1024): Security level 5

Digital Signatures (FIPS 204 - ML-DSA):

ML-DSA-44 (Dilithium-2): Security level 2 (default for JWTs)
ML-DSA-65 (Dilithium-3): Security level 3
ML-DSA-87 (Dilithium-5): Security level 5

Hash-Based Signatures (FIPS 205 - SLH-DSA):

SLH-DSA (SPHINCS+): Conservative hash-based signatures for maximum assurance

Alternative Signatures:

Falcon-512: Compact signatures for bandwidth-constrained applications
Falcon-1024: Higher security level with compact signatures

All algorithms are NIST-approved and production-ready.

Why should I care about quantum computing threats now?

Harvest Now, Decrypt Later (HNDL) attacks are happening today. Adversaries collect encrypted data now and will decrypt it once cryptographically relevant quantum computers (CRQC) become available. The forecast window for CRQC is 2030-2035 (5-10 years from now).

Risk surface includes:

Long-term data archives and backups
AI training datasets and model weights
Encrypted communications and stored messages
Digital signatures on legal documents
PKI certificates and key material

Organizations should treat long-lived confidential data as exposed unless PQC migration plans are actively underway.

How does QNSP protect against quantum attacks?

QNSP uses a defense-in-depth approach:

PQC-Native Encryption: All data at rest encrypted with ML-KEM-768 (storage, vault, databases)
PQC-Signed Tokens: All JWTs signed with ML-DSA (Dilithium-2/3/5)
PQC-TLS: Hybrid TLS 1.3 with PQC key exchange at edge gateway
Hardware Enclaves: Encrypted AI training/inference in TEEs with attestation
Cryptographic Attestation: Real-time compliance monitoring and policy enforcement
Tamper-Evident Audit: Merkle-chained logs with PQC signatures

Can I use classical cryptography instead of PQC?

No. QNSP is PQC-native by design. Classical fallbacks are disabled by default to prevent downgrade attacks. This is a deliberate security decision—organizations using QNSP are explicitly choosing quantum-resistant protection.

What is the performance impact of PQC?

PQC algorithms have larger key sizes and signatures compared to classical algorithms:

ML-KEM-768 public keys: ~1.2KB (vs RSA-2048: 256 bytes)
ML-DSA-3 signatures: ~3.3KB (vs ECDSA P-256: 64 bytes)

However, QNSP optimizes performance through:

Hardware acceleration where available
Efficient caching strategies (5-minute default TTL for auth tokens)
Batch operations for bulk encryption/signing
Enclave pre-warming for AI workloads

In practice, the performance impact is negligible for most workloads (<5% overhead).

Pricing & Tiers

How does the free tier work?

The free tier is free forever for everyone—from individual users to global enterprises. No credit card required, no time limits.

Free tier includes:

5GB quantum-secure storage
2,000 API calls/month
PQC storage + limited KMS (1 key, 5,000 ops/month)
Full access to all 12 TypeScript SDKs
Community support

Perfect for POCs, pilots, and small-scale production workloads.

What happens when I exceed free tier limits?

When you approach your limits, you'll receive notifications via the cloud portal. Your account will be rate-limited until you upgrade or your monthly quota resets. There's no automatic overage billing.

Can I upgrade or downgrade my plan?

Yes. You can upgrade anytime through the cloud portal with immediate effect. Downgrades take effect at the end of your current billing period. Annual plans offer 15-20% savings compared to monthly billing.

What features require paid tiers?

Feature tier requirements (from packages/shared-kernel/src/tier-limits.ts):

Feature	Minimum Tier	Description
Storage	Free	Quantum-secure storage (all tiers)
Search	Free	Full-text and vector search (all tiers)
Vault	Dev Pro	Secrets management with envelope encryption
SSE	Dev Pro	Server-side encryption for search
AI Inference	Dev Pro	AI inference (non-enclave)
Enclaves	Enterprise Standard	Secure enclave execution (8 hardware types)
AI Training	Enterprise Pro	Encrypted AI training and fine-tuning

What SDKs are available?

