QNSP

Compliance

7 frameworks mapped at the control level

QNSP runs a compliance engine that maps 48 controls across SOC 2, HIPAA, GDPR, PCI DSS v4.0.1, ISO/IEC 27001:2022, PDPA (Singapore), and MAS TRM — and evaluates them in real time against live service-health probes. The seven frameworks below are the ones QNSP ships with mapped at the control level today, not the ones we plan to support someday.

Coverage

Framework matrix

The seven frameworks QNSP maps today, with cited standard, control count from the live compliance engine, and the crypto-policy tier at which each framework automatically activates.

Framework | Standard | Controls | Activates on tier
SOC 2 Type II | AICPA Trust Services Criteria (2017) | 6 | strict, maximum, government
HIPAA Security Rule | 45 CFR Part 164 | 6 | strict, maximum, government
GDPR | Regulation (EU) 2016/679 | 5 | maximum, government
PCI DSS | v4.0.1 (PCI Security Standards Council) | 5 | maximum, government
ISO/IEC 27001 | ISO/IEC 27001:2022 | 7 | maximum, government
PDPA (Singapore) | Personal Data Protection Act 2012 (Rev. 2021) | 9 | strict, maximum, government
    Note: Singapore-resident regulator (PDPC). Mapped natively given QNSP's Singapore HQ — most US-HQ competitors do not enumerate PDPA on public Trust Centers.
MAS TRM Guidelines | Technology Risk Management Guidelines (Jan 2021) | 10 | maximum, government
    Note: Monetary Authority of Singapore. Mandatory framework for MAS-regulated FSI entities. Built into the compliance engine from day one given QNSP's Singapore HQ and FSI focus.
Total | | 48 |

Source-of-truth file: apps/audit-service/src/services/compliance-service.ts (FRAMEWORK_METADATA + FRAMEWORK_CONTROLS).

Activation

Per-crypto-tier framework activation

QNSP's crypto-policy tier determines which compliance frameworks are automatically activated for a tenant. Tiers stack: maximum includes everything in strict, and government includes everything in maximum plus FIPS-finalized PQC restrictions and HSM-rooted keys.

Crypto tier | Billing tiers | Frameworks activated
default | Free, Dev Starter, Dev Pro, Dev Elite, Dev Team | (no automatic framework activation)
strict | Business Team, Business Advanced, Business Elite | SOC 2 · HIPAA · PDPA
maximum | Enterprise Standard, Enterprise Pro, Enterprise Elite | SOC 2 · HIPAA · GDPR · PCI DSS · ISO 27001 · PDPA · MAS TRM
government | Government, Specialized (air-gapped, on-prem, BYOH) | SOC 2 · HIPAA · GDPR · PCI DSS · ISO 27001 · PDPA · MAS TRM (FIPS-finalized PQC only)

Mechanism

Real-time control evaluation

QNSP's compliance engine does not depend on snapshots. Every control has explicit evidenceSources — backend services whose health endpoints attest to whether the control is operationally effective right now.

Source-bound
Each control names the backend services that attest to its effectiveness: auth-service → identity and access controls, kms-service → key management, vault-service + storage-service → encryption at rest, edge-gateway → encryption in transit, audit-service → audit chain integrity, security-monitoring-service → continuous monitoring.
Status calculus
All sources up → control status met. ≥ 50% of sources up → partial. < 50% up → not met. Surfaced live in the authenticated cloud portal at /compliance.
Evidence packs
Authenticated tenants on plans including the evidence-compliance-pack add-on generate framework reports on demand. Pre-engagement evidence requests go through sales (see CTAs below).
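The status calculus and tier stacking described above, as an added example that is not QNSP's own compliance-service code. Service names follow the page; the control labels, the health map and the rule that a control with no evidence source counts as not met are constructed assumptions.

```typescript
type ControlStatus = "met" | "partial" | "not_met";

interface Control {
  id: string;
  evidenceSources: string[]; // backend services whose health attests to this control
}

// Result of the live service-health probes: service name -> currently up?
type HealthMap = Record<string, boolean>;

// Status calculus from the page: all sources up -> met; >= 50% up -> partial; else not met.
export function evaluateControl(control: Control, health: HealthMap): ControlStatus {
  const total = control.evidenceSources.length;
  if (total === 0) return "not_met"; // assumption: nothing can attest, so treat as not met
  const up = control.evidenceSources.filter((s) => health[s] === true).length;
  if (up === total) return "met";
  if (up * 2 >= total) return "partial"; // integer form of ">= 50% of sources up"
  return "not_met";
}

// Per-status tally across a framework's controls. The page states no
// framework-level rollup rule, so only the counts are produced here.
export function tallyFramework(controls: Control[], health: HealthMap) {
  const tally = { met: 0, partial: 0, not_met: 0 };
  for (const c of controls) tally[evaluateControl(c, health)]++;
  return tally;
}

// Crypto-policy tiers stack: a tier activates its own frameworks plus every lower tier's.
type Tier = "default" | "strict" | "maximum" | "government";
const TIER_ORDER: Tier[] = ["default", "strict", "maximum", "government"];
const TIER_ADDS: Record<Tier, string[]> = {
  default: [],
  strict: ["SOC 2", "HIPAA", "PDPA"],
  maximum: ["GDPR", "PCI DSS", "ISO 27001", "MAS TRM"],
  government: [], // same seven frameworks as maximum; adds FIPS-finalized PQC restriction only
};
export function frameworksForTier(tier: Tier): string[] {
  const out: string[] = [];
  for (let i = 0; i <= TIER_ORDER.indexOf(tier); i++) out.push(...TIER_ADDS[TIER_ORDER[i]]);
  return out;
}

// Constructed sample: encryption at rest needs vault + storage, and storage is degraded.
export const SAMPLE_HEALTH: HealthMap = { "auth-service": true, "vault-service": true, "storage-service": false, "edge-gateway": true };
export const SAMPLE_CONTROLS: Control[] = [
  { id: "identity-access", evidenceSources: ["auth-service"] },
  { id: "encryption-at-rest", evidenceSources: ["vault-service", "storage-service"] },
  { id: "encryption-in-transit", evidenceSources: ["edge-gateway"] },
];
```

With the sample health map the at-rest control drops to partial the moment storage-service fails its probe, which is the "reflects that immediately" behaviour the FAQ below contrasts with a point-in-time attestation.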

FAQ

What buyers and regulators ask

Direct answers to the seven questions QNSP gets asked most often about compliance posture. Each Q&A also emits schema.org FAQPage markup for search rich-snippet eligibility.

Do you support MAS TRM?
Yes. MAS TRM Guidelines (Technology Risk Management Guidelines, January 2021) is one of QNSP's 7 mapped frameworks, with 10 controls covering Sections 4 (IT Governance), 5 (TRM Framework), 6 (Project Management + Security-by-Design), 7 (System Security), 8 (Cryptography), 9 (Data + Infrastructure Security), 10 (Access Control), 11 (Cyber Security Operations), 12 (Cyber Incident Management), and 13 (Audit Logging + Monitoring). MAS TRM is automatically activated on the maximum and government crypto-policy tiers. QNSP is built in Singapore by Singapore-incorporated CUI LABS PTE. LTD.
Is QNSP SOC 2 Type II compliant?
QNSP maps SOC 2 controls (AICPA Trust Services Criteria, 2017) at the control level inside the compliance engine, with live evaluation against the platform's authn, access-control, encryption-in-transit, encryption-at-rest, audit, and security-monitoring services. The compliance engine activates SOC 2 mapping on strict, maximum, and government tiers. Formal SOC 2 Type II audit timing depends on customer-driven attestation cycles — request an evidence pack via sales for the current attestation status.
What does PDPA (Singapore) mapping mean?
Personal Data Protection Act 2012 (Revised 2021) is Singapore's primary data-protection regulation, enforced by the PDPC. QNSP maps 9 PDPA obligations: Consent (s.13), Purpose Limitation (s.18), Access + Correction (s.21, s.22), Protection (s.24), Retention Limitation (s.25), Data Breach Notification (s.26A-E), Transfer Limitation (s.26), Data Protection Officer (s.11(3)), and Data Protection Policies (s.12). PDPA activates on strict, maximum, and government crypto-policy tiers.
How is FedRAMP progressing?
FedRAMP authorisation is on QNSP's roadmap. The platform's underlying control set (SOC 2, HIPAA, encryption-in-transit and at-rest, cryptographic policy enforcement, audit trail, security monitoring) maps to FedRAMP Moderate baseline. Active CAVP engagement with NIST (correspondence opened 2026-05-12 with the CAVP Program Manager) is a prerequisite for FIPS 140-3 module validation, which is in turn the cryptographic foundation for FedRAMP. Timeline: CAVP cert first (6-12 months), then CMVP / FIPS 140-3 cert (12-24 months), then FedRAMP. Customers pursuing FedRAMP today should engage sales to discuss the joint authorisation path.
Can I get a compliance evidence pack?
Yes. Evidence packs include the live framework status report, control-level evidence (which backend services attest which controls), the most recent NIST ACVP conformance report with SHA-3-256 digest, the entropy chain documentation, and the cryptographic bill of materials (CBOM). Authenticated tenants on plans that include the evidence-compliance-pack add-on can generate packs on demand from the cloud portal. Pre-engagement evidence requests go through sales — see the CTA below.
How is 'real-time control evaluation' different from a SOC 2 attestation report?
A SOC 2 attestation is a point-in-time auditor's report on whether controls were effective over a defined period. QNSP's compliance engine additionally evaluates control effectiveness on every page load by probing live service-health endpoints (authn, access-control, KMS, vault, audit, encryption-in-transit, encryption-at-rest, security-monitoring). If a control's evidence source is degraded, the framework's status reflects that immediately — not at the next audit. Both approaches coexist: live evaluation is operational telemetry; periodic attestation reports are the contractual deliverable.
Do you support CNSA 2.0?
QNSP ships the FIPS 203 ML-KEM, FIPS 204 ML-DSA, and FIPS 205 SLH-DSA algorithms required by CNSA 2.0 today, plus Falcon (FN-DSA, pending FIPS 206). The government crypto-policy tier restricts to FIPS-finalized PQC only (ML-KEM-1024, ML-DSA-87, SLH-DSA-SHA2-256f, SLH-DSA-SHAKE-256f) with HSM root keys, matching the CNSA 2.0 transition timeline (January 2027 for National Security Systems). Full CNSA 2.0 alignment evidence is included in government-tier evidence packs.
