How Paramant compares to existing file transfer solutions on post-quantum encryption, EU jurisdiction, burn-on-read, audit trail, and self-hosting capability.
| Feature | Paramant | Tresorit | WeTransfer | SFTP / SCP | Q*Bird | NXP |
|---|---|---|---|---|---|---|
| Post-quantum encryption (ML-KEM-768 / equivalent) | ✓ ML-KEM-768 + ECDH P-256 hybrid (FIPS 203) | ✗ AES-256 only, no PQC | ✗ TLS only, no E2E | ✗ RSA / ECDSA, no PQC | ~ Hardware QKD — network layer, not file-level | ~ PQC chip-level; no file relay product |
| EU jurisdiction (No US CLOUD Act exposure) | ✓ Hetzner Frankfurt DE — no US sub-processors | ~ EU servers available but US-HQ (CLOUD Act risk) | ✗ US company (Amsterdam offices, US parent) | ✓ Self-hosted — jurisdiction depends on operator | ✓ Dutch company, hardware only | ~ Global — depends on deployment region |
| Burn-on-read (File destroyed after first download) | ✓ Default — ciphertext in RAM, destroyed on first read | ✗ Storage-based; files persist until manually deleted | ✗ Files persist for 7–365 days | ✗ Files persist on server; manual deletion required | ✗ Network relay, not file storage/transfer | ✗ Chip / crypto primitive — not a file relay |
| Zero persistent storage (No bytes written to disk) | ✓ RAM-only by default; optional disk for resilience | ✗ Cloud storage is the product — always persisted | ✗ Files stored in cloud until expiry | ✗ Files written to server disk | ✗ N/A — not a file relay | ✗ N/A — not a file relay |
| Tamper-evident audit log (Merkle tree / cryptographic proof) | ✓ Merkle CT log — SHA-256 leaf hashes, append-only | ~ Activity log — mutable, not cryptographic | ~ Email notification only — no cryptographic proof | ✗ Server logs only — mutable, no delivery proof | ✗ N/A — network layer QKD | ✗ N/A — crypto chip |
| Self-hostable (Full control, your infrastructure) | ✓ Docker Compose — deploy in 60s on any VPS | ✗ SaaS only — no self-hosted option | ✗ SaaS only | ✓ By definition — you run the server | ✗ Hardware appliance — not software-deployable | ✗ Chip integration — not a deployable relay |
| Open source (Auditable codebase) | ✓ BUSL-1.1 — full source on GitHub | ✗ Proprietary — client SDK only | ✗ Proprietary | ✓ OpenSSH is open source | ✗ Proprietary hardware / firmware | ~ Reference designs available; production firmware proprietary |
| NIS2 / NEN 7510 ready (Compliance documentation) | ✓ NIS2 · NEN 7510 · IEC 62443 · DORA — docs available | ~ ISO 27001 certified; NEN 7510 not specifically | ✗ No specific NIS2/NEN 7510 documentation | ✗ Protocol only — compliance is operator responsibility | ~ IEC 62443 alignment (OT focus) | ~ Common Criteria certified chips |
| Available today (Production-ready) | ✓ 5 live relay sectors, public | ✓ Production SaaS | ✓ Production SaaS | ✓ Mature protocol | ~ Limited availability — hardware pilots | ✓ Chips available; no file relay product |
| Pricing (Entry point) | Free: Community Edition — self-hosted, ≤5 users; Professional: €149/mo · Enterprise: custom | €10/user/mo: Business plans from €10/user/mo | Free / €12/mo: Pro €12/mo — no E2E, no PQC | Free: Self-managed server costs only | Hardware: Hardware appliance pricing — on request | Chip licensing: Volume chip licensing — not a relay product |
Each alternative solves a different problem. None of them address the full stack required by NEN 7510, NIS2, or IEC 62443 for file-level data in transit.
Tresorit is a cloud storage product with E2E encryption. Files persist until manually deleted — there is no burn-on-read. It is a US-headquartered company, which creates CLOUD Act exposure regardless of EU server location. No post-quantum encryption. No Merkle audit log.
WeTransfer encrypts the transport (TLS) but has no end-to-end encryption. Files are stored in plaintext on WeTransfer servers. A US company. Files persist for 7–365 days. No audit trail. No PQC. Not compliant with GDPR Art. 32 for sensitive data.
SFTP encrypts the channel with SSH (RSA/ECDSA), not the file. The server operator has full access to all files. Files are written to disk and persist indefinitely. Server logs are mutable — no cryptographic delivery proof. No PQC support in production deployments. Jurisdiction depends entirely on where you run the server.
Q*Bird builds QKD hardware for securing network links — a different problem. QKD requires physical fibre between sites, is not yet at scale, and does not address file-level encryption, burn-on-read, or audit trails. Not generally available; hardware pilots only as of 2026.
NXP produces cryptographic hardware (Secure Elements, HSMs, PQC-ready microcontrollers). This is enabling technology for building PQC applications, not a file relay product. NXP chips could be used inside a relay implementation, but NXP itself does not offer a competing service.
Deploy in 60 seconds. Full source code. All encryption features. No account required.