QNSP provides 12 TypeScript SDKs published to npm under the @qnsp scope:

@qnsp/auth-sdk - Authentication, FIDO2 passkeys, Personal Access Tokens (PATs), session management
@qnsp/vault-sdk - Secrets management, credential storage, lease rotation
@qnsp/storage-sdk - Document upload/download, lifecycle management, compliance controls
@qnsp/search-sdk - Full-text search, SSE token filtering, index optimization
@qnsp/ai-sdk - AI workload orchestration, enclave management, GPU scheduling
@qnsp/kms-client - PQC envelope encryption client, BYOK workflows, signing helpers
@qnsp/tenant-sdk - Tenant management, subscription, metadata operations
@qnsp/billing-sdk - Invoice management, usage tracking, payment processing
@qnsp/access-control-sdk - Policy management, capability tokens, authorization flows
@qnsp/audit-sdk - Audit log querying, compliance reporting, event retrieval
@qnsp/crypto-inventory-sdk - Crypto asset discovery, PQC migration tracking, inventory management
@qnsp/browser-sdk - Browser-compatible PQC encryption: client-side encryption, signing, key encapsulation

All SDKs are free and included with every tier. View them at npmjs.com/org/qnsp.

What are the tier storage and API limits?

Tier	Storage	API Calls/Month	Price
Free	5GB	2,000	$0 forever
Dev Starter	50GB	50,000	$99/mo
Dev Pro	200GB	250,000	$450/mo
Dev Elite	500GB	500,000	$599/mo
Business Team	500GB	1M	$1,499/mo
Business Advanced	2TB	5M	$3,999/mo
Business Elite	3.5TB	7.5M	$5,999/mo
Enterprise Standard	5TB	10M	$7,999/mo
Enterprise Pro	10TB	25M	$14,999/mo
Enterprise Elite	Unlimited	Unlimited	Custom
Specialized	Custom	Custom	Custom

Annual plans offer 15-20% savings. Enterprise Elite and Specialized tiers include custom configurations.

Technical Implementation

What hardware enclaves does QNSP support?

QNSP supports 8 hardware enclave types with cryptographic attestation:

Intel SGX (MEE) - Memory Encryption Engine
AMD SEV - Memory Guard + SEV-SNP
NVIDIA CC - GPU memory encryption
Intel TDX (TME) - Total Memory Encryption (supports Google Cloud Confidential VMs/GKE)
ARM TrustZone - ARM secure world isolation
ARM CCA/RME - Confidential Compute Architecture (supports Google Cloud Confidential GKE)
AWS Nitro Enclaves - AWS-specific enclave technology
IBM Secure Execution - IBM Z and LinuxONE secure execution

All enclaves provide hardware-backed isolation and attestation. Available on Enterprise Standard tier and above.

How does QNSP integrate with HSMs?

QNSP supports PKCS#11 integration with major HSM vendors:

Thales Luna - Network HSM and PCIe HSM
Entrust nShield - Connect and Edge HSMs
AWS CloudHSM - FIPS 140-2 Level 3 validated
Azure Dedicated HSM - Thales Luna-based

The certification level depends on your selected HSM and deployment environment. Root keys can be HSM-backed for high-security deployments. HSM integration is configured via environment variables in KMS service.

Can I use QNSP APIs without SDKs?

Yes. QNSP provides REST APIs with OpenAPI specifications and WebSocket APIs for real-time operations. However, the TypeScript SDKs handle:

PQC token management and refresh
Automatic retry logic with exponential backoff
Request signing and authentication
Type-safe interfaces
Tier-aware feature gating

Using SDKs is strongly recommended for production deployments.

What authentication methods does QNSP support?

User Authentication:

Email/password with PQC-signed JWTs
FIDO2 passkeys (WebAuthn)
OAuth 2.0 / OIDC federation (SSO)
Multi-factor authentication (MFA)

Service Authentication:

Service accounts with long-lived credentials
Personal Access Tokens (PATs) with PQC tier-aware signing
Capability tokens for fine-grained access control

Token Details:

Access tokens: 15 minutes TTL (default)
Refresh tokens: 30 days TTL (default)
All JWTs signed with ML-DSA (Dilithium-2/3/5)

How does searchable encryption work?

QNSP implements server-side encryption (SSE) for search:

Client-side: Generate SSE key (AES-256-GCM)
Indexing: Documents encrypted with SSE key before indexing
Search: Query tokens encrypted with same SSE key
Results: Encrypted results returned, decrypted client-side

SSE ensures the search service never sees plaintext data. Available on Dev Pro tier and above.

