build 2.4.5 · keyex ml-kem-768 · fips 203/204 · STH

post-quantum · eu sovereign · zero-knowledge

Encrypted file transport.
RAM-only. Burn on read.

Paramant is a post-quantum encrypted file relay. ML-KEM-768 and ML-DSA-65, NIST Level 3. Operated from the Netherlands, infrastructure in Germany. No US owner, no CLOUD Act exposure. Your data lives in RAM only, destroyed on first read.

Send a file Why jurisdiction matters
ML-KEM-768 · FIPS 203
RAM-only · burn on read
Hetzner DE · EU-Central
BUSL-1.1 · self-hostable
01

Four steps. Nothing stored.

How it works
1
Encrypt client-side

Your file is encrypted in the browser before it leaves your device. The relay never sees plaintext.

2
Transit via Ghost Pipe

The ciphertext moves through the relay, padded to 5 MB and hashed into the CT Merkle log.

3
One-time download

The recipient decrypts locally. On download, the relay erases the blob from RAM. Burn-on-read.

4
Cryptographic proof

The Merkle root is updated. Transfer is proven without storing what was transferred.

01.5

Two modes. Pick your trust model.

Architecture

Anonymous

AES-256-GCM

Browser-generated key lives only in the URL fragment, never sent to the relay. Prove-by-design that we cannot decrypt what we relay.

Ideal for one-off sends that need zero setup. No registration. No key exchange.

Send a file →

Verified end-to-end

ML-KEM-768 Hybrid

ML-KEM-768 + ECDH P-256 hybrid key exchange via Rust/WASM. ML-DSA-65 signed receipts (FIPS 204). Fingerprint verification before send.

For when the audit trail matters. The receiver can prove who sent what.

Try ParaShare →
02

Products

Three tools

ParaSend

Send a file

AES-256-GCM. Key in URL fragment. Drop a file, get a burn link. 5 MB, up to 1 hour.

Try now →

ParaShare

Verified transfer

ML-KEM-768 hybrid with fingerprint verification. Post-quantum key exchange. Proof-of-delivery.

Try free →

ParaDrop

Local transfer

Browser to browser via WebRTC. No relay storage. No Apple. No cloud. Burn-on-read.

Try now →
03

Verifiable

CT log
Certificate Transparency Log — live
View all →
Log entries
Registered relays
STH signature
checking...
Current root
syncing...
SHA3-256 · tamper-evident · public
Recent activity
loading...
Every transfer hashed into a Merkle tree. Content never stored.
View live CT log → Why post-quantum now →
04

Pricing

Three tiers
Free
€0
No account · no card · forever

For one-off anonymous sends. No account, no tracking.

  • AES-256-GCM, browser-generated key
  • 5 MB per file
  • 1 hour link expiry
  • Burn on first read
  • 10 uploads per hour per IP
  • Up to 5 registered devices for ParaShare
Send a file free →
Pro
Coming soon
Join waitlist for launch pricing

For professionals who send regularly. Features, not bigger files.

  • Everything in Free
  • 24 hour link expiry
  • Up to 10 reads per link
  • Up to 50 registered devices
  • Send history and link management
  • Webhooks on upload and download
  • Email notifications via Resend
  • No IP rate limit
Get notified →
Enterprise
Custom
Dedicated relay · SLA · compliance

Dedicated infrastructure, compliance, and support.

  • Everything in Pro
  • 7 day link expiry
  • Up to 100 reads per link
  • Unlimited registered devices
  • Dedicated relay on our infra or yours
  • Configurable file size per tenant (default 5 MB, tested up to 50 MB on dedicated deployments)
  • IEC 62443 / NIS2 / NEN 7510 documentation
  • DPA (GDPR Art. 28), on-premise option
  • SLA 99.9%, priority support
Contact →
Full plan details and comparison →
05

Run your own relay.

Self-host

Source-available under BUSL-1.1. Free for up to 5 users. Works on a Raspberry Pi. If the managed service ever closes, every self-hosted relay keeps running indefinitely.

curl -fsSL https://paramant.app/install.sh | bash or docker compose up -d
Full deploy guide →