Active risk: Adversaries are archiving encrypted government traffic today — to decrypt when quantum computers arrive (HNDL). What is HNDL? →
Government & Public Sector

Post-Quantum File Transfer
for Government

The Dutch Court of Audit (February 2026) found that 71% of government organisations surveyed have no post-quantum plan. NIS2 requires documented cryptographic controls by end of 2026. Paramant is open source, self-hostable, and deployable in days — not quarters.

Request free API key → Technical documentation
71%
No PQC plan
2026
NIS2 deadline
2029
Q-Day estimate
0€
Community Edition
Dutch Court of Audit — February 2026

Report: Quantum computers and the security of digital communications

The report found that most government organisations have insufficient insight into their cryptographic dependencies and no concrete plan for post-quantum cryptography. Recommendation: before Q2 2026, inventory all systems using quantum-vulnerable encryption and produce a documented plan in line with NIS2 Article 21. Paramant provides exactly that foundation — as open source, self-hostable software.

What Paramant provides

Working software — not a consultancy report.

Post-quantum file transfer

Ghost Pipe uses ML-KEM-768 + AES-256-GCM (NIST FIPS 203). Files are encrypted in the browser before upload. The relay never sees plaintext. Burn-on-read: destroyed after first download.

Tamper-evident audit log

Every transfer is hashed into a public Merkle tree (CT log). The signed tree head (STH) is independently verifiable via paramant-verify-sth. Exportable for audits, SIEM integration, or BIO/NEN 7510 accountability.

Independent relay verification

paramant-verify-sth --relay <url> verifies the ML-DSA-65 signed tree head against the relay’s public key — no trust in the operator required. paramant-verify-peers cross-checks all registered relays for root consistency and flags any tampering.

Self-hostable relay

The full relay stack runs on your own Ubuntu server or government cloud in one command. No data leaves your jurisdiction. Community Edition: free for up to 5 users under BUSL-1.1.

Data Processing Agreement (GDPR Art. 28)

A model agreement under GDPR Article 28 is available here. When self-hosting on your own server, the processing relationship is eliminated — you are both controller and processor.

Sector routing

Dedicated subdomains for each sector — health, legal, finance, iot — provide routing isolation and sector-specific compliance documentation. All nodes run identical Ghost Pipe software.

Compliance coverage

Designed for the Dutch and EU public sector.

Standard Requirement How Paramant addresses it
NIS2 art. 21 Documented cryptographic controls ML-KEM-768 + AES-256-GCM; verifiable via CT log and paramant-verify-sth
BIO Encryption of sensitive data in transit ML-KEM-768 + AES-256-GCM; no plaintext on relay
GDPR / AVG art. 28 Data Processing Agreement for external processing DPA available; not required when self-hosting
NEN 7510 Healthcare information security health.paramant.app sector; DICOM transfer documented
DigiD connection requirements TLS 1.3, strong encryption, audit logging Relay uses TLS 1.3; DigiD coupling requires additional assessment
Government cloud criteria Data location in EU/NL, no US CLOUD Act exposure Hetzner Falkenstein (DE); no US jurisdiction
EU CRA (Cyber Resilience Act) PQC by default in software supply chain — 2027 ML-KEM-768 by default; roadmap documented in SECURITY.md
ML-KEM-768 (FIPS 203) ML-DSA-65 (FIPS 204) AES-256-GCM TLS 1.3 Hetzner DE BUSL-1.1 DigiD: additional assessment required

Data jurisdiction

No US CLOUD Act. No Cloudflare. Direct from Hetzner DE.

Hetzner Online GmbH — Falkenstein, Germany

The managed relay runs exclusively on Hetzner servers in Germany. No Cloudflare — TLS terminates directly on nginx, with no third party in the path. Hetzner operates under German and EU law. No US CLOUD Act exposure.

When self-hosting, you choose your own jurisdiction — your own datacenter, a government cloud, or any EU provider. The relay software is fully open source (BUSL-1.1).

Getting started

From zero to a running post-quantum relay in under two minutes.

1

Request a free API key

Go to paramant.app/request-key. No credit card. No account. You receive a pgp_ key for end-user access or a plk_ key to unlock your self-hosted relay beyond 5 users.

2

Deploy the relay

On any Ubuntu or Debian server: curl -fsSL https://paramant.app/install.sh | bash. For a Raspberry Pi: curl -fsSL https://paramant.app/install-pi.sh | bash. Choose the sector that fits your use case: health, legal, or finance.

3

Verify the relay independently

Run paramant-verify-sth --relay https://your-relay-url to verify the ML-DSA-65 signed tree head. Run paramant-verify-peers to cross-check all registered relays for root consistency. Exit 0 means the log is intact.

4

Data Processing Agreement (managed relay only)

If using the Paramant-managed relay, sign the Data Processing Agreement (GDPR Art. 28). When self-hosting, no DPA is required — you control all infrastructure.

Paramant Community Edition is free.

Self-host in under two minutes. No credit card. No account required.
Questions: privacy@paramant.app

Request free API key → Data Processing Agreement (GDPR Art. 28)
Free up to 5 users Self-host on your own server Hetzner DE — no US jurisdiction github.com/Apolloccrypt/paramant-relay