What is the audit trail architecture?

QNSP provides tamper-evident audit trails with:

Event Logging:

30 crypto-critical event types across 7 services
Structured JSON format with requestId/traceId propagation
Severity levels: info → critical

Cryptographic Protection:

Each event signed with ML-DSA-3 (Dilithium-3)
SHA3-512 hash chains linking events
Merkle tree checkpoints every N events
Checkpoint signatures for batch verification

Compliance Export:

SIEM integration (Splunk, Datadog)
6 additional integrations (Slack, GitHub, AWS, Azure, GCP, Okta)
Configurable retention policies
Immutable storage with WORM guarantees

What is Cryptographic Attestation?

Cryptographic Attestation provides real-time visibility into your cryptographic posture:

Features:

NIST algorithm registry with lifecycle status (Final/Draft/Deprecated)
CBOM (Cryptographic Bill of Materials) export with SHA3-256 hash
Automated compliance checks (CNSA 2.0, FIPS 140-3)
Policy enforcement: audit mode or hard-block mode
Migration planning for deprecated algorithms

Access:

Public endpoint: /platform/v1/crypto/posture/public
TLS evidence: /platform/v1/crypto/tls/evidence/public
Admin dashboard: Cloud portal → Security → Crypto Attestation

Deployment & Operations

What deployment options are available?

QNSP Cloud (Fully managed SaaS):

Multi-tenant shared infrastructure
Available regions: Singapore (ap-southeast-1), N. Virginia (us-east-1), Ireland (eu-west-1)
Public endpoints: api.qnsp.cuilabs.io
Free tier available immediately

Private/VPC (Customer-controlled cloud):

Single-tenant compute in your AWS/Azure/GCP account
Full network isolation with VPC peering or PrivateLink
Custom compliance configurations
Available on Enterprise tiers

On-Premises (Air-gapped/sovereign):

Partner-delivered installations
Air-gapped operation support
Custom HSM integration
Sovereign cloud requirements
Available on Specialized tier

All deployment models support the same APIs and SDKs.

Can I self-host QNSP?

Yes. Enterprise and government customers can deploy QNSP in private/VPC environments or on-premises through partner-delivered installations. Self-hosted deployments support:

Air-gapped operation
Custom HSM integration
Sovereign cloud requirements
Data residency controls
Offline signing workflows

Contact enterprise@cuilabs.io for self-hosted deployment options.

Does QNSP support multi-region deployments?

Yes. Business Advanced tier and above include multi-region PQC support. You can:

Specify primary region for data storage
Configure allowed regions for processing
Set replication restrictions
Enforce data residency requirements

Enterprise tiers support custom region configurations and cross-region disaster recovery.

What is the platform uptime guarantee?

Uptime commitments (if any) are defined in your subscription terms and, for Enterprise, in your signed agreement.

SLO targets for hosted production are documented in the observability section. SLA coverage and credits depend on plan and contract.

Monitor real-time service health:

Status page: qnsp.cuilabs.io#overview
Live metrics: Cloud portal dashboard
Public health endpoints: /health and /ready on all services

How do I monitor QNSP services?

Observability Stack:

OTLP streaming for metrics and traces
Prometheus-compatible metrics endpoints
Structured JSON logging with correlation IDs
Health checks: /health (liveness), /ready (readiness)

Integration Options:

Datadog, Splunk, New Relic, Grafana
AWS CloudWatch, Azure Monitor, Google Cloud Monitoring
Custom OTLP collectors

Key Metrics:

Request latency (p50, p95, p99)
Error rates by service and endpoint
Token issuance and validation rates
Storage and KMS operation throughput
Enclave attestation success rates

Compliance & Security

Is QNSP FIPS 140-3 certified?

QNSP uses NIST-standardized PQC algorithms (FIPS 203, 204, 205). For deployments requiring FIPS 140-3 certification, you can integrate customer-managed HSMs that hold the appropriate certification level.

FIPS-Approved Algorithms:

ML-KEM (FIPS 203): Key encapsulation
ML-DSA (FIPS 204): Digital signatures
SLH-DSA (FIPS 205): Hash-based signatures

Certification level depends on your selected HSM and deployment environment.

Yes. QNSP supports:

Data residency controls: Specify primary region and allowed processing regions
Right to be forgotten: Crypto shredding for instant data deletion
Data minimization: Configurable retention policies
Access logging: Complete audit trail of data access
Encryption at rest: All data encrypted with PQC algorithms
Tenant isolation: Strict multi-tenant boundaries

Multi-region deployments allow you to enforce EU data residency for GDPR compliance.

Is QNSP FedRAMP authorized?

QNSP follows FedRAMP roadmap requirements and supports IL5/FedRAMP High alignment for deployment-specific configurations. For classified or sensitive government workloads, we offer:

Private/VPC deployments
Air-gapped installations
Customer-controlled HSM integration
ITAR program support (deployment-specific)
Data residency guarantees

Contact enterprise@cuilabs.io for government deployment options.

What compliance certifications does QNSP have?

Current Status:

SOC 2 Type II: In progress
ISO 27001 (ISMS): In progress
ISO 9001 (QMS): In progress
ISO 14001 (EMS): In progress
ISO 45001 (OH&S): In progress
ISO 22301 (BCMS): In progress
HIPAA: Compliant architecture (BAA available for Enterprise)
GDPR: Compliant
PCI DSS: Not applicable (no payment card processing)

Compliance Frameworks Supported:

NIST Cybersecurity Framework
NIST 800-53 controls
CIS Controls
CNSA 2.0 (Commercial National Security Algorithm Suite)

How does QNSP handle security incidents?

Incident Response:

Detection: Real-time monitoring and alerting
Containment: Automatic token revocation and resource quarantine
Remediation: 5-step key compromise response (record → rotate → rewrap → revoke → audit)
Recovery: Automated failover and service restoration
Post-mortem: Root cause analysis and prevention measures

Key Compromise Response (automated):

Record compromise event in audit log
Rotate affected keys via KMS
Rewrap encrypted data with new keys
Revoke capability tokens
Generate correlation report across services

Downgrade Attack Remediation:

Protocol tracking: PQC-TLS → TLS 1.3 → TLS 1.2
Algorithm monitoring: ML-DSA → ECDSA downgrades
Automatic IP/user blocking on critical severity
Escalation to key compromise handler

How do I report a security vulnerability?

Security Contact: qnsp-security@cuilabs.io

Responsible Disclosure:

Email details to qnsp-security@cuilabs.io
Include: vulnerability description, reproduction steps, impact assessment
Allow 90 days for remediation before public disclosure
We'll acknowledge within 48 hours

Bug Bounty: Coming soon (post-GA)

Migration & Integration

How do I migrate from HashiCorp Vault?

QNSP provides migration tooling for Vault:

Inventory: Use crypto-inventory-service to discover Vault secrets
Export: Export secrets from Vault (requires admin access)
Import: Bulk import to QNSP Vault with PQC encryption
Validation: Verify secret integrity and access policies
Cutover: Update applications to use QNSP SDKs

See Migration Guide for detailed steps.

How do I migrate from AWS KMS/Secrets Manager?

Similar process to Vault migration:

Discovery: Inventory AWS KMS keys and Secrets Manager secrets
BYOK: Import existing keys to QNSP KMS (optional)
Rewrap: Re-encrypt data with PQC keys
Update: Modify applications to use QNSP SDKs
Validate: Test encryption/decryption workflows

QNSP supports BYOK (Bring Your Own Key) for smooth migration.

Can I use QNSP with existing CI/CD pipelines?

Yes. QNSP integrates with:

GitHub Actions: Use service accounts or PATs for authentication
GitLab CI: Environment variables for credentials
Jenkins: Credential plugins for secret injection
CircleCI: Context-based secret management

Best Practices:

Use service accounts (not user credentials) in CI/CD
Rotate PATs regularly (30-90 days)
Scope tokens to minimum required permissions
Store tokens in CI/CD secret managers (not in code)

Does QNSP support Terraform?

Yes. QNSP provides Terraform provider for infrastructure-as-code:

provider "qnsp" {
  api_url = "https://api.qnsp.cuilabs.io"
  token   = var.qnsp_token
}

resource "qnsp_tenant" "example" {
  name = "acme-corp"
  tier = "business-advanced"
}

See Integrations → Terraform for full documentation.