Security Overview

Multi-layered security from the cryostat to the cloud — how k&z safeguards your quantum workloads, data, and intellectual property.

Security Philosophy

Quantum computing handles some of the most sensitive workloads in existence — from cryptographic research to defense simulations. k&z treats security as a foundational design constraint, not an afterthought. Every layer of our stack, from the physical cryogenic facilities to the API gateway, is engineered with defense-in-depth principles. We assume breach at every boundary and verify trust continuously.

Physical Security

Cryogenic Facility Access

Our quantum processors operate inside dilution refrigerators cooled to 15 millikelvin — colder than outer space. The facilities housing these systems are secured with multiple physical controls:

  • Biometric access control — Retinal scan and fingerprint authentication required at all entry points. No single credential grants access; dual-factor physical authentication is mandatory.
  • 24/7 on-site security — Trained security personnel monitor all facilities around the clock, supported by CCTV with 90-day recording retention.
  • Mantrap entry vestibules — All personnel pass through interlocking door systems that prevent tailgating and verify identity before granting access to the clean room.
  • Visitor escort policy — No unescorted visitors are permitted beyond the lobby. All visitor access is logged and pre-approved by facility management.
  • Environmental monitoring — Temperature, humidity, vibration, and electromagnetic interference sensors continuously monitor conditions that could affect QPU performance or indicate physical tampering.

Network Security

Private VLAN Isolation

Each customer's quantum workloads execute within an isolated network segment. Private VLANs ensure that no cross-tenant traffic is possible at the network layer, even for customers sharing the same physical QPU cluster through time-multiplexed scheduling.

  • Dedicated VPN tunnels — Enterprise customers can establish site-to-site IPsec or WireGuard tunnels for private connectivity to their k&z environment.
  • Zero-trust network architecture — All internal service-to-service communication is authenticated and encrypted using mutual TLS (mTLS) with short-lived certificates rotated every 24 hours.
  • DDoS mitigation — Multi-layer DDoS protection at the network edge, including rate limiting, traffic scrubbing, and automatic failover to geographically distributed ingress points.
  • Intrusion detection — Network-based and host-based intrusion detection systems (NIDS/HIDS) analyze traffic patterns and system behavior for anomalies in real time.

HSM-Backed Key Management

All cryptographic keys — including API signing keys, TLS certificates, and data encryption keys — are generated, stored, and managed within FIPS 140-3 Level 3 certified Hardware Security Modules (HSMs). Keys never exist in plaintext outside the HSM boundary. Key rotation occurs automatically every 90 days, with the ability to trigger immediate rotation if a compromise is suspected.

Data Encryption

Encryption at Rest

All customer data stored on k&z infrastructure is encrypted using AES-256-GCM. This includes:

  • Submitted quantum circuits and job parameters
  • Measurement results and post-processed outputs
  • Account credentials, API keys, and session tokens
  • Logs, audit trails, and billing records

Encryption keys are managed through our HSM infrastructure with per-customer key isolation available for Enterprise tier customers.

Encryption in Transit

All data transmitted between your applications and k&z services is protected with TLS 1.3. We do not support legacy TLS versions. Certificate pinning is available for customers who require it. Internal service mesh traffic uses mTLS with Ed25519 certificates issued by our private certificate authority.

Access Controls

k&z enforces role-based access control (RBAC) across all platform resources:

  • Organization Owner — Full administrative access including billing, user management, and API key provisioning.
  • Admin — Can manage team members, create projects, and configure device preferences. Cannot modify billing.
  • Developer — Can submit jobs, view results, and access device calibration data within assigned projects.
  • Viewer — Read-only access to job history and results. Cannot submit new workloads.

All role assignments are logged in an immutable audit trail. Multi-factor authentication (MFA) is enforced for all accounts, with hardware security key (FIDO2/WebAuthn) support for organizations that require phishing-resistant authentication.

Incident Response

k&z maintains a formal incident response plan that is tested quarterly through tabletop exercises and annual red-team engagements. Our incident response process follows NIST SP 800-61 guidelines:

  1. Detection & Analysis — Automated monitoring and alerting identify potential security events. Our Security Operations Center (SOC) triages alerts 24/7/365.
  2. Containment — Affected systems are isolated immediately. Customer workloads are migrated to unaffected infrastructure with minimal disruption.
  3. Eradication & Recovery — Root cause is identified and remediated. Systems are restored from verified backups and re-validated before returning to service.
  4. Post-Incident Review — A detailed post-mortem is published within 5 business days, including timeline, impact assessment, and preventive measures.

Affected customers are notified within 72 hours of confirmed data breaches, in compliance with GDPR and applicable regulations. Critical security incidents trigger immediate notification to impacted organizations.

Penetration Testing

k&z engages independent third-party security firms to conduct penetration testing on a quarterly basis. Testing scope includes:

  • External network and application penetration testing
  • API security assessment (authentication, authorization, injection, rate limiting)
  • Cloud infrastructure configuration review
  • Social engineering and phishing simulation
  • Physical security assessment of cryogenic facilities

Findings are remediated on a risk-prioritized basis — critical vulnerabilities within 24 hours, high within 7 days, medium within 30 days. Penetration test summaries are available to Enterprise customers under NDA upon request.

Responsible Disclosure

We welcome security researchers to report vulnerabilities through our Responsible Disclosure program. Reports can be sent to support@kandz.co and are acknowledged within 24 hours. We offer a bug bounty for qualifying vulnerabilities.
