Compliance · NEN 7510

How paramant helps comply with NEN 7510

NEN 7510 defines information security requirements for Dutch healthcare. This document explains how paramant contributes to confidentiality, integrity, and availability of patient data in transit.

Standard: NEN 7510:2017+A1:2020
Scope: Dutch healthcare organisations
Related: NEN 7512, NEN 7513, BIO

Summary: NEN 7510 requires healthcare organisations to keep personal data — including medical images, records, and patient communications — confidential, intact, and available. Paramant is purpose-built for this kind of transport: data is transmitted encrypted only, never written to disk, and destroyed on first receipt. Infrastructure runs on Hetzner servers in Germany. No US CLOUD Act, no third party that can read along, no retention.

NEN 7510 §10.1 Cryptographic controls

NEN 7510 §10.1 (based on ISO 27001 A.10.1) requires a policy for the use of cryptographic controls to protect information. Encryption of sensitive data in transit is a baseline requirement.

Post-quantum encryption: Paramant encrypts all data client-side using ML-KEM-768 (NIST FIPS 203, post-quantum key encapsulation) combined with ECDH X25519. Even if quantum computers become available in the future, files that were intercepted and stored earlier cannot be deciphered.

Key management: Encryption takes place exclusively on the sender’s device. The relay receives only encrypted data and never holds the decryption key. The receiver generates their own ephemeral key pair — the private key never leaves the receiver’s device.

No storage risk: No files are written to disk. After receipt, data is wiped from memory (burn-on-read). There is no “data at rest” that would need to be encrypted, because there is no storage.

ML-KEM-768 (FIPS 203) · ECDH X25519 · TLS 1.3 · No disk storage

NEN 7510 §10.1 requires cryptographic controls for sensitive data — paramant delivers post-quantum client-side encryption without the relay ever holding the decryption key.

NEN 7510 §8.2 / §12.4 Information classification & event logging

NEN 7510 §8.2 requires information to be classified and handled in accordance with its sensitivity. §12.4 (log management) requires security-relevant events to be recorded and retained for audit purposes.

No content storage: Paramant stores no content — no patient names, no BSN numbers, no medical images. Only cryptographic hashes are recorded. This minimises the classification risk: there is no personal data present on the relay server to classify or protect.

Certificate Transparency log: Every key registration is added to a Merkle tree (Certificate Transparency-style). Each entry contains a hash, timestamp, and tree root — making the log tamper-evident. This log is publicly available at health.paramant.app/v2/ct/log and can be used as evidence during audits.

Operational log: The relay records all actions with timestamps and sector identification. Log files are exportable and can be connected to a SIEM system for reporting to supervisory authorities.

No personal data on relay · CT Merkle log (public) · Timestamped audit trail · SIEM integration

NEN 7510 §8.2 / §12.4 requires information classification and audit logs — paramant delivers zero content storage on the relay and a tamper-evident Merkle log for audit.
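How an auditor can check a log of this shape for tampering, as an added example that is not paramant's code or its actual log format. The field names (`key_hash`, `timestamp`, `tree_root`), the leaf encoding and the RFC 6962-style hashing are assumptions, and the sample entries are constructed.

```python
import hashlib

def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(entry: dict) -> bytes:
    # Assumed leaf encoding; the 0x00/0x01 prefixes keep leaves and nodes distinct.
    return _sha256(b"\x00" + f"{entry['key_hash']}|{entry['timestamp']}".encode())

def merkle_root(leaves: list) -> bytes:
    if len(leaves) <= 1:
        return leaves[0] if leaves else _sha256(b"")
    k = 1
    while k * 2 < len(leaves):      # largest power of two below len(leaves)
        k *= 2
    return _sha256(b"\x01" + merkle_root(leaves[:k]) + merkle_root(leaves[k:]))

def append_entry(log: list, key_hash: str, timestamp: str) -> None:
    """Log side: record the root of the tree that includes the new entry."""
    entry = {"key_hash": key_hash, "timestamp": timestamp}
    leaves = [leaf_hash(e) for e in log] + [leaf_hash(entry)]
    log.append({**entry, "tree_root": merkle_root(leaves).hex()})

def first_inconsistent_entry(log: list):
    """Auditor side: index of the first entry whose recorded root is wrong, else None."""
    leaves = []
    for i, entry in enumerate(log):
        leaves.append(leaf_hash(entry))
        if merkle_root(leaves).hex() != entry["tree_root"]:
            return i
    return None

def prefix_matches_pin(log: list, pinned_size: int, pinned_root: str) -> bool:
    """Check the log still extends a (size, root) pair the auditor saved earlier."""
    leaves = [leaf_hash(e) for e in log[:pinned_size]]
    return len(leaves) == pinned_size and merkle_root(leaves).hex() == pinned_root

def build_sample_log(key_labels) -> list:
    log = []                        # constructed sample data, not real log entries
    for day, label in enumerate(key_labels, start=1):
        append_entry(log, hashlib.sha256(label.encode()).hexdigest(),
                     f"2026-01-{day:02d}T09:00:00Z")
    return log
```

Recomputing roots catches an edited or dropped entry, but a log rewritten from scratch is internally consistent; only comparison against a root the auditor retained independently exposes that case.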

NEN 7510 §13.2 / NEN 7512 Secure exchange of (medical) data

NEN 7510 §13.2 requires policies and procedures for secure information transfer. NEN 7512 specifies requirements for trusted information exchange in healthcare, including authentication of communication parties and protection of the transport layer.

DICOM transport support: Paramant supports transport of DICOM files (medical images) via the Ghost Pipe architecture. A DICOM file is encrypted client-side, forwarded via the relay, and automatically destroyed at the receiver upon receipt. The file format is not visible to the relay.

Mutual authentication: Every sender authenticates with an API key. Every receiver generates an ephemeral ML-KEM key pair for the session. The relay’s identity is verified via ML-DSA-65 signatures (NIST FIPS 204, post-quantum digital signature).

Trust-on-first-use (TOFU): The Python SDK supports TOFU fingerprint verification (~/.paramant/known_keys). The first time a receiver is seen, their cryptographic fingerprint is stored. Future sessions with a changed fingerprint are blocked and flagged, similar to SSH host verification.

DICOM transport supported · ML-DSA-65 relay authentication · TOFU fingerprint (SDK) · API key per user

NEN 7510 §13.2 / NEN 7512 requires secure exchange with authentication — paramant delivers end-to-end encrypted DICOM transport with TOFU verification and post-quantum relay authentication.
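The TOFU behaviour described above, sketched as an added example; it is not the paramant SDK's code. The JSON store layout, the SHA-256 fingerprint and the names `tofu_check` and `FingerprintMismatch` are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from pathlib import Path

class FingerprintMismatch(Exception):
    """Raised when a known receiver presents a different public key."""

def fingerprint(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()

def tofu_check(store: Path, receiver_id: str, public_key: bytes) -> str:
    """Return 'pinned' on first use and 'match' on a known key; raise on change."""
    known = json.loads(store.read_text()) if store.exists() else {}
    seen = fingerprint(public_key)
    pinned = known.get(receiver_id)
    if pinned is None:
        # First contact: pin the fingerprint. Write to a temp file and rename
        # so an interrupted write cannot leave a truncated store behind.
        known[receiver_id] = seen
        store.parent.mkdir(parents=True, exist_ok=True)
        tmp = store.with_suffix(".tmp")
        tmp.write_text(json.dumps(known, indent=2))
        tmp.chmod(0o600)            # the pin store is security state
        tmp.replace(store)
        return "pinned"
    if not hmac.compare_digest(pinned, seen):
        # Never overwrite the pin automatically: block and surface the change.
        raise FingerprintMismatch(
            f"{receiver_id}: pinned {pinned[:16]}..., presented {seen[:16]}...")
    return "match"
```

TOFU only protects sessions after the first one, so the fingerprint pinned at first contact should be confirmed with the receiver over a separate channel.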

NEN 7510 §18.1 / GDPR Art. 28 Compliance with legal and contractual requirements — jurisdiction

NEN 7510 §18.1 requires identification of relevant legislation and contractual obligations, including privacy law (GDPR). Healthcare organisations may not transfer patient data to parties outside the EEA without appropriate safeguards.

EU/DE jurisdiction: All paramant infrastructure runs on Hetzner servers in Falkenstein, Germany. No US cloud providers are used (no AWS, Azure, GCP). The US CLOUD Act — which gives US authorities the power to request data from US companies, even when data is stored in Europe — does not apply to Hetzner.

No data collection on the relay: Even if a court order were issued, the relay holds no personal data to hand over. There is no content, no patient metadata, no files — only cryptographic hashes in a public audit log.

Data Processing Agreement: Paramant acts as a data processor under GDPR Art. 28. A Data Processing Agreement (DPA) compliant with GDPR requirements and aligned with NEN 7510 §18.1 is available on request. The data controller remains the healthcare organisation.

Hetzner DE (non-US) · No US CLOUD Act · GDPR Art. 28 DPA available · No transfer outside EEA

NEN 7510 §18.1 / GDPR requires data processing safeguards within the EEA — paramant delivers exclusively Hetzner DE infrastructure, no US CLOUD Act exposure, and a GDPR-compliant Data Processing Agreement.

Requirement overview

Quick reference for DPOs (Data Protection Officers) and information security officers.

| Requirement | Obligation | How paramant addresses it |
|---|---|---|
| NEN 7510 §10.1 | Cryptographic controls | ML-KEM-768 + ECDH; relay never holds the decryption key |
| NEN 7510 §8.2 | Information classification | No personal data on relay — hashes only |
| NEN 7510 §12.4 | Log management / audit trail | Tamper-evident CT Merkle log, publicly accessible |
| NEN 7512 / §13.2 | Secure data exchange | DICOM transport; ML-DSA-65 relay authentication; TOFU |
| NEN 7510 §18.1 / GDPR | Legal compliance / jurisdiction | Hetzner DE; no US CLOUD Act; GDPR Art. 28 DPA available |

Data Processing Agreement & documentation

Data Processing Agreement (DPA) available on request — privacy@paramant.app
Also available: architecture overview, security audit report (RAPTOR 2026), SLA.

Hetzner DE · GDPR · no US CLOUD Act
ML-KEM-768 · NIST FIPS 203/204
BUSL-1.1 · © 2026 PARAMANT