
Sovereign cloud

Sovereign cloud key-management patterns that separate encrypted storage from jurisdiction-controlled cryptographic material.



Customer-controlled keys in your jurisdiction.


EU data residency and Gaia-X alignment

EU data residency requirements — whether driven by GDPR, national data sovereignty laws, or sector-specific regulation — impose constraints that go beyond physical server location. When encryption keys are managed by a non-EU cloud provider, the data is effectively accessible to that provider’s jurisdiction even if the storage medium is in Frankfurt. Quanten’s sovereign cloud model separates the storage plane from the key management plane: data is encrypted in the cloud provider’s storage, but the keys are generated, stored, and rotated on infrastructure that the customer controls, in their legal jurisdiction, with no cloud-provider access path.

This model is mapped to the Gaia-X trust framework’s data sovereignty principles and to EU Cloud Services Schema (EUCS) high-assurance planning requirements. For public-sector organisations subject to the German BDSG or French RGPD supplements, Quanten’s deployment architecture supports technical and contractual evidence that personal data is processed under EU jurisdiction.

BYOK with PQC HSMs and customer-controlled escrow

Bring-Your-Own-Key (BYOK) architectures allow customers to supply the root key material that cloud providers use to derive data encryption keys. Standard BYOK implementations today use RSA-wrapped AES keys transmitted to the cloud provider’s key management service. Quanten extends this model: the wrapping mechanism is replaced with ML-KEM-1024 key encapsulation, so the key transport is quantum-safe. The root key material is generated inside the customer’s on-premises FIPS 140-3-aligned HSM and never exists outside that boundary in plaintext form, even during the BYOK exchange.

Key escrow — the ability to recover encrypted data if the primary key path is unavailable — is implemented through a multi-party computation (MPC) threshold scheme: the escrow key is split into shares held by the customer’s designated escrow custodians, with a configurable threshold (e.g., 3-of-5) required for reconstruction. No single custodian can reconstruct the key alone, and Quanten holds no escrow shares.

Engagement deliverables

  • Jurisdiction map for workloads, storage planes, key-management planes, operators, and support paths.
  • BYOK/HYOK design that keeps root key generation and escrow under customer-controlled boundaries.
  • Audit-ready key event export for generation, wrapping, access, rotation, recovery, and destruction events.
  • Gaia-X and EUCS high-assurance planning alignment.
  • ML-KEM-1024 BYOK wrapping — no RSA in the key transport path.
  • On-premises FIPS 140-3-aligned HSM for root key generation.
  • MPC threshold escrow with customer-controlled shares.
  • Zero standing access by Quanten to customer key material.

Regulatory landscape for sovereign cloud

The regulatory pressure for genuine cloud sovereignty is intensifying. The Data Act, the in-force Cyber Resilience Act (Regulation (EU) 2024/2847), and national implementations of the EUCS scheme all push towards tighter requirements on where and by whom cryptographic key material is controlled. Quanten’s sovereign cloud deployment model is designed to support evidence for demanding interpretations of these requirements — not to claim a completed certification. Talk to our security team to map your cloud workloads against the applicable sovereignty requirements.