How It Works

Every Byte. Encrypted. Every Hop.

QuantaSeal sits between your enterprise systems as a quantum-safe cryptographic proxy. Data never travels directly from System A to System B — it passes through QuantaSeal, where it is encrypted with ML-KEM-768 + AES-256-GCM, signed with ML-DSA-65, and audit-logged before moving a single bit.

View All 42 Integrations Platform Architecture

42+

System adapters

ML-KEM-768

Key encapsulation

ML-DSA-65

Digital signatures

Plaintext on the wire

Operating Modes

Three Ways Data Moves Through QuantaSeal

Every data movement — from a single API call to a continuous bidirectional sync — uses the same post-quantum encryption envelope and the same immutable audit trail.

Outbound Proxy

Your app calls QuantaSeal. QuantaSeal encrypts the payload with ML-KEM-768 + AES-256-GCM, signs it with ML-DSA-65, then forwards the encrypted envelope to the target system.

Salesforce → QuantaSeal → AWS S3

App sends plaintext to QuantaSeal API
QuantaSeal wraps in PQC envelope
Encrypted payload forwarded to target
Audit log written with SHA3-256 hash chain

Inbound Proxy

An external system sends an encrypted payload to QuantaSeal. QuantaSeal verifies both ML-DSA-65 and HMAC-SHA-512 signatures, checks the replay nonce, then decrypts and delivers to your system.

AWS S3 trigger → QuantaSeal → Salesforce

External system delivers encrypted envelope
Replay nonce checked in Redis (5-min window)
Both signatures verified before decryption
Plaintext delivered to destination system

Bidirectional Sync

QuantaSeal continuously reads from both systems, applies your field mappings, resolves conflicts, and writes encrypted records to both sides — with checkpoint-based pause and resume.

Salesforce Contacts ↔ Snowflake

Read changes from both systems since last sync
Apply field mapping and transforms
Detect and resolve conflicts (newest-wins / manual)
Write encrypted records to both sides

PQC Envelope

Inside the Encryption Envelope

Every payload — regardless of source or destination — is wrapped in the same four-layer HybridCryptoEnvelope before any data leaves QuantaSeal.

ML-DSA-65 Signature

NIST FIPS 204 — ~3,309 bytes

Verified BEFORE decryption begins

HMAC-SHA-512 Signature

64 bytes — belt-and-suspenders auth

Both signatures must pass (bitwise &)

AES-256-GCM Ciphertext

Your actual payload — encrypted

Key derived via HKDF-SHA-512

ML-KEM-768 Encapsulation

NIST FIPS 203 — ~1,088 bytes

Ephemeral shared secret per request

tenant_id · nonce (never logged) · algorithm: ML-KEM-768+AES-256-GCM+ML-DSA-65+HMAC-SHA-512

Hybrid mode is mandatory

ML-KEM-768 encapsulates the shared secret. HKDF-SHA-512 stretches it to 32 bytes. AES-256-GCM encrypts your data. Pure PQC or pure classical is never used.

Both signatures must pass

ML-DSA-65 and HMAC-SHA-512 are verified with a bitwise & — not a short-circuit &&. If either fails, decryption never starts. This prevents chosen-ciphertext attacks.

End-to-End Example

Salesforce → AWS S3, Step by Step

Trace a single outbound proxy call from the moment your app sends plaintext to when the encrypted object lands in S3 — with every security check in between.

Salesforce

QuantaSeal

AWS S3

Authenticate

JWT validated by QuantaSeal API. Tenant ID extracted from the access token — every subsequent query is scoped to this tenant.

Load PQC Keys

ML-KEM-768 and ML-DSA-65 keypairs fetched from the DB. Private keys are KMS-wrapped and never written to disk in plaintext.

Encrypt & Sign

Payload wrapped in a HybridCryptoEnvelope: ML-KEM-768 encapsulation → HKDF-SHA-512 → AES-256-GCM encrypt → ML-DSA-65 + HMAC-SHA-512 sign.

Unseal Credentials

Integration credentials are KMS-unwrapped and PQC-decrypted in memory. For Salesforce, a JWT Bearer token is signed inside the Nitro Enclave — the private key never leaves it.

Check Allowlist

Operation compared against Integration.allowed_operations. "put" not in the list? 403 returned before any network call is attempted. Default-deny by design.

SSRF Guard

Target URL DNS-resolved and validated. Private IP ranges (10.x, 192.168.x, 172.16–31.x, 127.x) and internal suffixes (.local, .internal) are blocked unconditionally.

Forward to Target

Encrypted envelope sent to AWS S3 via httpx with AWS Signature v4 headers. S3 stores the ciphertext — it never sees plaintext. Object metadata tags the file as QuantaSeal-encrypted.

Audit & Return

INTEGRATION_PROXY_OUTBOUND logged to AuditLog with SHA3-256 hash chain entry and ML-DSA-65 signature. Response returned to caller.

What AWS S3 actually stores

{
  "encrypted": {
    "ciphertext_kem":  "e3b0c44298fc1c149af...",  // ML-KEM-768 ~1088 bytes
    "ciphertext_data": "9f86d081884c7d65...",      // AES-256-GCM ciphertext
    "nonce":           "[NEVER LOGGED]",            // 12-byte GCM nonce
    "tenant_id":       "a1b2c3d4-...",
    "algorithm":       "ML-KEM-768"
  },
  "signature": {
    "pqc_signature":  "3082014a0201003...",         // ML-DSA-65 ~3309 bytes
    "hmac_signature": "a665a45920422f9...",         // HMAC-SHA-512 64 bytes
    "algorithm":      "ML-DSA-65+HMAC-SHA-512"
  }
}
// S3 object metadata:
// x-amz-meta-quantaseal-encrypted: true
// x-amz-meta-quantaseal-tenant-id: a1b2c3d4-...

Bidirectional Sync

Keep Two Systems In Sync — Automatically

Define field mappings, choose a conflict strategy, and let QuantaSeal continuously reconcile data between any two connected systems with checkpoint-based pause and resume.

Sync Modes

full_batch

Read every record and write all to target. Use for initial loads.

incremental

Only records modified since the last run (timestamp/cursor based).

cdc

Real-time change data capture. Salesforce CometD, Kafka consumer groups.

bidirectional

Two-way sync with conflict detection and resolution on both sides.

Conflict Resolution

source_wins

Source version always overwrites target.

target_wins

Target version is preserved, source changes ignored.

newest_wins

Record with the later LastModifiedDate wins.

manual_review

Both versions stored; flagged _conflict: true for human review.

Checkpointing: Progress stored in Redis after every page (default 200 records). Jobs can be paused mid-run and resumed exactly from the last cursor.

Field Mapping Transforms

Map any source field to any target field with built-in transforms. Mark sensitive fields encrypt_in_transit: true for a second PQC encryption layer at the field level.

DIRECTUPPERCASELOWERCASETRIMTRUNCATEDATE_FORMATCONCATSPLITREGEX_EXTRACTLOOKUPENCRYPTHASHCURRENCY_CONVERTROUNDDEFAULT_VALUE

42 Integrations

Every Enterprise System. One Proxy.

QuantaSeal ships a dedicated adapter for each system — speaking the native protocol (SOQL, OData, AMQP, JDBC, gRPC) while wrapping all traffic in the same PQC envelope.

CRM

Salesforce
HubSpot
Dynamics 365
Zoho
Pipedrive

Cloud Storage

AWS S3
GCP Storage
Azure Blob

Databases

PostgreSQL
MySQL
MongoDB
Snowflake
Elasticsearch

Messaging

Kafka
AWS SQS/SNS
RabbitMQ
Azure Service Bus
GCP Pub/Sub

Identity

Okta
Auth0
Azure AD
Ping Identity

Collaboration

Slack
GitHub
Jira
Teams

Payments

Stripe
Shopify
Twilio

ERP

SAP S/4HANA
Oracle ERP
NetSuite

Don't see your system? Use generic_rest, generic_grpc, or generic_webhook — or build a custom adapter with the Adapter SDK.

View Integration Status Page

Workflow Automation

Multi-Step Pipelines Without Code

Chain integrations together with Workflows — trigger on webhooks, schedules, or CDC events, transform data, encrypt, write to a target system, and notify your team.

Example: Salesforce Lead Created → Enrich → Snowflake → Slack

TriggerWebhook · Schedule · CDC Event · Manual · Integration Event

Vault UnsealRetrieve API key / token from QuantaVault

HTTP / ProxyCall enrichment API or forward to integration

Field MapTransform, coerce, encrypt PII fields

PQC EncryptWrap output in HybridCryptoEnvelope

Write TargetSync to destination system

NotifySlack / Teams / email on success

AuditHash-chained audit log entry

Trigger types

webhook
schedule (cron)
cdc_event
manual
sync_complete

Step actions

ENCRYPT_PAYLOAD
FIELD_MAP
SYNC_DATA
HTTP_REQUEST
BRANCH
DELAY
NOTIFY

Error handling

fail (stop workflow)
skip (continue)
retry (0–10 attempts)
condition expressions

Security Architecture

Seven Layers of Protection. No Exceptions.

Every proxy call, sync batch, and workflow execution passes through the same security stack. There are no fast paths that bypass encryption, audit logging, or tenant isolation.

Tenant Isolation

Every database query includes tenant_id in WHERE. Cross-tenant data access is architecturally impossible. All comparisons use hmac.compare_digest() to prevent timing attacks.

QuantaVault Credentials

Integration credentials sealed with 3-layer encryption: HybridCryptoEnvelope → AWS KMS CMK wrap. Plaintext never persists to disk. Unsealed only for the single request lifetime.

SSRF Protection

Every outbound URL is DNS-resolved and checked against private IP ranges before any HTTP call is made. Trusted SaaS domains (amazonaws.com, salesforce.com) bypass DNS resolution.

Operation Allowlist

Each integration has an allowed_operations list. Default-deny: if the operation is not in the list, the request is rejected before any credential is unsealed.

Replay Prevention

Every inbound request nonce is stored in Redis with a 5-minute TTL. Duplicate nonces are rejected immediately — preventing replayed webhooks and duplicate messages.

Circuit Breaker

All outbound HTTP calls go through a 3-state circuit breaker. After 5 consecutive failures the circuit opens for 30 seconds, preventing cascading failures.

Immutable Audit Trail

Every operation written to AuditLog as a SHA3-256 hash-chained, ML-DSA-65-signed entry. Modifying any entry breaks the chain. Streamed to S3 WORM bucket for long-term retention.

Get Started

Ready to put quantum-safe encryption between your systems?

Connect your first integration in minutes. QuantaSeal provides adapters, SDKs, and a hosted API — no infrastructure to manage on the Starter plan.

Start Free Trial Read the Docs Talk to Sales

QUANTASEAL

{ "encrypted": { "ciphertext_kem": "e3b0c44298fc1c149af...", // ML-KEM-768 ~1088 bytes "ciphertext_data": "9f86d081884c7d65...", // AES-256-GCM ciphertext "nonce": "[NEVER LOGGED]", // 12-byte GCM nonce "tenant_id": "a1b2c3d4-...", "algorithm": "ML-KEM-768" }, "signature": { "pqc_signature": "3082014a0201003...", // ML-DSA-65 ~3309 bytes "hmac_signature": "a665a45920422f9...", // HMAC-SHA-512 64 bytes "algorithm": "ML-DSA-65+HMAC-SHA-512" } } // S3 object metadata: // x-amz-meta-quantaseal-encrypted: true // x-amz-meta-quantaseal-tenant-id: a1b2c3d4-...