Enterprise Terms of Service
Last updated: 2025-12-20
1. Introduction
These Enterprise Terms govern the use of QuantumAuth’s authentication platform (“Service”). QuantumAuth is designed to provide secure, device-bound, cryptographic authentication using hardware-backed key storage (TPMs, secure enclaves, hardware security modules, or equivalent technologies).
By accessing or using the Service, you agree to these Terms. If you are entering into this agreement on behalf of an organization, you represent that you have the authority to do so.
2. Compliance Framework Alignment (ISO 27001 / SOC 2)
QuantumAuth maintains security, operational, and governance practices aligned with ISO/IEC 27001 and SOC 2 Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy).
These include, but are not limited to:
- Formal risk management and security governance processes.
- Access control based on least privilege and role-based authorization.
- Mandatory logging, monitoring, and incident response procedures.
- Vendor and supply-chain risk management reviews.
- Secure software development lifecycle (SSDLC) controls.
- Encryption of data in transit using modern cryptographic standards.
- Separation of duties, change management, and code review policies.
QuantumAuth may provide compliance documentation (e.g., policy summaries, SOC bridge letters, or security overviews) upon reasonable request for enterprise evaluation.
3. Customer Responsibilities
Under the shared responsibility model, customers retain responsibility for:
- Securing devices, servers, and environments where QuantumAuth is deployed.
- Managing user identities, access configurations, and authorization logic.
- Safeguarding recovery keys, device credentials, and backup hardware.
- Ensuring that administrators follow internal governance requirements.
- Configuring integrations according to recommended practices.
QuantumAuth has no access to customer private keys and cannot recover them. Customer-controlled keys remain on customer hardware by design.
4. Zero Access to Cryptographic Secrets
QuantumAuth enforces a strict zero-access architecture for private key material:
- Private keys never leave customer devices or their hardware-backed key storage.
- QuantumAuth cannot decrypt, export, or reconstruct private keys.
- Only public key material and other non-sensitive data (such as signatures) are transmitted to QuantumAuth servers for validation operations.
- Authentication signatures are generated locally on the device and verified by the Service against the corresponding registered public key.
5. Availability & Service Levels
QuantumAuth targets high availability and operational reliability, consistent with enterprise requirements. Specific uptime commitments, performance guarantees, or custom SLAs may be established in a separate enterprise agreement where applicable.
6. Limitation of Liability
To the extent permitted by law, QuantumAuth is not liable for indirect, incidental, consequential, special, or exemplary damages, including but not limited to loss of data, lost revenue, or business interruption.
QuantumAuth is not responsible for damages arising from:
- Misconfiguration of customer integrations or identity systems.
- Loss or compromise of customer-managed private cryptographic keys.
- Customer-side security failures, malware, or device compromise.
- Use of the Service outside recommended or documented practices.
7. Updates to These Terms
QuantumAuth may modify these Terms to reflect evolving regulatory, security, or operational requirements. Updates will be posted on this page. Continued use of the Service constitutes acceptance of the updated Terms.
8. Contact & Compliance Inquiries
For compliance, security, or enterprise procurement questions, contact our security team at: