PARAMANT
Post-Quantum Ghost Pipe · Press Kit
About
PARAMANT is a post-quantum encrypted file relay built for regulated industries. Files are encrypted client-side with ML-KEM-768 before upload, stored in RAM only, and destroyed after one download. Nothing is written to disk. EU/DE jurisdiction. Self-hostable. NIS2, NEN7510, and IEC 62443 ready.
PARAMANT Ghost Pipe is a post-quantum encrypted relay that makes secure file transfer genuinely simple. Data is encrypted in the browser or SDK using ML-KEM-768 + AES-256-GCM — before it leaves the device. The relay only ever sees fixed-size (5 MB) ciphertext blobs, never the original file, never a decryption key. Blobs are held in RAM and destroyed immediately after the recipient downloads them. There is no storage, no inbox, no user account. Every transfer is recorded in a public SHA3-256 Merkle tree — proving delivery without storing content. Five live sector relays cover healthcare (NEN 7510), legal (eIDAS), finance (DORA), industrial IoT (IEC 62443), and general use. Community Edition is free forever for up to 5 API keys. The relay runs on a Raspberry Pi, a VPS, or as a bootable USB — no cloud dependency required.
PARAMANT Ghost Pipe is a post-quantum secure file relay designed for healthcare providers, legal professionals, industrial operators, and financial institutions operating under strict data sovereignty requirements. It solves a specific problem: sending sensitive files between parties where neither party trusts the relay — and where the jurisdiction of storage matters.
The system is built around three hard guarantees. First, encryption is purely client-side: files are encrypted using ML-KEM-768 key encapsulation and AES-256-GCM symmetric encryption inside a Rust/WASM module that runs in the browser, before any data leaves the device. Second, the relay is RAM-only: encrypted blobs are never written to disk, making forensic recovery impossible. Third, burn-on-read: each blob is destroyed immediately after the first successful download. The relay cannot be compelled to hand over content it no longer holds.
PARAMANT runs five sector relays, each tuned to its compliance domain: health (NEN 7510, HL7 FHIR, DICOM), legal (eIDAS, KNB), finance (NIS2, DORA, ISO 20022), industrial IoT (IEC 62443, EU CRA), and general. Each sector is a separate container — a breach in one does not expose another.
Deployment takes two minutes: one docker compose command on any Ubuntu 22.04+ server. A Raspberry Pi installer and a bootable NixOS image (paramantOS) are available for dedicated hardware. The community edition is permanently free for up to 5 API keys per relay instance.
PARAMANT was independently security-audited in April 2026 by Ryan Williams (Smart Cyber Solutions, AU) and R. Zwarts. Twenty findings across two audits — including 4 critical — were fully resolved before public release. All findings are publicly documented.
Incorporated in the Netherlands. Infrastructure on Hetzner Frankfurt, DE. EU/GDPR jurisdiction only, no US CLOUD Act exposure.
Key facts
- Founded: 2025
- HQ: Netherlands / EU
- Infrastructure: Hetzner Frankfurt, DE — EU only
- Jurisdiction: EU/DE · GDPR · no US CLOUD Act
- Version: v2.4.5 (April 2026)
- Live relays: 5 (relay · health · finance · legal · iot)
- Encryption: ML-KEM-768 + AES-256-GCM (NIST FIPS 203 / SP 800-38D)
- Audit: April 2026 — all findings resolved, publicly documented
- License: BUSL-1.1 — source available, free ≤ 5 keys
- Contact: privacy@paramant.app
What makes PARAMANT different
- No plaintext, ever. Encryption happens client-side in Rust/WASM before upload. The relay cannot read your file — even under court order, because it never had it.
- Burn-on-read, not expiry. Blobs are destroyed on download, not on a timer. You cannot re-download a file, and neither can an attacker who compromises the relay after delivery.
- EU jurisdiction by design. Infrastructure is on Hetzner Frankfurt DE. No US entity in the chain. No CLOUD Act exposure. GDPR-compliant by architecture, not by policy.
- Sector compartmentalisation. Five separate relay containers — healthcare, legal, finance, IoT, general. A breach or subpoena targeting the finance relay cannot reach health data.
- Post-quantum now, not later. ML-KEM-768 (NIST FIPS 203) protects against store-now-decrypt-later attacks. Healthcare data sent today cannot be decrypted by a quantum computer in 2030.
Logo & brand assets
Use PARAMANT brand assets only in editorial/press contexts. Do not modify the logo or use it to imply endorsement without written permission.
SVG available on request: privacy@paramant.app
Screenshots & product images
Press contact
Email: privacy@paramant.app
Response time: 24 hours (EU business hours)
Available for: product demos, technical briefings, compliance review calls, researcher access